PingPong — Insane Windows machine walkthrough cover

PingPong — HackTheBox Season 10 Walkthrough

PingPong is a brutally complex Insane-rated Windows box featuring a bidirectional forest trust, cross-realm Kerberos pivoting through a Hyper-V internal network, JEA ConstrainedLanguage bypass via XmlDocument XXE, and a multi-stage AD CS certificate abuse chain spanning two domains.

April 25, 2026 · 13 min · Logan Dawson

Logging — Medium Windows machine walkthrough cover

Logging — HackTheBox Season 10 Walkthrough

Logging is a Windows Domain Controller box that chains credential recovery, shadow credentials, a DLL hijack scheduled task, and a full ESC17 WSUS MITM attack to achieve Domain Admin — all while navigating Protected Users restrictions and a disabled Update Orchestrator service.

April 18, 2026 · 10 min · Logan Dawson

Silentium — Easy Linux machine walkthrough cover

Silentium — HackTheBox Season 10 Walkthrough

Silentium chains two Flowise CVEs — an unauthenticated password reset token leak and authenticated RCE — with a Gogs symlink exploit to achieve root. A masterclass in chaining modern app vulnerabilities.

April 11, 2026 · 7 min · Logan Dawson

Garfield — Hard Windows machine walkthrough cover

Garfield — HackTheBox Season 10 Walkthrough

Garfield is a fiendishly complex Active Directory box that chains a hidden scriptPath ACE, logon script hijacking, RBCD against an RODC, and a forged RODC golden ticket to compromise a full Windows domain. If you want to understand how Read-Only Domain Controllers can be weaponized, this is the box for you.

April 4, 2026 · 10 min · Logan Dawson

DevArea — Medium Linux machine walkthrough cover

DevArea — HackTheBox Season 10 Walkthrough

DevArea chains a SOAP service SSRF through Hoverfly middleware RCE to foothold, then escalates via Flask session forgery, command injection, and a symlink/log-write trick to root. A deeply layered box with real-world misconfigurations at every turn.

March 28, 2026 · 9 min · Logan Dawson

Kobold — Easy Linux machine walkthrough cover

Kobold — HackTheBox Season 10 Walkthrough

Kobold chains an unauthenticated MCP server command injection with a sneaky newgrp trick that quietly grants Docker group membership — all without a single password prompt.

March 21, 2026 · 7 min · Logan Dawson

VariaType — Medium Linux machine walkthrough cover

VariaType — HackTheBox Season 10 Walkthrough

VariaType is a CVE-chaining masterpiece — three distinct vulnerabilities in font-processing tools combine to take you from unauthenticated to root. If you want practice identifying real-world supply-chain CVEs, this box delivers.

March 14, 2026 · 8 min · Logan Dawson

CCTV — Easy Linux machine walkthrough cover

CCTV — HackTheBox Season 10 Walkthrough

CCTV is a deceptively layered Easy box where default credentials are just the beginning — JWT forgery, daemon-based command injection, and a clever motionEye auth quirk all stand between you and root.

March 5, 2026 · 8 min · Logan Dawson

Interpreter — Medium Linux machine walkthrough cover

Interpreter — HackTheBox Season 10 Walkthrough

Interpreter chains a pre-auth deserialization RCE against a healthcare integration platform with a devious Python f-string injection to reach root — a box that rewards thorough enumeration and creative payload crafting.

February 27, 2026 · 8 min · Logan Dawson

Pirate — Hard Windows machine walkthrough cover

Pirate — HackTheBox Season 10 Walkthrough

Pirate is a brutal Hard-rated Windows Domain Controller that chains together gMSA password extraction, ADFS internals abuse, NTLM relay over a Hyper-V double-pivot, and SPN hijacking to reach Domain Admin — a genuine enterprise attack simulation.

February 27, 2026 · 14 min · Logan Dawson