DevArea chains a SOAP service SSRF through Hoverfly middleware RCE to foothold, then escalates via Flask session forgery, command injection, and a symlink/log-write trick to root. A deeply layered box with real-world misconfigurations at every turn.
Kobold chains an unauthenticated MCP server command injection with a sneaky newgrp trick that quietly grants Docker group membership — all without a single password prompt.
Principal chains a fresh CVE in pac4j-jwt — where encryption was mistaken for authentication — with SSH CA key abuse to go from zero to root on a Java Spring Boot platform.
CCTV is a deceptively layered Easy box where default credentials are just the beginning — JWT forgery, daemon-based command injection, and a clever motionEye auth quirk all stand between you and root.
Pirate is a brutal Hard-rated Windows Domain Controller that chains together gMSA password extraction, ADFS internals abuse, NTLM relay over a Hyper-V double-pivot, and SPN hijacking to reach Domain Admin — a genuine enterprise attack simulation.