Machine Synopsis
Intentions is a hard Linux machine that starts with an image gallery website vulnerable to a second-order SQL injection, which leads to the discovery of BCrypt password hashes. Further enumeration reveals a v2 API endpoint that accepts authentication with a hash instead of a password, giving admin access to the site. Within the admin panel the attacker finds a page that edits gallery images with the help of Imagick, and is able to exploit the Imagick object instantiation to gain code execution. With a shell as www-data, the attacker examines the Git history of the current project and finds credentials for the user greg. Logged in as greg, the user enumerates the system and discovers access to the /opt/scanner/scanner binary, which carries an extended file capability, specifically CAP_DAC_READ_SEARCH. Because this capability bypasses file read permission checks, it allows the attacker to exfiltrate sensitive files such as the root user's private SSH key, byte by byte. With that key the attacker authenticates over SSH as root.
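The final step above hinges on a binary carrying CAP_DAC_READ_SEARCH, which is exactly the kind of thing a routine host audit should catch. The following is an added defensive example, not part of the machine page or HTB's material: it parses the output of `getcap -r /` (both the older `path = caps+ep` and the newer `path caps=ep` formats) and flags binaries whose capability set can bypass permission checks or escalate privileges. The sample output and the capability list are constructed for illustration; only the /opt/scanner/scanner entry mirrors the page.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output (not captured from the machine).
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/scanner/scanner cap_dac_read_search=ep
/usr/local/bin/helper cap_setuid,cap_dac_override=eip
"""

# File capabilities that let a process read any file, bypass DAC checks or escalate
# to root outright. Any binary carrying one of these deserves a review.
RISKY_CAPS = {
    "cap_dac_read_search",  # read any file / traverse any directory (the page's case)
    "cap_dac_override",     # read, write and execute regardless of permission bits
    "cap_setuid",
    "cap_setgid",
    "cap_sys_admin",
    "cap_sys_ptrace",
}

# Matches "<path> <caps>=<flags>" (libcap >= 2.41) and "<path> = <caps>+<flags>" (older libcap).
# Paths containing whitespace are not handled; getcap quotes none of them.
_LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[^=+\s]+)[=+]")


def parse_getcap(output):
    """Parse getcap output into a list of (path, set of lowercase capability names)."""
    entries = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a capability record
        caps = {c.strip().lower() for c in m.group("caps").split(",") if c.strip()}
        entries.append((m.group("path"), caps))
    return entries


def find_risky(output, risky=RISKY_CAPS):
    """Return [(path, [risky capability names])] for every binary with a risky capability."""
    findings = []
    for path, caps in parse_getcap(output):
        hit = sorted(caps & risky)
        if hit:
            findings.append((path, hit))
    return findings


if __name__ == "__main__":
    # In production, feed the real output: subprocess.run(["getcap", "-r", "/"], ...).stdout
    for path, caps in find_risky(SAMPLE_GETCAP_OUTPUT):
        print(f"REVIEW {path}: {', '.join(caps)}")
```

Run it periodically (or from a configuration-management check) and compare the result with an allow-list of binaries that legitimately need each capability; a scanner-style tool that only needs to read a few specific directories is better served by group membership or ACLs than by a capability that grants read access to the entire filesystem.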