Tag
This was an intermediate Linux machine that involved exploiting a remote code execution in GitLab to gain initial access, an exposed root password and a misconfigured docker container to escalate privileges to root.
This was a very easy Linux machine and the first in the Overpass TryHackMe series. It involved adding a custom cookie to bypass web authentication in order to gain initial access and exploiting a cron job to escalate privileges to root.
This was an easy Linux machine that involved exploiting a blind SQL injection vulnerability in Joomla to gain initial access, exposed database credentials to gain user access, and the Yum package manager with Sudo permissions allowed to escalate privileges to root.
This was an easy Linux machine that involved exploiting a WordPress plugin to gain access to the wp-config.php file which contained database credentials and uploading a malicious plugin into WordPress to gain remote access. Privilege escalation was then possible by exploiting a clear-text password left in the BASH history or an insecure cron job.
This was an intermediate Linux box that involved exploiting an insecure AWS S3 bucket to upload a PHP reverse shell to gain remote access, using credentials found in an unprotected DynamoDB database to gain a user shell and exploiting a vulnerable PHP script to extract the root user’s private SSH keys and escalate privileges to root through the DynamoDB database.
This was an easy Linux box that involved accessing an open SMB share containing a list of credentials that could be used to bruteforce a SquirrelMail web application, finding SMB credentials on the application to access a new share which revealed a second web application, and exploiting a remote file inclusion vulnerability in Cuppa CMS to gain remote access. Privilege escalation was possible due to a misconfigured cron job running as root and using a wildcard with the tar command.
This was an easy Linux box that involved exploiting a directory traversal vulnerability in the pChart web application in order to access the rules in the Apache configuration file, which revealed a user agent change was necessary to be able to navigate to the PHPTax web application hosted on port 8080, which was affected by a remote code execution vulnerability that could be used to gain remote access to the machine. A simple kernel exploit can then be used to escalate privileges to root.
This was a fairly easy Linux box that involved exploiting a local file inclusion and remote code execution vulnerability in GitLab to gain remote access to the machine, obtaining administrative access to GitLab through the console to find a user’s private key and exploiting a PATH hijack vulnerability within a SUID script to escalate privileges to root.
This was an easy Linux box that involved exploiting a MySQL injection vulnerability to bypass authentication and obtain SSH credentials to gain remote access to the box and exploiting MySQL user-defined functions to execute commands as root and escalate privileges.
This was an easy Linux box that involved exploiting a remote command execution vulnerability in the LotusCMS web application to gain initial access, cracking a MySQL user’s hash to gain user access, and exploiting a text editor set to run with Sudo permissions to escalate privileges to root.