Freelancer
Hard: An IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …
OpenAD
Hard: A default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …
Playground
Hard: A Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …
Resource
Hard: A zip-upload feature on an SSH key management web app is exploited via a PHP pearcmd LFI-to-RCE trick to land a webshell as www-data; uploaded zip …
Search
Hard: A password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …
Pirate
Hard: Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …
Object
Hard: An open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …
Blackfield
Hard: Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …
Lantern
Hard: A Skipper proxy CVE-2022-38580 SSRF exposes an internal Blazor WebAssembly app whose DLL contains base64-encoded admin credentials; those credentials …