Obscurity
Obscurity was a medium Linux box that offered completely custom-written software. This was a cool concept to explore, because it required diving into source code to spot vulnerabilities. The foothold came from fuzzing to find the source of the web server and then spotting a vulnerable exec function that ran on user input. User required a bit of reverse engineering to decrypt a key used in a custom encryption tool. Finally, root access came from abusing the temporary write of password hashes during login attempts for a custom SSH service.
Mango
Creator: MrR3boot
OS: Linux
Difficulty: Medium
Points: 30
Initial Scan
I started the enumeration of Mango as usual with an Nmap quick scan, followed by the default script scan and a full port scan. With the script scan I identified three key ports for the box: 22, 80, and 443.
Command: nmap -sC -sV -oN nmap/def-script -p 22,80,443 10.10.10.162
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.
Registry
Creator: thek
OS: Linux
Difficulty: Hard
Points: 40
Reconnaissance
Registry is an Ubuntu host running a private Docker registry server guarded by weak credentials. With some enumeration of the service, I was able to locate a certificate that allowed me to pull the Docker image and examine the filesystem, which gave me an encrypted SSH key and its password. With the user account, I dug through the SQLite database for the web server and found admin credentials.
Bitlab
Creator: Frey & thek
OS: Linux
Difficulty: Medium
Points: 30
Initial Scan
I identified two open ports (22 and 80) with my quick scan: nmap -F 10.10.10.114. I’ll do a script scan to get some more information.
Nmap 7.80 scan initiated Mon Dec 2 13:52:48 2019 as: nmap -sC -sV -oN nmap/def-script -p 22,80 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.
Postman
Creator: TheCyberGeek
OS: Linux
Difficulty: Easy
Points: 20
Initial Scan
I started with an initial Nmap scan of the host and discovered ports 22, 80, and 10000.
Command: nmap -F -oN nmap/quick 10.10.10.160
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10000/tcp open snet-sensor-mgmt
Further script scanning revealed an Apache service and a MiniServ service.
Command: nmap -sC -sV -oN nmap/def-script -p 22,80,10000 10.10.10.160
80/tcp open http Apache httpd 2.