Meow: How to pwn the machine (Nmap, Telnet)
Use nmap and telnet to get the flag
Fawn: Pwn the machine (FTP)
Find the open FTP port and extract the flag!
Dancing: Pwn the machine (SMB)
How to retrieve the flag with SMB (Server Message Block)
Redeemer: Pwn the machine and capture the flag (Redis)
How to get the flag from the Redis database
Appointment: Use SQL injection to pwn the machine
How to extract the flag by logging in without a password
Sequel: Access a MariaDB instance with default credentials
Scan for the open ports, log into the database and get the flag!
Crocodile: Capture the flag! (FTP, Gobuster)
Get credentials via the open FTP port and use Gobuster to find the login file
Responder: Crack the password hash and log in as admin
Use Nmap, modify the hosts file and exploit LFI to grab the hash and crack it
Three: Get a reverse shell via AWS S3
Use Nmap, Gobuster, Ncat, PHP and the AWS CLI to capture the flag
Archetype: From user to admin
Make good use of nmap, smbclient, mssqlclient, xp_cmdshell, winPEAS & psexec
Oopsie: Modify the login cookie, escalate privileges and get the flag!
Upload a PHP reverse shell, get user and then root privileges to pwn the machine
Vaccine: Pwn the machine (zip2john, hashcat, sqlmap)
Crack the .zip archive, use SQL injection and escalate your privileges to get the flags
Unified: Exploit Log4j, modify a MongoDB entry and get the flags
Log4j exploitation, HTTP request modification & privilege escalation
Explosion: Use xfreerdp to connect to the service
Make use of the poorly configured service and get the flag
Preignition: Use Gobuster and default credentials
Gobuster is used to find the login page of the server by dir busting
Mongod: Use the MongoDB CLI to get the flag
MongoDB is a NoSQL database. Use the mongo CLI to pwn the machine
Synced: Use Rsync to browse public shares
Rsync is a fast file copying tool. We will use it to download the flag
Ignition: Use Gobuster and a commonly used password
Modify the hosts file, do dir busting and try common passwords to get the flag
Bike: Exploit a Node.js template engine vulnerability
Insert malicious code to leave the sandbox and get the flag!
Funnel: Use local port forwarding to access the PostgreSQL DB
Since we can't interact with the DB directly, we use tunneling
Pennyworth: Remote command execution vulnerability
Default credentials help us to execute Groovy Script code to get a reverse shell
Tactics: Get the flag via Samba Client or psexec.py
Browse the Windows shares with default credentials and extract the flag
Included: Local file inclusion, reverse shell and privilege escalation
Use TFTP, get a reverse shell, build and upload an Alpine image with root
Markup: Use XXE Injection and privilege escalation to get the flag
Nmap, BurpSuite, Ncat, default credentials and misconfigurations
Base: PHP Type Juggling, Arbitrary File Upload, clear text credentials
Use BurpSuite, Netcat, SSH, Gobuster and PHP to get a reverse shell
Sau: Use Server-Side Request Forgery to pwn the machine
Exploit known vulnerabilities and capture the flags
Pilgrimage: Use various exploits to get the two flags
Git Repo Dump, Arbitrary File Read, Remote Code Execution
Topology: Use LaTeX Injection and Hashcat
Get the credentials and crack the password hash to get the flags
MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges
Get a reverse shell, break out of a Docker container and get the flags
Category tags: hack the box, penetration testing