First we find a web server running GitLab; it appears to be running a version with an RCE vulnerability.
After gaining access to the machine, it turns out that we are in a Docker container. We have to get root in the container and then get out of the cage.
The root password is obtained by reviewing log files. It is possible to escape from the container because it is running with the --privileged flag.
The port scan shows nothing but an SSH server and a web server:
Hello everyone! This machine consists of finding a subdomain (vhost) on the host to discover software that is outdated and has an RCE vulnerability, with which we can get a revshell.
Once inside the machine, we discovered that we are in a Docker container, but we managed to obtain some SSH keys from the host by changing the password of the GitLab admin user.
Once on the host, we managed to escalate to root thanks to a process with the SUID bit that calls a command without its absolute path, so we take advantage…
This machine is about exploiting an online JSON parser that has an RCE vulnerability.
After gaining access to the machine, it is possible to escalate to root by modifying a script that is executed periodically.
The port scan only shows SSH and a web server.
Initial access to the machine is achieved through an outdated CMS!
Later, it is possible to escalate to a regular user by studying the web files. Another horizontal escalation is achieved thanks to SSH.
We manage to escalate to root via USBCreator D-Bus!
First, and as always, a port scan shows us that there is an SSH server and a web server.
This machine is about getting access to an admin panel on the web page by modifying the parameters when registering a user.
After this, another web page is discovered that uses a technology with a vulnerability that allows RCE.
With this, you can access the machine through a revshell.
Privilege escalation is achieved by reviewing log files.
Finally, root is achieved by exploiting a PHP dependency management tool that runs with sudo.
Nmap shows nothing but an SSH server and a web server on their respective ports:
# Nmap 7.91 scan initiated Mon Nov 30 10:48:10 2020 as: nmap…
This easy machine consists of finding out the password of a user on a web server that uses WordPress to gain access to the machine.
Once inside, it is possible to escalate to root by abusing the SUID bit.
First of all, and as always, we do a port scan and see that we only have a web server and an SSH server (on an unusual port).
This machine consists of finding a vhost on the remote machine to gain access to a “forum” in which we find SSTI (Server-Side Template Injection), and we manage to get a revshell.
Once inside the machine, we manage to move horizontally by reviewing the log files.
We managed to escalate to root thanks to a Splunk service login as root.
First of all, and as always, we do a port scan to see what we have this time.
Initial access is achieved by cracking the password of a WordPress user and exploiting a vulnerability in the CMS.
After this, it is possible to escalate to root through a command that has the SUID bit set.
As always, we are going to do a port scan to see what we have:
We get initial access to the machine by finding a page that allows us to execute some commands, but they are filtered; we manage to launch a revshell through a bypass technique.
Once inside the machine, we managed to escape from the web server user thanks to a script that can be executed as another user.
We discover a web server exposed on the local interface which presents a login page. We look through the files on this website and discover some credentials and an image which has a hidden zip file inside it.
The password is cracked and…