Vulnhub DomDom: 1 Walkthrough

by Vince
in Blog

After playing with Ted, I was excited to move to the next box from the same author.  DomDom is described as:  "How well do you understand PHP programs? How familiar are you with Linux misconfigurations? This image will cover advanced Web attacks, out of the box thinking and the latest security vulnerabilities."

Let me start off by saying that I think Ted was harder but it's really a matter of what you know versus what you don't know. This seemed pretty straightforward and it didn't take long to get on the box.  From there, root was quick.  I only went one route for root this time because it's Saturday morning and I have things to do. ;)  Given the nature of Ted, I think there's a more clever way to root but I take these boxes to be more about the entry than the privilege escalation.  Perhaps I'll take a second glance later.  I also thought about scripting up a portion of the process in Python.  For now....

Vulnhub Ted: 1 Walkthrough

by Vince
in Blog

This is definitely not a beginner style box.  The description for Ted states:  "How well do you understand PHP programs? How familiar are you with Linux misconfigurations? This image will cover advanced Web attacks, out of the box thinking and the latest security vulnerabilities."  

The biggest barrier for Ted is the entry.  Once you get on the box, standard enumeration will lead you to root in any number of ways.  There are no less than three kernel exploits and a misconfigured something.  It's Friday night and I've got nothing better to do than hack, so once I got on the box, I just kept popping it until I got bored.  That said, I did NOT get bored with the entry.  This box is hard, this box is fun, and this box is worth doing even if you're following this walkthrough because there are lessons to be learned.

Domain Takeover with Responder, RunFinger, and MultiRelay

by Vince
in Blog

I recently performed a pentest for a client who wanted a sanity check on their environment because there have been numerous new devices installed and those installations were done in haste.  While I do have prior knowledge of this network, I treated it like a black box test.  Initially, I thought I would drop into the network through a VPN and then attack from there but as luck would have it, I gained entry through a vulnerable device which made this all the more fun.

When I began scanning the network, I uncovered numerous devices that could have potentially been used to drive further into the network but I put those aside when I fired up Responder.  In previous times, Responder would poison a request and we'd get a hash for cracking but with a modern domain controller, odds are pretty good that password complexity rules will thwart your hash cracking attempts.  That said, we won't need to crack hashes when we can relay them.
