THM: Jason
data:image/s3,"s3://crabby-images/c591e/c591e4c0b6a2acd9d35d75db1932cb0a6afbe46c" alt="THM: Jason"
Jason is an easy box where we’ll practice exploiting insecure deserialization in NodeJS. To make it a little more interesting, this is a blind vulnerability, meaning we’ll have to find some other way besides checking if our input is reflected back to us to verify code execution.
THM: h4cked
data:image/s3,"s3://crabby-images/36984/36984a3a741ccf6d19244140f3a3e19c221af0ba" alt="THM: h4cked"
h4cked is a different kind of challenge than the CTFs I normally write about. Quite the opposite actually. We’re given the solution up front and are tasked with reverse engineering a hack by analyzing the traffic recorded in a PCAP file, otherwise known as a packet capture. (It’s an extremely detailed log of all inbound and outbound network traffic over a period of time.) After that we’ll use the findings to replicate the hack and root the box. We’ll use Wireshark to conduct our analysis. Let’s get started!
THM: Wonderland
data:image/s3,"s3://crabby-images/2aa3c/2aa3ca820bfb64480bdd6e1538f156d43f87c3c2" alt="THM: Wonderland"
This Alice in TryHackMe Wonderland themed box is quite the rabbit hole. It starts with some basic web app enumeration, leading us to leaked credentials buried deep in a series of hidden directories. Once we get a foothold we’ll solve a series of path/code injection challenges with some light reversing to make a couple of horizontal jumps before finally getting a root shell. I really enjoyed this box. The hints make it more like a puzzle than a realistic hacking challenge, but the privesc was fun.
THM: Mustacchio
data:image/s3,"s3://crabby-images/b1c2d/b1c2d62fae3ed2979feb13e4d0b81cf503b8b88d" alt="THM: Mustacchio"
Mustacchio is a fun boot to root Linux box. We’ll start with some enumeration on an HTTP service and find credentials for the admin panel in a SQLite database backup. Once we’re in, it quickly becomes apparent after more enumeration that we’ll want to test for XXE. With XXE confirmed, we can then exfiltrate the private key of a user on the box and use that to gain SSH access. Finally, we’ll escalate privileges by performing a path injection attack on a root-owned SUID binary.
THM: Debug
data:image/s3,"s3://crabby-images/c2862/c286216803b1f648c9cd064ab6b66f086a1fa4a3" alt="THM: Debug"
In Debug we’ll practice an exploitation technique called PHP Object Injection, also known as a PHP deserialization attack. This vulnerability occurs when an application does not sanitize user-supplied input before passing it to the `unserialize()` function. It is not unique to PHP, and is also found in Python, Java, Node.js, and other object-oriented languages.