Monitors Two involved exploiting cacti which was vulnerable to un-aunthenticated remote code execution (CVE-2022–46169) which returns a shell as www-data in a docker container, escalating privileges to root through capsh on the container and then getting root on the host by abusing CVE-2021-41091, which is a flaw in docker engine…

Retro, an easy rated machine, involved enumerating smb shares to find an account having a weak password, further finding a note about pre-created computer account having enrollment rights on a template allowing to request a certificate on behalf of any other user dubbed as ESC1 template attack. NMAP PORT…

OnlyForYou, a medium rated machine involved enumerating vhost to find an application which gives us the ability to download the source which was vulnerable to LFR (Local File Read) which leads to reading nginx config to find the root directory of the application and reading the source code of the…

Lustrous, a medium chain AD machine involved two machines, LusMS and LusDC , from LusMS, accessing the ftp share there were usernames which out of which ben.cox didn’t require any pre-authentication, resulting in AS-REP roasting , having remote access to LusMS, local administrator password found in a form of secure…

Intercept, a hard rated chain machine involved two machines, WS01 and DC01 , on WS01 coercing NTLM authentication by uploading different file extensions to grab the hash of the user, performing Resource Based Constrained Delegation (RBCD) by utilizing WebDAV and PetitPotam to relay WS01’s hash through LDAP, abusing GenericAll to…

Reflection is a medium Active Directory chain which consists of three machines, MS01, WS01 and DC01 , from MS01, MSSQL staging credentials were found from smb share, which lead to relaying the NTLM hash on DC01’s smb shares, where the service account had access to the prod share containing credentials…

Agile involved using Local File Read (LFR) to read the source files with debug mode enabled, allowing to access werkzeug console by reading files responsible for generating PIN, having access to the console, getting a shell as www-data and escalating to corum user by accessing the database to retrieve the…

Cerberus, a hard rated mixture of linux and windows, involved exploiting icinga2 through two CVEs, arbitrary file disclosure (CVE-2022–24716) and Authenticated RCE (CVE-2022–24715) giving a shell as www-data , escalating privileges on linux system through firejail (CVE-2022–31214), being a root user, domain user’s cached hash was recovered from sssd which…

Hybrid is an easy Active Directory which involved two machines MAIL01 and DC01, MAIL01 had roundcube webmail running, nfs share was available for mount which had the credentials for roudcube, it was using a plugin for marking mails as junk which was vulnerable to remote code execution with a crafted…