This Alice in TryHackMe Wonderland themed box is quite the rabbit hole. It starts with some basic web app enumeration, leading us to leaked credentials buried deep in a series of hidden directories. Once we get a foothold we’ll solve a series of path/code injection challenges with some light reversing to make a couple of horizontal jumps before finally getting a root shell. I really enjoyed this box. The hints make it more like a puzzle than realistic hacking challenge, but the privesc was fun.

Lian_Yu is a beginner friendly CTF mostly focused on enumeration. We’ll fuzz a website to find credentials that will get us access to the FTP service. There we’ll find an image file to perform steganalysis on, and that will reveal a password we can use to SSH into the box. Escalating to root from there is just a matter of escaping from a binary we have sudo privileges for.

Brooklyn Nine Nine is an easy Linux box with 2 different ways to get user shells and to escalate privileges. We’ll cover both solutions here.