An easy-difficult Windows machine that focuses on beginner Active Directory enumeration and exploitation. In this machine, players will enumerate the domain, identify users, navigate shares, uncover plaintext passwords stored in files, execute a password spray, and use the SeBackupPrivilege to achieve full system compromise.

An insane box that starts with an e-commerce store on port 80, where an attacker sets up a rouge HTTP server and exploits an SSRF to escalate privileges on their user account. Followed by the SSRF, the attacker eventually abuses an XSS vulnerability in the form of a QR code, which subsequently leads to the Django Administrator panel, which allows reading of the encrypted hashes and ultimately gives SSH access. Furthermore, the attack path involves reversing and exploiting a traffic analyzer program to move to another user laterally. For privilege escalation, an image is downloaded from the docker registry, which helps abuse insecure deserialization in the Django application, giving us a reverse shell in a container. The attacker creates and loads a kernel module to break out of the docker container and obtain a root shell.
​

A medium-difficulty Linux machine featuring a PrestaShop application vulnerable to CVE-2024-34716. Exploiting this vulnerability grants access to the remote server as the www-data user. Further enumeration reveals PrestaShop configuration files containing database credentials, allowing us to dump and crack password hashes to obtain the password for user james. We can then SSH into the server as james. A Docker container running ChangeDetection.io is also present, vulnerable to CVE-2024-32651, which can be exploited to gain a root shell inside the container. Inside the container, backup files from ChangeDetection.io reveal the password for user adam, which allows SSH access as adam. Finally, privilege escalation to root is achieved by exploiting CVE-2023-47268 in the PrusaSlicer tool.