Category: Linux

Checker is a hard-level Linux machine running Teampass and Bookstack on separate ports. The Teampass version has a SQL injection vulnerability CVE-2023-1545 that can be exploited to obtain user password hashes. By cracking these hashes, we get the password for the Teampass user bob. Logging into Teampass reveals credentials for both Bookstack user bob and the SSH user reader. Attempting SSH login as reader user shows that two-factor authentication is enabled. Meanwhile, the Bookstack version is vulnerable to CVE-2023-6199, a local file read flaw via Blind SSRF, which can be exploited to retrieve the 2FA secret key for the reader user’s SSH account, enabling successful SSH login. We reverse engineer a binary for privilege escalation to root to discover a command injection vulnerability, which we then exploit using a custom script.

Yummy is a hard box that starts with a Restaurant web app using Caddy web service, on port 80, where an attacker finds an arbitrary file read HTTP Location header, which is not handled and sanitized properly by the default Caddy configuration. This allows an attacker to find several cronjob scripts that allow downloading the web app source code. Reading the source code, the web app uses JWT RSA keypairs to forge an admin token and escalate privileges on the web app. The admin panel has an SQL injection, allowing arbitrary file write over a file running periodically (cronjob). Improper directory permissions allow the attacker to move laterally to www-data and eventually a dev user. The dev user can execute rsync binary as root, which helps escalate privileges to root.