Pilgrimage is an easy machine which starts with identifying the ImageMagick tool that the target web application uses to shrink images. The tool is vulnerable to an Arbitrary File Read, which enables us to fetch credentials from a database file. These credentials are used to SSH in and gain a user shell. The privilege escalation consists of exploiting Binwalk, which runs inside a cron script.
Busqueda is an easy machine that challenges you to read code, find the vulnerability, and craft syntactically correct payloads that suit the code when injected. The privilege escalation is straightforward and explores relative path hijacking through SUID scripts to get root.
Stocker is an easy machine which starts with subdomain enumeration and leads to a NoSQL injection to bypass a login page. Then, it challenges us to understand the flow of API calls that generate a PDF, which can be exploited to read local files on the server using a Server Side XSS exploit. We find the credentials of a user by exploiting the Server Side XSS to read the source code of the application. The privilege escalation involves abusing sudo rights that allow the user to run JavaScript files as root.
Machine Name: Interface IP: 10.10.11.200 Difficulty: Medium
Summary
Interface is a medium machine that requires some “curling” skills to form requests and demystify their respective response codes. The machine involves a lot of fuzzing of API endpoints and parameters, which leads to an exploit for DomPDF. The vulnerability deals with how DomPDF caches the font file and allows remote files to be read. The privilege escalation teaches a new technique that abuses Arithmetic Expression Injection in bash scripts.
MetaTwo is an easy machine that requires exploiting a SQLi that leads us to hashes that need to be cracked. The cracked hash credentials provide access to a WordPress dashboard. This WordPress version is vulnerable to Blind XXE via WAVE file format metadata. The XXE gives us access to the “wp-config.php” file, which contains a cleartext password for FTP. Enumerating the FTP server, SSH credentials are found for a user. Privilege escalation requires an understanding of private and public keys and the different methods that are used to encrypt them. Passpie is the application that was used to encrypt the private keys that are found. We can crack the GPG format keys using John and gain the credentials for root.
Machine Name: Investigation IP: 10.10.10.197 Difficulty: Medium
Summary
Investigation is a medium machine that has a web server vulnerable to command injection. With enough enumeration, it is easy to exploit the command injection. However, it only leads to a shell as www-data. Getting a user shell requires some log file analysis and common sense. Privilege escalation deals with binary analysis and code review.
Precious is an easy machine that requires basic enumeration to find and exploit outdated software running on a web server. To escalate privileges, the machine makes you look at Ruby scripts and understand how one can identify and exploit Insecure Deserialization vulnerabilities.
Machine Name: Catch IP: 10.10.11.150 Difficulty: Medium
Summary
Catch is a machine that requires reverse engineering an APK, enumerating the APK file for information and finding API tokens. Using the tokens, we log in to a dashboard which is vulnerable to an injection that leads to leaking SSH credentials. These credentials are used to get the user shell. Escalating privileges involves monitoring processes and finding a script that allows the user to inject payloads and execute them as root.
OpenSource, like its name suggests, is all about exploiting information that is openly available. It demands knowledge of LFI, Docker, Flask, understanding source code, and of course, Git. To get the user shell, an LFI vulnerability is exploited to get RCE. Then, a Docker container needs to be escaped in order to gain the user shell. Knowledge of tunneling helps to connect to the host machine, enumerate further, and gain access to the user via leaked credentials. Escalating privileges requires understanding the concept of Git hooks to exploit a process running as root. This box is great for someone who is new to programming and learning code/version management tools like Git.
Machine Name: Meta IP: 10.10.11.140 Difficulty: Medium
Summary
Meta is a machine that involves finding a virtual host and then exploiting a vulnerability in the web application. Once exploited, it gives us a limited shell as www-data. To obtain the user shell, we enumerate further into background processes and how they’re being run. Exploiting another vulnerability in the application, we gain access to files that would otherwise be unreadable. With that sensitive information, we gain access to the user shell and proceed to escalate privileges through a SUDO misconfiguration. It involves understanding how the SUDO-allowed binary runs and how an environment variable could be used to leverage the binary’s functionality to gain root privileges.