THM: b3dr0ck
THM: b3dr0ck is a Flintstones-themed boot to root challenge that is fairly straightforward and mostly involves enumeration. We’ll start by exploring the open services on the box and leaking credentials in order to gain a foothold. Once on the box, we will continue our enumeration by looking through some of the code for the leaky service in order to get the password for another low-privilege user and pivot to that account. Finally, we’ll get a root shell by deobfuscating a password hash and finding the plaintext in a rainbow table.
Headless Kali Linux Lab Setup Using Docker
I recently built myself a new Kali Linux lab for playing CTFs using Docker. It is more lightweight and portable than a VM. In this article I will share how it works and how I had to adapt my CTF workflow to support hacking from a Docker container.
THM: Tech_Supp0rt: 1
THM: Tech_Supp0rt: 1 is a Linux boot to root challenge where we’ll pwn a fake tech support scam company. We’ll start by leaking credentials for a web CMS through an open SMB share. The CMS turns out to be vulnerable to authenticated arbitrary file uploads, and since we have creds we can exploit this to get a shell. Once on the box, there are 2 paths we can take to get a root shell. One involves pivoting to another user on the system and exploiting their sudo privileges, and the other involves exploiting CVE-2021-4043.
THM: Agent T
THM: Agent T is a fast and easy box demonstrating the importance of enumeration. After a quick port scan, we’ll quickly see that something about the only service running seems odd. It is a development build of PHP, and a quick web search tells us this version includes a backdoor that allows an attacker to easily achieve RCE by simply manipulating HTTP headers.
THM: Biblioteca
THM: Biblioteca is a medium difficulty Linux box that starts with a classic SQL injection vulnerability. We’ll use several UNION attacks to enumerate the database and eventually leak some user credentials. We’ll use those to SSH into the box and pivot to another user account by simply guessing a weak password. Finally, we’ll escalate to a root shell by hijacking the PYTHONPATH environment variable when running a Python script via sudo.