Data is an easy linux machine from vulnlabs where we exploit a vulnerable version of grafana to pull out its database file. We get some hashes that can be cracked to get ssh credentials. Root part involves exploiting privileged containers.

Feedback is an easy linux machine from vulnlabs where we exploit a vulnerable java application. We use exploit a vulnerable version of log4j to get a shell and a hardcoded password to escalate our privileges.

Busqueda is an easy machine from hackthebox. It starts with a vulnerable version of Searchor that can be abused to inject arbitrary shell commands due to a bad use of the eval function. After our shell as www-data we inspect log files from a git repository to find credentials for the user. That user can run a particular python script as root that we can use to elevate our privileges.

MonitorsTwo is an easy machine hosted at hackthebox. To get user we need to exploit the cacti service with a public exploit in order to get a shell inside a docker container. We grab the password hash from the user and crack with hashcat. Root part is about exploit the CVE-2021-41091, which allows otherwise unprivileged Linux users to traverse directory contents and execute programs.

Sync is an easy linux machine from vulnlabs where we can abuse a misconfigured rsync to download a backup of the website. We discover some password hashes and how it is being generated, with a particular salt and pepper. We use this to crack the hashes and get access to the FTP service and upload our public to authenticate to the machine. Root can be achieved by exploiting a misconfigured backup script.

Soccer is an easy machine from hackthebox. IT starts with a vulnerable version of tiny file manager with default credentials. This version allows any authenticated users to upload arbitrary files and run php code. After we get a shell, we need to find a subdomain that allows us to find a SQL Injection vulnerability through a websocket service. Exploiting it, gives us credentials to ssh in. Enumerating a bit more as a different user, we spot that the doas config file lets us run dstat with high privileges which leads to the root shell.