Challenge Board

πŸ€πŸ€πŸ€πŸ€ Premium Locked

🧩 CorpNet AD Lab · 2 Machines

CorpNet

A two-machine Active Directory lab. Enumerate the domain controller’s SMB shares and a vulnerable employee portal, then chain credential leaks across both machines to achieve full domain compromise.

πŸ€πŸ€πŸ€πŸ€πŸ€ Premium Locked

🧩 MegaCorp AD Lab · 2 Machines

MegaCorp

A two-machine Active Directory lab focused on MS14-025 (GPP credential harvest). Start with an exposed backup config on the workstation, then pivot to the domain controller via SYSVOL to decrypt the service account password and achieve root.

πŸ€

Axferia

A forgotten nameserver sits exposed on the network, its zone transfer restrictions never configured. What secrets does its DNS database hold — and can you leverage them to walk right through the front door?

πŸ€

Listeria

The web server proudly serves its directory tree to anyone who asks. Hidden among the exposed files lies a credential that opens more than just a web page. Look closer — the index never lies.

πŸ€πŸ€

Bindforge

An enterprise directory left open to anonymous queries. Someone forgot to lock the front gate — walk the tree, extract what was never meant to be public, and forge your path all the way to root.

πŸ€πŸ€

Rootbase

The database administrator forgot the most important rule: always set a root password. Tap into the exposed data store, recover what was left in plaintext, and pivot your way to full control.

πŸ€πŸ€πŸ€πŸ€ Premium Locked

Keyspace

A Redis instance stands wide open — no authentication, no firewall, just raw access to an in-memory data store. The question isn't whether you can read it. The question is: can you turn a cache into a root shell?

πŸ€πŸ€

Driftsync

An rsync daemon quietly exposes its modules to the world, no credentials required. Dig through the synchronized data, recover what was meant to stay private, and ride the drift all the way to root.

πŸ€πŸ€πŸ€ Premium Locked

Bifrost

Two file-sharing services, two attack surfaces. Pivot between SMB and FTP to piece together the credentials that bridge your path to root. Neither service alone holds the answer — the key is in the crossing.

πŸ€πŸ€

Postmark

The mail server helpfully confirms which users exist — and the sysadmin made sure some of them have terrible passwords. Enumerate the recipients, guess the passphrase, and deliver yourself a shell.

πŸ€πŸ€ Premium Locked

Walkabout

A network management agent leaks far more than just metrics. Walk the MIB tree, read what the community string reveals, and follow the trail of exposed data straight to a root prompt.

πŸ€

Retrogate

Cleartext credentials over a legacy protocol — some habits never die. Authenticate through the old gateway, find what the sysadmin left behind, and walk the classic escalation path to root.

πŸ€

Bootleak

A TFTP server meant for network booting inadvertently serves up configuration files to anyone who asks the right filename. One leaked config is all you need — find the foothold, then find the path out.

πŸ€πŸ€ Premium Locked

Neuravex

CorpTech's internal AI assistant has its maintenance credentials baked directly into its system prompt. It's chatty, helpful, and completely unaware of what prompt injection means. Talk to it — carefully.

πŸ€πŸ€πŸ€

Injectrix

An internal employee portal shipped to production without a security review. Three unpatched vulnerabilities sit in the same PHP codebase — SQL injection, command injection, and an unrestricted file upload. Chain them to own the box.

πŸ€πŸ€πŸ€πŸ€ Premium Locked

Stacksmash

A 32-bit SUID binary runs on this machine with every modern mitigation stripped away — no canary, no NX, no PIE, no ASLR. One vulnerable call to gets() is all that stands between you and a root shell. Develop the exploit.

πŸ€πŸ€πŸ€πŸ€πŸ€ Premium Locked

The XSS Rat

The XSS Rat's personal research platform: a PHP blog engine with a dangerous API and a secrets-laden internal service. Chain stored XSS through to SSRF, extract admin credentials from an internal endpoint, and abuse a sudo GTFOBin to root. Nothing about this box is accidental — every quirk is a clue.
