artificial is an easy linux machine, hosting a website to upload and run tenserflow models, I got foothold by uploading and running a model with a malicious lambda layer, once inside I cracked some...

tombwatcher is an assume-breach medium windows box where I was given the credentials of henry, from there I exploited 6 AD DACL mis-configuations to get the user flag, for priv esc restored a delet...

puppy is an assume-breach medium windows box where you’re given the credentials of levi.james, I started with exploiting a GenericWrite to add my user to the DEVELOPERS groups and gain access to t...

planning is an assume-breach box where you’re given the credentials of admin, which at first is not apparent where to use them. The box had a Grafana instance running that was vulnerable to CVE-202...

fluffy is an assume-breach box where you’re given the credentials of j.fleischman, for this box I exploited CVE-2025-24071 to get p.agila’s credentials, then I abused a few GenericWrites to work my...

for this box, I exploited an XXE to get web credentials for tornado, then achieved code execution trough exploiting an SSTI, after getting a shell I injected a stager shellcode I wrote into a root ...

Codify recon I ran a simple nmap scan to find out port 22, 80 and 3000 are running on the machine $ nmap 10.10.11.239 Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 13:40 +01 Nmap scan re...

pilgrimage recon examining the I ran a simple nmap scan to find out port 22 and 80 are running on the machine $ nmap -v -oN ports -v 10.10.11.219 # Nmap 7.94 scan initiated Sat Jul 8 20:01:58 ...

b3dr0ck recon I added the machine’s IP to my /etc/hosts as bedrock.thm then ran an nmap scan to find ssh and http ports open $ sudo nmap bedrock.thm -v PORT STATE SERVICE 22/tcp open ssh...

recon I added the machine’s IP to my /etc/hosts as nope.thm then ran an nmap scan to find ssh and http ports open $ sudo nmap nope.thm -v PORT STATE SERVICE 22/tcp open ssh 80/tcp open http...