HackTheBox - Editor writeup (Linux/Easy)
Editor is an easy Linux machine with SSH open. It runs an old version of XWiki on top of a Jetty web server. I exploited CVE-2025-24893 to gain a foothold from XWiki. Once inside, I found SSH crede...
Era is a medium Linux box that highlights the danger of loose PHP wrapper implementations. The foothold involves enumerating a file storage vhost to exploit a logic flaw in password recovery, leadi...
Mirage is a hard Windows machine where I could only get the user flag before it retired. For the foothold I hijacked an internally used DNS entry and got initial user creds by tricking a user to conn...
Outbound is an assume-breach easy Linux box where I was given the credentials of tyler. I used his credentials to get a shell as www-data by exploiting CVE-2025-49113, an authenticated RCE in round...
Voleur is an assume-breach medium Windows box running Active Directory services with NTLM auth disabled, as well as a Linux instance running on WSL, where I was given the credentials of ryan.naylor,...
Artificial is an easy Linux machine hosting a website to upload and run TensorFlow models. I got a foothold by uploading and running a model with a malicious lambda layer. Once inside, I cracked some...
TombWatcher is an assume-breach medium Windows box where I was given the credentials of henry. From there I exploited 6 AD DACL misconfigurations to get the user flag. For priv esc I restored a delet...
Puppy is an assume-breach medium Windows box where you’re given the credentials of levi.james. I started with exploiting a GenericWrite to add my user to the DEVELOPERS group and gain access to t...
Planning is an assume-breach box where you’re given the credentials of admin, though at first it is not apparent where to use them. The box had a Grafana instance running that was vulnerable to CVE-202...
Fluffy is an assume-breach box where you’re given the credentials of j.fleischman. For this box I exploited CVE-2025-24071 to get p.agila’s credentials, then I abused a few GenericWrites to work my...