PlayerTwo was an insane rated Linux box that was a hell of a journey. I debated about doing this writeup because I got the root flag in an unintended way but hey, it's still a win! First you had to get the correct vhost name in order to find a
ServMon was an easy rated Windows box that took me longer to solve than I expected given the rating. Sensitive files stored on an anonymous FTP server, a directory traversal vulnerability in a web server and some password spraying were used to gain a low privilege shell. From there, the
Monteverde was a medium difficulty Windows box in which lazy password practice combined with password spraying allowed access to a SMB share. An Azure XML file was found with another password which was again sprayed to get a shell. The compromised user was a member of the 'Azure Admins' group
Resolute was a medium rated Windows machine in which LDAP was queried for a list of users and an initial account password. This password was sprayed across the found usernames for a shell. Enumerating the system yielded a password for another user who was a member of the DnsAdmins group.
This blog is hosted on a server that I control and I check the logs pretty regularly to make sure things are on the up and up. While checking logs yesterday, I noticed a spike of referrals from a website I didn't recognize so I checked it out: Looks pretty