SeeTwo was a room about extracting a basic C2 client from a packet capture file and reverse engineering it to understand its functionality. Using the same packet capture file, we then extracted the...

Whiterose started with discovering a virtual host and logging in with the credentials provided in the room. After logging in, we accessed a chat and, by modifying a parameter to view old messages, ...

Rabbit Hole was a room about exploiting a second-order SQL injection vulnerability to extract the currently running queries from the database. The goal was to discover a password embedded in a SQL ...

Mountaineer started by discovering a WordPress instance and identifying a plugin vulnerable to authenticated RCE. By exploiting the nginx off-by-slash vulnerability to read files on the server, we ...

Extracted began with inspecting a packet capture and discovering a PowerShell script within it. Upon examining the script, we noted that it extracted the memory dump of a KeePass process along with...

Backtrack began by exploiting a path traversal vulnerability to read files on the server, which led to the discovery of Tomcat credentials. With these credentials, we used Tomcat to obtain a shell....

Brains was a room focused on an authentication bypass vulnerability in TeamCity (CVE-2024-27198). We began as an attacker, exploiting the vulnerability to achieve remote code execution (RCE) and ca...

Pyrat was a room centered around a Python program. Initially, we used the program to execute Python code and establish a foothold. Afterward, we discovered user credentials within the configuration...

K2 had us solve three machines in sequence, using our findings from the previous machines to tackle the next one. We began with Base Camp, where we targeted a web application and discovered severa...

The London Bridge began with fuzzing a web application to discover an endpoint. By fuzzing this endpoint for parameters, we identified one vulnerable to SSRF. Using this vulnerability to enumerate ...