This Challenge is currently active , You need to complete the challenge first and then try to decrypt the writeup with the help of flag
Altering the administrator username by changing the roleid and login as admin on the web , two ways to get user one is admin page revealing a new VHOST which is running on laravel , and the lavarel is exposing its app_key so its is vulnerable to RCE , Exploiting the RCE and get a shell as www-data . and second is reading the .env file and get the password for the user from academy dir , Hit and trial that password on all console users , got lucky with one user .And second is reading the .env file and get the password for the user from academy dir and login with onw of the user metioned on admin page. Now got mrb3n user password from audit-logs and logged in as mrb3n. mrb3n can run composer as sudo , making a custom script and running it with composer as root, Thats how i pwned it
There are two features on webiste ONLINE JSON BEAUTIFIER & VALIDATOR the validator feature is vulnerable to a CVE and after searching about it bit more got initial shell as user , Privlege escaltion was bit easy there is a timer_backup script that is in cronjobs and running as root, and we have write permissions to it , writing our rev shell to it and got root
This is relatively an easy box which is based on the 2 CVE’S , The PHP webapp that is hosted on port 8080 is vulnerable to a Unauthenticated Remote Code Execution from that exploit got first initial shell , There is a Binary Cloudme.exe running on the local port that is vulnerable to the buffer over flow and exploting it to get shell as Administrator
Nmap exposing a new domain , Grabbing employees emails from a webpage . Using swaks to send Spoofed email to all the 57 emails to phish an employee . Got a Username and password , Login into the imap and reading some messages and got another credentials , Using them to login to ftp , The Dir which is being shared on ftp is a new subdomain itself . On Ftp we have rights to write into Ftp dir so uploading a shell and executing it on website. Got a hash from .htpasswd file, cracking it and building a package and Exploiting the Pypi server to get shell as low and the user low can run pip3 as root . Abusing pip3 and got shell as root
Discvering a new domain and adding it to the hosts file , Identifying a Local-file-Inclusion and extracting sensitive information . Fuzzing some dirs and got the tomcat-users.xml which contain username and password for tomcat-manager , Generating a java-payload and uploading it to get an initial reverse shell . or using metasploit to exploit the tomcat-deploy . Got a zip file cracking it with john and the password that is cracked is of user ash , The user ash is in lxd group . By importing and initialization lxd image and mouting the root dir , We got shell as root
Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.