August-2024 Updates - New Exclusive Content
Written by Diablo
Updated over a week ago

We’ve introduced three new exclusive machines and three training machines to Dedicated Labs.


NEW EXCLUSIVE MACHINES

Identifier

  • Difficulty: Hard - Penetration Testing Level 3
  • Areas of Interest: Azure Key Vault Service, Azure CosmosDB, Azure Functions App
  • Technologies: Gunicorn, Flask, Azure CosmosDB Emulator
  • Skills: Enumeration, OWASP Top 10, Azure Knowledge

Archive

  • Difficulty: Easy - Penetration Tester Level 1
  • Areas of Interest: Path Traversal, SQLite DB Enumeration, SMB Enumeration
  • Technologies: Flask, Werkzeug, SMB, WinRM
  • Skills: Enumeration, OWASP Top 10, Basic Windows Knowledge

Shaman

  • Difficulty: Medium - Penetration Tester Level 2
  • Areas of Interest: JumpServer CVE Exploitation, JumpServer Secrets Enumeration
  • Technologies: JumpServer, FTP, Ansible Playbook
  • Skills: Enumeration, OWASP Top 10, Basic Programming Knowledge, Basic Linux Knowledge


NEW TRAINING MACHINES

The retired community machines from 20th July to 20th August are detailed below.

Usage

  • An easy Linux Machine that features a blog site vulnerable to SQL injection, which allows the administrator's hashed password to be dumped and cracked. This leads to access to the admin panel, where an outdated Laravel module is abused to upload a PHP web shell and obtain remote code execution. On the machine, plaintext credentials stored in a file allow SSH access as another user, who can run a custom binary as root. The tool makes an insecure call to 7zip, which is leveraged to read the root user's private SSH key and fully compromise the system.

iClean

  • A medium-difficulty Linux Machine featuring a website for a cleaning services company. The website contains a form where users can request a quote, which is found to be vulnerable to Cross-Site Scripting (XSS). This vulnerability is exploited to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to Server-Side Template Injection (SSTI), allowing us to obtain a reverse shell on the box. Enumeration reveals database credentials, which are leveraged to gain access to the database, leading to the discovery of a user hash. Cracking this hash provides SSH access to the machine. The user’s mail mentions working with PDFs. By examining the sudo configuration, it is found that the user can run qpdf as root. This is leveraged to attach the root private key to a PDF, which is then used to gain privileged access to the machine.

WifineticTwo

  • An easy Linux Machine that presents an intriguing network challenge, focusing on wireless security and network monitoring. An exposed FTP service has anonymous authentication enabled, which allows us to download the available files. One of the files is an OpenWRT backup containing a wireless network configuration that discloses an Access Point password. The contents of the shadow or passwd files further disclose usernames on the server. With this information, a password reuse attack can be carried out on the SSH service, allowing us to gain a foothold as the netadmin user. Using standard tools and with the provided wireless interface in monitor mode, we can brute force the WPS PIN for the Access Point to obtain the pre-shared key (PSK). The passphrase can be reused on the SSH service to obtain root access on the server.


Looking for more content, features, or a place to leave feedback?

Book your spot for a 15-minute call where we can discuss how to level up your training!

