We’ve introduced three new exclusive machines, four training machines, and three Sherlocks to Dedicated Labs.
NEW EXCLUSIVE MACHINES
Sekure
| Difficulty | Very Easy - Penetration Testing Level 1 |
| Areas of Interest | Exposed Git Repository, Linux Privilege Escalation |
| Technologies | Nginx & Git |
| Skills | Enumeration, OWASP Top 10, Basic Linux Knowledge |
Crushed
| Difficulty | Easy - Penetration Tester Level 2 |
| Areas of Interest | CrushFTP CVE Exploitation & Password Cracking |
| Technologies | CrushFTP |
| Skills | Enumeration, Basic Linux Knowledge |
Chaffinch
| Difficulty | Easy - Penetration Tester Level 2 |
| Areas of Interest | GeoServer RCE & Windows CSC Service Privilege Escalation |
| Technologies | GeoServer |
| Skills | Enumeration, Basic Windows Knowledge |
NEW TRAINING MACHINES
The retired community machines from 20th August to 20th September are detailed below.
Intuition
A Hard Linux machine highlighting a CSRF (Cross-Site Request Forgery) attack during the initial foothold, along with several other intriguing attack vectors. To gain a foothold, you must first exploit a CSRF vulnerability, then exploit CVE-2023-24329 in the Python urllib module to access files on the server. This allows you to disclose the application's source code, leading to the discovery of credentials needed to access the FTP server via an LFI (Local File Inclusion) vulnerability. Once inside the box, you must perform log analysis and code review, combined with a small amount of scripting, to progress to the next user. To achieve root access, you need to reverse engineer and exploit a custom binary, which is then leveraged to exploit CVE-2023-5115, a path traversal vulnerability in the Ansible automation platform.
Mailing
An easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.
Runner
A medium difficulty Linux box that contains a vulnerability (CVE-2023-42793) in TeamCity. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a TeamCity docker container and compressing the HSQLDB database files, we can extract credentials for the user matthew and find an SSH key for john. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the /etc/hosts file, we discover a running Portainer instance. Using matthew's credentials, we access the subdomain externally. While authenticated, we find that we can create images, but our privileges are limited. After checking the version of runc on the host, we exploit a vulnerability (CVE-2024-21626) through the image build function of Portainer, which allows us to create a SUID bash file on the host.
Skyfall
An Insane Linux machine featuring a company launching its new beta cloud storage application, backed by MinIO, an S3-compatible object storage service. The web application is written in Python with Flask. It has a restricted section of the site that is vulnerable to an Nginx ACL and Flask-specific bypass tied to its particular configuration. The restricted section contains Prometheus metrics for a MinIO cluster that expose internal host names and the MinIO version, which has a known information disclosure vulnerability, CVE-2023-28432. This information disclosure leaks the MinIO root credentials, which grant access to the S3 buckets it hosts.
Exclusive Sherlocks
Saboteur
| Difficulty | Easy |
| Category | DFIR |
| Technology | Windows |
A user at Forela Corp has reported unusual activities on their computer, including file deletions and multiple pop-up windows. The Incident Response team has been notified and the user mentioned that these issues began on August 14, 2024. The Incident Response team lead has directed the frontline responders to investigate the situation and suggested implementing correlation rules, as these events were not flagged by their monitoring system, potentially indicating a cyber attack.
Fancy Pants
| Difficulty | Medium |
| Category | DFIR |
| Technology | Windows |
FancyPants is a medium-difficulty Sherlock that provides you, the analyst, with multiple forensic data sources. This Sherlock will expose you to several commonly used attack techniques associated with APT28 and requires an investigative mindset to unravel the breach.
Highway Patrol
| Difficulty | Very Easy |
| Category | DFIR |
| Technology | Ivanti |
Forela's sysadmin recently deployed Ivanti Virtual Traffic Manager and accidentally left the port open to the internet. Little did he know that a serious vulnerability had recently been uncovered in the Ivanti vTM package.
Since the setup was new, we had no monitoring capability yet on that server. The sysadmin only noticed when he saw a weird virtual server already created on the Ivanti vTM that he did not remember setting up. Thankfully, he collected the logs and sent them over to the security team before shutting the server down. Take a look at the logs and find out what happened.
Looking for more content, features, or a place to leave feedback?
Book your spot for a 15-minute call where we can discuss how to level up your training!