FormulaX
RETIRED MACHINE

OS: Linux
Difficulty: Hard
Machine rating: 4.6
User owns: 2208
System owns: 1989
Released: 09/03/2024
Created by 0xSmile

Machine Synopsis

FormulaX is a hard difficulty Linux machine featuring a chat application vulnerable to Cross-Site Scripting (XSS), which can be exploited to uncover a hidden subdomain. This subdomain runs simple-git version 3.14, susceptible to [CVE-2022-25912](https://www.cve.org/CVERecord?id=CVE-2022-25912), allowing access as user `www-data`. We then crack the MongoDB password hash to escalate to user `frank_dorky`. Next, we exploit an SNMP trap vulnerability in the internal LibreNMS instance to gain a shell as user `librenms`. Credentials found in files provide the password for user `kai_relay`. Finally, privilege escalation to `root` is achieved by exploiting a formula injection vulnerability in a LibreOffice Calc instance to access the root private SSH key.
