-
Sau writeup
#writeups #hackthebox #ctf #request-baskets-1.2.1 #cve-2023-27163 #ssrf #maltrail-0.53 #rce #spawn-shell-systemctl-pager
This box starts with a site that hosts request-baskets at version 1.2.1, which is vulnerable to CVE-2023-27163 (SSRF). After exploiting the vulnerability I access hidden resources on other ports and find Maltrail at version 0.53, which is vulnerable to CVE-2023-27163 (RCE). I can exploit this vulnerability and become the user. To become root, just look at what you can do with sudo and take advantage of systemctl's default pager.
30 July, 2023 00:00 CEST
-
MonitorsTwo writeup
#writeups #hackthebox #ctf #cacti-1.2.22 #cve-2022-46169 #docker-container-breakout #docker-enumeration #brute-force #docker-20.10.5 #cve-2021-41091
This box starts with a website hosting Cacti version 1.2.22, which is vulnerable to CVE-2022-46169. Just follow the automated steps in the exploit on GitHub to get a shell as www-data. The enumeration continues: I'm inside a Docker container, and thanks to a weakness in the capsh binary I can become root of the container. Docker breakout? Unfortunately not; I searched a lot but I didn't find anything to break out of the Docker container. Besides seeing how the system is set up, to continue just look at the /entrypoint.sh script, connect to the MySQL db in the other container, enumerate it, find the hashed credentials for the user marcus and do the classic brute-force attack with rockyou.txt. Finally, to become root just read the mailbox of user marcus: the system administrators explain which vulnerabilities are present, and the exploits are on GitHub.
11 May, 2023 00:00 CEST
-
Soccer writeup
#writeups #hackthebox #ctf #tinyfilemanager-2.4.3 #cve-2021-45010 #brute-force #nginx-vhost #websocket #blind-sql-injection #dstat-evil-plugin #doas
This box starts with a website that contains a subfolder named "/tiny"; in this subfolder there is TinyFileManager version 2.4.3, vulnerable to CVE-2021-45010. A user account is required to exploit the vulnerability, so I proceed with a brute-force attack with the username set to admin. Once the password is found and the vulnerability exploited, I enumerate the whole system until I find the nginx vhosts, thus discovering the "soc-player.soccer.htb" site. The site uses a WebSocket to communicate with the backend, and it is vulnerable to a blind SQL injection which allows me to obtain the player user's credentials. To get root I enumerate the system again until I find the dstat software, which allows the player user's group to write plugins in a specific folder. In this way, however, I still don't have root permissions; to get them you have to enumerate the system once more and find binaries not usually installed, such as doas, which has a configuration that allows you to run dstat as root.
2 May, 2023 00:00 CEST
-
Inject writeup
#writeups #hackthebox #ctf #local-file-inclusion #springframework #springcloud #cve-2022-22963 #plaintext-password #ssh-denyusers #ansible
This box starts with a website that allows you to upload images and view them. The show_image page is vulnerable to an LFI. Thanks to the vulnerability I'm able to enumerate all the sources, and I discover that the Java Spring Framework is present; from the Maven pom.xml file I can trace the versions of the dependencies. The Java Spring Cloud dependency at version 3.2.2 is vulnerable to CVE-2022-22963, and I am able to log in as Frank. Frank has the unencrypted credentials of the user Phil in his home, but it is not possible to log in via SSH because this is prevented in the SSH configuration file, so I log in via the su command. Finally, for the root privesc, just look at the processes on the host with pspy64 to discover that all YML files in a folder that Phil can write to are executed by Ansible as root, then just create an evil YML file.
23 April, 2023 00:00 CEST
-
Awkward writeup
This box starts with a web server on which vue.js is present; after careful analysis it is possible to obtain a path that is not correctly protected by the JWT and that provides us with the staff password hashes. After brute-forcing the hashes we can access the web application as an unprivileged user; a further brute-force attack is necessary to obtain the secret key used by the HMAC SHA256 (aka HS256) algorithm that generates the JWT. Subsequently, thanks to an SSRF, it is possible to access internal documentation containing the sources of the functions. Thanks to a first command injection on the awk command, it is possible to read the files present on the file system until the bean user's password is obtained. The second command injection, on the sed command present in the store sources, gives a shell as the www-data user. The third and final command injection, on the mail command, gives a shell as the root user.
17 December, 2022 00:00 CET
-
Precious writeup
The box starts with a Remote Code Execution on the website, made possible by a vulnerability in pdfkit, which is present at the exploitable version 0.8.6. Thanks to this vulnerability we are able to obtain a reverse shell. Once this is done, we just have to read a file in the ruby user's home folder that contains the credentials to access via SSH as henry, which gives us the user's flag. The root privesc takes advantage of the deserialization of YAML files to execute arbitrary commands.
14 December, 2022 00:00 CET
-
MetaTwo writeup
#writeups #hackthebox #ctf #wordpress-5.6.2 #cve-2022-0739 #sql-injection #cve-2021-29447 #xxe #passpie #pgp-decryption
The box starts with an unauthenticated SQL injection on the WordPress website. Thanks to this vulnerability it is possible to read the hashes of the users' passwords present in the database. After carrying out a brute-force attack it is possible to access the WordPress control panel as a manager user. The next step is to exploit a second known vulnerability, an XXE, which allows reading any file as www-data. In the juiciest file of WordPress (wp-config.php) there are the credentials for the FTP server. By downloading and analyzing the files on the FTP server you find the credentials to access via SSH as user jnelson. Finally, in the privilege escalation we have to brute-force the password that protects the GPG private key used by the passpie password manager. Once the private key is cracked, it is possible to access the root password saved by the password manager.
7 December, 2022 00:00 CET
-
Photobomb writeup
The box starts with a command injection vulnerability due to a bad filetype regex. For the privesc, the SETENV permission granted by sudo allows me to run a script as root and hijack the relative path of the find command.
30 November, 2022 00:00 CET
-
Shared writeup
#writeups #hackthebox #ctf #prestashop #sql-injection #cve-2022-21699 #ipython-8.0.0 #cve-2022-0543 #redis #redis-load-evil-module
This box starts with an SQL injection on the value of the unique PrestaShop custom cookie. The MD5-hashed credentials of the user james_mason are saved in the database, and with them I can log in with SSH. Later I had to exploit IPython 8.0.0 through a known CVE to get code execution as dan_smith. Finally, it is enough to sniff the unencrypted network traffic towards the local Redis server to obtain the credentials and exploit it (two methods proposed) to own the box.
25 November, 2022 00:00 CET