Skip to main content
September-2024 Updates - New Exclusive Content
Diablo avatar
Written by Diablo
Updated over 2 months ago

We’ve introduced three new exclusive machines, four training machines, and three Sherlocks to Dedicated Labs.


NEW EXCLUSIVE MACHINES

Sekure

Difficulty

Very Easy - Penetration Testing Level 1

Areas of Interest

Exposed Git Repository, Linux Privilege Escalation

Technologies

Nginx & Git

Skills

Enumeration, OWASP Top 10, Basic Linux Knowledge

Crushed

Difficulty

Easy - Penetration Tester Level 2

Areas of Interest

CrushFTP CVE Exploitation & Password Cracking

Technologies

CrushFTP

Skills

Enumeration, Basic Linux Knowledge

Chaffinch

Difficulty

Easy - Penetration Tester Level 2

Areas of Interest

GeoServer RCE & Windows CSC Service Privilege Escalation

Technologies

GeoServer

Skills

Enumeration, Basic Windows Knowledge


NEW TRAINING MACHINES

The retired community machines from 20th August to 20th September are detailed below.

Intuition

  • A Hard Linux machine highlighting a CSRF (Cross-Site Request Forgery) attack during the initial foothold, along with several other intriguing attack vectors. To gain a foothold, you must first exploit a CSRF vulnerability, followed by exploiting CVE-2023-24329 in the Python urllib module to access files on the server. This allows you to disclose the application's source code, leading to the discovery of credentials needed to access the FTP server via an LFI (Local File Inclusion) vulnerability. Once inside the box, you must perform log analysis to progress to the next user and code review combined with a small amount of scripting. To achieve root access, you need to reverse engineer and exploit a custom binary, which is then leveraged to exploit CVE-2023-5115, a path traversal attack in the Ansible automation platform.

Mailing

  • An easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.

Runner

  • A medium difficulty Linux box that contains a vulnerability (CVE-2023-42793) in TeamCity. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a TeamCity docker container and compressing the HSQLDB database files, we can extract credentials for the user matthew and find an SSH key for john. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the /etc/hosts file, we discover a running Portainer instance. Using matthew's credentials, we access the subdomain externally. While authenticated, we find that we can create images, but our privileges are limited. After checking the version of runc on the host, we exploit a vulnerability (CVE-2024-21626) through the image build function of Portainer, which allows us to create a SUID bash file on the host.

Skyfall

  • An Insane Linux machine that features a company launching their new beta cloud storage application that MinIO, an S3 object storage service, backs. The web application is written in Python with Flask. It has a restricted section of the site that is vulnerable to a Nginx ACL and Flask-specific bypass which is specific to its configuration. The restricted section contains Prometheus metrics for a MinIO cluster that exposes internal host names and the MinIO version which has a known security vulnerability for information disclosure CVE-2023-28432. This information disclosure leaks the MinIO root credentials which allows access to the S3 buckets it's hosting.


Exclusive Sherlocks

Saboteur

Difficulty

Easy

Category

DFIR

Technology

Windows

A user at Forela Corp has reported unusual activities on their computer, including file deletions and multiple pop-up windows. The Incident Response team has been notified and the user mentioned that these issues began on August 14, 2024. The Incident Response team lead has directed the frontline responders to investigate the situation and suggested implementing correlation rules, as these events were not flagged by their monitoring system, potentially indicating a cyber attack.

Fancy Pants

Difficulty

Medium

Category

DFIR

Technology

Windows

FancyPants is a medium-difficulty Sherlock that will provide you the analyst

with multiple forensic data sources. This Sherlock will expose you to several

commonly used attack techniques associated with APT28 and requires an

investigative mindset to unravel the breach.

Highway Patrol

Difficulty

Very Easy

Category

DFIR

Technology

Invanti

Forela's Sysadmin recently deployed Ivanti Virtual Traffic manager and accidently left the port open to internet. Little did he know that there was a serious vulnerability recently uncovered in Ivanti VTM package.

Since the setup was new, we had no monitoring capability yet on that server. It was only when the sysadmin saw a wierd Virtual server already created on the Ivanti VTM when he did not remember setting one up. Thankfully he collected the logs and sent over to the security team before shutting the server down. Take a look at logs and find out what happened


Looking for more content, features, or a place to leave feedback?

Book your spot for a 15-minute call where we can discuss how to level up your training!

Did this answer your question?