Pilgrimage is an easy machine which starts with identifying the ImageMagick tool that the target web application uses to shrink images. The tool is vulnerable to an arbitrary file read, which enables us to fetch credentials from a database file. These credentials were used to SSH in and gain a user shell. The privilege escalation consists of exploiting Binwalk, which runs inside a cron script.
Topology is an easy machine which starts by exploiting LaTeX injection to read files on the server that contain password hashes. After cracking the password hash, it was possible to log in via SSH and obtain the user flag. The privilege escalation consisted of enumerating processes that are run by root. One of the processes run by root executed “.plt” files in a particular folder to which the user had write permissions. Finally, it was a simple matter of looking up the documentation on running OS commands for that particular extension and using it to gain a shell as root.
Busqueda is an easy machine that challenges you to read code, find the vulnerability, and craft syntactically correct payloads that suit the code when injected. The privilege escalation is straightforward and explores relative path hijacking through SUID scripts to get root.
Machine Name: Agile
IP: 10.10.11.203
Difficulty: Medium
Summary
Agile is a medium machine that starts with discovering an LFI, which was leveraged to gain the information required to crack the Werkzeug PIN. The Werkzeug PIN allowed console access, which gave us a shell as www-data. A config file revealed MySQL database credentials. The credentials for user corum were found there and were used to SSH into the box. Enumerating further, it was found that Chrome was running with a remote-debugging-port at 41829; forwarding that port to the attacker machine gave us access to an existing session of the application. The credentials for user edwards were found here and were used to SSH into the box. Privilege escalation to root involved exploiting sudo version 1.9.9, which was used to execute a writable script running as root.
Machine Name: Socket
IP: 10.10.11.206
Difficulty: Medium
Summary
Socket is a medium machine that starts with decompiling an executable and obtaining its Python source code. The source code reveals how one can communicate with the hosted WebSocket server. The WebSocket server is vulnerable to SQLi, which is leveraged to obtain password hashes for the user. The privilege escalation involves exploiting a script that the user can run as root. This script uses PyInstaller to build files. A Python file that sets the SUID bit was executed using this script to gain root privileges.
Inject is an easy machine which starts with exploiting an LFI to gain information about the application, which is built on the Spring Framework. Through the LFI, we discover one of the configuration files, which reveals that the framework version is vulnerable to RCE. The RCE in Spring Cloud is exploited to gain a shell as user Frank. However, only user Phil can read the user flag. The credentials of Phil were found in another configuration file and were used to switch user to Phil. Privilege escalation consisted of checking for cron jobs and looking for vulnerabilities in the jobs running as root. Ansible was being run on all the “.yml” files, which was exploited to gain access as root.
Stocker is an easy machine which starts with subdomain enumeration and leads to NoSQL injection to bypass a login page. Then, it challenges us to understand the flow of API calls that generate a PDF, which can be exploited to read local files on the server using a server-side XSS exploit. We find the credentials of a user by exploiting the server-side XSS to read the source code of the application. The privilege escalation involves abusing sudo rights that allow the user to run JavaScript files as root.
Machine Name: Interface
IP: 10.10.11.200
Difficulty: Medium
Summary
Interface is a medium machine that requires some “curling” skills to form requests and demystify their respective response codes. The machine involves a lot of fuzzing for API endpoints and parameters, which leads to an exploit for DomPDF. The vulnerability deals with how DomPDF caches the font file and allows remote files to be read. The privilege escalation teaches a new technique that abuses arithmetic expression injection in bash scripts.
MetaTwo is an easy machine that requires exploiting a SQLi that leads us to hashes that need to be cracked. The cracked hash credentials provide access to a WordPress dashboard. This WordPress version is vulnerable to blind XXE via WAVE file format metadata. The XXE gives us access to the “wp-config.php” file, which contains a cleartext password for FTP. Enumerating the FTP server, SSH credentials are found for a user. Privilege escalation requires an understanding of private and public keys and the different methods that are used to encrypt them. Passpie is the application that was used to encrypt the private keys found. We can crack the GPG format keys using John and gain the credentials for root.
Machine Name: Investigation
IP: 10.10.10.197
Difficulty: Medium
Summary
Investigation is a medium machine that has a web server vulnerable to command injection. With enough enumeration, the command injection is easy to exploit. However, it only leads to a shell as www-data. Getting a user shell requires some log file analysis and common sense. Privilege escalation deals with binary analysis and code review.