Planning
Planning is an easy Linux machine that demonstrates using CVE-2024-9264 to gain initial access and crontab-ui to escalate privileges.
635 words | 3 minutes
Fluffy
Fluffy is an easy Windows machine that demonstrates CVE-2025-24071, the Shadow Credentials technique, and the ESC16 vulnerability on ADCS.
1646 words | 8 minutes
Nocturnal
Nocturnal is an easy Linux machine that demonstrates command injection bypass and privilege escalation using CVE-2023-46818.
1316 words | 7 minutes
Puppy
Puppy is a medium Windows machine. This is a grey-box machine with a supplied credential. With the credential, we can take advantage of GenericWrite to get access to specific shares. Then, we find a KeePass database file that contains a valid credential for another user account. This user account has GenericAll over another user account that belongs to the Remote Management Users group. Inside the machine, there is a backup file that contains another credential. Using that credential, we find a saved credential in DPAPI that contains a credential for an administrative user account.
1462 words | 7 minutes
Environment
Environment is a Linux machine. The box involves exploiting a Laravel web application vulnerability (CVE-2024-52301) to bypass authentication and upload a shell. It involves finding and decrypting a GPG backup file to obtain credentials, and finally escalating privileges to root by abusing sudo permissions and the BASH_ENV variable.
921 words | 5 minutes
Haze
Haze is a challenging Active Directory machine characterized by a vulnerable Splunk installation and security configurations. The machine involves CVE-2024-36991, decrypting a Splunk secret, exploiting multiple ACL/ACE vulnerabilities, and abusing SeImpersonatePrivilege.
2492 words | 12 minutes
Code
Code is an easy Linux machine that demonstrates a Python jail / sandbox escape and privilege escalation via the backy program.
682 words | 3 minutes
TheFrizz
TheFrizz is a medium Windows machine. The box involves attacking a domain controller using Kerberos authentication, abusing Group Policy Objects (GPO), and leveraging the Recycle Bin. The attack path includes exploiting CVE-2023-45878 on Gibbon LMS, obtaining credentials, manipulating GPO settings, and finally achieving system access.
1635 words | 8 minutes