Skip to main content
August-2024 Updates - New Exclusive Content
Diablo avatar
Written by Diablo
Updated over 3 months ago

We’ve introduced three new exclusive machines and three training machines to Dedicated Labs.


NEW EXCLUSIVE MACHINES

Identifier

Difficulty

Hard - Penetration Testing Level 3

Areas of Interest

Azure Key Vault Service, Azure CosmosDB, Azure Functions App

Technologies

Gunicorn, Flask, Azure CosmosDB Emulator

Skills

Enumeration, OWASP Top 10, Azure Knowledge

Archive

Difficulty

Easy - Penetration Tester Level 1

Areas of Interest

Path Traversal, SQLite DB Enumeration, SMB Enumeration

Technologies

Flask, Werkzeug, SMB, WinRM

Skills

Enumeration, OWASP Top 10, Basic Windows Knowledge

Shaman

Difficulty

Medium - Penetration Tester Level 2

Areas of Interest

JumpServer CVE Exploitation, JumpServer Secrets Enumeration

Technologies

JumpServer, FTP, Ansible Playbook

Skills

Enumeration, OWASP Top 10, Basic Programming Knowledge, Basic Linux Knowledge


NEW TRAINING MACHINES

The retired community machines from 20th July to 20th August are detailed below.

Usage

  • An easy Linux Machine that features a blog site vulnerable to SQL injection, which allows the administrator's hashed password to be dumped and cracked. This leads to access to the admin panel, where an outdated Laravel module is abused to upload a PHP web shell and obtain remote code execution. On the machine, plaintext credentials stored in a file allow SSH access as another user, who can run a custom binary as root. The tool makes an insecure call to 7zip, which is leveraged to read the root user's private SSH key and fully compromise the system.

iClean

  • A medium-difficulty Linux Machine featuring a website for a cleaning services company. The website contains a form where users can request a quote, which is found to be vulnerable to Cross-Site Scripting (XSS). This vulnerability is exploited to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to Server-Side Template Injection (SSTI), allowing us to obtain a reverse shell on the box. Enumeration reveals database credentials, which are leveraged to gain access to the database, leading to the discovery of a user hash. Cracking this hash provides SSH access to the machine. The user’s mail mentions working with PDFs. By examining the sudo configuration, it is found that the user can run qpdf as root. This is leveraged to attach the root private key to a PDF, which is then used to gain privileged access to the machine.

WifineticTwo

  • An easy Linux Machine that presents an intriguing network challenge, focusing on wireless security and network monitoring. An exposed FTP service has anonymous authentication enabled which allows us to download available files. One of the files is an OpenWRT backup which contains a Wireless Network configuration that discloses an Access Point password. The contents of shadow or passwd files further disclose usernames on the server. With this information, a password reuse attack can be carried out on the SSH service, allowing us to gain a foothold as the netadmin user. Using standard tools and with the provided wireless interface in monitoring mode, we can brute force the WPS PIN for the Access Point to obtain the pre-shared key (PSK). The passphrase can be reused on SSH service to obtain root access on the server.


Looking for more content, features, or a place to leave feedback?

Book your spot for a 15-minute call where we can discuss how to level up your training!


Did this answer your question?