THM: Biblioteca
THM: Biblioteca is a medium difficulty Linux box that starts with a classic SQL injection vulnerability. We’ll use several UNION attacks to enumerate the database and eventually leak some user credentials. We’ll use those to SSH in to the box and pivot to another user account by simply guessing a weak password. Finally, we’ll escalate to a root shell by hijacking the PYTHONPATH environment variable when running a python script via sudo.
THM: Gallery
THM: Gallery is a fun boot to root challenge that involves a variety of techniques to get the initial foothold. We’ll start by enumerating an Apache server that’s running a highly flawed image gallery CMS. It is vulnerable to SQL injection which we’ll exploit to bypass authentication. Once logged in we’ll find out there is no filtering or validation on file uploads, and we’ll be able to upload arbitrary PHP code and use that to send ourselves a reverse shell. Finally, we’ll do some basic enumeration on the box to capture the flags.