Lustrous - Vulnlab
Lustrous is a Medium-difficulty Windows Active Directory lab that focuses on Kerberos abuse, credential decryption, and privilege escalation via Backup Operators. Initial access is achieved through AS-REP roasting of a user account, followed by a Kerberoast attack to recover service account credentials. Local enumeration uncovers an encrypted PSCredential file, which reveals Administrator credentials upon decryption. Using BloodHound, a privileged user in the Backup Operators group is identifie ...
Heron - Vulnlab
Heron is a Medium-difficulty Windows machine that emphasizes internal network pivoting, Kerberos abuse, and Resource-Based Constrained Delegation (RBCD) in a restricted environment. Initial access is gained through a jumpbox over SSH, with proxying set up via FoxyProxy and ProxyChains to access an internal web app leaking user emails. An AS-REP roasting attack leads to the compromise of a user account, which has read access to SYSVOL and exposes a GPP password for a local admin. Password sprayi ...
Intercept - Vulnlab
Intercept is a multi-layered, hard-difficulty Windows machine that emphasizes lateral movement, NTLM relay attacks, and advanced certificate abuse techniques. Initial enumeration reveals an SMB share allowing write access, leading to the extraction of autologon credentials and NTLMv2 hashes via Autologon64 and slinky. These credentials are cracked and used to stage a relay attack over HTTP using a WebDAV listener. LDAP signing is disabled, making NTLM relay via ntlmrelayx and dnstool.py possibl ...
Puppet - Vulnlab
Puppet is a medium-difficulty, multi-stage Windows and Linux hybrid machine that highlights C2 beacon abuse, PrintNightmare exploitation, UAC bypasses, and Puppet service misconfigurations. Initial enumeration reveals open FTP access hosting a Sliver beacon configuration and binary. Launching the client triggers a beacon callback from a compromised Windows host. With Sliver access, PrintNightmare is exploited to gain local admin, followed by a UAC bypass via SSPI token impersonation. Credential ...
Mythical - Vulnlab
Mythical is a medium-difficulty Windows lab that simulates a post-breach assessment within a network hardened after a prior ransomware attack. Initial access is gained through a pre-established Mythic C2 session, allowing enumeration of internal infrastructure via a VPN tunnel. Backup misconfigurations expose sensitive data over rsync, leading to credential recovery from a KeePass database. Active Directory misconfigurations are exploited by escalating an ESC4 certificate template to ESC1, enab ...
PUSH - Vulnlab
PUSH is a multi-staged Windows machine that requires a blend of service enumeration and abuse of enterprise-level misconfigurations. Initial access is achieved via an anonymously accessible FTP server exposing .git contents, from which valid credentials are extracted. These are used to interact with a ClickOnce application hosted on a writable SMB share, allowing us to backdoor a DLL and gain execution as Kelly.Hill. BloodHound analysis reveals WriteAccountRestrictions on MS01, enabling a resou ...
XEN - HackTheBox
XEN is a medium-difficulty machine that starts with a public-facing web service where a directory enumeration reveals a Citrix XenApp installation. After bypassing the XenApp interface, a login portal is found, and a phishing attack is used to gather valid credentials. The SMTP service is also exploited to enumerate users, providing more targets for the attack. Once inside the Citrix portal, an attacker downloads the configuration file and uses a 32-bit Citrix Receiver to gain access. Further, ...
Sendai - Vulnlab
Sendai is a medium-difficulty machine that requires thorough enumeration of SMB and LDAP services. Initial access is gained through a null session, revealing a shared file indicating that employees must change their passwords upon login. Using RID brute-forcing, I enumerate domain usernames and identify accounts with the STATUS_PASSWORD_MUST_CHANGE error. Exploiting this, I reset passwords remotely and gain access to a configuration share containing credentials. With valid credentials, I analyz ...
Retro2 - Vulnlab
Retro2 presents an easy-difficulty challenge, where enumeration reveals several critical services, including LDAP and SMB. After gaining initial access via guest login, I discover a password-protected Microsoft Access .accdb file, which I decrypt using John the Ripper. Credentials retrieved from the file allow further exploitation. Utilizing the credentials, I identify vulnerabilities in the system: Zerologon and NoPac. Zerologon enables me to reset the Domain Controller password without credent ...
Breach - Vulnlab
Breach is a Medium-difficulty lab that simulates a real-world Windows Active Directory environment with layered security mechanisms. The attack begins with extensive enumeration, uncovering SMB shares accessible via guest login. By leveraging a shortcut file attack, the attacker captures NTLMv2 hashes, which are cracked to retrieve credentials. A Kerberoasting attack yields the hash of a service account, leading to Silver Ticket creation for elevated access to the MSSQL server. Privilege escala ...