Checker
Linux
Hard
4.2
MACHINE RATING1843
USER OWNS1661
SYSTEM OWNS22/02/2025
RELEASEDMachine Synopsis
Checker is a hard-level Linux machine running Teampass and Bookstack on separate ports. The Teampass version has a SQL injection vulnerability [CVE-2023-1545](https://nvd.nist.gov/vuln/detail/CVE-2023-1545) that can be exploited to obtain user password hashes. By cracking these hashes, we get the password for the Teampass user `bob`. Logging into Teampass reveals credentials for both Bookstack user `bob` and the SSH user `reader`. Attempting SSH login as `reader` user shows that two-factor authentication is enabled. Meanwhile, the Bookstack version is vulnerable to [CVE-2023-6199](https://nvd.nist.gov/vuln/detail/CVE-2023-6199), a local file read flaw via Blind SSRF, which can be exploited to retrieve the 2FA secret key for the `reader` user’s SSH account, enabling successful SSH login. We reverse engineer a binary for privilege escalation to root to discover a command injection vulnerability, which we then exploit using a custom script.
Machine Matrix
