Blog

Cicada is a Windows Active Directory box that involves SMB share enumeration, password spraying, and exploitation of SeBackupPrivilege. We will discover default credentials in an HR notice, perform RID brute‑forcing to enumerate users, spray passwords to gain initial access, then leverage backup operator privileges to dump and crack password hashes for domain administrator access.

Certified is a Windows Active Directory box that focuses on certificate template abuse and shadow credential attacks. We will exploit ESC9 vulnerability via a certificate template with no security extension, chain permissions through MANAGEMENT and CA_OPERATOR groups, and ultimately obtain domain administrator access.

LinkVortex is a Linux box that involves subdomain enumeration and source‑code disclosure via a .git directory. We will reuse hardcoded credentials, exploit a Ghost CMS arbitrary file read (CVE‑2023‑40028) to obtain SSH credentials, and escalate privileges through environment variable manipulation in a custom script.

Administrator is a Windows Active Directory box that demonstrates permission chaining, BloodHound enumeration, and password‑spraying. We will use a recovered PasswordSafe database for credential spraying, perform targeted Kerberoasting, abuse DCSync, and finally use pass‑the‑hash to gain domain administrator access.