TombWatcher is a medium difficulty active directory box. It is an assumed breach box, thus we are given credentials, in this case for the henry user. This user is able to change the SPN of Alfred w...

Sauna is an easy Windows AD machine. This machine is running a website on port 80 which contains some team member names which can be used to generate a user wordlist. Using the kerbrute tool and th...

EscapeTwo is an easy assumed breached Active Directory machine. We are provided credentials for the user Rose which has access to the Accounting Department share which contains two spreadsheet file...

Heal is a medium difficulty Linux machine. This box only has two TCP ports open, ssh and http. The webpage has three different subdomains. One of them is vulnerable to a file disclosure which allow...

Voleur is a medium difficulty active directory box. It is an assumed breach machine which means we start with some credentials which we can use to enumerate the domain. This machine does not allow ...

Cypher is a medium difficulty Linux box. This machine only has two open TCP ports which are SSH and HTTP. The website presents with a description of a graph solution for mapping an organization’s d...

Cronos is a medium difficulty Linux machine. This box has only three TCP ports open; SSH, HTTP and DNS. DNS is configured in such a way that we are able to extract the domain name of this machine w...

Certified is a medium difficulty box. This is an assumed breach scenario, therefore, we start with some credentials for the judith user. This user has the WriteOwner ACL over the management group, ...

Puppy is a medium active directory Windows machine. We are given credentials for a low privilege user, levi.james, which we can use to start enumerating the active directory environment. We have so...

Delivery is an easy Linux machine. An initial port scan reveals three tcp ports open. Port 80 has a website running which directs us to an OSTicket instance. After sending a ticket we are given a v...