SquareZero

PUSH is a multi-staged Windows machine that requires a blend of service enumeration and abuse of enterprise-level misconfigurations. Initial access is achieved via an anonymously accessible FTP server exposing .git contents, from which valid credentials are extracted. These are used to interact with a ClickOnce application hosted on a writable SMB share, allowing us to backdoor a DLL and gain execution as Kelly.Hill. BloodHound analysis reveals WriteAccountRestrictions on MS01, enabling a resou ...

XEN is a medium difficulty machine that starts with a public-facing web service where a directory enumeration reveals a Citrix XenApp installation. After bypassing the XenApp interface, a login portal is found, and a phishing attack is used to gather valid credentials. The SMTP service is also exploited to enumerate users, providing more targets for the attack. Once inside the Citrix portal, an attacker downloads the configuration file and uses a 32-bit Citrix Receiver to gain access. Further, ...

Sendai is a medium difficulty machine that requires thorough enumeration of SMB and LDAP services. Initial access is gained through a null session, revealing a shared file indicating that employees must change their passwords upon login. Using RID brute-forcing, I enumerate domain usernames and identify accounts with the STATUS_PASSWORD_MUST_CHANGE error. Exploiting this, I reset passwords remotely and gain access to a configuration share containing credentials. With valid credentials, I analyz ...

Retro2 presents a easy difficulty challenge, where enumeration reveals several critical services, including LDAP and SMB. After gaining initial access via guest login, I discover a password-protected Microsoft Access .accdb file, which I decrypt using John the Ripper. Credentials retrieved from the file allow further exploitation. Utilizing the credentials, I identify vulnerabilities in the system: Zerologon and NoPac. Zerologon enables me to reset the Domain Controller password without credent ...

Breach is a Medium difficulty lab that simulates a real-world Windows Active Directory environment with layered security mechanisms. The attack begins with extensive enumeration, uncovering SMB shares accessible via guest login. By leveraging a shortcut file attack, the attacker captures NTLMv2 hashes, which are cracked to retrieve credentials. A Kerberoasting attack yields the hash of a service account, leading to Silver Ticket creation for elevated access to the MSSQL server. Privilege escala ...

Tengu is a Hard difficulty lab that focuses on exploiting a complex Windows-based environment, involving multiple stages of lateral movement and privilege escalation. The attack starts by discovering a vulnerable Node-Red instance, leading to remote code execution (RCE) through the exploitation of the exec function. The attacker decrypts MSSQL credentials and sets up an SSH tunnel for pivoting, gaining internal access to the MSSQL server. Active Directory enumeration with BloodHound uncovers ac ...

Kaiju is a Hard difficulty lab focused on exploiting a Windows-based network with multiple stages of lateral movement and privilege escalation. The attack begins with FTP access using default credentials, revealing a FileZilla config file and a KeePass database. After decrypting the FileZilla backup user’s password, SSH access is established, and the attacker manipulates the FileZilla configuration to access the system’s C: drive. From there, the KeePass database is targeted using a custom plug ...

Reflection is a Medium difficulty machine where enumeration and exploitation involve a thorough assessment of a Windows-based network. The user started by identifying open ports and services, leading to the discovery of an SMB share containing database credentials. These credentials were used to access MSSQL servers, where additional credentials were retrieved. By exploiting SMB relay vulnerabilities and using Bloodhound for Active Directory enumeration, the user identified privileges like Gene ...

Baby2 is a Medium difficult machine where I began with a Nmap scan revealing several open ports on the target, including SMB and LDAP. Access to SMB shares with a null password provided read/write permissions on the homes share, revealing user information and a VBS logon script in the SYSVOL share. The script was modified to execute a reverse shell, leading to access as the user Amelia Griffiths. Using BloodHound and PowerView, it was discovered that Amelia had WriteDACL rights over the GP ...

Retro is an easy difficulty machine where enumeration revealed a static website on port 80 and a Gitea instance on port 3000. Exploring Gitea, a repository by ellen.freeman contained a script with an exposed access token, leading to the cloning of a hidden “website” repository with CI/CD integration. A reverse shell was injected and executed, gaining access as ellen.freeman. In her Documents, a config file for mRemoteNG with encrypted credentials was found and decrypted, allowing access to ...