HackTheBox - Servmon

Summary

Servmon is a Windows box created by HackTheBox user dmw0ng. The initial scan shows that FTP is running with anonymous login enabled. Checking the files there, we find hints about a Passwords.txt file on Nathan's Desktop. Checking the web service, we find it is running NVMS-1000; searchsploit shows it has a directory traversal vulnerability, which we can use to read the Passwords.txt file.
Using crackmapexec we can try all the passwords against Nathan and Nadine, and we get a valid credential for Nadine. With that we can SSH to the box, and we have user on this box. Privilege escalation on this one was fun: we need to exploit the NSClient++ RCE to get an NT AUTHORITY\SYSTEM shell.

HackTheBox - Akerva
Here's something encrypted, password is required to continue reading.
TryHackMe - LazyAdmin

Summary

LazyAdmin is a Linux box. The initial scan finds a SweetRice CMS, which has a backup disclosure issue; using that we can dump the credentials stored in the database. Logging in with those credentials, we see that we can put PHP code in an ad, which gives us RCE. After getting RCE we can get a shell. Running sudo -l shows that we can run a backup.pl script as root without a password, and checking backup.pl reveals that it calls a bash script that can be modified by www-data, which we can use to get a root shell.

TryHackMe - TheCodCaper

Summary

TheCodCaper is a Linux box created by user Paradox. The initial scan finds an administrator.php page, and we exploit SQLi on the login page to dump the credentials. Using those, we are redirected to a command page, through which we can get a shell as www-data. Enumerating the box, we find the user's password in /var/hidden/pass, which we use to SSH to the box as pingu. Enumerating again, we see that we can execute a binary in /opt/secert/root, which also has SUID set. The THM page also gives us the code, so we can use a buffer overflow to reach the hidden shell function and read /etc/shadow. We can then crack the hash and get the root password.

TryHackMe - DogCat
Initial Scan

nmap -sC -sV -oN nmap/dogcat 10.10.208.6

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 10:21 EDT
Nm ...