THM: Tech_Supp0rt: 1 is a linux boot to root challenge where we’ll pwn a fake tech support scam company. We’ll start by leaking credentials for a web CMS through an open SMB share. The CMS turns out to be vulnerable to authenticated arbitrary file uploads, and since we have creds we can exploit this to get a shell. Once on the box, there are 2 paths we can take to getting a root shell. One involves pivoting to another user on the system and exploiting their sudo privileges, and another involves exploiting CVE-2021-4043.

THM: Watcher is a boot to root that’s broken down into a series of several mini flags. We’ll start with exploiting an LFI vulnerability to leak credentials for FTP, and then we will upload a shell and launch it with the LFI. Once on the box we’ll privesc through a series of low privilege users before ultimately getting root. This box doesn’t require any advanced techniques, just lots of enumeration.

THM: OhMyWebserver is a medium difficulty linux box that presents a fun set of challenges. We’ll exploit multiple CVEs to get remote code executions. There are multiple layers of privilege escalation, as the initial target is a docker container. Let’s get started!

Zeno is a medium difficulty Linux box with a vulnerable web application we’ll exploit to get a shell. With a bit more enumeration we’ll find credentials for a user account to get the first flag. Finally we’ll abuse a misconfiguration of a service file to escalate privileges to root.

This Alice in TryHackMe Wonderland themed box is quite the rabbit hole. It starts with some basic web app enumeration, leading us to leaked credentials buried deep in a series of hidden directories. Once we get a foothold we’ll solve a series of path/code injection challenges with some light reversing to make a couple of horizontal jumps before finally getting a root shell. I really enjoyed this box. The hints make it more like a puzzle than realistic hacking challenge, but the privesc was fun.

Brooklyn Nine Nine is an easy Linux box with 2 different ways to get user shells and to escalate privileges. We’ll cover both solutions here.

Battery is a medium difficulty Linux box that touches on several techniques. We’ll start with fuzzing a webapp and reverse engineering an executable we find on the target as part of our enumeration stage. Then we’ll move on to exploiting a null byte injection vulnerability in the very old version of PHP to gain access to the webapp as an admin user. Once inside we’ll find an XXE bug that will allow us to enumerate files on the target and leak SSH credentials for an unprivileged user. Finally we’ll walk through 2 different privilege escalation techniques to get a root shell and capture the flag!