mirage is hard windows machine where I only could get the user flag before it retired, for the foothold I hijacked an internally used dns entry and got initial user creds by tricking a user to conn...

outbound is an assume-breach easy linux box where I was given the credentials of tyler, I used his credentials to get a shell as www-data by exploiting CVE_2025_49113, an authenticated RCE in round...

voleur is an assume-breach medium windows box running active directory services with ntlm auth disabled as well as a linux instance running on wsl, where I was given the credentials of ryan.naylor,...

artificial is an easy linux machine, hosting a website to upload and run tenserflow models, I got foothold by uploading and running a model with a malicious lambda layer, once inside I cracked some...

tombwatcher is an assume-breach medium windows box where I was given the credentials of henry, from there I exploited 6 AD DACL mis-configuations to get the user flag, for priv esc restored a delet...

puppy is an assume-breach medium windows box where you’re given the credentials of levi.james, I started with exploiting a GenericWrite to add my user to the DEVELOPERS groups and gain access to t...

planning is an assume-breach box where you’re given the credentials of admin, which at first is not apparent where to use them. The box had a Grafana instance running that was vulnerable to CVE-202...

fluffy is an assume-breach box where you’re given the credentials of j.fleischman, for this box I exploited CVE-2025-24071 to get p.agila’s credentials, then I abused a few GenericWrites to work my...

for this box, I exploited an XXE to get web credentials for tornado, then achieved code execution trough exploiting an SSTI, after getting a shell I injected a stager shellcode I wrote into a root ...

Codify recon I ran a simple nmap scan to find out port 22, 80 and 3000 are running on the machine $ nmap 10.10.11.239 Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 13:40 +01 Nmap scan re...