Sherlocks
| No. | Cases | Lessons Learned |
|---|---|---|
| 1. | Meerkat | Credential stuffing detection, Bonitasoft CVE exploitation, Packet filtering, Custom column value analysis |
| 2. | Bumblebee | SQLite3 file analysis, Epoch timestamp conversion, NGINX access.log parsing |
| 3. | Lockpick | Static malware analysis with Ghidra, Reverse engineering C-based malware, Python scripting for reversing encryption logic, JSON parsing automation |
| 4. | Constellation | Discord URL forensic analysis, URL unfurling techniques |
| 5. | OpTinselTrace-4 | Threat hunting and attacker IP identification, Port scanning detection, Printer hacking network forensics |
| 6. | Litter | PCAP network traffic analysis, DNS tunneling identification |
| 7. | Logjammer | Windows Event Log analysis using Event Viewer |
| 8. | Heartbreaker-Continuum | PEStudio and Ghidra for code size identification, VirusTotal for file metadata, Hex editor for obfuscated strings offsets, MITRE ATT&CK technique identification |
| 9. | Hyperfiletable | Parsing raw MFT data with analyzeMFT, Using MFTExplorer for ZoneID and file size analysis |
| 10. | Subatomic | File type identification with Detect It Easy (DIE), Unpacking Nullsoft Installer, Malware GUID identification, Debugging obfuscated JS in VSCode, Code review of Trojan Discord module |
| 11. | Tracer | Windows Event Log analysis, Prefetch file parsing with PECmd, $MFT analysis using MFTECmd, USN Journal ($J) analysis, Sysmon log investigation |
| 12. | Loggy | Using Ghidra, ANY.RUN, DIE for malware language identification, PEStudio and API Monitor for malicious function calls, FTP domain tracking, IDA graph analysis for disk writes |
| 13. | RogueOne | Memory forensics with volatility3, Detection of process spoofing |
| 14. | Recollection | Memory forensics with volatility3, Detection of alias IEX usage, Browser history dumping, Malicious filename identification |
| 15. | Brutus | Reviewing UNIX auth.log, Hunting suspect IP addresses, WTMP log analysis |
| 16. | Campfire-1 | DC security logs analysis via EventViewer, Kerberoasting attack analysis, Prefetch file conversion and timeline exploration with PECmd and Timeline Explorer, Identifying common Kerberoasting tools |
| 17. | SmartyPants | Windows RDP event log analysis, Event log explorer usage, Smart screen debug log review |
| 18. | Unit42 | Sysmon EventID definitions, Sysmon log analysis, UltraVNC infection investigation |
| 19. | BFT | Parsing raw MFT files with MFT Explorer and MFTECmd, Malicious file download hunting |
| 20. | Jingle Bell | Forensic analysis of Slack application SQLite database |
| 21. | TickTock | TeamViewer log analysis for C2 agent and attacker sessions, Prefetch log review, Sysmon log review for network connections, Windows Defender and PowerShell log inspection, Drive mounting and C2 hash identification, Raw MFT parsing and timeline exploration, Timestamp event extraction with Get-WinEvent |
| 22. | Jugglin | Forensic analysis of APMX64 files, API Monitor for function call interception, PowerShell module identification for data exfiltration |
| 23. | Ore | Reviewing Grafana and catscale artifacts, XMRIG process analysis, Hunting threat actor IPs via UNIX logs, Shodan threat intelligence use, Cronjob timing analysis with crontab.guru |
| 24. | Ultimatum | Catscale data acquisition review, Ultimate-member plugin CVE identification, Backdoor user and persistence activity detection |
| 25. | Pikaptcha | Registry hive analysis with Registry Explorer, Malicious PowerShell downloader analysis, Threat actor C2 server hunting, Reverse shell session timing, Phishing JS function identification, Lumma Stealer malware investigation |
| 26. | APTNightmare | Packet capture analysis with Wireshark, Nmap open port identification with Tshark, DNS zone transfer detection, Compromised subdomain and credential discovery, Memory analysis of web server with Volatility and Ubuntu profile, MITRE ATT&CK technique correlation, Debian package inspection with dpkg, Windows registry hive parsing with Regripper, Program execution artifact analysis, .lnk file examination, Registry hive cleaning, Disk image review with FTK Imager, Email phishing forensic analysis, Prefetch file analysis, Raw $MFT parsing, PowerShell and event log export, Timeline review, Encoded PowerShell command decoding, VirusTotal IOC identification, Cobalt Strike beacon analysis, Persistence task detection |
Binary Exploitation (PWN)
| No. | Challenges | Lessons Learned |
|---|---|---|
| 1. | racecar | Exploiting format string vulnerabilities to leak stack values |
| 2. | You know 0xDiablos | Buffer overflow exploitation, Return-to-win techniques |
| 3. | Jeeves | Local variable modification techniques |
| 4. | Space pirate: Entrypoint | Format string bugs, Local variable modification |
| 5. | Reg | Buffer overflow, Redirecting program execution |
| 6. | Space pirate: Going Deeper | Buffer overflow, Redirecting program execution |
| 7. | Bat Computer | Buffer overflow, Return-to-shellcode techniques |
| 8. | Blacksmith | Buffer overflow, Return-to-libc attacks |
| 9. | Shooting star | Buffer overflow, Return-to-libc attacks |
| 10. | HTB Console | Buffer overflow, Return-to-libc, Using .DATA section to write "/bin/sh\x00" strings |
| 11. | Optimistic | Buffer overflow, Integer overflow, Return-to-shellcode with alphanumeric payloads |
| 12. | Restaurant | Buffer overflow, Return-to-libc, Bypassing MOVAPS protection |
| 13. | Entity | Union structure manipulation, Type confusion vulnerabilities |
| 14. | Getting Started | Buffer overflow basics |
| 15. | Questionnaire | Binary exploitation concepts and questions |
| 16. | Nightmare | Format string bug exploitation, Global Offset Table (GOT) overwrite |
| 17. | Void | Buffer overflow, Return-to-dl-resolve technique |
| 18. | Fleet Management | Bypassing seccomp sandbox, Crafting custom shellcode |
| 19. | Vault-breaker | Abusing misconfigurations, XOR cipher decoding |
| 20. | Spooky Time | Format string bug exploitation, GOT overwrite |
| 21. | Space pirate: Retribution | Buffer overflow, Return-to-libc, Bypassing PIE and ASLR |
| 22. | Space | Buffer overflow, Small offset after EIP, Custom shellcode crafting |
| 23. | Leet Test | Format string bug, Overwriting local and global variables |
| 24. | Trick or Deal | Heap exploitation, Use-After-Free (UAF) |
| 25. | PwnShop | Buffer overflow, Return-to-libc, Bypassing PIE and ASLR, Stack pivoting |
| 26. | Finale | Open-Read-Write (ORW) ROP chain exploitation |
| 27. | Hellhound | Heap exploitation, House of Spirit technique (glibc 2.23) |
| 28. | Sacred Scrolls: Revenge | Buffer overflow, Return-to-libc, Base64 encoded payload, Bypassing MOVAPS (stack alignment) |
| 29. | Sick ROP | Sigreturn Oriented Programming (SROP) |
| 30. | What does the f say? | Format string bug, Bypassing PIE, Canary, and ASLR, Return-to-libc, Bypassing MOVAPS protection |
| 31. | Bon-nie-appetit | Heap exploitation, maia_arena address leak, Off-by-one (OOB) exploit, Tcache poisoning |
| 32. | Great Old Talisman | Buffer overflow, GOT overwrite |
| 33. | Spellbook | Heap exploitation, Leaking main_arena address, Fastbin dup attack, Overwriting __malloc_hook with one_gadget |
| 34. | Oxidized ROP | Rust buffer overflow, Local variable overwrite using Unicode characters |
| 35. | Regularity | Buffer overflow, Return to register |
| 36. | Writing on the Wall | Out-of-bounds write, read() vulnerability, Local variable overwrite |
| 37. | Execute | Direct code execution bug, Return to shellcode, Crafting custom shellcode to bypass bad bytes, XOR encoding /bin/sh strings |
| 38. | Rocket Blaster XXX | Buffer overflow, Return-to-win with 3 parameters |
| 39. | Sound of Silence | Return address manipulation with gets(), Passing system() as argument, Using GDB to trace parent process |
| 40. | r0bob1rd | Libc leak via array index clobbering, Format string bug to overwrite GOT entry for __stack_chk_fail(), OOB bug triggering __stack_chk_fail() call` |
| 41. | Assemblers Avenge | Return to shellcode, Crafting custom shellcode, Using printed /bin/sh strings |
| 42. | No Gadgets | Bypassing strlen() checks, Exploiting GLIBC 2.35 gadgets limitation, GOT overwrite using controlled RBP, Forging fake RBP with PLT stub |
| 43. | Kernel Adventures: Part 1 | Exploiting race condition vulnerabilities, Password hash cracking, Double fetch exploitation |
Machines
| No. | Machine Name | Lessons Learned |
|---|---|---|
| 1 | Blue | Metasploit, smbclient, EternalBlue, Meterpreter |
| 2 | Jerry | Tomcat exploitation, Msfvenom reverse shell, Metasploit usage |
| 3 | Lame | FTP, CVE exploitation, Backdoor, SMB, Remote Code Execution (RCE) |
| 4 | Netmon | FTP enumeration, Searchsploit usage |
| 5 | Photobomb | Command injection, Pwncat usage, PATH hijacking |
| 6 | Precious | Setting up simple Python server, PDFKit CVE exploitation, Pwncat, Ruby exploit, YAML exploit |
| 7 | Shoppy | Gobuster usage, NoSQL injection, MongoDB exploitation, Password hash cracking, Ffuf usage, Docker privesc via GTFOBins |
| 8 | Cap | Exploiting Python 3.8 cap_setuid, Wireshark usage, IDOR vulnerability |
| 9 | Busqueda | Server-side template injection (SSTI), Remote code execution (RCE), Gitea exploitation |
| 10 | Knife | PHP CVE exploitation, Knife binary GTFOBins |
| 11 | Bashed | Gobuster usage, Webshell deployment, Cronjob exploitation |
| 12 | Shocker | Gobuster usage, Shellshock attack, Perl binary exploitation |
| 13 | Beep | Dirbuster usage, Elastix webserver exploitation, FreePBX service exploitation |
| 14 | Blocky | Dirbuster usage, JADX-GUI for reverse engineering |
| 15 | Bank | Gobuster usage, Identifying failed hash or encryption methods, Msfvenom reverse shell |
| 16 | Nibbles | Gobuster usage, Nibble blog exploit, Techmint Linux monitoring script exploit |
| 17 | SteamCloud | Kubernetes exploitation, Pod forging |
| 18 | Keeper | WinDbg usage, KeePass key dumper (Keydumper), PuTTY key generation and usage (PuttyGen) |
| 19 | Optimum | Rejetto HTTP File Server exploit, Metasploit usage |
| 20 | Legacy | SMB CVE exploitation, Metasploit usage |
| 21 | Granny | Microsoft IIS 6.0 exploit, Metasploit usage |
| 22 | Grandpa | Microsoft IIS 6.0 exploit, Metasploit usage |
| 23 | Devel | ASPX reverse shell, Microsoft IIS 7.5 exploit, Metasploit usage |
| 24 | Horizontall | Generating SSH keygen, Port forwarding, Laravel 8.4.2 exploit |
| 25 | Validation | SQL injection (SQLi), PHP reverse shell |
| 26 | Nunchucks | Gobuster usage, Nunjucks template engine exploit, Perl binary exploitation, AppArmor Perl bugs |
| 27 | Late | Flask SSTI, SSH keygen, LinPEAS usage, Pspy64 |
| 28 | BountyHunter | Dirbuster usage, XXE exploitation, Abusing Python script misconfiguration |
| 29 | Mirai | Raspberry Pi server setup, Linux file recovery with dcfldd, Volume mounting |
| 30 | Armageddon | Drupal 7 service exploit, Dirty Sock exploit |
| 31 | Paper | WordPress exploitation, Password reuse, LinPEAS usage, Sudo exploit |
| 32 | MonitorsTwo | Cacti login page exploit, Hash cracking with John the Ripper, Listing SUID binaries, capsh GTFOBins |
| 33 | Inject | Directory traversal, Searchsploit usage, Spring Framework exploit, Pspy64, YAML forging |
| 34 | Sau | Request Baskets v1.2.1 exploit, SSRF, Maltrail v0.53 exploit |
| 35 | Pilgrimage | ImageMagick LFI, Git dumper usage, Binwalk CVE RCE |
| 36 | CozyHosting | Dirsearch usage, Base64 encoded bash reverse shell, JD-GUI, PostgreSQL, Hash cracking with John and Hashcat, sudo GTFOBins |
| 37 | Topology | LaTeX injection, Ffuf usage, Hash cracking with John, Pspy64, Forging PLT files to exploit Gnuplot binary cronjobs |
| 38 | Explore | ADB, Metasploit usage, ES File Explorer exploit, oHostKeyAlgorithms, Port forwarding |
| 39 | Previse | Dirbuster usage, Command injection, Hash cracking with John, Forging bash gzip, PATH hijacking |
| 40 | Broker | Apache ActiveMQ exploitation, Remote code execution (RCE) |
| 41 | Delivery | Email impersonation, Hash cracking using Best64 and John the Ripper |
| 42 | Codify | Virtual Machine 2 (VM2) exploitation, Hash identification, Hash cracking with John, Python bruteforce script creation |
| 43 | Analytics | Metabase login page exploit, Metasploit usage, LinPEAS usage, Local privilege escalation on Ubuntu 22.10 / 22.04 |
| 44 | Soccer | Dirsearch usage, H3K Tiny File Manager exploitation, WebSocket exploitation, SQLmap for blind SQLi, Privilege escalation using SUID doas, Forging dstat using Python |
| 45 | Timelapse | Enumerating public SMB shares with smbclient, Cracking Personal Information Exchange (PFX) files, OpenSSL, pfx2john, evil-winrm, Active Directory enumeration |
| 46 | Devvortex | Ffuf usage, Dirsearch usage, Joomla v4.2 CMS exploitation, Password hash cracking with John, apport-cli binary exploitation |
| 47 | Return | SMB service enumeration with smbclient and enum4linux, Abusing printer's network, evil-winrm, Group membership enumeration for svc-printer account, Msfvenom, Active Directory security group abuse, Metasploit usage |
| 48 | Irked | Unreal Engine 3.2.8.1 exploitation, Metasploit usage, LinPEAS usage |
| 49 | Perfection | WEBrick 1.7.0 exploitation, ERB and Ruby RCE, LinPEAS usage, Time-based password hash cracking with John |
| 50 | Headless | XSS, Cookie stealing, Command injection, Remote code execution (RCE), Abusing syscheck misconfiguration for root |
| 51 | Wifinetic | FTP anonymous login, WiFi network interface enumeration, WiFi network configuration dumping, WPS PIN brute forcing using Reaver |
| 52 | OpenAdmin | Dirsearch usage, OpenNetAdmin v18.1.1 exploit, Bash reverse shell, Abusing Apache2 internal misconfiguration, Password cracking with John, Port forwarding, Webshell deployment, SSH private key cracking, Privilege escalation in nano by resetting stdin/stdout/stderr |
| 53 | TraceBack | Gobuster usage, SSH key generation, Forging Lua scripts, SSH MOTD manipulation |
Web
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | Templated | LoveTok | Phonebook |
| 2. | Spookifier | looking glass | sanitize |
| 3. | baby auth | baby BonChewerCon | Full Stack Conf |
| 4. | baby interdimensional internet | Juggling facts | baby nginxatsu |
| 5. | baby todo or not todo | baby WAFfles order | BlinkerFluids |
| 6. | Orbital | Trapped Source | Passman |
| 7. | SpookTastic | CandyVault | HauntMart |
Forensics
Cryptography
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | BabyEncryption | xorxorxor | Android in the Middle |
| 2. | Weak RSA | Classic, yet complicated! | Brainy's Cipher |
| 3. | Gonna-Lift-Em-All | Ancient Encodings | Nuclear Sale |
Reversing
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | Impossible Password | Bypass | Behind the Scenes |
| 2. | WIDE | Baby RE | You Cant C Me |
| 3. | Find The Easy Pass | Baby Crypt | Ransom |
| 4. | Anti Flag | Ouija | Tear Or Dear |
| 5. | Rebuilding | Teleport | Hunting License |
| 6. | Shattered Tablet |
OSINT
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | Easy Phish | Infiltration | Money Flowz |
| 2. | Missing in Action | ID Exposed | 0ld is g0ld |
Mobile
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | Cat | Don't Overreact | APKey |
| 2. | Pinned | APKrypt | Manager |
| 3. | Anchored |
Misc
| No. | Column 1 | Column 2 | Column 3 |
|---|---|---|---|
| 1. | Canvas | fs0ciety | Milkshake |
| 2. | Hackerman | Da Vinci | Art |
| 3. | misDIRection | Emdee five for life | The secret of a Queen |
| 4. | Eternal Loop |