Explore a medium CTF challenge that demonstrates a PHP Cookie Serialization Attack via preferences.php, leading to a reverse shell. Discover how the .Xauthority file was exploited to capture sensitive data, and learn about privilege escalation techniques used to gain root access without a password.
Photographer contains multiple exploits and misconfigurations. Starting with retrieving credentials from Samba shares then exploiting Koken CMS to gain a reverse shell. LinPEAS revealed MySQL credentials and a SUID PHP binary, enabling privilege escalation to root.
This box is exploited using OpenSSL's predictable PRNG to brute-force an SSH key, gaining access as another user. A sudo misconfiguration is then used to modify /etc/passwd, adding a root user, allowing privilege escalation and capturing the final flag.
Ephemeral 2 is a medium-level box involving Samba exploitation, reverse shells, and privilege escalation. Key steps include discovering open ports, brute-forcing SMB credentials, exploiting a "magic script," and leveraging cron jobs and writable profile scripts to gain root access.