Latest articles

Heist - HackTheBox

This is an easy machine. For the intrusion I found credentials in a web server path and used them to dump more users with lookupsid.py. With the user Chase I authenticated with a password cracked in evil-winrm. For the privilege escalation I dumped a Firefox process with procdump64.exe and leaked in the dump through login.php and it reported me access credentials as Administrator.

WriteUp - HackTheBox

This is an easy difficulty machine. I quite liked this machine; the intrusion was fun. I took advantage of a vulnerable version of CMS Made Simple; the exploit I used exploited a SQL vulnerability. Once I gained access to the machine I had a few issues escalating, until I saw that it was running run-parts without its absolute path when starting SSH, so I took advantage of a PATH hijacking.

OpenAdmin - HackTheBox

This machine is of easy difficulty. I liked the intrusion better, by taking advantage of a vulnerable control panel called OpenNetAdmin. I used an exploit that exploited the vulnerability of the panel and granted you remote execution of arbitrary code. This time the escalation was quite easy to complete: by doing sudo -l I allowed myself as any user to execute the nano binary to a file called priv.

Shocker - HackTheBox

This is an easy machine; the experience has not been frustrating due to its ease. While fuzzing I found a directory called cgi-bin, so I thought it might be a Shellshock. While fuzzing again I found a script called user.sh, and it was vulnerable to Shellshock. Once I gained access to the machine I took advantage of Perl because I could run it with sudo.

Bastion - HackTheBox

This machine is of easy difficulty. I especially liked it because it touched on Active Directory issues. For its intrusion I took advantage of a virtual hard disk file; I was able to dump SAM hashes and I managed to crack the l4mpje user’s hashes with john. For privilege escalation I found a file called consConf.xml that had a coded key; I decoded it and got root.

Active - HackTheBox

This machine is of easy difficulty. I liked intrusion more than privilege escalation. For its intrusion I found the group preferences key in a shared resource called Replication and in the Groups.xml file; I decrypted it with gpp-decrypt and it gave me access with smbclient using the SVC_TGS user. For the escalation I managed to dump the Administrator user’s Ticket; it helped me authenticate with psexec.

Oopsie - HackTheBox

This machine is a ‘Starting Point’. I liked intrusion more than privilege escalation. Accessing a panel using credentials from another machine, I brute-forced a URL parameter (id) and found a user with more privileges. I managed to change the view of the page and get a reverse shell to go up in PHP. For its escalation I found a program that was running cat without its absolute path; this was PATH hijacking.

Spectra - HackTheBox

This is an easy machine. I liked the intrusion more than the privilege escalation. For its intrusion I managed to make ‘directory listing’ and get to see WordPress credentials. I authenticated with the administrator user, and I managed to modify the 404 template and embed a reverse shell. In the privilege escalation it allowed me to execute the initctl binary with any user; I modified a service and got root.

ArcheType - HackTheBox

This machine is a ‘Starting Point’. I liked the intrusion better. I took advantage of a DTS file with XML code in the backups share that had authentication credentials in clear text. I connected with mssqlclient and achieved RCE using PowerShell code, and I started a reverse shell. For the escalation of privileges I found a file in a system path with credentials, and I managed to authenticate with winexe.

Tenet - HackTheBox

This machine is of medium difficulty. I liked the intrusion much more than the escalation. For the intrusion I managed to download a .bak file that had the code of the page; seeing it I realized that I was dealing with an insecure deserialization in PHP. I serialized malicious code and uploaded it to the server. For the escalation I had to include my public key before it was copied to known_hosts.