For the Hack Smarter Security room, we leveraged a file disclosure vulnerability in Dell OpenManage Server Administrator to obtain credentials and establish a SSH session. Subsequently, we hijacked...

Chrome was a room all about decryption. As a start, we are given a packet capture file with SMB traffic. We are able to extract two files from this traffic: a .NET assembly file and a file encrypte...

Exfilibur begins by exploiting multiple vulnerabilities in BlogEngine.NET to discover a password and also achieve remote code execution. After using remote code execution to get a shell, it is poss...

Breaking RSA was a simple room about RSA, where we discover a public key on a web server along with a note stating the key is weak due to factors for modulus chosen to be numerically close. Using F...

Kitty started by discovering a SQL injection vulnerability with a simple filter in place. Bypassing the filter, we were able to dump the database and get some credentials. Using these credentials f...

After capturing a user’s hash with forced authentication by uploading a malicious file to a SMB share, we were able to crack the hash and get a set of credentials. Using these credentials to enumer...

Umbrella had an exposed Docker registry that allowed us to find database credentials. Using these database credentials to connect to the database and dumping the hashes, we were able to crack them ...

WhyHackMe has an FTP server that accepts anonymous logins. There is a note on this FTP server mentioning an endpoint on the webserver that contains user credentials and is only accessible by localh...

Dodge started by inspecting the certificate of a https webserver to get a list of subdomains and enumerating these subdomains to find a PHP endpoint that allowed disabling the UFW firewall. After d...