Forwardslash is a hard-rated box (medium difficulty imo) in which we exploit an LFI in the web server to get access to some sensitive info that lets us SSH in. In our initial SSH session we exploit a SUID binary to once again obtain read access to a file with credentials, which we use to move laterally to another user. From there we have sudo rights to access an encrypted LUKS image file, so we only have to brute-force the key to gain root and complete the machine.
Player2 was a challenging but very fun box by MrR3boot and b14ckh34rt. The highlight of the box for me is the finale 2.29 heap pwn! In my opinion, if there were no unintended routes, this would have been by far the hardest box so far, but some of these alternative solutions were never patched.
Albatross: This was a misc pyjail golf challenge.
Throughout this writeup we’ll see how just a little bit of additional information allows us to effectively abuse a directory traversal vulnerability in way too old software. Going forward, we’ll use the credentials obtained to look around the system and discover credentials for yet another application. Abusing an inherent flaw in the application design, we’ll obtain SYSTEM privileges and ultimately take over the box. After we finish the hassle, we’ll look at an alternative, easier, and more reliable route dmw0ng told me about after I solved the box and, for style points, use RDP to log into the system.