Blog

Certified is a Windows Active Directory box that focuses on certificate template abuse and shadow credential attacks. We will exploit ESC9 vulnerability via a certificate template with no security extension, chain permissions through MANAGEMENT and CA_OPERATOR groups, and ultimately obtain domain administrator access.

LinkVortex is a Linux box that involves subdomain enumeration and source‑code disclosure via a .git directory. We will reuse hardcoded credentials, exploit a Ghost CMS arbitrary file read (CVE‑2023‑40028) to obtain SSH credentials, and escalate privileges through environment variable manipulation in a custom script.

Administrator is a Windows Active Directory box that demonstrates permission chaining, BloodHound enumeration, and password‑spraying. We will use a recovered PasswordSafe database for credential spraying, perform targeted Kerberoasting, abuse DCSync, and finally use pass‑the‑hash to gain domain administrator access.

Titanic is a Linux box that starts with a local file inclusion (LFI) vulnerability in a Flask web application. We will discover a subdomain, extract credentials from a Gitea instance, crack hashes, and escalate privileges via an ImageMagick configuration‑path vulnerability (GHSA‑8rxc‑922v‑phg8).