Resolute was a rather unusual Windows box that did not have a web server running. A password could be retrieved remotely from user description comments, allowing a login to the box through WinRM. From there, another password could be grabbed from PSTranscripts to escalate to a user with DnsAdmin privileges, which allowed us to further privesc to the Domain Admins group and finish the box.
ropmev2 was a fun binary exploitation challenge by r4j in which we needed to ROP our way through some twists to build a successful exploit.
Rope was an insane box from r4j that was almost purely binary exploitation, one of the favorite categories of the members of this team.
Patents was quite a difficult box from gb.yolo (who’s now a teammate of mine!) with a realistic pwn in the end. Overall, it was a very enjoyable box that took a while! Before I start, I would like to thank D3v17 and pottm, my teammates who worked with me on this box. Additionally, I would like to thank oep, Sp3eD, R4J, and Deimos who I collaborated with at times throughout and after the box.
Obscurity is a medium difficulty box where we will leverage bad server code to inject and run commands, and take advantage of poor cryptography and leftover files to get user access. From there we take advantage of sudo privileges and a poorly executed program to read the root.txt file.
Openadmin was an easy box that required exploiting a vulnerability in a running web service to get a shell, then moving laterally between different users, and finally escalating to root by abusing a sudo NOPASSWD configuration.
Control is a hard-rated box that required writing a shell through an SQL injection, using previously acquired hashes to pivot to a different user, and then modifying a service to gain an Administrator shell.
Mango is a medium difficulty box where, with basic enumeration and some MongoDB NoSQL injection, we can extract user passwords to log in and get user access. From there we will leverage a classic jjs privilege escalation to get root access and read the root.txt file.