Pilgrimage is an easy machine that starts with identifying the ImageMagick tool that the target web application uses to shrink images. The tool is vulnerable to an arbitrary file read, which enables us to fetch the credentials from a database file. These credentials were used to SSH in and gain a user shell. The privilege escalation consists of exploiting Binwalk, which runs inside a cron script.
Machine Name: Snoopy
IP: 10.10.11.212
Difficulty: Hard
Summary
Snoopy is a hard machine that starts with discovering subdomains through a DNS zone transfer and exploiting an LFI to obtain site configuration files, which revealed the mail server's secret key. The key was used to update the mail server's DNS records so that mail would be received on my local SMTP server. The discovered Mattermost subdomain had an "email password reset link" page; the reset password for user cbrown was received on the SMTP server. The authenticated Mattermost session provided an option to interact with the server through SSH, which was intercepted to perform a man-in-the-middle attack and fetch the SSH credentials of cbrown. The user cbrown could run the "git apply" command as user sbrown, which was exploited using a known vulnerability that uses symbolic links to access files of the user running Git. This was used to write an SSH public key into sbrown's account and gain an SSH shell. Privilege escalation involved exploiting ClamAV's XXE vulnerability to fetch the private key of root.
OpenSource, as its name suggests, is all about exploiting information that is openly available. It demands knowledge of LFI, Docker, Flask, reading source code and, of course, Git. To get the user shell, an LFI vulnerability was exploited to obtain RCE. Then, a Docker container needed to be escaped in order to gain the user shell. Knowledge of tunneling helps to connect to the host machine and enumerate further; access to the host lets us gain a user account via leaked credentials. Escalating privileges requires understanding Git hooks in order to exploit a process running as root. This box is great for someone who is new to programming and is learning code/version management tools like Git.