Oopsie — HackTheBox Starting Point Walkthrough
Oopsie chains credential reuse, a cookie-based IDOR, and a file upload to land a shell — then a SUID binary with an unsafe PATH gets us root. A masterclass in chained misconfigurations.

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.

Vaccine chains together anonymous FTP access, zip cracking, hardcoded credentials, and a PostgreSQL SQL injection into a full compromise — then escapes to root through a classic vi sudo misconfiguration.

Archetype shows how a single misconfigured SMB share cascades into full domain compromise — SSIS config files, xp_cmdshell, and PowerShell history all play a role.

Dancing is a beginner-friendly Windows box that teaches the fundamentals of SMB enumeration. A misconfigured file share with anonymous access is all you need to grab the flag.

Browsed is a devious medium Linux box where you weaponize a Chrome extension upload feature to chain browser automation, bash arithmetic injection, and Python bytecode poisoning into a full root compromise.

An Insane-rated Windows box chaining AngularJS CSTI, a subtle OAuth logical flaw, SQLite’s load_extension for DLL-based RCE, Edge DPAPI credential decryption, and .NET AppDomainManager injection to reach SYSTEM.

Fries is a Hard Windows box that takes you through a dense multi-layer attack chain: credential leaks in Gitea, authenticated RCE in pgAdmin, Docker CA key theft, LDAP credential poisoning, and finally ADCS certificate abuse to own the domain.

A Flask-based XML/XSLT converter with exposed source code, an unsanitized file upload, and a cron-powered RCE — topped off with a fresh needrestart CVE for root.

NanoCorp chains a sneaky NTLM capture through a hiring portal’s file upload, Active Directory ACL abuse via BloodHound, and a Checkmk MSI repair privilege escalation — all on a fully patched Windows Server 2022 DC.