THM: Agent T is fast and easy box demonstrating the importance of enumeration. After a quick port scan we’ll quickly see that something about the only service running seems odd. It is a development build of PHP, and a quick web search tell us this version includes a backdoor that allows an attacker to easily achieve RCE by simply manipulating HTTP headers.

In Debug we’ll practice an exploitation technique called PHP Objection Injection, also known as a PHP deserialization attack. This vulnerability occurs when an application does not sanitize user-supplied input before passing it to the unserialize() function. It is not unique to PHP, and is also found in Python, Java, Node.js, and other object-oriented languages.

Dogcat involves one of my favorite techniques: log file poisoning. We’ll start by enumerating a webapp and finding a LFI bug. Then we can poison the web server’s logs to escalate the LFI to RCE and pop a user shell. From there, getting root is almost too easy. That’s because we’ll find ourselves inside a Docker container, and the final challenge will be escaping to a root shell on the host.

Battery is a medium difficulty Linux box that touches on several techniques. We’ll start with fuzzing a webapp and reverse engineering an executable we find on the target as part of our enumeration stage. Then we’ll move on to exploiting a null byte injection vulnerability in the very old version of PHP to gain access to the webapp as an admin user. Once inside we’ll find an XXE bug that will allow us to enumerate files on the target and leak SSH credentials for an unprivileged user. Finally we’ll walk through 2 different privilege escalation techniques to get a root shell and capture the flag!

Skynet is a fun Terminator themed linux box to practice enumeration on. Getting an intial foothold involves exploiting a straightforward remote file inclusion bug, but we’ll go through a fair amount of enumerating multiple services before finding the way in. After that we’ll use the tar command’s ability to execute arbitrary commands to escalate our privileges and grab the root flag.

RootMe is an easy Linux box where we’ll exploit the ability to upload an arbitrary file to get remote code execution. It’s a good box for practicing how to approach a file upload vulnerability when the developer has put some basic defenses in place that must be circumvented in order to achieve RCE.

ColddBox is another beginner friendly boot to root challenge. We’ll get a foothold by conducting a dictionary attack to brute force the login for a WordPress site. Once we have access we can use WordPress' built-in code editor to edit a file in the active template to get code execution and pop a reverse shell. There are at least 4 ways to escalate privileges to root, and we’ll cover 2 of them here.

Ignite is a very beginner friendly Linux boot to root challenge on TryHackMe. I actually got root before finding the user flag! We’ll be exploiting a CVE in a PHP application to gain access to the box, and from there a little bit of enumeration of the app’s config files reveal the root user’s credentials.