• Blue Team Labs Peak

    This Blue Team Labs walkthrough reconstructs an attacker's chain of actions. The attacker gained initial access over SSH on a non-standard port, exfiltrated sensitive files, and deleted files to cover their tracks.

  • Blue Team Labs Soc Alpha 3

    This Blue Team Labs walkthrough reconstructs the actions involved in a ransomware attack, including file exfiltration, the persistence mechanisms the attacker established, and attempts to conceal activity by clearing logs and disabling various services.

  • Blue Team Labs Hashish

    This Blue Team Labs walkthrough reconstructs the attacker's chain of actions. The attacker first exploited CVE-2021-36934 (HiveNightmare, overly permissive ACLs on the SAM and SYSTEM registry hives) and then used Impacket tools to recover the administrator's NT hash. With this hash, the attacker obtained a command line as NT AUTHORITY\SYSTEM and exfiltrated the administrator's documents.

  • Blue Team Labs Sam

    Despite sharing the same name, this Blue Team Labs walkthrough reconstructs the attacker's chain of actions by analyzing Sysmon logs, network traffic, and memory artifacts. The attacker gained an initial foothold through a reverse shell and then exfiltrated NTLM password hashes. After leveraging the compromised credentials of a user account, the attacker authenticated over SSH and went on to look for further privilege escalation opportunities.

  • Blue Team Labs The Walking Packets

    This Blue Team Labs walkthrough reconstructs the attacker's chain of actions using Arkime network logs. The attacker exploited an SQL injection vulnerability in the web application to exfiltrate a surveillance video file that contained plaintext credentials.

  • Vulnlab Walkthrough Trusted

    This Active Directory chain walkthrough details the exploitation of a directory traversal vulnerability to expose database credentials, which were used to pivot and reset another user's password. Domain admin privileges were achieved by injecting a malicious DLL into an executable to obtain remote code execution. With these domain admin privileges, a golden ticket was forged to abuse a trust relationship with another domain and obtain domain admin access on the second domain.

  • Owasp Denver Ctf

    This walkthrough covers my experience participating in the June 2025 OWASP Denver capture the flag (CTF) challenge hosted during the monthly meetup. The main objective was to exploit a vulnerable web application to gain access to the Administrator account, with two additional side quests focused on lower-level vulnerabilities.

  • Vulnlab Walkthrough Ten

    This walkthrough details the exploitation of a misconfigured FTP provisioning process and virtual host deployment. After registering a new FTP account on the website, directory traversal was used to point the FTP account's home directory at another user's .ssh directory. By uploading an SSH key there, we were able to log in as that user over SSH. We then discovered a backend process that generated config files from user-submitted data; by injecting a payload into the user input field, we obtained remote code execution as root.
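
    The traversal in the Ten summary above comes from letting user input decide where a provisioned home directory points. The following is an added example, not the lab's own code: a naive provisioning check next to a hardened one. FTP_ROOT, the function names and the username pattern are assumptions made for the demonstration.

```python
"""Path-traversal check for a home-directory provisioning step.

Added example (not the Ten lab's own code): the vulnerable function mirrors
the flaw described above, where user-controlled input decides where an FTP
account's home directory points. FTP_ROOT and the function names are assumed.
"""
import posixpath
import re

FTP_ROOT = "/srv/ftp"  # assumed base directory for provisioned FTP homes

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative Unix-style names


def home_dir_vulnerable(username: str, requested: str) -> str:
    """Naive version: a string-prefix check on the unnormalised path.

    '/srv/ftp/alice/../../../home/bob/.ssh' starts with '/srv/ftp', so it passes,
    and the '..' components then carry the home directory outside FTP_ROOT.
    """
    candidate = posixpath.join(FTP_ROOT, username, requested)
    if not candidate.startswith(FTP_ROOT):
        raise ValueError("outside FTP root")
    return posixpath.normpath(candidate)


def home_dir_hardened(username: str, requested: str) -> str:
    """Normalise first, then require the result to stay under the user's own base."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    base = posixpath.normpath(posixpath.join(FTP_ROOT, username))
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath is component-wise: '/srv/ftp/alice2' is not under '/srv/ftp/alice',
    # and an absolute 'requested' such as '/home/bob/.ssh' shares only '/' with base.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path traversal rejected")
    return candidate


def is_safe_home(username: str, requested: str) -> bool:
    """Predicate form of the hardened check."""
    try:
        home_dir_hardened(username, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(home_dir_vulnerable("alice", "../../../home/bob/.ssh"))  # escapes the FTP root
    print(is_safe_home("alice", "../../../home/bob/.ssh"))         # rejected
```

    On a live system also run the normalised result through os.path.realpath before the containment check, since an attacker who can already write inside the FTP root can plant a symlink that points at another user's home.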

  • Vulnlab Walkthrough Slonik

    This walkthrough details the exploitation of a misconfigured PostgreSQL instance to gain an initial foothold. Because the PostgreSQL data directory was writable, we were able to drop a SetUID shell into it and have it executed by a scheduled, root-owned backup script, which gave us root-level access.
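
    The check a defender runs against the Slonik finding above is an audit for SetUID/SetGID executables in places they should never appear, such as a service's data directory. The following is an added example, not the lab's own code; the pgdata-like tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Audit a directory tree for SetUID/SetGID executables.

Added example (not the Slonik lab's own code): the check a defender runs
against a SetUID shell dropped into a writable PostgreSQL data directory and
later executed by a root-owned backup script. The sample tree is constructed
in a temporary directory so the script runs offline.
"""
import os
import stat
import tempfile


def is_setuid_or_setgid(mode: int) -> bool:
    """True for regular files carrying the SUID or SGID bit (SGID directories are ignored)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setuid(root: str):
    """Walk root and return (relative path, mode string, owner uid) for each SUID/SGID regular file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink the attacker may have planted
            except OSError:
                continue
            if is_setuid_or_setgid(st.st_mode):
                hits.append((os.path.relpath(path, root), stat.filemode(st.st_mode), st.st_uid))
    return sorted(hits)


def demo():
    """Build a constructed pgdata-like tree with one planted SUID file and return what the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "pgdata")
        os.makedirs(data)
        # Benign files a data directory normally holds, with the usual restrictive mode.
        for name in ("postgresql.conf", "PG_VERSION"):
            with open(os.path.join(data, name), "w") as f:
                f.write("x\n")
            os.chmod(os.path.join(data, name), 0o600)
        # The planted file: a stand-in for a compiled SUID shell. Linux ignores the SUID bit
        # on scripts, so a real attacker drops an ELF binary; the content is irrelevant here.
        planted = os.path.join(data, "pg_helper")
        with open(planted, "wb") as f:
            f.write(b"\x7fELF placeholder\n")
        os.chmod(planted, 0o4755)
        return [path for path, _mode, _uid in find_setuid(root)]


if __name__ == "__main__":
    print(demo())
```

    In practice the output is compared against a baseline of the known SUID/SGID set from a clean build (the equivalent of `find / -xdev -type f -perm /6000`); anything new under a service's data directory, or under a path that a root cron job or backup script executes, is the finding.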

  • Vulnlab Walkthrough Watcher

    This walkthrough details the exploitation of a misconfigured Zabbix instance using CVE-2024-2210 to gain an initial foothold. Privilege escalation was achieved by stealing credentials and using them to log in to a misconfigured TeamCity instance, which yielded root-level access.

  • Vulnlab Walkthrough Sync

    This walkthrough details the exploitation of a misconfigured rsync service that exposed a SQLite database containing weakly hashed user credentials. After cracking a user's password hash, we authenticated via FTP and set up SSH access by uploading a public key. We pivoted on the system by reusing credentials and by extracting a backup archive that contained another user's password hash. Privilege escalation was achieved by injecting a reverse shell into a backup script, which granted us root access when it ran.
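
    The reason the exposed database in the Sync summary above was an immediate problem is that unsalted, fast hashes let one wordlist pass cover every user in the table. The following is an added example, not the lab's own code: it cracks a constructed SQLite user table and shows the salted, memory-hard alternative. The page does not say which algorithm the real database used; unsalted MD5 is assumed here as a stand-in, and the schema, rows and wordlist are constructed for the demonstration.

```python
"""Cracking unsalted hashes from an exposed SQLite user table, and the salted alternative.

Added example (not the Sync lab's own code). Unsalted MD5 is assumed as a stand-in
for whatever weak scheme the exposed database used; the table, rows and wordlist
below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional

SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
# Constructed rows: one password that appears in the wordlist, one that does not.
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"sunshine").hexdigest()),
    ("bob", hashlib.md5(b"T4k3s-a-l0ng-t1me!").hexdigest()),
]
WORDLIST = ["password", "letmein", "sunshine", "123456", "qwerty"]


def load_db() -> sqlite3.Connection:
    """In-memory stand-in for the users.db pulled from the rsync share."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users(username, password_hash) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def crack_unsalted_md5(conn: sqlite3.Connection, wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every row.

    With no salt, the work is O(wordlist), not O(wordlist * users): one pass
    recovers every user whose password is in the list.
    """
    targets = {h: u for u, h in conn.execute("SELECT username, password_hash FROM users")}
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets:
            found[targets[digest]] = word
    return found


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>', fresh salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def scrypt_verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(crack_unsalted_md5(load_db(), WORDLIST))  # alice falls to the wordlist, bob does not
    stored = scrypt_hash("sunshine")
    print(stored, scrypt_verify(stored, "sunshine"))
```

    With a per-user salt the dictionary lookup above no longer works: every candidate has to be recomputed for every row, and each scrypt evaluation at these parameters costs about 16 MiB of memory, which is what makes offline cracking of a leaked table expensive. bcrypt or Argon2 serve the same purpose.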

  • Vulnlab Walkthrough Build

    This walkthrough details the exploitation of a misconfigured rsync module and a Gitea instance. The attack started with discovering credentials in an rsync module, which were used to authenticate to Gitea. On Gitea, we were able to upload a malicious webshell to gain remote code execution in a Docker container. We then pivoted by uploading a Sliver implant to the Docker container, giving us access to the internal network. To obtain root-level privileges, we found credentials in a MySQL database and used them to create a DNS record that let us impersonate a user who had passwordless root access.

  • Vulnlab Walkthrough Lock

    This walkthrough details the exploitation of a misconfigured Gitea instance. The attack started with discovering an access token in a previous commit and leveraging it to upload a webshell for an initial foothold. User-level access was obtained by decrypting an encrypted password in a saved RDP session. Lastly, SYSTEM-level access was obtained by exploiting CVE-2023-49147.

  • Vulnlab Walkthrough Breach

    This walkthrough details the exploitation of Active Directory misconfigurations. The attack begins with anonymous Guest access to enumerate SMB shares, followed by uploading NTLM theft files to capture and crack a user's password hash for initial access. Privilege escalation was achieved through Kerberoasting to extract a service account hash, which was then used to forge a Silver Ticket and impersonate an administrator against the MSSQL service. Lastly, SeImpersonatePrivilege was abused with GodPotato to obtain a SYSTEM-level shell.

  • Vulnlab Walkthrough Forgotten

    This walkthrough details the exploitation of a misconfigured LimeSurvey instance. The attack involved configuring a remote database to set up an instance of LimeSurvey, uploading a malicious plugin to obtain a shell in a Docker container, retrieving a password in the environment variables, reusing this password to obtain user-level access via SSH, and escaping a Docker container to obtain root level access.

  • Vulnlab Walkthrough Baby2

    This walkthrough demonstrates how Active Directory misconfigurations can be exploited to escalate privileges. The attack involved enumerating SMB shares, identifying a user with matching username and password, modifying a logon script in the SYSVOL share to gain a reverse shell, and abusing WriteDACL permissions to reset a privileged account’s password and create a new domain administrator to gain domain admin access.

  • Vulnlab Walkthrough Baby

    This walkthrough demonstrates how Active Directory misconfigurations can be exploited to escalate privileges. The attack involved enumerating users via LDAP, identifying a default password stored in an account description field, changing a user's password to gain initial access, and abusing SeBackupPrivilege and SeRestorePrivilege to extract domain administrator credentials.

  • Vulnlab Walkthrough Down

    This walkthrough details the exploitation of a Local File Inclusion (LFI) vulnerability, which revealed a command injection flaw in the website's code that was exploited to gain initial access. Through this initial access, a pswm file was discovered containing credentials for a user with root-level privileges.

  • Vulnlab Walkthrough Data

    This walkthrough details the exploitation of a vulnerable Grafana instance. The attack involved retrieving a user hash from a SQLite database, cracking the hash to gain an initial foothold, and breaking out of a Docker container to elevate privileges to root.

  • Vulnlab Walkthrough Sendai

    This walkthrough details the exploitation of Active Directory misconfigurations. The attack involved exploiting user accounts that required a password change upon their next login, abusing group membership privileges, and exploiting Active Directory Certificate Services (ADCS) misconfigurations to gain root level access.

  • Vulnlab Walkthrough Retro2

    This walkthrough details the exploitation of Active Directory misconfigurations. The attack involved extracting a hash from a Microsoft Access database file, changing the password on a pre-created computer account, and obtaining root-level access by exploiting weak Windows Server 2008 registry permissions.

  • Vulnlab Walkthrough Retro

    This walkthrough details the exploitation of Active Directory misconfigurations. The attack involved changing the password on a pre-created computer account and exploiting Active Directory Certificate Services (ADCS) to gain root-level access.

  • Vulnlab Walkthrough Manage

    This walkthrough details the exploitation of a misconfigured Java RMI (Remote Method Invocation) service. The attack involved using Beanshooter for enumeration and exploitation, leveraging Google Authenticator codes to bypass 2FA, and exploiting misconfigured adduser privileges to gain root-level access.