Admirer required lots of enumeration, and was more challenging than most other easy boxes for this reason. I explored several services before arriving at the vulnerability in Adminer, a web-based database management system. I abused the local file read vulnerability to get credentials for a user on the box, and was able to SSH as that user. I then found a vulnerability in the sudoers configuration, which allowed me to build a malicious shared library and execute it with another command as sudo.

Logo Creator OS Difficulty Points Release jkr Linux Easy 20 Initial Scan I started with an initial NMAP scan of the host, and discovered ports 22 and 80. Command: nmap -F -oN nmap/quick 10.10.10.165 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Further script scanning revealed that the HTTP service was running nostromo 1.9.6. Command: nmap -sC -sV -oN nmap/def-script -p 22,80 10.10.10.165 PORT STATE SERVICE VERSION 80/tcp open http nostromo 1.