Creative was a simple and straight-forward room. First, we discover a virtual host with an SSRF vulnerability and use it to scan for internal web servers. Upon discovering an internal web server ru...

Bypass begins with discovering a set of instructions and following these instructions to acquire a password. This password allowed us to login to a web application and get to another login page, wh...

Clocky started with us finding a backup on a webserver that included another webserver’s source code. Reading the source code, we saw the application using time and username to create password rese...

El Bandito was a room dedicated to request smuggling, where we used two different methods of request smuggling to capture two flags. First, we abused a SSRF vulnerability to trick a NGINX fronte...

For the Hack Smarter Security room, we leveraged a file disclosure vulnerability in Dell OpenManage Server Administrator to obtain credentials and establish a SSH session. Subsequently, we hijac...

Chrome was a room all about decryption. As a start, we are given a packet capture file with SMB traffic. We are able to extract two files from this traffic: a .NET assembly file and a file encrypte...

Exfilibur begins by exploiting multiple vulnerabilities in BlogEngine.NET to discover a password and also achieve remote code execution. After using remote code execution to get a shell, it is poss...

Breaking RSA was a simple room about RSA, where we discover a public key on a web server along with a note stating the key is weak due to factors for modulus chosen to be numerically close. Using F...

Kitty started by discovering a SQL injection vulnerability with a simple filter in place. Bypassing the filter, we were able to dump the database and get some credentials. Using these credentials f...

After capturing a user’s hash with forced authentication by uploading a malicious file to a SMB share, we were able to crack the hash and get a set of credentials. Using these credentials to enumer...