conversor is an easy linux machine that involves web enumeration leading to a source code leak. The source code reveals a file upload path traversal vulnerability, which is exploited to write a P...

expressway is an easy Linux box running isakmp over UDP. By abusing aggressive mode, I cracked the pre-shared key and used it to authenticate via SSH. During post-exploitation, I discovered two d...

guardian is a hard Linux box, hosting a php based university website, this writeup involved leveraging default student credentials, session hijacking via CVE-2025-22131 (XSS) in phpspreadsheet, and...

Giveback is a medium Linux box from season 9, hosting a wordpress website on a kubernetes setup with a vulnerable plugin, which gives remote code execution on the wordpress pod, from there I found ...

soulmate is an easy Linux box running a crushftp instance vulnerable to CVE-2025-31161 auth bypass, I took advantage of it to add a new superuser so I can upload a revshell and get a shell as www-d...

signed is an assume-breach medium windows box from season 9, where I was given the credentials of scott, I was able to leak mssqlsvc netntlmv2 hash using xp_dirtree and crack it, then use the crede...

CodePartTwo is an easy Linux box, hosting an open source js2py sandbox vulnerable to RCE via CVE-2024-28397 sandbox escape, I exploited the CVE to gain initial foothold as app then cracked hashes i...

Imagery is a medium Linux box, running a Flask Python application, I exploited a stored XSS to steal the admin cookie and log in as admin on the website, then exploited an LFI in the admin panel to...

editor is an easy Linux machine with SSH open. It runs an old version of xwiki on top of a Jetty web server. I exploited CVE-2025-24893 to gain a foothold from xwiki. Once inside, I found SSH crede...

Era is a medium Linux box that highlights the danger of loose PHP wrapper implementations. The foothold involves enumerating a file storage vhost to exploit a logic flaw in password recovery, leadi...