Proving Grounds - Nukem (Linux)
Proving Grounds Nukem Linux walkthrough covering reconnaissance, initial access, and privilege escalation.
Proving Grounds - Nukem (Linux)
Overview
| Field | Value |
|---|---|
| OS | Linux |
| Difficulty | Not specified |
| Attack Surface | Web application and exposed network services |
| Primary Entry Vector | Web-based initial access |
| Privilege Escalation Path | Local enumeration -> misconfiguration abuse -> root |
Credentials
No credentials obtained.
Reconnaissance
💡 Why this works
This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.
Initial Foothold
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
1
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50 -r --timeout 3 --no-state -s 200,301,302,401,403 -x php,html,txt --dont-scan '/(css|fonts?|images?|img)/' -u http://$ip
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
✅[3:42][CPU:13][MEM:73][TUN0:192.168.45.166][/home/n0z0]
🐉 > feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50 -r --timeout 3 --no-state -s 200,301,302,401,403 -x php,html,txt --dont-scan '/(css|fonts?|images?|img)/' -u http://$ip
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.12.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.178.105
🚫 Don't Scan Regex │ /(css|fonts?|images?|img)/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ [200, 301, 302, 401, 403]
💥 Timeout (secs) │ 3
🦡 User-Agent │ feroxbuster/2.12.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, html, txt]
🏁 HTTP methods │ [GET]
📍 Follow Redirects │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 99l 448w 6193c http://192.168.178.105/wp-login.php
200 GET 53l 438w 9321c http://192.168.178.105/wp-includes/css/
200 GET 0l 0w 0c http://192.168.178.105/wp-content/themes/
200 GET 0l 0w 0c http://192.168.178.105/wp-content/
200 GET 0l 0w 0c http://192.168.178.105/wp-includes/assets/script-loader-packages.php
200 GET 15l 53w 944c http://192.168.178.105/wp-includes/assets/
200 GET 0l 0w 0c http://192.168.178.105/wp-includes/bookmark.php
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
1
smbclient //$ip/Commander -N -m SMB3 -p 36445
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❌[3:51][CPU:76][MEM:65][TUN0:192.168.45.166][/home/n0z0]
🐉 > smbclient //$ip/Commander -N -m SMB3 -p 36445
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Sep 19 02:19:19 2020
.. D 0 Sat Aug 3 06:56:45 2024
.gitignore H 15 Sat Sep 19 02:19:19 2020
README.md N 417 Sat Sep 19 02:19:19 2020
server.py N 2552 Sat Sep 19 02:19:19 2020
requirements.txt N 287 Sat Sep 19 02:19:19 2020
chinook.db N 884736 Sat Sep 19 02:19:19 2020
9738528 blocks of size 1024. 5337108 blocks available
smb: \>
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
1
smbclient //$ip/Commander -N -m SMB3 -p 36445
1
2
3
✅[3:57][CPU:6][MEM:65][TUN0:192.168.45.166][...OSCP/Proving_Ground/Nukem]
🐉 > smbclient //$ip/Commander -N -m SMB3 -p 36445
Caption: Screenshot captured during this stage of the assessment.
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
1
wpscan --url http://192.168.178.105/ --disable-tls-checks --enumerate u,t,p
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
❌[4:10][CPU:3][MEM:71][TUN0:192.168.45.166][/home/n0z0]
🐉 > wpscan --url http://192.168.178.105/ --disable-tls-checks --enumerate u,t,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.178.105/ [192.168.178.105]
[+] Started: Tue Feb 24 04:16:01 2026
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.46 (Unix) PHP/7.4.10
| - X-Powered-By: PHP/7.4.10
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.178.105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.178.105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.178.105/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.178.105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.178.105/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://192.168.178.105/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
[+] WordPress theme in use: news-vibrant
| Location: http://192.168.178.105/wp-content/themes/news-vibrant/
| Last Updated: 2024-06-25T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/news-vibrant/readme.txt
| [!] The version is out of date, the latest version is 1.5.2
| Style URL: http://192.168.178.105/wp-content/themes/news-vibrant/style.css?ver=1.0.1
| Style Name: News Vibrant
| Style URI: https://codevibrant.com/wpthemes/news-vibrant
| Description: News Vibrant is a modern magazine theme with creative design and powerful features that lets you wri...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.12 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/news-vibrant/style.css?ver=1.0.1, Match: 'Version: 1.0.12'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-file-list
| Location: http://192.168.178.105/wp-content/plugins/simple-file-list/
| Last Updated: 2026-01-29T20:30:00.000Z
| [!] The version is out of date, the latest version is 6.1.18
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.178.105/wp-content/plugins/simple-file-list/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.178.105/wp-content/plugins/simple-file-list/readme.txt
[+] tutor
| Location: http://192.168.178.105/wp-content/plugins/tutor/
| Last Updated: 2026-01-28T10:59:00.000Z
| [!] The version is out of date, the latest version is 3.9.6
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.5.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.178.105/wp-content/plugins/tutor/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.178.105/wp-content/plugins/tutor/readme.txt
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:09 <========================================================================================> (400 / 400) 100.00% Time: 00:00:09
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] gaming-mag
| Location: http://192.168.178.105/wp-content/themes/gaming-mag/
| Last Updated: 2021-12-29T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/gaming-mag/readme.txt
| [!] The version is out of date, the latest version is 1.0.2
| [!] Directory listing is enabled
| Style URL: http://192.168.178.105/wp-content/themes/gaming-mag/style.css
| Style Name: Gaming Mag
| Style URI: https://codevibrant.com/wpthemes/gaming-mag
| Description: Gaming Mag is a child theme of News Vibrant modern magazine WordPress theme, with creative design an...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/gaming-mag/style.css, Match: 'Version: 1.0.1'
[+] news-vibrant
| Location: http://192.168.178.105/wp-content/themes/news-vibrant/
| Last Updated: 2024-06-25T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/news-vibrant/readme.txt
| [!] The version is out of date, the latest version is 1.5.2
| Style URL: http://192.168.178.105/wp-content/themes/news-vibrant/style.css
| Style Name: News Vibrant
| Style URI: https://codevibrant.com/wpthemes/news-vibrant
| Description: News Vibrant is a modern magazine theme with creative design and powerful features that lets you wri...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0.12 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/news-vibrant/style.css, Match: 'Version: 1.0.12'
[+] twentynineteen
| Location: http://192.168.178.105/wp-content/themes/twentynineteen/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://192.168.178.105/wp-content/themes/twentynineteen/style.css
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.178.105/wp-content/themes/twentynineteen/, status: 500
|
| Version: 1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.7'
[+] twentyseventeen
| Location: http://192.168.178.105/wp-content/themes/twentyseventeen/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 4.0
| Style URL: http://192.168.178.105/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.178.105/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 2.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.4'
[+] twentytwenty
| Location: http://192.168.178.105/wp-content/themes/twentytwenty/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://192.168.178.105/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.178.105/wp-content/themes/twentytwenty/style.css
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.178.105/wp-content/themes/twentytwenty/, status: 500
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.178.105/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.5'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.178.105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Feb 24 04:16:53 2026
[+] Requests Done: 473
[+] Cached Requests: 19
[+] Data Sent: 128.264 KB
[+] Data Received: 822.126 KB
[+] Memory used: 269.324 MB
[+] Elapsed time: 00:00:51
💡 Why this works
The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.
Privilege Escalation
💡 Why this works
Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.
Lessons Learned / Key Takeaways
- Validate framework debug mode and error exposure in production-like environments.
- Restrict file permissions on scripts and binaries executed by privileged users or schedulers.
- Harden sudo policies to avoid wildcard command expansion and scriptable privileged tools.
- Treat exposed credentials and environment files as critical secrets.
Attack Flow
At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.
flowchart LR
subgraph SCAN["🔍 Scan"]
direction TB
S1["Enumerated web content with feroxbuster"]
S2["Discovered anonymous SMB share on port 36445"]
S3["Fingerprinted WordPress stack with WPScan"]
S1 --> S2 --> S3
end
subgraph INITIAL["💥 Initial Foothold"]
direction TB
I1["Identified candidate entry points\nsimple-file-list plugin and admin user"]
I2["No confirmed shell callback transcript saved"]
I1 --> I2
end
subgraph PRIVESC["⬆️ Privilege Escalation"]
direction TB
P1["Privilege escalation phase not documented in source notes"]
end
SCAN --> INITIAL --> PRIVESC
References
- RustScan: https://github.com/RustScan/RustScan
- Nmap: https://nmap.org/
- feroxbuster: https://github.com/epi052/feroxbuster
- Nuclei: https://github.com/projectdiscovery/nuclei
- GTFOBins: https://gtfobins.org/
- HackTricks Privilege Escalation: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html
This post is licensed under CC BY 4.0 by the author.