Machine Synopsis
Retired is a medium-difficulty Linux machine that focuses on simple web attacks, stack-based binary exploitation and insecure kernel features. The initial foothold is gained by exploiting a path traversal vulnerability in a web application, which leads to the discovery of an internal service that handles uploaded data. The corresponding binary file, its dependencies and its memory map can be downloaded via the same path traversal vector and analysed to identify a buffer overflow vulnerability and to obtain the memory addresses and ROP gadgets needed to develop a working exploit, resulting in an interactive shell on the system. Lateral movement to a second low-privileged user is possible by performing a symlink attack on a scheduled backup script, which gives access to the user's home directory and their private SSH key file. Finally, a helper program that allows the user to write data to `/proc/sys/fs/binfmt_misc/register` is found, allowing privilege escalation by leveraging the `credentials` flag when registering a custom handler for `root`-owned setuid files.
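For defenders, the `credentials` flag mentioned above is visible as a `C` in the `flags:` line of each handler's status file under `/proc/sys/fs/binfmt_misc/`. The following audit sketch is an added example, not part of the original write-up; the handler names, interpreter paths and sample entries in `demo()` are constructed.

```python
"""Flag binfmt_misc handlers registered with the 'C' (credentials) flag."""
import os
import tempfile

CONTROL_FILES = {"register", "status"}  # not handler entries

def parse_entry(text):
    """Parse the status text the kernel exposes for one registered handler."""
    lines = text.splitlines()
    entry = {"enabled": lines[:1] == ["enabled"], "interpreter": "", "flags": ""}
    for line in lines[1:]:
        if line.startswith("interpreter "):
            entry["interpreter"] = line[len("interpreter "):].strip()
        elif line.startswith("flags:"):
            entry["flags"] = line[len("flags:"):].strip()
    return entry

def audit(directory="/proc/sys/fs/binfmt_misc"):
    """Return (name, interpreter) for each enabled handler carrying 'C'."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name in CONTROL_FILES or not os.path.isfile(path):
            continue
        try:
            with open(path, errors="replace") as fh:
                entry = parse_entry(fh.read())
        except OSError:
            continue  # entry removed or unreadable since listdir()
        if entry["enabled"] and "C" in entry["flags"]:
            findings.append((name, entry["interpreter"]))
    return findings

def demo():
    """Audit a temporary directory of constructed entries (not from the machine)."""
    tail = "offset 0\nmagic 7f454c46\n"
    samples = {
        "qemu-arm": "enabled\ninterpreter /usr/bin/qemu-arm-static\nflags: OF\n" + tail,
        "example-handler": "enabled\ninterpreter /tmp/example-interp\nflags: OC\n" + tail,
        "old-handler": "disabled\ninterpreter /opt/old/interp\nflags: C\n" + tail,
        "status": "enabled\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return audit(tmp)

if __name__ == "__main__":
    for name, interp in demo():
        print(f"credentials flag set: {name} -> {interp}")
```

On a live host, call `audit()` with no argument; it raises `FileNotFoundError` if `binfmt_misc` is not mounted. Any finding whose interpreter is not a known, root-owned binary deserves review.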
Machine Matrix