Machine Synopsis

EarlyAccess is a Hard Linux machine featuring a web server that is vulnerable to XSS. Exploiting the XSS vulnerability allows the users to get administrative access to the web page. Upon accessing the administrator's panel two more endpoints are discovered and an offline validation script can be downloaded. Upon reverse engineering the offline validation script, a `game-key` can be generated, which allows the user to access the `game` virtual host. The `game` vhost is vulnerable to an SQL injection that allows the user to retrieve and crack the password hash of the `admin` account. Using the administrator's credentials the `dev` vhost can be accessed and two new menu entries are revealed. One entry features an LFI vulnerability that can be used to disclose the source code of the second entry. After reviewing the source code of the second entry, a command injection vulnerability can lead to RCE as `www-data` on the box, which upon enumerating the file system is revealed to be a docker container. A password reuse scenario allows a privilege escalation from `www-data` to `www-adm`. An unencrypted file with plain text credentials allows the access of a database endpoint that reveals plain text credentials for `drew` user. The user `drew` can use SSH to login on the host machine. An SSH key inside the home folder of `drew` can be used to access another docker container. The container hosts a Node JS game and whenever the server hangs and restarts, a script executes all Bash scripts that exist inside a directory mounted from the host machine as `root`. After planting a malicious Bash script on the mounted directory and crashing the web server, `root` access can be obtained on the docker container and a password hash for the user `game-adm` can be retrieved and cracked. Back on the host machine, the user `game-adm` uses the same password, so `drew` can switch to `game-adm`. Enumerating the host machine as `game-adm` reveals that `arp` can be essentially executed as a SUID binary, thus leading to arbitrary file read. The SSH key of the `root` user can be read though `arp` and then used to gain a `root` shell on the machine.