Planning is an easy Linux machine where web enumeration and a CVE-2024-9264 vulnerability lead to initial access, lateral movement, and full system compromise.
Fluffy is an easy Windows machine where initial credentials and CVE-2025-24071 lead to further user access, Active Directory enumeration, and ultimately Administrator compromise.
On Nocturnal, an IDOR exposed credentials that unlocked the admin panel and source code. A command injection led to a shell, cracked database hashes enabled SSH access, and exploiting ISPConfig CVE-2023-46818 provided root.
VulnEscape is an Easy Difficulty Windows machine where users exploit a Remote Desktop Server to connect as KioskUser0, bypass restrictions using Microsoft Edge, and uncover a password to gain admin access and capture the root flag.
Titanic is an easy Linux machine with a booking site and a Gitea instance. An arbitrary file read vulnerability allows access to Gitea's SQLite database, leading to cracked SSH credentials. A scheduled script using a vulnerable magick binary (CVE-2024-41817) is exploited for root access.
Cicada is an excellent beginner-friendly Windows box designed for those new to Windows pentesting, without requiring any knowledge of Active Directory or its attack vectors and strategies. It focuses on the early stages of enumeration, which are essential for tackling more advanced machines, as well as some basic manual checks you can perform once you obtain a user shell.
