Writeups for all of the different CTFs I’ve done, mostly TryHackMe and HackTheBox in prep before starting the private OSCP and Proving Grounds labs. Will be doing more in the future to try to learn more advanced AV evasion and binary exploitation (the latter more for fun than usefulness).
TartarSauce
A medium Linux box from HackTheBox, get initial access through a vulnerable wordpress plugin, then get privesc to a full user through tar, and then find a backup script that unzips a file as root, allowing you to privesc to root by unzipping a malicious archive with a custom root-owned SUID executable.
Worker
A medium box from HackTheBox, get initial acces by finding leaked Azure DevOps credentials in a SVN repo’s commit history, then escalate privileges to a user account by cached passwords in the SVN config files on the victims PC, then get root by making a pipeline function in Azure DevOps that sends a reverse shell as nt authority\system.
Bastard
A medium box from HackTheBox, use a vulnerability in a Drupal plugin to get initial access, then a kernel exploit for privesc.
Mirai
An easy Linux box from HackTheBox, get initial access by enumerating that the victim is a Raspberry Pi and just use the default password to SSH in with root privileges, then have to recover a deleted root flag.
Wonderland
A medium Linux box from TryHackMe, get initial access by finding creds in site HTML, then escalate privilege through PATH vulnerabilities, and exploit an SUID binary for root