In VulnNet we’ll enumerate a corporate website and learn of another hidden app hosted on a subdomain. By exploiting an LFI vulnerability on the first site we will leak credentials for the other. After cracking the hash we can authenticate and see what’s hiding on the subdomain. We’ll quickly find the app has public exploits available that can be used to upload a file on to our target and spawn a reverse shell. Finally, with a bit of enumeration on the machine we’ll find a way use wildcard injection to exploit a command in a job that is owned by root and escalate to a root shell.

Battery is a medium difficulty Linux box that touches on several techniques. We’ll start with fuzzing a webapp and reverse engineering an executable we find on the target as part of our enumeration stage. Then we’ll move on to exploiting a null byte injection vulnerability in the very old version of PHP to gain access to the webapp as an admin user. Once inside we’ll find an XXE bug that will allow us to enumerate files on the target and leak SSH credentials for an unprivileged user. Finally we’ll walk through 2 different privilege escalation techniques to get a root shell and capture the flag!

Ninja Skills is not a boot to root challenge – it’s a series of linux command line exercises mostly focused on advanced use of the find command. It starts by giving us a list of file names with a teaser: “The aim is to answer the questions as efficiently as possible." I took that as a challenge to answer each question with a BASH one-liner and with minimal output.

VulnNet Internal is one of the more fun boxes I’ve done so far. For this box we won’t be searching for known exploits or attacking a webapp. Instead, we’ll enumerate several network services to find info that will ultimately help us find a way to a shell. Once we get a user shell we’ll continue enumerating and see what services are running internally. We’ll encounter an internal service running as root that we can create an SSH tunnel to and escalate to a root shell.

Boiler is another enumeration-heavy boot to root challenge. It has multiple rabbit holes to keep things interesting, but at least they don’t end up wasting too much time. Once we find the vulnerable application we will use a command injection bug to get a shell. Finding the user flag requires hopping through a couple of user accounts, again by just focusing on simple enumeration. Finally we will escalate to root by exploiting a root-owned SUID binary.