THM: Tech_Supp0rt: 1 is a linux boot to root challenge where we’ll pwn a fake tech support scam company. We’ll start by leaking credentials for a web CMS through an open SMB share. The CMS turns out to be vulnerable to authenticated arbitrary file uploads, and since we have creds we can exploit this to get a shell. Once on the box, there are 2 paths we can take to getting a root shell. One involves pivoting to another user on the system and exploiting their sudo privileges, and another involves exploiting CVE-2021-4043.

VulnNet Internal is one of the more fun boxes I’ve done so far. For this box we won’t be searching for known exploits or attacking a webapp. Instead, we’ll enumerate several network services to find info that will ultimately help us find a way to a shell. Once we get a user shell we’ll continue enumerating and see what services are running internally. We’ll encounter an internal service running as root that we can create an SSH tunnel to and escalate to a root shell.