This is a hard difficulty machine, for the intrusion I took advantage of a vulnerable version of ‘cacti’ and gained access to the machine by exploiting ‘SQLi’ in an automated manner and gaining access from a ‘mkfifo’ reverse shell, for the escalation I found a Docker ‘capability’ called ‘SYS_MODULE’ vulnerable to privilege escalation.
This is an Easy difficulty machine, for the intrusion I took advantage of downloading a .pcap file on the web and got a password that allowed me to authenticate via SSH, for the privilege escalation I found the Python capability in the system that allowed me to change the UID, I changed it to 0 and gained root access.
This is a medium difficulty machine, to break into it I took advantage of an SNMP MIB to enumerate, I found a user and a web server path, a control panel reported to me and I accessed it with Michelle as username and password, I was able to upload a ‘webshell’ taking advantage of a panel exploit, I managed to escalate privileges by taking advantage of a binary that was executed when scanning SNMP with a MIB.
This is a medium difficulty machine, for its intrusion I took advantage of an ‘XSS’ to steal the session cookie from the administrator and make use of an ‘exploit’ to gain arbitrary code execution, for the privilege escalation I had the ability to execute the pkg binary with ‘root’ privileges, for this I went to gtfobins and found a payload that allowed privilege escalation.
This is a medium difficulty machine, for its intrusion I took advantage of a buffer vulnerable to ‘SSTI’ on a server with GO and managed to enumerate deposits with AWS and upload a ‘webshell’ in PHP to the web server, for the escalation of privileges I managed to find a backdoor nginx module and found the parameter that I needed for the ‘RCE’ as the ‘ROOT’ user.
This is an easy machine, for its intrusion I took advantage of a vulnerable version of PHP/8.1.0-dev, adding the header ‘User-Agent’ followed by ‘zerodiumsystem()’ it was found that ‘RCE’ could be gained, for this I established a reverse shell through netcat and gained access, for escalation I found that the Knife binary could be executed as root user, search in gtfobins and escalate privileges.
This is an easy difficulty machine, to break into it I managed to dump credentials into a file scanner, with searchsploit I found an exploit that allowed me to gain access, but I had to be authenticated, I entered the credentials into the exploit and pointed it to my IP to receive a reverse shell, in the privilege escalation I found that I had AlwaysInstallElevated privileges, meaning I could deposit malicious .msi files.
This is a medium difficulty machine, for the cookie intrusion I was able to find out that I was dealing with a JWT attack, to break it I created a new cookie pulling my private key through a Python server and changed the panel, it had an option to upload files, I created a reverse shell and uploaded it, for the privilege escalation I took advantage of a vulnerable version of Docker.
This is an easy machine, for the intrusion I took advantage of a vulnerable version of Drupal that was running on the system and gained RCE, I had to migrate to another user, for this I found MySQL credentials that helped me find a hash, after breaking it the credential was of the user I had to migrate to, for the privilege escalation I took advantage of snap, since it could be executed with sudo privileges.
This is an easy machine, for its intrusion I managed to enumerate users with the rpcenum tool of s4vitar and I managed to dump a net ntlm v2 hash without authentication to the kerberos protocol, this technique is called ASREPRoast, I also managed to crack it by brute force with john, I accessed it with evil-winrm, for the escalation I used BloodHound to see the attack vector, I saw that I could grant myself DCSync privileges based on the group function.