Machines

Principal chains a fresh CVE in pac4j-jwt — where encryption was mistaken for authentication — with SSH CA key abuse to go from zero to root on a Java Spring Boot platform.

Gavel chains an exposed git repo, a subtle PDO prepared statement SQL injection, and a creative PHP sandbox escape — overwriting the php.ini from inside the sandbox itself — to reach root.

AirTouch is a unique HTB medium box where you pivot through three network segments entirely over WiFi — cracking WPA-PSK, stealing session cookies from decrypted traffic, and pulling off a real-cert evil twin attack to capture MSCHAPv2 credentials.

Eighteen is a Windows Server 2025 Domain Controller box that chains MSSQL impersonation, Werkzeug hash cracking, and the newly-disclosed BadSuccessor vulnerability (CVE-2025-53779) to achieve full domain compromise — a rare chance to exploit a live DC in a lab environment.

MonitorsFour chains a fresh Cacti RCE vulnerability with an exposed Docker API to go from web login to full Windows host compromise — a great lesson in container escape methodology.

Overwatch chains MSSQL linked server credential capture via DNS poisoning with a WCF service PowerShell injection to go from unauthenticated to Domain Admin on a Windows Server 2022 DC.

Browsed is a devious medium Linux box where you weaponize a Chrome extension upload feature to chain browser automation, bash arithmetic injection, and Python bytecode poisoning into a full root compromise.

An Insane-rated Windows box chaining AngularJS CSTI, a subtle OAuth logical flaw, SQLite’s load_extension for DLL-based RCE, Edge DPAPI credential decryption, and .NET AppDomainManager injection to reach SYSTEM.

Fries is a Hard Windows box that takes you through a dense multi-layer attack chain: credential leaks in Gitea, authenticated RCE in pgAdmin, Docker CA key theft, LDAP credential poisoning, and finally ADCS certificate abuse to own the domain.

A Flask-based XML/XSLT converter with exposed source code, an unsanitized file upload, and a cron-powered RCE — topped off with a fresh needrestart CVE for root.