For the Hack Smarter Security room, we leveraged a file disclosure vulnerability in Dell OpenManage Server Administrator to obtain credentials and establish a SSH session. Subsequently, we hijacked...

Hack Back started with reverse-engineering an executable file to discover an email address and a password. After that, we used these credentials to send a phishing email and obtain a shell. Lastly,...

Extracted began with inspecting a packet capture and discovering a PowerShell script within it. Upon examining the script, we noted that it extracted the memory dump of a KeePass process along with...

Extract started with discovering a Server-Side Request Forgery (SSRF) vulnerability and using it to discover an internal web application. By bypassing authentication on this internal application du...

Exfilibur begins by exploiting multiple vulnerabilities in BlogEngine.NET to discover a password and also achieve remote code execution. After using remote code execution to get a shell, it is poss...

El Bandito was a room dedicated to request smuggling, where we used two different methods of request smuggling to capture two flags. First, we abused a SSRF vulnerability to trick a NGINX frontend...

DX2: Hell’s Kitchen started with enumerating a couple of Javascript files on a web application to discover an API endpoint vulnerable to SQL injection. Using this to gain a set of credentials, we u...

Dodge started by inspecting the certificate of a https webserver to get a list of subdomains and enumerating these subdomains to find a PHP endpoint that allowed disabling the UFW firewall. After d...

Decryptify started with deobfuscating a JavaScript file to reveal a hardcoded password, which we used to access a code snippet responsible for generating invite codes. After that, by fuzzing the we...

CyberLens included using a command injection vulnerability in Apache Tika to get a foothold and abuse AlwaysInstallElevated to escalate to Administrator. Initial Enumeration Nmap Scan $ nmap -...