Headless - HackTheBox

Headless is an easy HackTheBox machine that is vulnerable to XSS in a contact form. Using that vulnerability, we can grab a cookie and gain admin access to the web app. Following that, we detect a command injection that gives us a foothold on the machine. Inside the machine, we gain root by exploiting a script containing a path hijack vulnerability.

April 1, 2024 · 4 min

Analytics - HackTheBox

Analytics is an easy HackTheBox machine that explores a vulnerability in a service called Metabase. After gaining a foothold in a Docker container, we get credentials that are used for both the database and SSH. Inside the machine, we use a vulnerability in a service called OverlayFS to get root.

March 29, 2024 · 3 min

Topology - HackTheBox

Topology is a HackTheBox machine that has a website showing information about a topology group. The group has a project that is a LaTeX equation generator. The subdomain running the project accepts LaTeX equations as input and generates a PNG image of each equation. However, the project is vulnerable to LaTeX injection, which lets us read files. One of those files, .htpassword, contains credentials that give access to an SSH session on the machine. To elevate privileges, we used a binary called pspy64 to look at processes without root privileges. We are able to see a command executed by root that can be used to gain root privileges, and this way we get root access.

October 5, 2023 · 5 min

Pilgrimage - HackTheBox

Pilgrimage is a HackTheBox machine that has a website to shrink images. Running gobuster, we found a Git repository and extracted all the code used in the website. Inside the retrieved repository there is a binary called magick that is used to shrink images; however, it is a vulnerable version. The version in question has a Local File Inclusion vulnerability that allows attackers to read files. After reading a SQLite database file, we get SSH credentials. Inside the system, we found a script that analyses the files submitted to the website for malware. However, the script uses a vulnerable version of binwalk, which gives us a shell as root.

October 2, 2023 · 7 min

Keeper - HackTheBox

Keeper is a machine that uses a well-known ticketing web application called Request Tracker with default credentials. Using the credentials, we get access as root and find a ticket with information made by a user that has the SSH password in his description. Those credentials give us access to their SSH session. In there, we get a KeePass dump and database. We use a vulnerability in KeePass that allows us to get parts of the master key from a dump, and with a quick search we recover the whole master key. In the database, we have a PuTTY-User-Key-File that we need to convert to an SSH private key to log in over SSH as root.

September 28, 2023 · 4 min