~/writeups

as-rep-roastingbloodhoundsmbforcechangepasswordsebackupprivilege

AD Hard

A hard Active Directory box exercising the full offensive AD workflow — SMB share enumeration, Kerberos pre-authentication attacks, BloodHound-driven ACL analysis, and a backup-operator privilege path to the domain's secret store. A thorough tour of chaining delegated directory permissions into domain compromise.

Administrator

bloodhoundacl-abusepassword-resetdcsynckerberoasting

AD Medium

An Active Directory box starting from a foothold credential, exercising BloodHound-driven enumeration and a chain of ACL abuses — delegated password resets, targeted Kerberoasting, and DCSync — to walk outbound object-control rights up to full domain compromise.

Cicada

smbpassword-sprayldapsebackupprivilegerid-cycling

A beginner-friendly Active Directory box covering core domain reconnaissance — SMB share enumeration, password spraying, LDAP and RID-based user discovery, and a backup-operator privilege path to the domain's secret store. A clean introduction to turning a low-privilege foothold into domain compromise.

Nibbles

nibbleblogcve-2015-6967file-uploaddefault-credssudo

Linux Easy

An easy Linux box that rewards methodical web enumeration — uncovering a hidden, vulnerable blogging CMS for a foothold, then escalating through a classic writable-script sudo misconfiguration. A solid primer on CMS exploitation and Linux sudo privilege escalation.

Jerry

tomcatwar-uploaddefault-credsmsfvenomreverse-shell

An easy Windows box centered on a misconfigured Apache Tomcat server — exercising default-credential checks and abusing the web application manager's deployment feature for code execution. A quick lesson in why exposed management interfaces are dangerous.

Active

gpp-cpasswordkerberoastingsmbactive-directoryldap

A beginner-friendly Active Directory box covering the domain-attack fundamentals: anonymous SMB enumeration, a legacy Group Policy Preferences credential exposure, and Kerberoasting — a clean introduction to chaining small AD misconfigurations into full domain compromise.

Pilgrimage

exposed-gitimagemagickcve-2022-44268binwalkcve-2022-4510

Linux Easy

A Linux web box centered on an image-shrinking service: it tests source-code recovery from an exposed version-control directory, exploitation of an image-processing library, and abuse of a root-run file-analysis tool for privilege escalation.

SecNotes

csrfsmb-uploadphp-webshellwsl-bash-history

A Windows IIS box centred on a custom PHP notes application, exercising client-side request forgery against an authenticated action, credential discovery, and abuse of writable SMB shares for web-shell upload. Privilege escalation explores a Windows Subsystem for Linux install and the credential trails left behind in shell history.

Keeper

default-credentialsrequest-trackerkeepasscve-2023-32784putty-key

Linux Easy

A Linux box centred on a public-facing IT ticketing application and credential-store hygiene. It exercises virtual-host discovery, default-credential hunting against a web app, recovering secrets from a leaky password manager, and pivoting between SSH key formats to escalate.

Jeeves

jenkinsgroovy-rcekeepasskdbx-crackalternate-data-streams

A Windows box centered on a forgotten Jenkins automation server exposed on a non-standard port. It exercises web content discovery, abusing a CI/CD scripting console for command execution, cracking an offline password-manager database, and Windows credential reuse plus NTFS alternate data streams for the final loot.

Heist

cisco-type7smbrpc-enumwinrmfirefox-procdump

An easy Windows box centered on credential hunting across a support portal, leaked network-device configs, and a logged-in desktop application. It exercises Cisco password recovery, SMB/RPC user enumeration, password spraying, and dumping secrets from process memory — a tidy lesson in chaining harvested credentials toward full compromise.

Querier

xlsm-macromssqlresponder-ntlmxp-cmdshellpowerup-gpp

A medium Windows box built around a Microsoft SQL Server instance — exercising SMB share enumeration, secrets hidden in an Office macro, MSSQL client interaction, NTLM hash capture and offline cracking, and a Windows privilege-escalation audit with PowerUp. A well-rounded tour of MSSQL attack paths and Windows credential hygiene failures.

Chatterbox

achatbuffer-overflowseimpersonateregistry-creds

A Windows 7 box centered on a vulnerable third-party chat service, exercising memory-corruption exploitation against a custom network daemon and post-exploitation enumeration that surfaces stored credentials for privilege escalation and credential reuse.

Forest

as-rep-roastingkerberoastingbloodhounddcsyncacl-abuse

A domain-controller Active Directory box exercising anonymous LDAP enumeration, Kerberos pre-authentication credential attacks, and BloodHound-driven ACL analysis. It is a tidy introduction to mapping AD relationships and chaining group/ACL misconfigurations into full domain compromise.

Sauna

as-rep-roastingbloodhoundkerberoastingautologon-credsdcsync

An Active Directory domain controller that rewards careful enumeration — turning names harvested from a public website into a username wordlist, abusing Kerberos pre-authentication weaknesses, hunting for cached credentials in the Windows registry, and mapping replication rights in BloodHound to reach full domain compromise.

ServMon

nvms-1000lfianonymous-ftpnsclientssh-tunnel

A Windows host exposing a mix of legacy network-monitoring software alongside FTP, SSH, and a locally-bound management console. It exercises anonymous file-share enumeration, web path-traversal/LFI against a vulnerable surveillance app, password reuse and credential hunting, and privilege escalation through an over-privileged service reachable via an SSH tunnel.

Return

ldap-relayprinter-credsserver-operatorswinrmprivilege-escalation

A short Active Directory box centered on a network printer's administration interface and the credentials it exposes through LDAP authentication. It exercises capturing service-account credentials by redirecting an appliance's directory binds, then chaining a privileged Windows group membership into SYSTEM-level service abuse for full domain compromise.

SolidState

apache-jamesdefault-credentialscve-2015-7611smtprestricted-shell-escape

Linux Medium

A medium Linux box centred on a legacy mail stack — exercising SMTP/POP3 service enumeration, abuse of an exposed remote-administration interface guarded only by default credentials, and credential discovery hidden in mailbox contents. Privilege escalation tests restricted-shell escape and the abuse of a privileged scheduled task. A solid primer on mail-server tradecraft and Linux cron-based root paths.

Poison

lfilog-poisoningvncssh-tunnelingencrypted-archive

Linux Medium

A FreeBSD web host exercising local file inclusion and path traversal against a script-testing endpoint, layered encoding of a recovered secret, password reuse against an encrypted archive, and pivoting through SSH-tunneled internal services to reach a locally-bound remote desktop. Tests source-disclosure enumeration, credential recovery, and port-forwarding tradecraft.

Arctic

coldfusioncve-2009-2265jsp-shellchurrasco

An easy Windows box built around a legacy Adobe ColdFusion application server — exercising service fingerprinting on a non-standard port, research into known web-application vulnerabilities, and offline hash cracking, followed by a classic Windows token-impersonation privilege escalation against an older Server 2008 host.

Access

ftpmdb-accesspst-crackrunassavedcreds

A beginner-friendly Windows box centred on credential hunting through legacy file formats: anonymous FTP access leads to a Microsoft Access database and an encrypted archive, while privilege escalation explores stored Windows credentials. A clean introduction to pivoting between forgotten artifacts and abusing cached secrets.

Netmon