Inject
Inject
Inject 533
Inject
RETIRED MACHINE

Inject

Inject - Linux Linux
Inject - Easy Easy

4.3

MACHINE RATING

11654

USER OWNS

10536

SYSTEM OWNS

11/03/2023

RELEASED
Created by rajHere

Machine Synopsis

Inject is an Easy Difficulty Linux machine featuring a website with file upload functionality vulnerable to Local File Inclusion (LFI). By exploiting the LFI vulnerability, files on the system can be enumerated, revealing that the web application uses a specific version of the `Spring-Cloud-Function-Web` module susceptible to `CVE-2022-22963`. Exploiting this vulnerability grants an initial foothold as the `frank` user. Lateral movement is achieved by further file enumeration, which discloses a plaintext password for `phil`. A cronjob running on the machine can then be exploited to execute a malicious `Ansible` playbook, ultimately obtaining a reverse shell as the `root` user.

Machine Matrix

Ready to start your
hacking journey?