HackTheBox - CodePartTwo writeup (Linux/Easy)
CodePartTwo is an easy Linux box hosting an open-source js2py sandbox vulnerable to RCE via the CVE-2024-28397 sandbox escape. I exploited the CVE to gain an initial foothold as app, then cracked hashes i...
Imagery is a medium Linux box running a Flask Python application. I exploited a stored XSS to steal the admin cookie and log in as admin on the website, then exploited an LFI in the admin panel to...
Editor is an easy Linux machine with SSH open. It runs an old version of XWiki on top of a Jetty web server. I exploited CVE-2025-24893 to gain a foothold from XWiki. Once inside, I found SSH crede...
Era is a medium Linux box that highlights the danger of loose PHP wrapper implementations. The foothold involves enumerating a file storage vhost to exploit a logic flaw in password recovery, leadi...
Mirage is a hard Windows machine where I could only get the user flag before it retired. For the foothold, I hijacked an internally used DNS entry and got initial user creds by tricking a user to conn...
Outbound is an assume-breach easy Linux box where I was given the credentials of tyler. I used his credentials to get a shell as www-data by exploiting CVE-2025-49113, an authenticated RCE in round...
Voleur is an assume-breach medium Windows box running Active Directory services with NTLM auth disabled, as well as a Linux instance running on WSL, where I was given the credentials of ryan.naylor,...
Artificial is an easy Linux machine hosting a website to upload and run TensorFlow models. I got a foothold by uploading and running a model with a malicious lambda layer. Once inside, I cracked some...
Tombwatcher is an assume-breach medium Windows box where I was given the credentials of henry. From there I exploited 6 AD DACL misconfigurations to get the user flag; for priv esc restored a delet...
Puppy is an assume-breach medium Windows box where you’re given the credentials of levi.james. I started by exploiting a GenericWrite to add my user to the DEVELOPERS group and gain access to t...