Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.
ctf stego cve metasploit suidTeacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.
moodle mysql enumeration ctf tar cronjobRedcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.
linux xss sqli command injection pgsql cve nssThis is the writeup for Vault, a machine with pivoting across different network segments.
linux php openvpn firewall pivoting gpgThis is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
joomla ctf cron php easyThis is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
metasploit esoteric language ctf rop buffer overflow binary exploitationThis is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
networking lxc containers bgp command injection php snmp mitmThis is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the HTB staff.
ms-dos dns exfiltration command injection rotten potato unintended efsThis is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
telnet windows access outlook credential managerThis is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.
linux zabbix api suid