Future Router - UMassCTF 2024 Writeup
A web category challenge which involves chaining an arbitrary file read vulnerability in a cURL utility with a command injection vulnerability on a WebSocket-based customer service agent.
Flight - HackTheBox Writeup (10.10.11.187)
Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.
RedPanda - HackTheBox Writeup (10.10.11.170)
Easy-difficulty Linux box on exploiting a server-side template injection vulnerability in a Spring Boot web application, then a not-so-easy privilege escalation involving an XML external entity injection vulnerability in a custom view counter script.
Horizontall - HackTheBox Writeup (10.10.11.105)
Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.
Ophiuchi - HackTheBox Writeup (10.10.10.227)
Medium-difficulty Linux box on exploiting insecure deserialisation vulnerability in a SnakeYAML applet. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.
ScriptKiddie - HackTheBox Writeup (10.10.10.226)
Easy-difficulty Linux box on exploiting CVE-2020-7384 APK template vulnerability in MSFvenom. Privilege escalation by exploiting a command injection vulnerability in a Bash script, then pivoting to a privileged user with sudo rights on msfconsole.
Delivery - HackTheBox Writeup (10.10.10.222)
Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.
Ready - HackTheBox Writeup (10.10.10.220)
Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.
Time - HackTheBox Writeup (10.10.10.214)
Medium-difficulty Linux box on exploiting SSRF vulnerability CVE-2019-12384 in Jackson and leveraging a privileged shell script to gain root.
Heim - UMassCTF '21 Writeup
Only those who BEARER a token may enter! A web exploitation category challenge on intercepting and forging JSON Web Tokens from a debugging endpoint to bypass Bearer authentication.
Passage - HackTheBox Writeup (10.10.10.206)
Medium-difficulty Linux box on exploiting CuteNews 2.1.2 CVE-2019-11447 and abusing Linux's official USB-creator tool to gain arbitrary file write as root.
Academy - HackTheBox Writeup (10.10.10.215)
Easy-difficulty Linux box about exploiting Laravel CVE-2018-15133 and privilege escalation with Composer.
Doctor - HackTheBox Writeup (10.10.10.209)
A not-so-easy Linux box about advanced URL command injection and exploiting Splunk Universal Forwarder to gain root and persistence.
Worker - HackTheBox Writeup (10.10.10.203)
Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.