Case files
- Case files
Walkthroughs
113 operator notes from lab sessions.
Difficulty
Focus
Jump to
Foundations
76 filesAD guest RID brute, Kerberoast, and Pass-the-Hash to SYSTEM
Foundations30 minFoundations Active Directory engagement: guest SMB enabled RID brute and username=password spray; Kerberoast cracked file_svc; backup share hashes Pass-the-Hash’d as FileServer$ via PsExec to SYSTEM.
Windows · Active Directory · Kerberos · Pass-the-Hash
Anonymous FTP note, SSH spray, and sudo less escape
Foundations22 minFoundations Linux engagement: anonymous FTP leaked usernames and a weak-password hint; Hydra recovered jake’s SSH secret; NOPASSWD less spawned a root shell via GTFOBins.
Linux · FTP · SSH · Privilege Escalation
Anonymous FTP wordlist to SSH and sudo tar abuse
Foundations20 minLinux host with anonymous FTP leaking a task note and password candidates; SSH spray as lin succeeded; misconfigured sudo for /bin/tar yielded root via GTFOBins checkpoint-action.
Linux · FTP · SSH · Privilege Escalation
Anonymous FTP, GPG key crack, and root shadow reuse
Foundations24 minFoundations Linux engagement: anonymous FTP exposed a GPG private key and encrypted shadow backup; cracked passphrase and root hash yielded direct SSH as root.
Linux · FTP · GPG · Password Cracking
Aria2 LFI, Tomcat WAR deploy, and Ansible path traversal
Foundations32 minFoundations Linux engagement: CVE-2023-39141 on Aria2 disclosed Tomcat credentials; WAR deploy yielded tomcat; sudo ansible-playbook wildcards pivoted to wilbur; internal gallery upload and TTY pushback completed root.
Linux · Path Traversal · Tomcat · Privilege Escalation
Auth and crypto failure categories with sequential IDOR revert
Foundations14 minFoundations web engagement: mapped unlimited login attempts to Identification and Authentication Failures and cleartext credentials to Cryptographic Failures, then used an IDOR on sequential user objects to locate and revert malicious changes.
OWASP · IDOR · Authentication · Cryptography
Authoritative DNS TXT disclosure for a gated domain query
Foundations12 minFoundations network engagement: host answered DNS only for givemetheflag.com; dig/nslookup against the target returned a TXT record containing the secret.
DNS · Network Enumeration · Information Disclosure
Base58 ticket, FTP stego chain, and sudo pkexec root
Foundations26 minFoundations Linux engagement: island path enumeration and Base58 decoding unlocked FTP; steghide and zip contents yielded slade’s SSH password; sudo pkexec completed root.
Linux · FTP · Stego · Privilege Escalation
CIA triad and privilege principles for control design
Foundations12 minFoundations governance engagement: mapped Confidentiality, Integrity, and Availability to control objectives and privilege design so architecture decisions stay balanced under real threats.
CIA Triad · Governance · Access Control
CIA triad as a security mindset with balance exercise
Foundations12 minFoundations governance engagement: drilled Confidentiality, Integrity, and Availability as a balanced security mindset; completed the interactive exercise recovering THM{CIA_IS_ABOUT_BALANCE}.
CIA Triad · Security Mindset · Governance
Client-side login check with hardcoded reversed password
Foundations12 minFoundations web engagement: CyberHeroes login validated entirely in JavaScript; username and ReverseString password were recoverable from page source.
Web · Client-Side Auth · JavaScript
CMS upload RCE, credential pivots, and hosts-file curl hijack
Foundations28 minFoundations Linux engagement: castle CMS on port 85 accepted a PHP upload after allowlisting; database and env secrets pivoted toad→mario; rewriting /etc/hosts hijacked a root curl of counter.sh for a reverse shell.
Linux · CMS · Web · Privilege Escalation
CMSMS SQLi CVE-2019-9053, SSH on 2222, and sudo vim root
Foundations24 minFoundations Linux engagement: unauthenticated CMS Made Simple SQLi dumped and cracked mitch’s password; SSH on port 2222 yielded a shell; NOPASSWD vim completed root.
Linux · CMS · SQL Injection · Privilege Escalation
Customer API IDOR exposing usernames and emails by id
Foundations20 minFoundations web engagement: account UI loaded /api/v1/customer?id= without ownership checks; swapping ids disclosed adam84 and j@fakemail.thm plus encoded/hashed ID patterns.
Web · IDOR · API · Access Control
DNS to browser: request path, CDN, WAF, and virtual hosts
Foundations16 minFoundations web engagement: synthesized the full client request path — DNS resolution, HTTP to the origin, HTML/JS/CSS rendering — plus load balancers, CDN, databases, WAF, and virtual hosts; ordered the stack to recover the engagement artifact.
DNS · HTTP · Web Architecture · WAF
Double-extension upload webshell and cron PATH hijack
Foundations26 minFoundations Linux engagement: CV upload accepted shell.pdf.php; webshell as www-data; .bash_history and cron.d/persistence showed a relative pkill — planting ~/bin/pkill caught the next root cron for a reverse shell.
Linux · File Upload · Webshell · Privilege Escalation
ELF header anti-analysis patch and static password recovery
Foundations18 minFoundations reversing engagement: deliberately broken ELF EI_DATA prevented execution; patching MSB to LSB allowed radare2 analysis that recovered the hardcoded password string.
Reverse Engineering · ELF · Static Analysis
Encoding ladder, audio spectrogram, stego, and nested archive
Foundations24 minFoundations crypto/stego engagement: multi-encoding decode chain, spectrogram plaintext, image stego, and nested archive inspection recovered hidden strings.
Cryptography · Steganography · Encoding · OSINT
EternalBlue SMB RCE, SYSTEM Meterpreter, and NTLM hash crack
Foundations26 minFoundations Windows engagement: MS17-010 EternalBlue via Metasploit yielded SYSTEM; hashdump recovered Jon’s NTLM; rockyou cracked alqfna22 and located admin artifacts.
Windows · SMB · Metasploit · Password Cracking
FreeSWITCH event-socket RCE and OpenClinic service binary hijack
Foundations28 minFoundations Windows engagement: unauthenticated FreeSWITCH mod_event_socket on 8021 (EDB-47799) executed commands as Nekrotic; OpenClinic GA LPE (EDB-50448) replaced mysqld.exe for a SYSTEM shell after reboot.
Windows · VoIP · FreeSWITCH · Privilege Escalation
FTP base64 credential, sudo bees pivot, and cron quotes reverse shell
Foundations22 minFoundations Linux engagement: anonymous FTP yielded a base64-encoded personal password for Weston; sudo bees impersonated Cage; a world-writable cron quotes file delivered a reverse shell and root mailbox credentials.
FTP · Privilege Escalation · Cron · Credential Recovery
FTP webroot write, PCAP credential recovery, and cron script abuse
Foundations32 minAnonymous FTP mapped into Apache /files/ftp/, enabling a PHP reverse shell as www-data. An incident PCAP leaked lennie’s password. Root cron invoked a user-writable /etc/print.sh we replaced with a reverse shell.
Linux · FTP · Web · Privilege Escalation
Fuel CMS 1.4.1 pre-auth RCE and database.php root password reuse
Foundations20 minFoundations Linux engagement: Fuel CMS 1.4.1 (CVE-2018-16763) accepted pre-auth PHP evaluation via /fuel/pages/select filter; reverse shell as www-data; root password reused from application/config/database.php.
RCE · CMS · Credential Reuse · Privilege Escalation
Guest login IDOR to admin profile via user parameter
Foundations14 minFoundations web engagement: HTML comment leaked guest:guest; profile.php?user= accepted horizontal privilege escalation to the admin profile.
Web · IDOR · Access Control
Hash identification and rockyou cracking ladder
Foundations20 minFoundations crypto engagement: classified MD5/SHA1/SHA256/bcrypt and salted digests, then recovered plaintexts with rockyou via hashcat and john — companion briefing to Crack the Hash Level 2.
Password Cracking · Hashcat · John · Hash Identification
Hidden web secret, stego credentials, and Screen 4.5.0 root
Foundations28 minFoundations Linux engagement: corrupted JPEG and secret brute led to steghide payloads; ROT13 username joker plus banner stego unlocked SSH; Screen 4.5.0 SUID (EDB-41154) completed root.
Linux · Steganography · SSH · Privilege Escalation
HTTP literacy: URLs, methods, status codes, and API lab flags
Foundations24 minFoundations web engagement: mapped URL anatomy, HTTP request/response structure, methods and security headers, then exercised GET/POST/DELETE against a lab API to recover three engagement artifacts.
HTTP · Web Fundamentals · API · Security Headers
Hydra HTTP-POST form and SSH password spray for Molly
Foundations14 minFoundations network engagement: Hydra sprayed rockyou against Molly’s web login and SSH; both surfaces fell to weak passwords and yielded distinct engagement artifacts.
Brute Force · Hydra · SSH · Web Authentication
Icecast header overflow, UAC bypass, and SYSTEM token migration
Foundations26 minFoundations Windows engagement: Icecast on 8000 (CVE-2004-1561) yielded Meterpreter as Dark; bypassuac_eventvwr elevated integrity; migration into spoolsv.exe and kiwi recovered SYSTEM and credentials.
Windows · Icecast · Metasploit · Privilege Escalation
IDOR to EJS SSTI and sudoedit editor escape
Foundations28 minFoundations web engagement: vhost and low-priv login led to IDOR password disclosure; EJS CVE-2022-29078 yielded RCE as web; sudoedit with CVE-2023-22809-style editor injection rewrote sudoers for root.
Linux · Web · IDOR · SSTI · Privilege Escalation
Index-shifted Caesar reverse of a custom enc() function
Foundations14 minFoundations crypto engagement: recovered the plaintext by inverting a Python enc() that Caesar-shifted each alphabetic character by its string index; non-letters unchanged.
Cryptography · Python · Code Review
Jenkins Script Console RCE and Windows token impersonation
Foundations26 minFoundations Windows engagement: Jenkins on 8080 with admin:admin accepted Groovy RCE; Nishang reverse shell as bruce; Meterpreter Incognito impersonated BUILTIN\Administrators for SYSTEM-level access.
Windows · Jenkins · PowerShell · Token Impersonation
Kibana web-attack timeline from enum to database exfil
Foundations28 minFoundations DFIR engagement: Elastic logs reconstructed Nmap/Gobuster/Hydra, admin brute force, webshell upload, LFI credential theft, and phpMyAdmin export of customer_credit_cards.
DFIR · Log Analysis · Web Attacks · Incident Response
LFI log poison, writable cron, and SUID PATH hijack
Foundations28 minFoundations Linux engagement: mafialive.thm LFI with filter bypass enabled Apache log poisoning to RCE; world-writable cron pivoted to archangel; SUID backup resolved cp from PATH for root.
Linux · LFI · Log Poisoning · Privilege Escalation
Linux find-based artifact triage across planted filenames
Foundations22 minFoundations Linux engagement: SSH as new-user; find/grep/sha1sum/wc/ls -ln located planted files by group, IP content, hash, line count, UID, and world-execute bit.
Linux · Forensics · File Enumeration
Linux shell operations and Bash automation
Foundations22 minOperator baseline on a Linux host: shell inventory, filesystem navigation, and Bash automation used to gate access and search logs under elevated privileges.
Linux · CLI · Bash · Scripting
LLM command executor prompt injection to root file read
Foundations14 minFoundations AI engagement: nc to AI Command Executor on 1337; natural-language prompts generated sudo/root shell commands that listed and read /root/flag.txt.
LLM · Prompt Injection · AI Security
LLM system-purpose probe leaking policy and engagement secret
Foundations12 minFoundations AI engagement: a single natural-language probe for purpose, rules, and admin/creator caused the model to dump system-level instructions containing the secret — follow-on to Evil-GPT command-executor abuse.
LLM · Prompt Injection · AI Security · System Prompt Leak
Login rate-limit captcha bypass and credential spray
Foundations24 minFoundations web engagement: Werkzeug login enabled arithmetic captchas after failed attempts; a custom client solved captchas while spraying usernames then passwords to recover a valid session.
Web · Authentication · Brute Force · Captcha Bypass
Markdown-to-PDF SSRF iframe bypass of localhost admin
Foundations18 minFoundations web engagement: /admin was bound to localhost:5000; Markdown HTML iframes caused the PDF renderer to fetch the internal page and embed the secret in the download.
Web · SSRF · PDF · Access Control
MD5 room-id IDOR and missing zero index path
Foundations12 minFoundations web engagement: corridor door links used MD5 hashes of sequential integers; rooms 1–13 were linked, md5(0) was omitted from the UI but directly addressable and returned the secret.
IDOR · Web Enumeration · Hashing
Metasploit scan, SMB spray, EternalBlue, and pirate NTLM dump
Foundations28 minFoundations offensive tooling engagement: used msfconsole auxiliary scanners for ports/NetBIOS/SMB, cracked penny’s SMB password from rockyou, exploited a critical Windows service to Meterpreter, recovered flag.txt and pirate’s NTLM hash.
Metasploit · SMB · EternalBlue · Credential Access
Meterpreter post-ex: domain enum, hash crack, and secret file recovery
Foundations24 minFoundations post-exploitation engagement: in-memory Meterpreter on ACME-TEST/FLASH domain; enumerated user share speedster; dumped and cracked jchambers NTLM to Trustno1; located secrets.txt and realsecret.txt artifacts.
Meterpreter · Post-Exploitation · Credential Access · Windows
MQTT wildcard subscribe and backdoor CMD channel to flag
Foundations18 minFoundations IoT engagement: Mosquitto broker accepted wildcard subscribe; a base64-encoded backdoor advertisement exposed pub/sub topics and a CMD interface that executed cat flag.txt.
MQTT · IoT · Command Injection · Network Enumeration
Music-page path parameter LFI to filesystem flag
Foundations14 minFoundations web engagement: lo-fi music site passed page paths into a file include; directory traversal read /etc/passwd and the root-level engagement artifact.
Web · LFI · Path Traversal
Operator search and OSINT: engines, Shodan, CVE, and docs
Foundations18 minFoundations research engagement: evaluated sources, applied Google operators, queried Shodan/VirusTotal/HIBP, resolved CVE-2024-3094 to xz, and used man/Microsoft docs for command truth.
OSINT · Search · CVE · Documentation
Operator Vim toolkit: modes, motion, and edit commands
Foundations16 minFoundations tooling engagement: established Vim as the default remote editor — command/insert/visual modes, hjkl/we motion, insert/append, yank/delete/paste, search, and write/quit — for reliable work on constrained shells.
Vim · Linux · Operator Tooling
OSI and TCP/IP models with operator networking toolkit
Foundations16 minFoundations networking engagement: mapped OSI and TCP/IP layers to packet flow, then exercised ping, traceroute, dig/nslookup, and netstat/ss as the baseline operator toolkit for engagement scoping.
Networking · OSI · TCP/IP · DNS
PHP upload bypass and SUID Python privilege escalation
Foundations22 minFoundations Linux engagement: /panel rejected .php but accepted .php5 for a reverse shell as www-data; SUID /usr/bin/python spawned a root shell via GTFOBins.
Linux · Web · File Upload · Privilege Escalation
PostgreSQL weak auth, COPY PROGRAM RCE, and credential chaining
Foundations26 minFoundations database engagement: Postgres on 5432 accepted postgres:password; Metasploit COPY FROM PROGRAM yielded an OS shell; credentials in dark’s home and config.php chained to alison with full sudo.
Linux · PostgreSQL · Metasploit · Credential Reuse
Predictable SHA1 reset tokens, SSRF SQL dump, and MySQL hash reuse
Foundations30 minFoundations web engagement: Flask password-reset tokens were SHA1 of timestamp plus username; forged administrator access and SSRF dumped SQL; clarice SSH and cracked MySQL hashes reused as root.
Web · Crypto · SSRF · Privilege Escalation
Profile upload executes Python reverse shell as root
Foundations16 minFoundations web engagement: Werkzeug chat app accepted a .py profile upload that ran os.system reverse shell; callback returned root and the engagement artifact.
Web · File Upload · RCE
Red team vs pentest: TTPs, cells, and Lockheed Martin kill chain
Foundations20 minFoundations program engagement: briefed leadership on why vulnerability assessments and loud pentests do not measure detection; defined red/blue/white cells, crown jewels, TTPs, and mapped Mimikatz to Installation on the Lockheed Martin cyber kill chain.
Red Team · Adversary Emulation · Kill Chain · Detection
Rejetto HFS RCE and Windows service binary hijack
Foundations26 minWindows Server assessment: Rejetto HFS 2.3 (CVE-2014-6287) via Metasploit as bill; PowerUp identified a restartable LocalSystem service with a writable binary path; msfvenom service EXE replacement yielded SYSTEM.
Windows · CVE · Metasploit · Privilege Escalation
Repeating-key XOR known-plaintext attack and key brute
Foundations18 minFoundations crypto engagement: TCP service on 1337 returned hex XOR of a THM{} flag under a 5-character alphanumeric key; recovered four key bytes from known plaintext THM{, brute-forced the fifth, decrypted flag 1, and submitted the key for flag 2.
Cryptography · XOR · Known Plaintext · Python
ROE, ethics hats, methodologies, and ACME engagement close
Foundations18 minFoundations program engagement: defined White/Black Hat boundaries and Rules of Engagement; mapped Information Gathering, OSSTMM, and OWASP methodologies; closed a guided ACME infrastructure exercise with THM{PENTEST_COMPLETE}.
Penetration Testing · ROE · Ethics · Methodology
Samba enumeration, ProFTPd mod_copy, and SUID PATH hijack
Foundations28 minLinux host assessment: anonymous SMB and NFS exposure, unauthenticated ProFTPd 1.3.5 SITE CPFR/CPTO abuse to exfiltrate an SSH private key, then PATH hijack of a SUID menu binary to root.
Linux · SMB · FTP · Privilege Escalation
Sequential letter IDOR across the archive
Foundations16 minFoundations web engagement: love-letter app assigned sequential archive numbers; authenticated users could open other users’ letters by changing the numeric id.
Web · IDOR · Access Control
Silverpeas auth bypass to SSH and sudo via auth logs
Foundations28 minSilverpeas on 8080 vulnerable to CVE-2024-36042 (password parameter omission). Authenticated IDOR on notifications exposed SSH credentials for tim. Auth logs leaked tyler’s password; tyler had full sudo.
Linux · CVE · Web · Credential Access
SMB journal stego, SSH spray, and sudo pwfeedback overflow
Foundations32 minFoundations Linux engagement: anonymous SMB journal decoded to PNG stego; cracked archives and a cherry-blossom wordlist unlocked lily then johan; CVE-2019-18634 pwfeedback overflow completed root.
Linux · SMB · Steganography · Privilege Escalation
SMB user leak, SSH spray, and world-readable private key
Foundations26 minLinux assessment of BASIC2: anonymous Samba and a public /development path disclosed staff identities; Hydra recovered jan’s SSH password; kay’s world-readable id_rsa was cracked offline for lateral movement.
Linux · SMB · SSH · Credential Access
SOC email triage: headers, SPF/DMARC, and CAB-to-RAR payload hash
Foundations18 minFoundations DFIR engagement: analyzed a business-email-compromise lure — subject reference, spoofed From/Reply-To, originating IP ownership, DNS auth records, and a mislabeled CAB attachment whose true type was RAR with a confirmed SHA256.
Phishing · Email Headers · SOC · Malware Triage
SOC phishing triage across ten email red-flag patterns
Foundations20 minFoundations SOC engagement: classified ten inbox samples as phishing or legitimate by executive impersonation, macro attachments, survey links, credential-harvest pages, and look-alike payment URLs — closing with a verified triage artifact.
Phishing · SOC · Email Security · BEC
SSH key foothold, pspy sudo watch, and PATH password theft
Foundations22 minFoundations Linux engagement: provided frank SSH key; pspy showed root running bare sudo; PATH hijack of sudo captured frank’s password for root.
Linux · PATH Hijacking · Credential Theft · Privilege Escalation
SSH key from sitemap .ssh and sudo wget root exfil
Foundations18 minFoundations Linux engagement: HTML comment leaked user jessie; /sitemap/.ssh/id_rsa enabled key auth; sudo NOPASSWD wget posted /root/root_flag.txt to the operator listener.
SSH · Web Enumeration · Privilege Escalation · GTFOBins
Stored feedback XSS to admin browser reading local flag service
Foundations16 minFoundations web engagement: customer feedback was rendered in the staff browser on the same host that listened on :8080/flag.txt; a stored XSS payload coerced the admin context to fetch and exfiltrate the secret.
XSS · Web Security · Browser Exploitation
Stored XSS survey payload steals admin session cookie
Foundations16 minFoundations web engagement: matchmaking survey reflected/stored attacker HTML; a fetch beacon exfiltrated the admin cookie to an operator listener.
Web · XSS · Session Theft
Subdomain OSINT, GitHub footer leak, and commit-history secret
Foundations18 minFoundations OSINT engagement: marvenly.com → uat-testing subdomain; footer username notvibecoder23 → GitHub repo; git log and older commits recovered email, abandonment note, and buried artifact.
OSINT · Git · Information Disclosure
Unauthenticated Erlang/OTP SSH pre-auth RCE (CVE-2025-32433)
Foundations22 minFoundations network engagement: dual SSH listeners; Erlang/5.2.9 on 22 accepted CVE-2025-32433 pre-auth code execution via public PoC, writing lab.txt and delivering a reverse shell through os:cmd.
Network · SSH · RCE · Erlang
Unsigned JWT role and credit tampering in a gift shop
Foundations20 minFoundations web engagement: TryHeartMe stored role and credits in a client-side JWT; forging admin with inflated credits unlocked the hidden catalog item.
Web · JWT · Authorization · Session Tampering
User-Agent gate, FTP stego chain, and sudo runas bypass
Foundations28 minApache gated content on User-Agent C (agent chris). Hydra cracked FTP; binwalk/zip2john and steghide recovered james’s SSH password. CVE-2019-14287 sudo -u#-1 bypass yielded root.
Linux · FTP · Steganography · CVE
Vulnerability classes, CVSS prioritization, and research databases
Foundations16 minFoundations risk engagement: classified OS privilege escalation and cookie-auth bypass as Operating System and Application Logic flaws; briefed CVSS qualitative bands and the role of CVE/NVD/Exploit-DB in engagement research.
Vulnerability Management · CVSS · CVE · Risk
Web content and parameter fuzzing with ffuf
Foundations24 minOperator methodology for ffuf: directory and extension discovery, response filtering, GET/POST parameter and credential fuzzing, and Host-header vhost enumeration with noise reduction.
Web · Enumeration · ffuf
Web puzzle chain, FTP stego, and world-writable root cron
Foundations30 minFoundations Linux engagement: themed web puzzles and stego yielded FTP credentials; a local binary brute-forced kidman’s SSH password; a world-writable root cron script completed privilege escalation.
Linux · Web · Stego · Privilege Escalation
Windows desktop ops: NTFS, UAC, accounts, and Task Manager
Foundations16 minFoundations Windows engagement: documented Pro-only BitLocker, NTFS, %windir%, UAC, lab user tryhackmebilly memberships, Guest account, and Ctrl+Shift+Esc Task Manager access for operator fluency on Windows endpoints.
Windows · NTFS · UAC · Endpoint
Intermediate
33 filesAnyDesk 5.5.2 UDP discover RCE and setcap privilege escalation
Intermediate28 minIntermediate remote-access engagement: AnyDesk 5.5.2 format-string RCE over UDP discovery (CVE-2020-13160 class) yielded a shell; SUID setcap plus cap_setuid on a copied python3 completed root.
Linux · AnyDesk · RCE · Capabilities
Apache 2.4.49 path traversal and OMI host pivot
Intermediate28 minIntermediate container-to-host engagement: CVE-2021-41773 on Apache 2.4.49 yielded CGI RCE inside a container; CVE-2021-38647 (OMIGOD) against the Docker bridge gateway compromised the host.
Linux · Apache · Container · CVE
Audio stego, cipher chain, and outguess book-cipher finish
Intermediate28 minIntermediate OSINT/crypto engagement: spectrogram and cipher work recovered stego passphrases; outguess and SHA512 cracking led through Pastebin/Imgur to the final song identifier.
OSINT · Steganography · Cryptography · Hash Cracking
Brainfuck API RCE and OpenSSL engine shared-object root
Intermediate26 minIntermediate Linux engagement: /api/bf executed Brainfuck that spawned a reverse shell; a root systemd unit invoked openssl with a loadable engine — a malicious .so completed privilege escalation.
Linux · RCE · Brainfuck · Privilege Escalation
Cloud upload RCE, KeePass crack, and cron include overwrite
Intermediate28 minIntermediate Linux engagement: extension-bypass PHP upload via a cloud UI yielded www-data; KeePass cracking recovered sysadmin SSH; a root cron include of backup.inc.php completed privilege escalation.
Linux · Web · KeePass · Privilege Escalation
Coupon SQLi, WordPress theme RCE, and PATH hijack via bitcoin
Intermediate30 minIntermediate web engagement: coupon SQLi dumped WordPress hashes; theme editor RCE as www-data; Memcached held Orka credentials; sudo bitcoin resolved python from a writable PATH entry for root.
SQLi · WordPress · Memcached · Privilege Escalation
FTP stego, web panel RCE, and sudo vi to Fernet root
Intermediate28 minIntermediate themed engagement: anonymous FTP stego and a command panel yielded a shell; charlie’s SSH key from teleport; sudo vi escalated to root; a Fernet key from an earlier binary decrypted the root artifact.
Linux · Stego · Web · Privilege Escalation
Full-port nmap, FTP spray, and null-scan evasion
Intermediate22 minIntermediate network assessment drill: full TCP inventory, banner harvesting, Hydra against vsftpd on a non-standard port, and null-scan IDS evasion — methodology without a full boot-to-root.
Network · Nmap · FTP · Hydra
Hash identification, mutation rules, and scenario-driven cracking
Intermediate35 minIntermediate crypto engagement: haiti/hashcat/john workflow for exotic digests, John rule mangling and custom wordlists (Mentalist, CeWL, TTPassGen), then nine scenario hashes recovered from Password Advisor context.
Password Cracking · Hashcat · John · Wordlists
Haskell homework RCE, SSH key theft, and Flask FLASK_APP root
Intermediate26 minIntermediate Linux engagement: a Gunicorn homework uploader executed uploaded .hs files for RCE as flask; a readable prof SSH key yielded interactive access; sudo flask run with env_keep+=FLASK_APP spawned root Python.
Linux · Web · Haskell · Privilege Escalation
JBoss CVE-2010-0738 deploy and SUID pingsys injection
Intermediate26 minIntermediate Java middleware engagement: unauthenticated JBoss JMX console (CVE-2010-0738) accepted a Metasploit war deploy for a service shell; SUID pingsys command injection completed root.
Linux · JBoss · Metasploit · Privilege Escalation
JSmol2WP LFI, Hello Dolly backdoor, and multi-user sudo root
Intermediate32 minIntermediate WordPress engagement: JSmol2WP SSRF/LFI read wp-config and a Hello Dolly backdoor for RCE; MySQL hashes and SSH key pivots through diego/think/gege reached xavi with unrestricted sudo.
WordPress · LFI · SSH · Privilege Escalation
LFI to FTP write, cron pivots, and adm backup SSH key
Intermediate32 minIntermediate Linux engagement: robots and LFI exposed FTP credentials; writable FTP plus LFI yielded RCE; sudo, cron, and Python import hijacks moved laterally; an adm-readable backup key completed root over SSH.
Linux · LFI · FTP · Privilege Escalation
Login oracle, elFinder RCE, and sudo look key theft
Intermediate28 minIntermediate web engagement: Hydra against a login oracle found jose; elFinder CVE-2019-9194 yielded www-data; SUID pwm PATH hijack unlocked think; sudo look read root’s SSH private key.
Web · elFinder · SSH · Privilege Escalation
NFS UID match, session cookie forge, and LD_LIBRARY_PATH root
Intermediate30 minIntermediate misconfiguration chain: NFS share readable after matching UID 1003; FTP wordlist forged admin PHPSESSID; command injection to shell; sudo apache2 with env_keep LD_LIBRARY_PATH enabled library hijack to root.
Linux · NFS · Web · Privilege Escalation
NFS zip crack, nonstandard SSH, and tar capability read
Intermediate26 minIntermediate network engagement: banner and NFS hints led to a crackable backup zip with hades’ SSH key; SSH on 3333 landed in IRB then bash; tar with cap_dac_read_search archived root’s artifact.
NFS · SSH · Capabilities · Privilege Escalation
Node ping injection, SQLite credential dump, and Docker group escape
Intermediate28 minIntermediate Linux engagement: UltraTech’s Node /ping API accepted shell metacharacters; SQLite hashes cracked to SSH as r00t; docker group membership mounted the host for root.
Linux · Command Injection · Docker · Privilege Escalation
PHP path injection, container SUID escape, and internal SSH pivot
Intermediate30 minIntermediate container engagement: index.php path parameter enabled RCE as www-data; SUID crypt binary dropped root in-container; mike’s SSH key pivoted to host2 where MySQL credentials enabled su to root.
Linux · Container · Web · Lateral Movement
PHPS source leak, MFA spray, SSH key crack, and fail2ban root
Intermediate26 minIntermediate Linux engagement: /console exposed .phps sources and a weak MD5 password check; MFA brute and file browser yielded jason’s encrypted id_rsa; sudo to fred plus writable fail2ban actionban copied root.txt on SSH ban trigger.
Web Enumeration · SSH · Fail2Ban · Privilege Escalation
Pickle deserialization RCE, port knock SSH, and knockd root
Intermediate30 minIntermediate web engagement: insecure pickle unpickle on a game-rating endpoint yielded www-data; mail and knockd opened SSH as dev1; writable knockd.conf plus sudo restart planted a SUID bash as root.
Web · Deserialization · Port Knocking · Privilege Escalation
Rabbit-hole web enum, Python import hijack, and perl capabilities
Intermediate30 minIntermediate Linux engagement: themed path enumeration exposed SSH credentials; sudo Python imported attacker-writable random.py; SUID teaParty PATH-hijacked date; perl with cap_setuid completed root.
Linux · Web · Sudo · Capabilities
Restaurant CMS upload RCE and writable systemd reboot to root
Intermediate28 minIntermediate Linux engagement: Sourcecodester Restaurant Management System on a nonstandard HTTP port accepted an unauthenticated upload (EDB-47520); fstab credentials unlocked SSH as edward; a world-writable systemd unit plus sudo reboot rewrote sudoers for root.
Linux · Web · Systemd · Privilege Escalation
Restricted rzsh escape and local Ruby service to SUID bash
Intermediate26 minIntermediate SSH engagement: password spray into a restricted rzsh; Rails-style constantize abuse escaped the jail; a localhost Ruby console planted a SUID bash for root.
Linux · SSH · Restricted Shell · Privilege Escalation
SPIP CVE-2023-27372, AppArmor escape, and run_container abuse
Intermediate28 minIntermediate CMS engagement: unauthenticated SPIP RCE (CVE-2023-27372) stole think’s SSH key; AppArmor blocked /opt until an unconfined bash in /dev/shm; rewriting run_container.sh planted SUID bash.
Linux · SPIP · AppArmor · Privilege Escalation
SQL truncation admin, XXE credential theft, and sudo run.py overwrite
Intermediate28 minIntermediate Linux engagement: bank portal registration abused SQL truncation to seize admin; XXE on forms.php read acc.php credentials for SSH as cyber; a sudo-allowed run.py path was overwritten for root.
Linux · Web · XXE · Privilege Escalation
SQLi to PHP filter-chain RCE and systemd xxd plant
Intermediate30 minIntermediate web-to-root engagement: SQL injection unlocked an LFI endpoint; PHP filter chains delivered RCE; a writable authorized_keys and sudo over exploit.timer planted SUID xxd used to write root’s SSH key.
Linux · SQLi · PHP · Privilege Escalation
SSH cipher foothold, cron pivot, and sudo hostname spoof
Intermediate28 minIntermediate Linux engagement: multi-port SSH puzzle and Alphabet Cipher yielded jabberwock; writable cron script pivoted laterally; alice’s key and sudo -h ssalg-gnikool completed root.
Linux · SSH · Cron · Sudo
SSRF command injection, git secret recovery, and Docker API escape
Intermediate28 minIntermediate container engagement: nested SSRF into api-dev-backup enabled OS command injection and git history secrets; port knock opened Docker TCP 2375; host filesystem mount via alpine chroot recovered true root.
Web · SSRF · Docker · Container Escape
Stored XSS JWT theft, SQLi, tar checkpoint, and Docker escape
Intermediate30 minIntermediate application engagement: stored XSS stole an admin JWT; SQLi on /admin leaked messages; sudo backup as michael abused tar checkpoints; Docker mount escaped to host root.
Web · XSS · SQLi · Docker
Unauthenticated LFI to hardcoded admin API and database export
Intermediate22 minIntermediate web engagement: dating-app layout API accepted path traversal without auth; /proc and app source leaked a static admin token used to export the full SQLite user database.
Web · LFI · Source Disclosure · API Auth
Web easter-egg enumeration across twenty client-side and inject paths
Intermediate22 minIntermediate web engagement: recovered twenty engagement artifacts from a deliberately noisy web surface — bots, encoding, hidden DOM/JS, SQLi, cookies, embeds, and HTML/JS tampering — documented as a client-side and injection enumeration checklist.
Web Enumeration · Client-Side · Injection · OSINT
WordPress brute force, robot hash crack, and SUID nmap root
Intermediate28 minIntermediate Linux engagement: robots.txt leaked a wordlist and first artifact; Hydra recovered elliot’s WordPress password for a theme-editor shell; robot’s MD5 cracked for su; SUID nmap --interactive completed root.
Linux · WordPress · Hydra · Privilege Escalation
Writable rsync Conf, admin SQLi RCE, and loopback SSH key sniff
Intermediate24 minIntermediate Linux engagement: anonymous rsync module Conf allowed rewriting webapp.ini prod to dev; Union SQLi on /admin yielded OS shell as tom; tcpdump on lo captured a root SSH private key from an internal service.
Rsync · SQL Injection · Traffic Capture · Privilege Escalation
Advanced
4 filesDFIR: phish mailbox, PowerShell download cradle, AES C2, Admin NTLM
Advanced28 minAdvanced DFIR engagement: reconstructed attacker path from compromised email credentials through an IEX download cradle, recovered the initial AES C2 key, and documented the Administrator NTLM hash taken from the host.
DFIR · PowerShell · C2 · Credential Theft
Padding-oracle admin cookie, AES credential recover, and SUID SROP root
Advanced30 minAdvanced boot2root engagement: PadBuster forged an administrator session cookie; AES-CBC material from robots/iv.png and a secondary service recovered SSH creds; SUID binary buffer overflow / SROP yielded root.
Padding Oracle · Cryptography · Reverse Engineering · Binary Exploitation
PCAP Kerberos AS-REP roast and WinRM command reconstruction
Advanced35 minAdvanced DFIR engagement: Wireshark capture of an AD compromise — open-port SYN/ACK map, AS-REP etype 23 for larry.doe cracked to Password1!, WinRM traffic decrypted to recover SAM/SYSTEM dump commands and the planted artifact.
DFIR · Kerberos · WinRM · Active Directory
Process inject, hollow, thread hijack, and DLL injection techniques
Advanced22 minAdvanced Windows engagement: demonstrated tool-agnostic process injection, process hollowing, thread hijacking, and DLL injection against lab targets; documented APC/QueueUserAPC and TrickBot-style reflective hooking notes for detection engineering.
Windows Internals · Process Injection · Evasion · DFIR