Time is a medium-rated Linux machine created by egotisticalSW & felamos. Initial foothold is discovered by accessing a JSON beautifier and validator running on port 80. Server Side Request Forgery can be abused to perform code execution and gain user access. Root privilege is obtained by modifying a back up script writable by the compromised user and is initiated by root.
Nmap discovered ports 80(http), and 22(ssh) open.
Passage is a medium-rated Linux machine created by ChefByzen. Initial foothold is gained by exploiting a vulnerable version of CuteNews PHP. User compromise is performed by finding encoded files and decrypting a SHA256 password. Movement to another user was done by simply authenticating through SSH in localhost. Root privileges are granted after copying nadav’s public key to root’s authorized_keys file by exploiting a vulnerable USB creator (gdbus).
Nmap discovered port 22(ssh) and port 80(http) open.
Doctor is an easy Linux box created by egotisticalSW. Initial foothold is discovered by fuzzing the ‘New Message’ form in the Doctor Secure Messaging page. A reverse shell can be spawned by performing Server Side Template Injection. Lateral movement to user ‘shaun’ is done by finding his password in a backup file. Root privileges are granted after exploiting SplunkForwarder which is vulnerable to remote code execution/local privilege escalation.
Nmap discovered 3 open ports, 22(ssh), 80(http), and 8089(Splunkd).
OpenKeyS is a medium-rated OpenBSD machine created by polarbearer & GibParadox. Initial foothold can be obtained by discovering a authentication bypass on the HTTP service. User access is gained by adding a username cookie for a discovered user, ‘jennifer’ along with the exploitation of the authentication bypass to snatch an SSH private key. Root privilege is obtained by exploiting a local privilege escalation via S/Key auth with a user belonging to ‘auth’ group.
Nmap scan shows only port 22(SSH) and port 80(HTTP) open.
Unbalanced is a hard-rated Windows machine created by polarbearer & GibParadox. Initial foothold is discovered by downloading encrypted configuration files from the RSync service running on port 873. Hostnames are found on the squid configuration file after decrypting the files with EncFS. Boolean-based SQL Injection is performed to gather user credentials for SSH authentication after accessing the discovered hostnames through the squid proxy service. Root privileges are granted by exploiting a Code Execution vulnerability on a Pi-hole service listening locally and finding root’s password in the pi-hole config script.
Nmap discovered ports 22(SSH), 873(rsync), and 3128(Squid HTTP Proxy 4.6) …
SneakyMailer is a medium-rated Linux machine created by sulcud. Initial foothold is discovered by performing a social engineering attack to get a user hand over his credentials for the Internet Message Access Protocol(IMAP) service. Access to the FTP server is gained after finding credentials in one of the email in the Sent Items. User shell is obtained by uploading a PHP reverse shell in the FTP server and triggering it over the HTTP protocol. Lateral movement to user ‘low’ is performed by uploading a python package that contains malicious code which will be installed and executed by user ‘low’. …
Buff is an easy-rated windows machine created by egotisticalSW. User access is gained by exploiting a Remote Code Execution(RCE) vulnerability on Gym Management Software 1.0. Administrative privileges were obtained by exploiting a buffer overflow vulnerability on CloudMe 1.11.2.
Nmap scan only shows port 8080 (http) open.
Tabby is an easy-rated Linux machine created by egre55. Initial foothold is obtained by discovering tomcat credentials with the help of Local File Inclusion. Access as tomcat is granted after deploying a WAR file which contains a reverse shell payload to the tomcat manager text interface. Lateral movement to Ash user is performed by taking advantage of reused passwords and root privileges are gained by abusing the system container manager(LXD) group where Ash is a member of.
Nmap scan results show ports 22(ssh), 80(http), and Apache Tomcat running on port 8080(http).
Fuse is a medium-rated windows machine created by egre55. Initial foothold is gained by discovering an expired password that can be changed in order to get access to SMB shares and RPCClient. A user shell is obtained by enumerating the printer in RPCClient and determine a password used by one of the users. Administrative privileges is obtained by abusing SeLoadDriverPrivilege.
Nmap scan results show common ports for LDAP such as port 445,139(smb), 135(rpc), 88(kerberos), and an HTTP service on port(80).
Admirer is an easy-rated linux machine created by polarbearer and GibParadox. Initial foothold focuses on discovering ftp credentials on the web server that leads to discovery of files. User access is gained after finding credentials by exploiting a vulnerability in adminer database. Root privileges are obtained by exploiting sudo privileges that lets us set a python environment to our own package that has a malicious python module.
Nmap only shows port 21(ftp), 22(ssh), and 80(http) open.