Logan Dawson

Garfield is a fiendishly complex Active Directory box that chains a hidden scriptPath ACE, logon script hijacking, RBCD against an RODC, and a forged RODC golden ticket to compromise a full Windows domain. If you want to understand how Read-Only Domain Controllers can be weaponized, this is the box for you.

DevArea chains a SOAP service SSRF through Hoverfly middleware RCE to foothold, then escalates via Flask session forgery, command injection, and a symlink/log-write trick to root. A deeply layered box with real-world misconfigurations at every turn.

Snapped is a brutal Hard box that chains a pre-auth Nginx UI backup endpoint disclosure into a command injection foothold, then escalates via a race-condition exploit in snap-confine that poisons the dynamic linker to achieve root.

Kobold chains an unauthenticated MCP server command injection with a sneaky newgrp trick that quietly grants Docker group membership — all without a single password prompt.

VariaType is a CVE-chaining masterpiece — three distinct vulnerabilities in font-processing tools combine to take you from unauthenticated to root. If you want practice identifying real-world supply-chain CVEs, this box delivers.

Principal chains a fresh CVE in pac4j-jwt — where encryption was mistaken for authentication — with SSH CA key abuse to go from zero to root on a Java Spring Boot platform.

Gavel chains an exposed git repo, a subtle PDO prepared statement SQL injection, and a creative PHP sandbox escape — overwriting the php.ini from inside the sandbox itself — to reach root.

AirTouch is a unique HTB medium box where you pivot through three network segments entirely over WiFi — cracking WPA-PSK, stealing session cookies from decrypted traffic, and pulling off a real-cert evil twin attack to capture MSCHAPv2 credentials.

CCTV is a deceptively layered Easy box where default credentials are just the beginning — JWT forgery, daemon-based command injection, and a clever motionEye auth quirk all stand between you and root.

Eighteen is a Windows Server 2025 Domain Controller box that chains MSSQL impersonation, Werkzeug hash cracking, and the newly-disclosed BadSuccessor vulnerability (CVE-2025-53779) to achieve full domain compromise — a rare chance to exploit a live DC in a lab environment.