Future Router - UMassCTF 2024 Writeup
A web category challenge which involves chaining an arbitrary file read vulnerability in a cURL utility with a command injection vulnerability on a WebSocket-based customer service agent.
Flight - HackTheBox Writeup (10.10.11.187)
Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.
RedPanda - HackTheBox Writeup (10.10.11.170)
Easy-difficulty Linux box on exploiting a server-side template injection vulnerability in a Spring Boot web application, then a not-so-easy privilege escalation involving an XML external entity injection vulnerability in a custom view counter script.
DFIR Investigation - DownUnderCTF 2022 Writeup
A digital forensics and incident response challenge on deobfuscating a C2 persistence PowerShell stager, using ActivitiesCache.db to reveal past user activities, and recovering resident data from the NTFS Master File Table.
Timelapse - HackTheBox Writeup (10.10.11.152)
Easy-difficulty Windows machine with a focus on Active Directory LDAP and SMB enumeration. Privilege escalation by recovering service account credentials in PowerShell history logs, then dumping LAPS passwords from the service account.
Horizontall - HackTheBox Writeup (10.10.11.105)
Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.
Vault - IJCTF 2021 Writeup
A forensics category challenge on recovering TLS session keys from a packet capture, and decrypting TLS traffic tunnelled over ICMP (ping) through a SOCKS proxy, then recovering files from partial HTTP/2 requests.
Ophiuchi - HackTheBox Writeup (10.10.10.227)
Medium-difficulty Linux box on exploiting insecure deserialisation vulnerability in a SnakeYAML applet. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.
Spectra - HackTheBox Writeup (10.10.10.229)
Easy-difficulty ChromeOS box with a focus on password reuse on WordPress. Privilege escalation by leveraging sudo rights on initctl to create a new malicious service and gain root access.
Tenet - HackTheBox Writeup (10.10.10.223)
Medium-difficulty Linux box about exploiting insecure deserialisation vulnerabilities in a PHP data migration program under development. Privilege escalation by exploiting a race condition between Bash variable references in an SSH backup script.
ScriptKiddie - HackTheBox Writeup (10.10.10.226)
Easy-difficulty Linux box on exploiting CVE-2020-7384 APK template vulnerability in MSFvenom. Privilege escalation by exploiting a command injection vulnerability in a Bash script, then pivoting to a privileged user with sudo rights on msfconsole.
Delivery - HackTheBox Writeup (10.10.10.222)
Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.
Ready - HackTheBox Writeup (10.10.10.220)
Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.
Sharp - HackTheBox Writeup (10.10.10.219)
Hard-difficulty Windows box with a focus on reverse engineering C# applications and enumerating SMB shares. Foothold gained by reversing the encryption in a Kanban application. Privilege escalation by abusing WCF server and client applications ported from .NET remoting.
Bucket - HackTheBox Writeup (10.10.10.212)
Medium-difficulty Linux box all about exploiting improperly configured Amazon S3 buckets. Privilege escalation by extracting credentials from DynamoDB and leveraging arbitrary file read through PD4ML, an HTML-to-PDF tool.
Laboratory - HackTheBox Writeup (10.10.10.216)
Easy-difficulty Linux box with a focus on exploiting local file inclusion and insecure deserialisation vulnerabilities in GitLab 12.8.1. Privilege escalation by escaping the Docker container and abusing a SUID binary with a PATH hijacking attack.
Time - HackTheBox Writeup (10.10.10.214)
Medium-difficulty Linux box on exploiting SSRF vulnerability CVE-2019-12384 in Jackson and leveraging a privileged shell script to gain root.
Chicken - UMassCTF '21 Writeup
Chicken Chicken Chicken: Chicken Chicken? A forensics category challenge all about extracting hidden streams in a PDF file and 7-Zip password cracking.
Heim - UMassCTF '21 Writeup
Only those who BEARER a token may enter! A web exploitation category challenge on intercepting and forging JSON Web Tokens from a debugging endpoint to bypass Bearer authentication.
Reel2 - HackTheBox Writeup (10.10.10.210)
Hard-difficulty Windows box with a focus on password spraying attacks and NetNTLMv2 hash phishing on Outlook. Privilege escalation by abusing an insecure Powershell JEA cmdlet with symbolic links, while bypassing PS constrained language mode.
Passage - HackTheBox Writeup (10.10.10.206)
Medium-difficulty Linux box on exploiting CuteNews 2.1.2 CVE-2019-11447 and abusing Linux's official USB-creator tool to gain arbitrary file write as root.
Academy - HackTheBox Writeup (10.10.10.215)
Easy-difficulty Linux box about exploiting Laravel CVE-2018-15133 and privilege escalation with Composer.
Feline - HackTheBox Writeup (10.10.10.205)
Hard-difficulty Linux box on exploiting Apache Tomcat CVE-2020-9484 and abusing docker.sock exposure.
Doctor - HackTheBox Writeup (10.10.10.209)
A not-so-easy Linux box about advanced URL command injection and exploiting Splunk Universal Forwarder to gain root and persistence.
Worker - HackTheBox Writeup (10.10.10.203)
Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.