EarlyAccess
EarlyAccess
EarlyAccess 375
EarlyAccess
RETIRED MACHINE

EarlyAccess

EarlyAccess - Linux Linux
EarlyAccess - Hard Hard

4.7

MACHINE RATING

846

USER OWNS

780

SYSTEM OWNS

04/09/2021

RELEASED
Created by Chr0x6eOs

Machine Synopsis

EarlyAccess is a Hard Linux machine featuring a web server that is vulnerable to XSS. Exploiting the XSS vulnerability allows the users to get administrative access to the web page. Upon accessing the administrator's panel two more endpoints are discovered and an offline validation script can be downloaded. Upon reverse engineering the offline validation script, a `game-key` can be generated, which allows the user to access the `game` virtual host. The `game` vhost is vulnerable to an SQL injection that allows the user to retrieve and crack the password hash of the `admin` account. Using the administrator's credentials the `dev` vhost can be accessed and two new menu entries are revealed. One entry features an LFI vulnerability that can be used to disclose the source code of the second entry. After reviewing the source code of the second entry, a command injection vulnerability can lead to RCE as `www-data` on the box, which upon enumerating the file system is revealed to be a docker container. A password reuse scenario allows a privilege escalation from `www-data` to `www-adm`. An unencrypted file with plain text credentials allows the access of a database endpoint that reveals plain text credentials for `drew` user. The user `drew` can use SSH to login on the host machine. An SSH key inside the home folder of `drew` can be used to access another docker container. The container hosts a Node JS game and whenever the server hangs and restarts, a script executes all Bash scripts that exist inside a directory mounted from the host machine as `root`. After planting a malicious Bash script on the mounted directory and crashing the web server, `root` access can be obtained on the docker container and a password hash for the user `game-adm` can be retrieved and cracked. Back on the host machine, the user `game-adm` uses the same password, so `drew` can switch to `game-adm`. Enumerating the host machine as `game-adm` reveals that `arp` can be essentially executed as a SUID binary, thus leading to arbitrary file read. The SSH key of the `root` user can be read though `arp` and then used to gain a `root` shell on the machine.

Machine Matrix

Ready to start your
hacking journey?