Latest

The target runs a version of NextGen Healthcare Mirth Connect that is vulnerable to CVE-2023-43208 which allows for initial foothold. DB enumeration reveals a user credential encrypted in PBKDF2-HMAC-SHA256 which requires some decoding and cracking. Thus, gaining user access. Then, acquired root by identifying an SSTI vulnerability of unsafe user input validation within a custom script for Mirth Connect

The challenge provides Client Credentials that can be used to authenticate and enumerate available Key Vaults and secrets. Then, using an acquired SAS Token, the flag was retrieved from a blob in a storage container belonging to a storage account

The target runs an outdated version of Wing FTP Server which is vulnerable to CVE-2025-47812 that allows for initial foothold. Gathering credentials by cracking a salted hash in the credential file that leads to the user flag. Then, acquired root by exploiting a sudo misconfiguration that allowed running a vulnerable Python version with a custom program that uses the tarfile module of which allows for path traversal, symlink escape & write access to system files (CVE-2025-4517 & CVE-2025-4138)

The challenge provides Access Keys that allows for IAM enumeration that leads to an additional user policy from the Permission Boundary. The policy allows for a specific S3 bucket enumeration. From there, a KMS decryption key was found and is used to decrypt and download unauthorized sensitive files such as the flag

The challenge provides Access Keys that is used to authenticate as a user that has the sts:AssumeRole permission. It is then used to escalate privileges by impersonating a role that was created leading to an S3 bucket compromise revealing the flag