NEW Exclusive Machines
Adagio
Difficulty: Medium
CVSS Score: 9.8 (Critical)
Areas of Interest: Reconnaissance & System
Technologies: Kerberos, ADIDNS
Languages: Python & PowerShell
Level: Penetration Testing Level 2
Skills: Network Exploitation
Adagio is a Medium difficulty Windows machine that showcases a few common Active Directory misconfigurations that lead to Domain Administrator access on a Domain Controller machine. Initial access is obtained via ASREPRoasting, then password reuse allows us to move laterally to a second user.
Following a path revealed by BloodHound, it is possible to gain access to a higher privileged user that has GenericWrite access to the DC computer object, allowing for a Resource-Based Constrained Delegation attack. The usual attack method is prevented by the ms-DS-MachineAccountQuota setting, so an alternate approach must be followed.
Couch
Difficulty: Easy
CVSS Score: 9.8 (Critical)
Areas of Interest: Databases
Technologies: Apache CouchDB
Languages: Python
Level: Penetration Testing Level 1
Skills: CVE Exploitation
Couch is an easy Linux machine that showcases remote code execution in Apache CouchDB version 3.2.1, tracked as CVE-2022-24706. An adversary can access an improperly secured default installation without authenticating and gain admin privileges.
Business Logic Machine (Valuta)
Difficulty: Medium
Areas of Interest: Web & Payment Gateways
Technologies: Flask
Languages: Python
Level: Penetration Testing Level 1
Skills: Web Exploitation
Valuta is a Medium Linux machine that showcases multiple vulnerabilities that lead to illegitimately paying for a product. This is done through cookie manipulation and exploiting improper currency conversion.
NEW Training Machines
The retired community machines from 20th December to 16th January are detailed below.
Shoppy
An easy Linux machine that features a website with a login panel and a user search functionality, which is vulnerable to NoSQL injection.
It can be exploited to obtain the password hashes of all the users. Upon cracking the password hash for one of the users, we can authenticate to the Mattermost chat running on the server, where we obtain the SSH credentials for the user jaeger. Lateral movement to the user deploy is performed by reverse engineering a password manager binary, which reveals the password for that user. We discover that the user deploy is a member of the docker group, whose privileges can be exploited to read the root flag.
Health
A medium Linux machine that features an SSRF vulnerability on the main webpage that can be exploited to access services that are available only on localhost.
More specifically, a Gogs instance is accessible only through localhost, and this specific version is vulnerable to an SQL injection attack. Due to the way an attacker can interact with the Gogs instance, the best approach in this scenario is to replicate the remote environment by installing the same Gogs version on a local machine and then using automated tools to produce a valid payload.
After retrieving the hashed password of the user susanne, an attacker is able to crack the hash and reveal the plain text password of that user. The same credentials can be used to authenticate to the remote machine using SSH. Privilege escalation relies on cron jobs that run as the user root. These cron jobs are related to the functionality of the main web application and process unfiltered data from a database. Thus, an attacker is able to inject a malicious task into the database and exfiltrate the SSH key file of the user root, allowing them to gain a root session on the remote machine.
Support
An Easy difficulty Windows machine that features an SMB share that allows anonymous authentication.
After connecting to the share, an executable file is discovered that is used to query the machine's LDAP server for available users. Through reverse engineering, network analysis or emulation, the password that the binary uses to bind to the LDAP server is identified and can be used to make further LDAP queries. A user called support is identified in the users list, and the info field is found to contain his password, thus allowing for a WinRM connection to the machine.
Once on the machine, domain information can be gathered through SharpHound, and BloodHound reveals that the Shared Support Accounts group, of which the support user is a member, has GenericAll privileges on the Domain Controller. A Resource-Based Constrained Delegation attack is performed, and a shell as NT Authority\System is received.