HackTheBox Writeup Certified
Certified is a medium-difficulty Windows machine designed around an assumed breach scenario, where credentials for a low-privileged user are provided. To gain access to the management_svc account, ...
Instant is a medium difficulty machine that includes reverse engineering a mobile application, exploiting API endpoints, and cracking encrypted hashes and files. Players will analyze an APK to extr...
Alert is an easy-difficulty Linux machine with a website to upload, view, and share markdown files. The site is vulnerable to cross-site scripting (XSS), which is exploited to access an internal pa...
Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen (CVE-2024-23346) Python library by uploading a malicious CIF file to the hos...
Sightless is an easy-difficulty Linux machine featuring a website for a company offering various services. Enumeration of the website reveals an SQLPad instance vulnerable to template injection [CV...
Sea is an Easy Difficulty Linux machine that features CVE-2023-41425 in WonderCMS, a cross-site scripting (XSS) vulnerability that can be used to upload a malicious module, allowing access to the s...
Cicada is an easy-difficulty Windows machine that focuses on beginner Active Directory enumeration and exploitation. In this machine, players will enumerate the domain, identify users, navigate shar...
Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Refer...
GreenHorn is an easy difficulty machine that takes advantage of an exploit in Pluck to achieve Remote Code Execution and then demonstrates the dangers of pixelated credentials. The machine also sho...
PermX is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via CVE-2023-4220. This vulnerability is leveraged to gain a foothold on the...
Editorial is an easy difficulty Linux machine that features a publishing web application vulnerable to Server-Side Request Forgery (SSRF). This vulnerability is leveraged to gain access to an inter...
Learnt / Summary Always write something in a test file… Recon Nmap # Nmap 7.94SVN scan initiated Sun Jun 16 01:37:11 2024 as: nmap -sVC --version-all -T4 -Pn -vv -oA ./nmap/full_tcp_scan -...
Learnt / Summary Instead of using plugin exploits recommended by wpscan, just get the plugin’s version then google to find most-used exploits Recon Hosts ┌──(bravosec㉿fsociety)-[~/Offsec/pg...
Learnt / Summary If the machine’s kernel is very old <=4.x and has gcc installed, it’s 90% kernel exploit for privesc Recon Nmap # Nmap 7.94SVN scan initiated Fri Jun 14 17:50:53 2024 ...
Learnt / Summary Couldn’t enumerate usernames? Check strings carefully on every web page that could be a person Identify database related functions, fuzz SQLI payloads bcrypt hash? Not cra...