Recent Posts

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot. It started out by finding a WAV file upload and using it to get SQL injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot. It started out with heavy vhost enumeration, which leads you to some backup file artifacts that expose an access code and passphrase. We then use the code and passphrase to generate a JWT and access an AVI file upload application. An AVI file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex-encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with webhooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a Flask API application via exposed source code in Gogs to get a shell as root in a Docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abuse Vault SSH to get root using an OTP.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.