
Hackthebox: Trickster [Machine] [Season 6]
Trickster starts off by discovering a subdomain which uses PrestaShop. Dumping a leaked .git folder gives the source code, and the admin panel is found. Chaining XSS and theme upload, the www-data user is reach...
Breakme started by discovering a WordPress installation and logging in through brute-forcing the credentials. After logging in, we exploited a vulnerability in an installed plugin, which allowed us...
CERTain Doom began by discovering an arbitrary file upload vulnerability and combining it with CVE-2020-9484 to gain a shell within a container, which led to obtaining the first flag. Using the co...
TryPwnMe One was a room dedicated to binary exploitation (pwn), featuring seven challenges related to this subject. TryOverflowMe 1: We begin with TryOverflowMe 1, using the following reference ...
Hammer started with discovering a log file on the web application with fuzzing and an email address inside. With a valid email address in hand, we were able to request a password reset for the user...
U.A. High School began by discovering a PHP file on the web application and fuzzing to identify parameter names. Upon finding a parameter that allowed us to run commands, we utilized it to obtain a...
Block was a short room about extracting hashes from a given LSASS dump and using them to decrypt SMB3 traffic inside a given packet capture file. Initial Enumeration: We are given a zip archive ...
Injectics started with using an SQL injection to bypass a login form and land on a page where we were able to edit some data. Also, by discovering another SQL injection with edit functionality, we ...
DX2: Hell’s Kitchen started with enumerating a couple of JavaScript files on a web application to discover an API endpoint vulnerable to SQL injection. Using this to gain a set of credentials, we u...
New York Flankees started with using a padding oracle attack to discover a set of credentials and use them to gain access to an admin panel. On the admin panel, we were able to execute system comma...