Latest posts
Enabling VPN connections for Qubes OS firewall
Services like Tailscale and reverse shells won’t work until you relax the firewall to allow them…
Creating reasonably secure remote administration for Qubes OS
This guide will help you create an authenticated service for managing Qubes OS remotely
By design it will be:
- Encrypted
- Authenticated (with a key)
- Over Tor
- Works behind NAT/CGNAT
- No open ports required
- Accessible from any computer with a Tor Browser / Tails / Whonix
Boardlight writeup
Boardlight is a Linux box featuring a Dolibarr CMS instance vulnerable to CVE‑2023‑30253, leading to remote code execution. We will exploit this vulnerability, reuse extracted credentials to gain user access, and escalate privileges via an outdated binary vulnerable to CVE‑2022‑37706.
Editorial writeup
Editorial is a Linux box that involves SSRF exploitation, internal port enumeration, git credential extraction, and privilege escalation via a GitPython vulnerability (CVE‑2023‑41040). We will discover an SSRF vulnerability in a book cover upload feature, use it to scan internal ports, retrieve API credentials, access a git repository to find production user credentials, and exploit a vulnerable sudo‑allowed Python script to gain root access.
Cicada writeup
Cicada is a Windows Active Directory box that involves SMB share enumeration, password spraying, and exploitation of SeBackupPrivilege. We will discover default credentials in an HR notice, perform RID brute‑forcing to enumerate users, spray passwords to gain initial access, then leverage backup operator privileges to dump and crack password hashes for domain administrator access.
Certified writeup
Certified is a Windows Active Directory box that focuses on certificate template abuse and shadow credential attacks. We will exploit the ESC9 vulnerability via a certificate template with no security extension, chain permissions through the MANAGEMENT and CA_OPERATOR groups, and ultimately obtain domain administrator access.
LinkVortex writeup
LinkVortex is a Linux box that involves subdomain enumeration and source‑code disclosure via a .git directory. We will reuse hardcoded credentials, exploit a Ghost CMS arbitrary file read (CVE‑2023‑40028) to obtain SSH credentials, and escalate privileges through environment variable manipulation in a custom script.
Administrator writeup
Administrator is a Windows Active Directory box that demonstrates permission chaining, BloodHound enumeration, and password‑spraying. We will use a recovered PasswordSafe database for credential spraying, perform targeted Kerberoasting, abuse DCSync, and finally use pass‑the‑hash to gain domain administrator access.
Titanic writeup
Titanic is a Linux box that starts with a local file inclusion (LFI) vulnerability in a Flask web application. We will discover a subdomain, extract credentials from a Gitea instance, crack hashes, and escalate privileges via an ImageMagick configuration‑path vulnerability (GHSA‑8rxc‑922v‑phg8).
Dog writeup
Dog is a Linux box featuring a Backdrop CMS web application. We will exploit source‑code disclosure via a publicly accessible .git directory, reuse MySQL credentials to gain user access, and escalate privileges through a custom bee binary that allows arbitrary command execution via its eval functionality.
TheFrizz writeup
TheFrizz is a hybrid box that combines web exploitation, database credential extraction, and Active Directory lateral movement. We will exploit a Gibbon CMS RCE (CVE‑2023‑45878), extract and crack hashes, use Kerberos authentication, and abuse Group Policy Objects (GPO) for privilege escalation.
Fluffy writeup
Fluffy is a Windows Active Directory box that focuses on SMB share enumeration and NTLM hash capture. We will exploit CVE‑2025‑24071 via Responder, crack the obtained hash, then leverage shadow credentials and the ESC16 vulnerability to gain domain administrator access.
TombWatcher writeup
TombWatcher is a Windows Active Directory box that involves lateral movement through multiple user accounts, Kerberoasting, shadow credential attacks, and certificate template abuse. We will perform BloodHound enumeration, set a service principal name for Alfred, Kerberoast to obtain Alfred’s hash, then leverage GenericAll permissions to manipulate the SAM, John, and CERT_ADMIN accounts, finally using the ESC1 vulnerability to request a certificate as the domain administrator.
MILCTF2025 writeups
Hi, here are the writeups for the challenges I’ve made for the Military CTF 2025
How to add GPU passthrough support to QubesOS
I found a way to use a GPU in your QubesOS VMs. Now cracking/rendering on Qubes might be more realistic than ever.
Moving files to and from your phone in Qubes OS
This is a repost of a beautiful post by parulin with minor additions. Helpful if your phone doesn’t mount to the VMs using the standard options.
qubes-backup exit status 127 fix
If selecting a qube other than dom0 fails for backups and trying to choose a different qube causes error 127, try installing zenity in that qube.
A different way to exchange information
You don’t need an intro, a conclusion and a journey just to write one post; the readers only want information. Just give the readers what they want.
How to use your own tools on remote machines via SSH socks tunnel
By using tunnels, you forward only the requests through the remote machine, without installing any applications on it.
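The exchange that sits behind `ssh -D` on the local proxy port, as an added illustration that is not code from the post: a client side that encodes the SOCKS5 CONNECT request a local tool hands to the proxy, and a stub standing in for the remote end of the tunnel that parses it. It shows that the only thing crossing the tunnel is the request (destination name and port), which the remote end resolves and connects to; the tool itself stays local. The hostnames and ports are constructed sample input, the stub does not open the onward connection, and everything runs offline over a socketpair.

```python
"""SOCKS5 CONNECT handshake as seen on the local end of `ssh -D` (added example)."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def build_greeting() -> bytes:
    """Client hello: version, number of methods, method list (no-auth only)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request with a domain-name address (ATYP 0x03).

    The name is resolved by the remote end of the tunnel, which is why internal
    hostnames become reachable without touching the local resolver.
    """
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple[str, int]:
    """Parse a domain-type CONNECT request; reject anything else as malformed."""
    if len(data) < 8 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    if data[3] != ATYP_DOMAIN:
        raise ValueError("only ATYP 0x03 (domain name) is handled here")
    n = data[4]
    if len(data) != 5 + n + 2:
        raise ValueError("length does not match the declared name length")
    host = data[5:5 + n].decode("ascii")
    (port,) = struct.unpack("!H", data[5 + n:])
    return host, port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return bytes(buf)


def tunnel_endpoint(sock: socket.socket) -> tuple[str, int]:
    """Stand-in for the ssh side of `-D`: negotiate, then read the destination.

    A real endpoint would now open a TCP connection to (host, port) from the
    remote machine and relay bytes; this stub only returns what it was asked for.
    """
    ver, nmethods = _recv_exact(sock, 2)
    methods = _recv_exact(sock, nmethods)
    if ver != SOCKS_VERSION or METHOD_NO_AUTH not in methods:
        sock.sendall(bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE]))
        raise ValueError("client offered no acceptable auth method")
    sock.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
    head = _recv_exact(sock, 5)  # VER, CMD, RSV, ATYP, name length
    if head[3] != ATYP_DOMAIN:
        raise ValueError("only ATYP 0x03 (domain name) is handled here")
    body = _recv_exact(sock, head[4] + 2)  # name + 2-byte port
    host, port = parse_connect_request(head + body)
    # Success reply: VER, REP, RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0
    sock.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, 0x01]) + bytes(6))
    return host, port


def run_handshake(host: str, port: int) -> tuple[str, int]:
    """Run client and endpoint over a socketpair; return the destination the endpoint saw."""
    client, server = socket.socketpair()
    seen: dict = {}
    worker = threading.Thread(target=lambda: seen.update(dest=tunnel_endpoint(server)))
    worker.start()
    try:
        client.sendall(build_greeting())
        ver, method = _recv_exact(client, 2)
        if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
            raise ConnectionError("endpoint refused no-auth")
        client.sendall(build_connect_request(host, port))
        reply = _recv_exact(client, 10)
        if reply[1] != REP_SUCCEEDED:
            raise ConnectionError(f"CONNECT failed, REP=0x{reply[1]:02x}")
    finally:
        client.close()   # unblocks the endpoint if the client side failed early
        worker.join()
        server.close()
    return seen["dest"]


if __name__ == "__main__":
    # Constructed sample destination: an internal name only the remote side can resolve.
    print(run_handshake("intranet.example", 8080))
```

In practice the local side is `ssh -N -D 127.0.0.1:1080 user@pivot` and the client role is played by proxychains or a tool's own SOCKS option; the endpoint role is sshd, so nothing beyond the request and the relayed bytes reaches the pivot.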
How to receive reverse shells and expose services to the Internet on QubesOS
QubesOS is amazing for security, and equally amazing at making CTFs 10x harder than they need to be. It’s the firewall’s fault.
Fix for no audio in minimal templates in QubesOS
The reason why audio won’t work out of the box in minimal templates (debian-12-minimal, fedora-41-minimal) is that the package responsible for sending audio from VMs to your host (dom0 or sys-audio), pipewire-qubes, isn’t included in them by default.
Fixing FreeRDP 3's BadAtom error on QubesOS
When you try to run FreeRDP 3, you will likely get the BadAtom error.
OpenGL driver errors in QubesOS VMs: Why there’s no fix*
QubesOS is built on the principle of isolation, and GPUs aren’t designed to meet the strict isolation requirements QubesOS demands because they prioritize performance instead.
How to run nix on qubes
Nix is great for keeping your system clean and your sanity slightly intact. But thanks to how QubesOS handles templates and persistence, it’s not plug-and-play.
Learn to use Nix in 10 minutes
After this guide, you will be able to:
- replace `apt` or `pacman` with the `nixpkgs` package repository, even if you don’t care about declarativity
- use home-manager to set up all your configs and apps declaratively with just one config file and use it on any machine
- use any `nixpkgs` package one time only and without bloat, fix dependency hell and weird dependencies
How to install Windows on Qubes OS
Installing Windows on Qubes OS can be tricky due to its closed-source nature. Unlike Linux templates designed for Qubes OS, Windows requires the installation of Qubes Windows Tools to function correctly (network, audio, etc.). This guide uses the qvm-create-windows-qube tool, which is the recommended and most secure method.
