{"id":566,"date":"2026-04-21T16:18:38","date_gmt":"2026-04-21T16:18:38","guid":{"rendered":"https:\/\/rmfsales.com\/?p=566"},"modified":"2026-04-21T16:18:38","modified_gmt":"2026-04-21T16:18:38","slug":"offsec-proving-grounds-walkthrough-escape","status":"publish","type":"post","link":"https:\/\/rmfsales.com\/?p=566","title":{"rendered":"Offsec Proving Grounds Walkthrough &#8211;  Escape"},"content":{"rendered":"<p>Walkthrough of the machine called &#8220;Escape&#8221; in the <a class=\"_03702b49 _0cc16c0e\" href=\"https:\/\/www.linkedin.com\/company\/offsec-training\/\"><span class=\"c05af92a\"><strong>OffSec<\/strong><\/span><\/a> Proving Grounds&#8230;this is a Linux machine rated as hard. In this video we exploit a website using Burp Suite to upload a PHP reverse shell masquerading as a .gif. Once on the machine we determine the we can escape the Docker container using the SNMP &#8220;extend&#8221; functionality. Finally, we laterally move to the user Tom via a exploitation of a custom binary using capabilities and modifying the search order of our PATH. We then privesc taking advantage of an OpenSSL server, again, using incorrectly set capabilities.<\/p>\n<div class=\"jetpack-video-wrapper\"><iframe loading=\"lazy\" title=\"Offsec Proving Grounds Walkthrough -  Escape\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/DjPsmJF0-Ac?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Walkthrough of the machine called &#8220;Escape&#8221; in the OffSec Proving Grounds&#8230;this is a Linux machine rated as hard. In this video we exploit a website using Burp Suite to upload a PHP reverse shell masquerading as a .gif. Once on the machine we determine the we can escape the Docker&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[53,48,7,55,44,10,1,54],"tags":[51,13,28,57,46,15,56],"class_list":["post-566","post","type-post","status-publish","format-standard","hentry","category-ethical-hacking","category-hacking","category-linux","category-offsec","category-security","category-tutorial","category-uncategorized","category-walkthrough","tag-cybersecurity","tag-linux","tag-networking","tag-offsec","tag-security","tag-tutorial","tag-walkthrough"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/posts\/566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rmfsales.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=566"}],"version-history":[{"count":1,"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/posts\/566\/revisions"}],"predecessor-version":[{"id":567,"href":"https:\/\/rmfsales.com\/index.php?rest_route=\/wp\/v2\/posts\/566\/revisions\/567"}],"wp:attachment":[{"href":"https:\/\/rmfsales.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rmfsales.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rmfsales.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}