Freelancer is a hard difficulty lab from HackTheBox which features a web application and Windows Active Directory. The web application has broken access control which allowed us to login as the administrator through an IDOR. From there, we gain access to a panel that allows us to execute SQL commands, and gain initial foothold onto the box. The foothold is interesting as it involves MSSQL impersonation and AV evasion. After gaining the foothold, we discover hardcoded credentials in one of the configuration files to get to user. The root step using a crash dump file to extract passwords from SAM. This gives us access as another user that is a member of the AD Recycle Bin Group. This group had GenericWrite privileges over the domain controller, which allowed us to perform a Resource-Based Constrained Delegation (RBCD) attack to get a shell as the Domain Admin.

3108 CTF is a Malaysian CTF organized by Bahtera Siber, themed around National Day. This is my first time joining the event, and I got to solve a few challenges. 🇲🇾🇲🇾🇲🇾

Cap is an easy machine from HackTheBox which has a website that allows users to download pcap files. I'll exploit an IDOR to grab a pcap which contains the user's credentials to get a shell on the box. For the root step, I'll discover that the `CAP_SETUID` capability is set for `python3.8` which allows us to manipulate the proecss UID to get a shell as root.

Publisher is an easy box from TryHackMe which features a vulnerable instance of SPIP that allows us to get unauthenticated RCE. After getting user on the box, we notice that we are being blocked by some sort of ACL. The root step involves bypassing AppArmor, and exploiting an unexpected SUID in which we have control over to get a shell as root.

In Crafty, I'll exploit the infamous Log4j RCE exploit (CVE-2021-44228) on a Minecraft server to gain a shell as the user. Then, I'll discover a jar file in one of the user's directories, decompile it, and discover a hardcoded password which allows me to gain a shell as the Administrator.

Lame as its name suggests is a very easy box. The services running on the box are old, and there is a known CVE that allows to directly gain a shell as root.

In DC-9, we only have access to a web application, which is vulnerable to SQL injection and LFI. We exploit the SQL injection to collect a set of credentials that is used later on in the box. The interesting part of this box is that it uses port knocking to “hide” the SSH service. We leverage the LFI to find the specific port sequence, and after opening the port, we perform a password spray to get valid users. In root, one of the users is able to run a binary as root, which allows us to add ourselves as root by writing to the /etc/passwd file.

FALL is an easy box from the digitalworld.local series. It hosts a web application that uses CMS Made Simple, where we discover an LFI vulnerability that allows us to read the SSH private key of the user on the box. Then, we find the user’s credentials in their bash history, which allows us to run sudo. The user had run ALL privileges on the box, so we jump straight to root.