November-2024 Updates - New Exclusive Content
Written by Diablo
Updated over a month ago

We’ve introduced two new exclusive machines and four training machines to Dedicated Labs.


NEW EXCLUSIVE MACHINES

Expectations

Difficulty

Very Easy - Penetration Testing Level 1

Areas of Interest

Palo Alto Expedition Exploitation

Technologies

Apache, Expedition

Languages

Bash

Skills

Enumeration, Basic Linux Knowledge

Doli

Difficulty

Medium - Penetration Tester Level 2

Areas of Interest

Dolibarr ERP Software Blind SQL Injection

Technologies

Dolibarr ERP Software

Languages

Python, Bash

Skills

Enumeration, OWASP Top 10 Knowledge, Basic Linux Knowledge, Basic Python Knowledge


NEW TRAINING MACHINES

The retired community machines from 20th October to 20th November are detailed below.

Axlle

  • A hard Windows Machine that starts with a website on port 80. The site informs potential users that it's down for maintenance, but that Excel invoices that need processing can be sent over through email and will get reviewed.
    An attacker is able to craft a malicious XLL file to bypass the security checks that are in place and perform a phishing attack. Once the attacker has code execution on the machine, they are able to create a malicious .url file that the user dallon.matrix will execute, compromising that account. This user is a member of a group that can change the password of the user jacob.greeny, after which WinRM can be used to authenticate as jacob.greeny. Finally, that user is a member of the App Devs group, and the StandaloneRunner binary has been automated and is running as SYSTEM. The attacker is able to exploit that automation and get a shell as the Administrator user.

PermX

  • An Easy Difficulty Linux Machine featuring a learning management system vulnerable to unrestricted file uploads via CVE-2023-4220. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A sudo misconfiguration is then exploited to gain a root shell.

Mist

  • An Insane-difficulty Machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The Machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account’s NTLM hash, enabling a DCSync attack to obtain the Domain Administrator hash.

Editorial

  • An easy difficulty Linux Machine that features a publishing web application vulnerable to Server-Side Request Forgery (SSRF). This vulnerability is leveraged to gain access to an internal running API, which is then leveraged to obtain credentials that lead to SSH access to the machine. Enumerating the system further reveals a Git repository that is leveraged to reveal credentials for a new user. The root user can be obtained by exploiting CVE-2022-24439 and the sudo configuration.


Looking for more content, features, or a place to leave feedback?

Book your spot for a 15-minute call where we can discuss how to level up your training!
