A hard TryHackMe box that chains WordPress brute-forcing, PHP webshell injection, credential harvesting from a plaintext file, and a Ligolo-ng pivot to an internal Jenkins instance — ultimately escalating to root via a plaintext password left in a Docker container.
A hard TryHackMe Active Directory box that chains anonymous SMB/LDAP enumeration, OSINT credential recovery from a public Git repository, Kerberoasting, and PrintNightmare (CVE-2021-1675) local privilege escalation to fully compromise the domain.
A hard TryHackMe box exploiting a known Joomla 3.7 SQL injection vulnerability to extract and crack admin credentials, followed by a PHP webshell for initial access and a yum sudo misconfiguration for privilege escalation to root.
A medium TryHackMe box chaining mass assignment, SSRF, and Jinja2 SSTI to gain initial access, then escalating to root by leveraging an exposed Erlang cookie to extract credentials from a misconfigured RabbitMQ service.
A hard Active Directory box: leverage credential reuse for initial access, identify a privileged user via BloodHound, hijack a scheduled script for lateral movement, then perform an RBCD attack to compromise the root domain controller.
A hard Active Directory compromise that chained weak credential hygiene, SMB guest access, password spraying, AS-REP roasting, and registry credential leaks into a full BloodHound-guided escalation, ultimately abusing Kerberos delegation (RBCD) to impersonate Administrator and achieve domain compromise.
A medium-difficulty web exploitation chain where exposed admin interfaces, logic flaws, and SQL injection were leveraged to reset credentials, ultimately escalating to admin access and achieving RCE via a vulnerable Twig SSTI.