A hard-difficulty Windows Machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing LibreOffice macros after disabling the MacroSecurityLevel registry value, abusing MSKRP to dump DPAPI credentials, and abusing Group Policies due to excessive Active Directory privileges.
​

A medium-difficulty Windows Machine that features an Openfire XMPP server, hosted on a Domain Controller (DC). Public registration on the XMPP server allows the user to register an account. Then, by retrieving a list of all the users on the domain, a kerberoastable account is found, which allows the attacker to crack the retrieved hash for the user's password. By visiting the account's XMPP chat rooms, another account's password is retrieved. This new account has DCOM privileges over the DC, thus granting the attacker local access on the machine. Finally, a malicious plugin uploaded through the locally-hosted Openfire Administration Panel gives the user SYSTEM access.

An insane-difficulty Linux Machine featuring a feature-rich web attack surface that requires chaining various vulnerabilities to bypass strict Content Security Policies (CSP) and steal an authentication cookie via Cross-Site Scripting (XSS). This results in staff-level access to internal web applications, from where a file-sharing service's access controls can be bypassed to access other users' files. This leads to an onboarding document revealing the default password template. Password spraying the SSO endpoint returns valid credentials, which can be used to SSH into a workstation that authenticates via LDAP. Data in the user's home directory can be used to brute force the pin to a Bitwarden vault, enabling the attacker to pass multi-factor authentication (MFA) on Gitea and enumerate private repositories, discovering a private key used to sign JWT tokens. Forging a token and authenticating as a user in the engineering group, the LDAP password is changed to obtain system access to the group and a docker socket, which is leveraged to obtain root privileges inside a Proxmox environment. The container is escaped using a private SSH key belonging to the sysadmin group. Finally, CVE-2022-35508 is used to exploit PVE and obtain access to the root account on the host machine.
​

An easy-difficulty Linux Machine that features a Python Werkzeug server hosting a website. The website has a customer support form, which is found to be vulnerable to blind Cross-Site Scripting (XSS) via the User-Agent header. This vulnerability is leveraged to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to command injection, leading to a reverse shell on the box. Enumerating the user’s mail reveals a script that does not use absolute paths, which is leveraged to get a shell as root.