THM: Biblioteca is a medium difficulty Linux box that starts with a classic SQL injection vulnerability. We’ll use several UNION attacks to enumerate the database and eventually leak some user credentials. We’ll use those to SSH in to the box and pivot to another user account by simply guessing a weak password. Finally, we’ll escalate to a root shell by hijacking the PYTHONPATH environment variable when running a python script via sudo.

THM: Watcher is a boot to root that’s broken down into a series of several mini flags. We’ll start with exploiting an LFI vulnerability to leak credentials for FTP, and then we will upload a shell and launch it with the LFI. Once on the box we’ll privesc through a series of low privilege users before ultimately getting root. This box doesn’t require any advanced techniques, just lots of enumeration.

THM: Startup is an easy Linux box that’s good for practicing enumeration. We will be pentesting the systems of Spice Hut, a spicy new food startup company. It starts off with a misconfigured FTP service that allows anonymous read access as well as write access in a specific directory. We will abuse this to upload some PHP shell code that we can execute through the HTTP service to get our initial foothold. Once on the box, a bit of enumeration reveals a PCAP file labeled as a suspicious incident. After combing through this file we’ll find the password for an unprivileged user. From there, privesc is a straightforward manipulation of a shell script being executed by root on a cronjob.

THM: Overpass is a linux box that starts out with a simple authentication bypass on a website to access an admin page that revelas a SSH key. We’ll have to crack the passphrase, but once that’s done we’ll be able to SSH to the box. The theme of this box involves a “secure” password manager written by some compsci students. The source code is provided which will reveal where and how password data is stored. Once we understand how it works we’ll retrieve a password for another user on the box. Finally, we’ll abuse open file permissions on the hosts file to control what code is being executed by a cronjob running as root in order to escalate privileges.

THM: Archangel is fun easy box that has involves one of my favorite techniques: escalating LFI to RCE by poisoning a log file. Once we have a shell we’ll take advantage of open permissions on a file running as cronjob to pivot to another user. And we’ll finish with a path injection attack to root the box.

THM: Team is supposed to be aimed at beginners but requires a lot of enumeration and persistence to get through to root. It can feel like there are a lot of rabbit holes getting started, but once we make it through a few rounds of content enumeration we’ll find a hint that leads us to a hidden PHP page where we can exploit an LFI vulnerability. We’ll use that to find FTP credentials and later an SSH key that we can use to get into the box. Finally we’ll escalate our privileges to root by exploiting a command injection vulnerability in a bash script and then adding a malicious command to script running on a cronjob as root.

THM: OhMyWebserver is a medium difficulty linux box that presents a fun set of challenges. We’ll exploit multiple CVEs to get remote code executions. There are multiple layers of privilege escalation, as the initial target is a docker container. Let’s get started!

THM: Gallery is a fun boot to root challenge that involves a variety of techniques to get the initial foothold. We’ll start by enumerating an Apache server that’s running a highly flawed image gallery CMS. It is vulnerable to SQL injection which we’ll exploit to bypass authentication. Once logged in we’ll find out there is no filtering or validation on file uploads, and we’ll be able to upload arbitrary PHP code and use that to send ourselves a reverse shell. Finally, we’ll do some basic enumeration on the box to capture the flags.

LazyAdmin is an easy and fun linux box running a PHP-based CMS. We’ll start with some enumeration to find our way around, and that will eventually lead to credentials for the CMS being leaked through a database backup. Once we have admin access we’ll be able to upload and execute arbitrary PHP code, which we’ll exploit to get a shell. There’s not much required to grab the user flag from there, and we can abuse a combination of sudo privileges with wide open file permissions to escalate to a root shell. Let’s get started!

One of the most useful (and in my opinion, coolest!) features of the AWS cloud is the ability to create your own Virtual Private Cloud (VPC). What is a VPC? It’s a private virtual network that allows you to design and launch scalable, secure networks in a matter of minutes. VPCs are logically isolated from other network in the AWS cloud, meaning by default, traffic cannot flow in or out of them.