Cap is a fun box where we find a flask web app which lets us download network log, where we find FTP and SSH credentials for user nathan. The box has python which has capability to set UIDs, which lets us access roots shell, when UID is set to 0.
Pit is a fun box where SNMP Data reveals that seeddms instance is running, which is vulnerable to RCE. The box has CentOS’s Cockpit Web Console on port 9090, which uses reused password from DB credentials. This gives access to user shell. LinPeas reveals there is a monitoring service, which runs bash scripts in a particular directory. Chaining this with SNMPwalk gives us root.
Knife is a fun box which uses a PHP version having backdoor, which leads to RCE. The box has a command named knife which lets non-superusers run commanad as root.