CTF Writeups
HackTheBox and lab walkthroughs with practical exploitation steps.
Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.
Certified
Got into management_svc by abusing WriteOwner and GenericAll, and then exploited the ESC9 vuln.
BlackField
Found users through RID brute force with guest access, AS-REP roasted and found creds, force-changed creds for the audit account to access the forensics share, dumped LSASS and found creds for a service account, WinRM as the service account and dumped NTDS …
Manager
Got creds, found a backup file in the MSSQL instance, got raven's password, RDP as raven and found a certificate that was vulnerable.
Intelligence
Got initial access through default creds found by enumerating PDF files, got in, added our DNS record, captured a hash with Responder and then passed the hash to grab the pass of a service account, used the service account to …
Administrator
Got creds, abused GenericWrite, then force-changed a pass, then cracked a psafe file and got creds, used them to abuse DCSync and got admin.
Servmon
Got initial access via path traversal and then port forwarded with SSH; API broken, can't get root.txt.
Markup
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-02 06:19 CST Nmap scan report for 10.129.95.192 Host is up (0.0082s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE …
Jeeves
Got in through an exposed Jenkins interface, privesc using a hash found through KeePass.
Boardlight
Got in through a discovered subdomain with an exploit, escalated with conf file cred reuse, and then escalated to root using a known exploit.
Support
Analyzed a binary from an SMB share and found hardcoded creds, enumerated with ldapsearch using the hardcoded creds, then found an account with genericwriteall and abused that with RBCD.
Monitored
Found creds from snmpwalk, API logic for getting a page, API logic for creating a user, ran a check from the monitoring service to get the shell, privesc through sudo -l.
LinkVortex
Enumeration uncovered a DEV subdomain exposing a .git directory. Dumping the repository revealed valid Ghost CMS credentials, which gave authenticated access to the admin panel. Since the target was running …
Dog
Got access via exposed creds on git, then used an authenticated rce to get access, switched users and ran binary bee as sudo to get sudo perms.
Builder
Old Jenkins interface, got creds with hydra and LFI that exposed creds under users.xml, grabbed the root SSH key and decrypted it with the CLI.
CozyHosting
Found an exposed endpoint that gave us a session, used the session and got in with RCE that bypassed whitespace filtering, found a jar file with an archive containing DB creds, used the DB creds to find hashes, cracked hash for …
Pandora
Snmpwalk for creds, escalated with a hidden site and a known exploit.
Editorial
Found a site that accepts a URL parameter, fuzzed it for SSRF on http://localhost, found a file at port 5000, enumerated API endpoints at port 5000 to find the creds for initial access, elevated priv by identifying …
Aero
Got initial access using an exploit.theme file, elevated privs with a buffer overflow privesc vuln.