Boardlight begins with a Dolibarr CMS instance. I’ll authenticate using default credentials and exploit a vulnerability that allows writing raw PHP code into pages to gain an initial foothold. From...
Forest is an easy Windows machine. It is a domain controller that allows us to enumerate users over RPC, attack Kerberos with AS-REP Roasting for a service account, and gain an initial foothold. Th...
Authority is a Windows Domain Controller. We accessed open SMB shares and found some Ansible playbooks. From there, we cracked some encrypted fields to extract credentials for a PWM instance. The ...
Shoppy was an easy Linux machine that was vulnerable to NoSQL injection. Exploiting the NoSQL injection, we got the password hash of all users. After cracking the hash of one user, the Mattermost serve...
Photobomb was an easy-rated Linux box where plaintext credentials were discovered after viewing the source code. These credentials then led to a webpage with download functionality that was vuln...
Querier was a medium box that involved retrieving MSSQL database credentials after analyzing a macro-enabled Excel workbook. These credentials were then used to establish a connection to the MSSQL ...
Heist was an easy box that involved some password cracking and dumping Firefox’s processes. At first, we found a Cisco configuration file on the website that contained usernames and password hashe...
RECON NMAP Nmap shows multiple ports open. Since LDAP, Kerberos, DNS and SMB ports are open, it’s probably a Domain Controller. The Nmap script shows that the domain name is timelapse.htb $nmap -Pn...
Return was an easy box that involved exploiting a printer’s web administration panel to obtain LDAP credentials. These credentials can then be used to access WinRM. The account obtained through t...