Red panda, an easy rated linux machine, involved a spring boot application vulnerable Server Side Template Injection (SSTI) which was blocking few characters to not allow remote code execution, using any encoder for generating payload for java runtime exec, we get the shell as woodenk user, running pspy a jar…

Hathor was an insane windows machine that involved logging to mojopotral using default admin creds, uploading aspx web shell, enumerating the system to get BeatriceMill credentials, being a web service user we can perform IIS Impersonatation to get a reverse shell as BeatriceMill, on further enumeration, 7zip is being executed…

Shared was medium rated linux machine which involved exploiting data in the cookie which was being fetched from database in json format vulnerable to sqli, enumerating the database we’ll find the credentials for james_mason , running pspy we’ll see that ipython which has is being ran in a directory where…

Moderators was a hard rated box which involved fuzzing for report number which lead to accessing a page for uploading file that was restricted to only pdf that was bypassed through magic bytes and content type leading to uploading php file but most of the functions were blocked, using proc_open…

Trick an easy linux machine involved performing DNS zone transfer which lead to a management system vulnerable to sqli allowing us to login, through sqli, exploiting LFI to read vhost file to get another subdomain which was also had LFI but the site was running as the user michael and…

Faculty was a medium rated linux machine which involved exploiting Local File Inclusion in mpdf allowing us to read local files, reading the db_connect.php file we’ll get the credentials which will work for gbyolo user, running sudo -l, we’ll see that we can run meta-git through which we can escalate…

Opensource an easy rated linux machine which involved a flask application running in debug mode with an ability to upload files, having the .git folder with two branches one having the source code of the application, it was vulnerable to LFI (Local File Inclusion) due to the use os.path.join with…

Cloud Goat is a AWS deployment container which is basically a CTF for teaching AWS abuses. The scenarios that I have tried covering from cloudgoat are Cloud Breach s3 EC2 SSRF RCE Web App The reason why I have done only three is because most of them were unstable required…

Scrambled was a medium rated AD machine which had NTLM authentication disabled meaning that you would need to authenticate through kerberos only, the site revelaed a username with a message that the password is the same as the name, through kerbute the credentials can be verified and after accessing SMB…