BountyHunter
Easy Linux box exploiting an XXE to read files and Python eval in a root ticket validator.
BoardLight
Easy Linux web machine with a vulnerable Dolibarr CMS (CVE-2023-30253) and SUID root escalation via Enlightenment WM.
Buff
Easy Windows box exploiting Gym Management Software RCE then a CloudMe buffer overflow for PrivEsc.
Headless
Easy Linux box leveraging blind XSS in a contact form and a command injection for shell and PrivEsc.
Keeper
Easy Linux box abusing default creds on Request Tracker, then a KeePass dump (CVE-2023-32784) to retrieve the root SSH key.
Perfection
Easy Linux box exploiting SSTI in a grade calculator, cracking hashes, and sudo-based PrivEsc.
Usage
Easy Linux box using blind SQLi to dump the DB, a Laravel file-upload webshell, and local binary PrivEsc.