Admirer

Admirer
Admirer required lots of enumeration, and was more challenging than most other easy boxes for this reason. I explored several services before arriving at the vulnerability in Adminer, a web-based database management system. I abused the local file read vulnerability to get credentials for a user on the box, and was able to SSH as that user. I then found a vulnerability in the sudoers configuration, which allowed me to build a malicious shared library and execute it with another command as sudo.
Read more →

Writeup

Writeup
Writeup was an easy Linux box that required paying attention to what happened when users interact with the server. Getting user required basic web enumeration and the use of an existing SQL injection exploit to get RCE using CMS Made Simple. After that, privilege escalation involved understanding environment variables and how to properly configure a user’s PATH, and abusing a misconfigured command triggered by SSH logins.
Read more →

Control

Control
Logo Creator OS Difficulty Points Graph TRX Windows Hard 40 Reconnaissance Control is a Windows host with a few twists and turns added to some standard services. I used HTTP headers to bypass a required proxy and exploited a SQL injection in the backend database to get credentials. I was then able to exploit my file read and write access through MariaDB to upload a webshell and eventually secure a standard reverse shell with netcat.
Read more →

VirSecCon 2020 Sequelitis

Description: Sequelitis has moved to a new database for keeping track of their customers. Break in. Points: 100 Recon When you visit the URL for the challenge, you get a basic search bar. Based on the name of the challenge, I know this is going to be some kind of SQL injection. When I submit a search request and capture it in BurpSuite, I get a normal looking response with no results.
Read more →