Introduction In this walkthrough, I worked on the Nickel intermediate Windows machine from PG Practice. After discovering several open ports, I focused on port 8089, which hosted a DevOps dashboar...

Introduction In this walkthrough, I worked on the Mantis intermediate Linux machine from PG Practice. The target hosted Mantis Bug Tracker, and while several public exploits failed initially, I di...

Introduction In this walkthrough, I worked on the Hokkaido intermediate Active Directory machine from PG Practice. I began by enumerating usernames using Kerbrute, and then conducted password brut...

Introduction In this walkthrough, I worked on the Hepet intermediate Windows machine from PG Practice. While browsing the target’s website, I found a user password exposed in the team section’s de...

Introduction In this walkthrough, I explored the Vault hard Active Directory machine. During enumeration, I discovered a writable SMB share. By placing a malicious .lnk (shortcut) file on the shar...

Introduction In this walkthrough, I tackled the Craft intermediate Windows machine. Port 80 revealed a file upload feature that accepted .odt documents. I crafted a malicious macro and uploaded it...

Introduction On the Nagoya hard AD machine, enumeration started by gathering team member names from the target’s website. Using these, along with username.anarchy, a list of probable usernames was...

Introduction Builder is a medium-difficulty Linux machine that hosts a Jenkins CI/CD instance vulnerable to CVE-2024-23897. This flaw allows unauthenticated attackers to read arbitrary files on th...

Introduction Timelapse is an easy-difficulty Windows machine where enumeration of an SMB share leads to a password-protected zip file. Cracking the zip file reveals an encrypted PFX certificate, w...

Introduction Monteverde is a Medium-difficulty Windows machine centered around Azure AD Connect. After enumerating domain users, a password spray attack revealed that the SABatchJobs account used ...