[writeups] Writeup

Writeup
Writeup was an easy Linux box that required paying attention to what happened when users interacted with the server. Getting user required basic web enumeration and the use of an existing SQL injection exploit to get RCE using CMS Made Simple. After that, privilege escalation involved understanding environment variables and how to properly configure a user’s PATH, and abusing a misconfigured command triggered by SSH logins.
Read more →

[writeups] Obscurity

Obscurity
Obscurity was a medium Linux box that offered completely custom-written software. This was a cool concept to explore, because it required diving into source code to spot vulnerabilities. The foothold involved fuzzing to find the source of the web server and then spotting a vulnerable exec function based on user input. User required a bit of reverse engineering to decrypt a key used in a custom encryption tool. Finally, root access came from abusing the temporary write of password hashes during login attempts for a custom SSH service.
Read more →

[writeups] Control

Control
Creator: TRX | OS: Windows | Difficulty: Hard | Points: 40

Reconnaissance

Control is a Windows host with a few twists and turns added to some standard services. I used HTTP headers to bypass a required proxy and exploited a SQL injection in the backend database to get credentials. I was then able to exploit my file read and write access through MariaDB to upload a webshell and eventually secure a standard reverse shell with netcat.
Read more →

[writeups] Mango

Mango
Creator: MrR3boot | OS: Linux | Difficulty: Medium | Points: 30

Initial Scan

I started the enumeration of Mango as usual with an NMAP quick scan, followed by the default script scan and a full port scan. With the script scan I identified three key ports for the box: 22, 80, and 443.

Command: nmap -sC -sV -oN nmap/def-script -p 22,80,443 10.10.10.162

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.
Read more →

[writeups] Traverxec

Traverxec
Creator: jkr | OS: Linux | Difficulty: Easy | Points: 20

Initial Scan

I started with an initial NMAP scan of the host, and discovered ports 22 and 80.

Command: nmap -F -oN nmap/quick 10.10.10.165

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Further script scanning revealed that the HTTP service was running nostromo 1.9.6.

Command: nmap -sC -sV -oN nmap/def-script -p 22,80 10.10.10.165

PORT STATE SERVICE VERSION
80/tcp open http nostromo 1.
Read more →