We’ve introduced two new exclusive machines and four training machines to Dedicated Labs.
NEW EXCLUSIVE MACHINES
KingFisher
Difficulty | Medium - Penetration Testing Level 2 |
Areas of Interest | Phishing |
Technologies | Gitea, Office |
Languages | Bash |
Skills | Enumeration, Basic Linux Knowledge |
Restart
Difficulty | Medium - Penetration Tester Level 2 |
Areas of Interest | InoERP Software, Remote Code Execution, Web Applications, Common Applications |
Technologies | InoERP Software |
Languages | Python |
Skills | Enumeration, OWASP Top 10 Knowledge, Basic Linux Knowledge, Basic Python Knowledge |
NEW TRAINING MACHINES
The retired community machines from 20th October to 20th November are detailed below.
Resource
A hard difficulty Linux Machine that intricately covers various ways to use OpenSSH private and public keys. It centers around the SSG IT Resource Center, which offers a ticketing service to address the IT issues (SSH access, website and security issues, etc.) of its customers. Upon creating a ticket through the website we can execute Local File Inclusion, trigger a reverse shell, and get access to what appears to be a Docker container that hosts the ticketing website. From this point, there are various clues in past tickets and leftover SSH artifacts, as well as a key signing API service, that will lead to pivoting through other users and escaping the Docker container. Finally, the machine includes various scripts detailing the functions of its ticketing service and key signing API, one of which includes a vulnerable line of code allowing for brute forcing the final SSH key and achieving full privilege escalation.
Lantern
A Hard Linux Machine that showcases a misconfiguration in the Skipper Proxy and a Blazor-based web application. To successfully complete this challenge, an attacker must first exploit a Server-Side Request Forgery (SSRF) vulnerability to pivot into an internal service running locally. This will allow them to read files and upload new ones, where the ultimate goal is to obtain a keypair that can be used to gain SSH access to the system. Privilege escalation is achieved by leveraging the misuse of the procmon utility, which allows for monitoring sensitive syscalls. To succeed in this challenge, the player must conduct careful reconnaissance, exploit .NET binaries, and leverage privilege escalation techniques.
GreenHorn
An easy difficulty Machine that takes advantage of an exploit in Pluck to achieve Remote Code Execution and then demonstrates the dangers of pixelated credentials. The machine also showcases that we must be careful when sharing open-source configurations to ensure that we do not reveal files containing passwords or other information that should be kept confidential.
Compiled
A medium-difficulty Windows Machine featuring a Gitea instance and a web application that clones Git repository URLs on the backend. The server's Git version is vulnerable to CVE-2024-32002, which can be exploited to gain initial access with a Git Bash shell as Richard. By cracking the password hash retrieved from the Gitea database file, the password for user Emily can be obtained. Privilege escalation to Administrator is achieved by exploiting CVE-2024-20656, a vulnerability in the Visual Studio Code version installed on the server.
Looking for more content, features, or a place to leave feedback?
Book your spot for a 15-minute call where we can discuss how to level up your training!