Recent Posts

Bolt - Hack The Box

Bolt is a medium difficulty Linux machine featuring a custom web application that provides a Docker image file with multiple layers containing deleted files. Enumerating a deleted database file reveals credentials for an application, which in turn provides hints pointing to a demo site. Further enumeration of the Docker image reveals an invitation token that allows registration on the site. The site is found to be vulnerable to Server Side Template Injection (SSTI), and a foothold can be gained by exploiting it. Enumerating the Passbolt configuration reveals database credentials that can be used for lateral movement. The root password can be obtained by exploiting the Passbolt server.

Instant - Hack The Box

Instant is a medium difficulty machine that includes reverse engineering a mobile application, exploiting API endpoints, and cracking encrypted hashes and files. Players will analyze an APK to extract sensitive information and a hardcoded authorization token, then they will exploit an API endpoint vulnerable to Arbitrary File Read. Finally, they will achieve full system compromise by decrypting and analyzing encrypted session data from Solar-PuTTY.

Waldo - Hack The Box

Waldo is a medium difficulty machine which highlights the risk of insufficient input validation, provides the challenge of escaping or bypassing rbash, and showcases an interesting privilege escalation vector involving Linux capabilities, all of which may be found in real environments.

Hawk - Hack The Box

Hawk is a medium-to-hard difficulty machine which provides excellent practice in pentesting Drupal. The exploitable H2 DBMS installation is also realistic, as web-based SQL consoles (RavenDB etc.) are found in many environments. The OpenSSL decryption challenge increases the difficulty of this machine.

Toolbox - Hack The Box

Toolbox is an easy difficulty Windows machine that features a Docker Toolbox installation. Docker Toolbox is used to host a Linux container, which serves a site that is found vulnerable to SQL injection. This is leveraged to gain a foothold on the Docker container. Docker Toolbox default credentials and host file system access are leveraged to gain a privileged shell on the host.

Devzat - Hack The Box

Devzat is a medium Linux machine that features a web server and the ‘Devzat’ chat application. Upon enumerating the web server, a new vhost called ‘pets’ can be discovered. The ‘pets’ vhost has a ‘.git’ directory with listing enabled, providing access to the source code of ‘pets’. Reviewing the source code, a command injection vulnerability is discovered, allowing an attacker to gain a reverse shell as the user ‘patrick’. Logging in to the ‘Devzat’ chat application as ‘patrick’ on the remote machine, the chat history between ‘patrick’ and ‘admin’ reveals that ‘InfluxDB’ is installed on the remote system. Enumerating ‘InfluxDB’, it is discovered that the installed version is vulnerable to CVE-2019-20933, an authentication bypass vulnerability. Exploiting the aforementioned vulnerability, an attacker is able to dump the contents of ‘InfluxDB’, revealing the password of the user ‘catherine’. Switching from ‘patrick’ to ‘catherine’ and logging in to the Devzat chat application as ‘catherine’, the chat history between t...

Previse - Hack The Box

Previse is an easy machine that showcases Execution After Redirect (EAR), which allows unauthenticated users to retrieve the contents of, and make requests to, accounts.php. This leads to abuse of the PHP ‘exec()’ function, since user input is not sanitized, allowing remote code execution against the target. After gaining a www-data shell, privilege escalation starts with the retrieval and cracking of a custom MD5Crypt hash that uses a Unicode salt; once cracked, it allows users to gain SSH access to the target. Finally, a script executable via sudo does not use absolute paths for the binaries it utilises, allowing users to perform PATH hijacking on the target to compromise the machine.