Remote
Remote was an easy Windows box that involved some research into the Umbraco CMS, and abusing access to an NFS share. Escalating privileges required enumerating services on the box and modifying settings to inject commands. I went the standard route using common tools such as Nishang and PowerSploit for PowerShell.
Control
Creator: TRX | OS: Windows | Difficulty: Hard | Points: 40
Reconnaissance
Control is a Windows host with a few twists and turns added to some standard services. I used HTTP headers to bypass a required proxy and exploited a SQL injection in the backend database to get credentials. I was then able to exploit my file read and write access through MariaDB to upload a webshell and eventually secure a standard reverse shell with netcat.
Forest
Creator: egre55 & mrb3n | OS: Windows | Difficulty: Easy | Points: 20
Initial Scan
My initial scan revealed a lot of open ports, and even more with more in-depth scanning. Some of the most important services I noticed are below:
Nmap 7.80 scan initiated Wed Jan 15 17:20:09 2020 as: nmap -sC -sV -p 53,88,135,139,389,445 -oN nmap/def-script 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up (0.38s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
Jerry
Jerry was the first box I ever owned, and there’s probably a reason for that. It’s an incredibly simple box, but despite its simplicity it was a great learning tool and I was able to teach myself some good fundamentals with reconnaissance, Metasploit modules, and payload creation.