Machine Name: Socket
IP: 10.10.11.206
Difficulty: Medium

Summary

Socket is a medium machine that starts with decompiling an executable to recover its Python source code. The source code reveals how to communicate with the hosted WebSocket server. The WebSocket server is vulnerable to SQL injection, which is leveraged to obtain the user's password hashes. The privilege escalation involves exploiting a script that the user can run as root; this script uses PyInstaller to build files. A Python file that sets the SUID bit was executed through this script to gain root privileges.
Machine Name: Scrambled
IP: 10.10.11.168
Difficulty: Medium

Summary

Scrambled is a medium machine that requires an understanding of how Kerberos works. It includes enumerating users through the error messages of the Kerberos authentication protocol, then password spraying to obtain valid credentials for the discovered users. The obtained credentials are used to get a TGT, through which the SPN and TGS are obtained. The TGS was cracked and new credentials were obtained. The new credentials did not work when logging in with the MSSQL client. The TGT was used to enumerate the SMB share, where a PDF with information about the imposed access controls was found: only administrator accounts can access the SQL database. A Silver Ticket attack was performed in order to gain access to the database, where more credentials were found and a shell could be obtained. After gaining the user shell, a DLL file was found, decompiled and analysed. A serialization method was being called, which was exploited by crafting a payload using ysoserial to gain an administrator shell.