THM: b3dr0ck
THM: b3dr0ck is a Flintstones themed boot to root challenge that is fairly straightforward and mostly involves enumeration. We’ll start by exploring the open services on the box and leaking credentials in order to gain a foothold. Once on the box we will continue our enumeration by looking through some of the code for the leaky service in order to get the password for another low-privilege user and pivot to that account. Finally, we’ll get a root shell by deobfuscating a password hash and finding the plaintext in a rainbow table.
THM: Agent T
THM: Agent T is a fast and easy box demonstrating the importance of enumeration. After a quick port scan we’ll quickly see that something about the only service running seems odd. It is a development build of PHP, and a quick web search tells us this version includes a backdoor that allows an attacker to easily achieve RCE by simply manipulating HTTP headers.
THM: Watcher
THM: Watcher is a boot to root that’s broken down into a series of mini flags. We’ll start by exploiting an LFI vulnerability to leak credentials for FTP, and then we will upload a shell and launch it with the LFI. Once on the box we’ll privesc through a series of low privilege users before ultimately getting root. This box doesn’t require any advanced techniques, just lots of enumeration.
THM: Startup
THM: Startup is an easy Linux box that’s good for practicing enumeration. We will be pentesting the systems of Spice Hut, a spicy new food startup company. It starts off with a misconfigured FTP service that allows anonymous read access as well as write access in a specific directory. We will abuse this to upload some PHP shell code that we can execute through the HTTP service to get our initial foothold. Once on the box, a bit of enumeration reveals a PCAP file labeled as a suspicious incident. After combing through this file we’ll find the password for an unprivileged user. From there, privesc is a straightforward manipulation of a shell script being executed by root on a cronjob.
THM: Team
THM: Team is supposed to be aimed at beginners but requires a lot of enumeration and persistence to get through to root. It can feel like there are a lot of rabbit holes getting started, but once we make it through a few rounds of content enumeration we’ll find a hint that leads us to a hidden PHP page where we can exploit an LFI vulnerability. We’ll use that to find FTP credentials and later an SSH key that we can use to get into the box. Finally, we’ll escalate our privileges to root by exploiting a command injection vulnerability in a bash script and then adding a malicious command to a script running on a cronjob as root.
THM: OhMyWebserver
THM: OhMyWebserver is a medium difficulty Linux box that presents a fun set of challenges. We’ll exploit multiple CVEs to get remote code execution. There are multiple layers of privilege escalation, as the initial target is a Docker container. Let’s get started!
THM: Gallery
THM: Gallery is a fun boot to root challenge that involves a variety of techniques to get the initial foothold. We’ll start by enumerating an Apache server that’s running a highly flawed image gallery CMS. It is vulnerable to SQL injection which we’ll exploit to bypass authentication. Once logged in we’ll find out there is no filtering or validation on file uploads, and we’ll be able to upload arbitrary PHP code and use that to send ourselves a reverse shell. Finally, we’ll do some basic enumeration on the box to capture the flags.
THM: LazyAdmin
LazyAdmin is an easy and fun Linux box running a PHP-based CMS. We’ll start with some enumeration to find our way around, and that will eventually lead to credentials for the CMS being leaked through a database backup. Once we have admin access we’ll be able to upload and execute arbitrary PHP code, which we’ll exploit to get a shell. There’s not much required to grab the user flag from there, and we can abuse a combination of sudo privileges with wide open file permissions to escalate to a root shell. Let’s get started!
THM: Lian_Yu
Lian_Yu is a beginner-friendly CTF mostly focused on enumeration. We’ll fuzz a website to find credentials that will get us access to the FTP service. There we’ll find an image file to perform steganalysis on, and that will reveal a password we can use to SSH into the box. Escalating to root from there is just a matter of escaping from a binary we have sudo privileges for.
THM: VulnNet Internal
VulnNet Internal is one of the more fun boxes I’ve done so far. For this box we won’t be searching for known exploits or attacking a webapp. Instead, we’ll enumerate several network services to find info that will ultimately help us find a way to a shell. Once we get a user shell we’ll continue enumerating and see what services are running internally. We’ll encounter an internal service running as root that we can create an SSH tunnel to and escalate to a root shell.
THM: Boiler
Boiler is another enumeration-heavy boot to root challenge. It has multiple rabbit holes to keep things interesting, but at least they don’t end up wasting too much time. Once we find the vulnerable application we will use a command injection bug to get a shell. Finding the user flag requires hopping through a couple of user accounts, again by just focusing on simple enumeration. Finally we will escalate to root by exploiting a root-owned SUID binary.