October-2024 Updates - New Exclusive Content
Written by Diablo
Updated over a month ago

We’ve introduced three new exclusive machines and four training machines to Dedicated Labs.


NEW EXCLUSIVE MACHINES

Slashed

Difficulty: Medium - Penetration Tester Level 2
Areas of Interest: Apache SSRF, NTLM Relaying & SQL Server Abuse
Technologies: Apache, SQL Server
Languages: PowerShell
Skills: Enumeration, Intermediate Windows Knowledge

Peeps

Difficulty: Very Easy - Penetration Tester Level 1
Areas of Interest: Apache HTTP Server mod_proxy Encoding CVE & Docker Group Abuse
Technologies: Apache, Docker
Languages: PHP
Skills: Enumeration, OWASP Top 10 Knowledge, Basic Linux Knowledge

Cup

Difficulty: Hard - Penetration Tester Level 3
Areas of Interest: CUPS Remote Exploitation, Nginx Proxy Manager RCE Exploitation & CUPS + wpa_supplicant Ubuntu Privilege Escalation
Technologies: CUPS, Nginx Proxy Manager
Languages: Python, Bash & C
Skills: Enumeration, Intermediate Linux Knowledge, Exploit Development / Modification


NEW TRAINING MACHINES

The retired community machines from 20th August to 20th September are detailed below.

Blurry

  • A medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is a chain of recently disclosed CVEs in the ClearML suite: the service exposes a web platform, a fileserver and an API, each of which contains vulnerabilities (CVE-2024-24590 to CVE-2024-24595) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with sudo is discovered. It loads arbitrary PyTorch models and evaluates them against a protected dataset. Because such models are pickle-based and therefore susceptible to insecure deserialisation, the program runs fickling over the supplied model file to check for unsafe pickle content before loading it. Malicious code can nevertheless be injected into a model using runpy, which bypasses the fickling checks.
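The pickle mechanics behind that privilege escalation, as an added example that is not HTB's or the Blurry machine's code: a PyTorch checkpoint is a pickle, so any object whose `__reduce__` returns a callable gets that callable invoked at load time; a denylist scanner of the kind the description refers to flags the textbook `os.system`/`subprocess` payload but not a callable it has never heard of, which is why a runpy-based payload passes; and the durable fix is an allowlisting `Unpickler` rather than a longer denylist. The denylist, the `Payload` class, the sample checkpoint and the use of CPython's private `runpy._run_code` helper (assumed present, used here with a harmless marker assignment instead of a shell command) are assumptions of this example; fickling itself is not used, so the scanner below is a simplified stand-in for it.

```python
import io
import pickle
import pickletools
import runpy
import subprocess
from collections import OrderedDict

# Constructed denylist in the spirit of a fickling-style "overtly malicious" check.
# os.system is serialised under its C module name (posix on Linux, nt on Windows),
# so a denylist keyed only on "os.system" would already miss the textbook payload.
DENYLIST = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


class Payload:
    """pickle.loads calls whatever __reduce__ returns: (callable, args)."""
    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def scan_globals(data):
    """Static scan of every (module, name) the pickle imports, without loading it.
    Handles GLOBAL/INST (protocol <= 3) and STACK_GLOBAL (protocol 4+); the latter
    assumes module and name are the two most recent string constants, which a
    memo-based indirection could evade. Real scanners emulate the pickle VM."""
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.add((recent[-2], recent[-1]))
    return found


def denylist_hits(data):
    """Globals the scanner would flag; an empty set means the scan 'passed'."""
    return scan_globals(data) & DENYLIST


def unsafe_load(data):
    """What a plain torch.load() amounts to without weights_only: full pickle.loads."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist instead of denylist: only globals a checkpoint legitimately needs
    (PyTorch's weights_only=True loader takes the same approach)."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_blocks(data):
    """True if the allowlisting loader refuses the pickle."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples. PAYLOAD_SHELL is the textbook payload and is only scanned,
# never loaded. PAYLOAD_RUNPY uses CPython's private runpy._run_code (assumed
# present: it exec()s a string in a fresh namespace and returns that namespace)
# to set a marker instead of running a command, so the demo stays harmless.
PAYLOAD_SHELL = pickle.dumps(Payload(subprocess.check_output, (["id"],)), protocol=4)
PAYLOAD_RUNPY = pickle.dumps(Payload(runpy._run_code, ("MARKER = 'pwned'", {})), protocol=4)
LEGIT_STATE_DICT = pickle.dumps(OrderedDict([("fc.weight", [0.1, -0.2])]), protocol=4)

if __name__ == "__main__":
    print("shell payload flagged:", denylist_hits(PAYLOAD_SHELL))
    print("runpy payload flagged:", denylist_hits(PAYLOAD_RUNPY))  # empty: scan passes
    print("runpy payload executed, MARKER =", unsafe_load(PAYLOAD_RUNPY)["MARKER"])
    print("allowlist blocks runpy payload:", safe_load_blocks(PAYLOAD_RUNPY))
    print("allowlist loads real checkpoint:", safe_load(LEGIT_STATE_DICT))
```

The takeaway for a defender is the asymmetry: the scanner has to enumerate every dangerous callable in the standard library and its C aliases, while the attacker needs only one it forgot. An allowlist keyed on what a checkpoint actually needs fails closed instead.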

Freelancer

  • A hard-difficulty Windows machine designed to challenge players with vulnerabilities that are frequently encountered in real-world penetration tests. It covers a broad range of skills: identifying business logic flaws in web applications, exploiting common issues such as insecure direct object reference (IDOR) and authorization bypass, and SQL impersonation attacks, which are less common but still critical to understand. Players work through scenarios such as exposing sensitive information through directory enumeration and manually building SQL queries, mirroring the tasks required in real assessments. More advanced techniques follow, including remote code execution via SQL features and Windows memory forensics. Active Directory attacks feature heavily, focusing on the AD Recycle Bin and the Backup Operators group, both of which have practical implications in modern environments. Password spraying, hash cracking and antivirus bypass also form part of the lab, so it tests both basic and advanced penetration testing techniques. Expect a blend of logical reasoning, technical exploitation and real-world problem-solving throughout.

BoardLight

  • An easy-difficulty Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253, which is leveraged to gain access as www-data. Enumerating and dumping the web configuration file reveals plaintext credentials that lead to SSH access to the machine. Further enumeration of the system identifies a SUID binary belonging to Enlightenment that is vulnerable to CVE-2022-37706 and can be abused to obtain a root shell.

SolarLab

  • A medium-difficulty Windows machine that starts with a business website. An SMB share accessible through a guest session holds a file with sensitive information about users on the remote machine. An attacker can extract valid credentials from this file and log in to a page that lets employees fill out forms for company purposes. These forms are rendered into PDFs with the ReportLab library, which is vulnerable to CVE-2023-33733. After some exploit development and modification, the attacker obtains code execution as the user blake. Further enumeration reveals that Openfire is installed and listening locally. Through a SOCKS tunnel, the attacker reaches the Openfire Administrator Console; the installed version is vulnerable to CVE-2023-32315, which allows the attacker to bypass the authentication screen, upload a malicious plugin and get code execution as the openfire user. That user can read the logs written when the server was installed and extract everything needed to crack the Administrator's password, which turns out to be reused for the local Administrator account.

