https://z3r0s6.github.io/tags/easy/Recent content in Easy on z3r0sHugoenFri, 08 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/wingdata/Fri, 08 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/wingdata/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>CVEs</td> <td>CVE-2025-47812 · CVE-2025-4517 · CVE-2025-4138</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>WingData is an Easy Linux machine. A company website redirects to an FTP client portal running <strong>Wing FTP Server v7.4.3</strong>, which is vulnerable to an unauthenticated RCE (<strong>CVE-2025-47812</strong>). Post-exploitation enumeration reveals a salted SHA-256 hash for user <code>wacky</code> stored in Wing FTP config files. After cracking the hash with hashcat and gaining SSH access, a misconfigured sudo rule allows execution of a Python backup restoration script as root. The script is vulnerable to <strong>CVE-2025-4517</strong>, a tarfile <code>PATH_MAX</code> bypass that allows arbitrary file write - used to overwrite <code>/etc/sudoers</code> and gain root.</p>https://z3r0s6.github.io/machines/kobold/Sun, 05 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/kobold/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux (Ubuntu)</td> </tr> <tr> <td>CVE</td> <td>CVE-2026-23744</td> </tr> <tr> <td>Tags</td> <td><code>docker</code> <code>gshadow</code> <code>lfi</code> <code>mcp</code> <code>mcpjam</code> <code>pastebin</code> <code>path-traversal</code> <code>rce</code></td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. Initial access requires exploiting <strong>CVE-2026-23744</strong> - an unauthenticated RCE in MCPJam Inspector - by sending a crafted JSON payload to <code>/api/mcp/connect</code> to execute arbitrary commands. Privilege escalation abuses a discrepancy between <code>/etc/gshadow</code> and the running session, allowing the <code>sg</code> command to switch into the <code>docker</code> group and mount the host filesystem inside a container.</p>https://z3r0s6.github.io/machines/facts/Sun, 15 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/facts/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>Techniques</td> <td>Mass Assignment · MinIO · ssh2john · facter GTFOBin</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Facts is an Easy Linux machine running a Ruby on Rails CMS. The intended foothold is a <strong>Mass Assignment</strong> vulnerability in the password change endpoint - by appending <code>&amp;password[role]=admin</code> to the intercepted request, a low-privilege user escalates to admin without touching the LFI path. As admin, MinIO S3 credentials are exposed in the General Site filesystem settings. Using the <code>mc</code> client, an SSH private key is pulled from the internal MinIO bucket. The key passphrase is cracked offline with <code>ssh2john</code> + <code>john</code> (rockyou.txt → <code>dragonballz</code>). SSH access lands as <code>trivia</code>, who can run <code>/usr/bin/facter</code> as root via sudo. A malicious Ruby script planted in <code>/tmp/piv</code> and loaded via <code>--custom-dir</code> gives a root shell.</p>https://z3r0s6.github.io/machines/cctv/Sun, 01 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/cctv/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux (Ubuntu 24.04)</td> </tr> <tr> <td>CVE</td> <td>CVE-2024-51482</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>CCTV is an Easy Linux machine running ZoneMinder, a CCTV management web application. The attack chain involves exploiting a boolean-based SQL injection vulnerability (CVE-2024-51482) to enumerate the database and dump credentials, then pivoting through an internal Motion/MotionEye camera stack via command injection in the <code>picture_filename</code> parameter to gain a root shell.</p>