Principal is a medium difficulty Linux box. The box involves a JWT exploitation to get authenticated access to API endpoints, which leads to remote access. With remote access, enumeration of the box shows there is a misconfiguration in a custom sshd config file and an unencrypted certificate authority that allows root access.
StreamIO is a medium difficulty Windows box. The box involves several web attacks (SQLi, LFI, RFI), MS-SQL database enumeration, credential harvesting, and DACL abuse to get privilege escalation.
Scrambled is a medium difficulty Windows box. The box involves enumerating a website for credentials, using those credentials to move laterally a couple times for additional access, then take advantage of weak serialization to catch a shell as SYSTEM.
Escape is a medium difficulty Windows box. The box involves pillaging SMB shares for low-privilege MS SQL credentials, capturing an NTLM hash from the service account, using that service account's access to move laterally, then abusing a weak certificate template that allows us to escalate privilege to Administrator.
Authority is a medium difficulty Windows box. The box involves pillaging SMB shares for credentials to a web application that uses LDAP for password changes, capturing credentials from the Active Directory (AD) account that is used to make those changes, then getting privilege escalation through AD Certificate Services (CS) and a Resource-based Constrained Delegation (RBCD) attack.
Sauna is an easy difficulty Windows box. The box involves enumerating a webpage to get possible user accounts, check for weak accounts that are ASREPRoast-able, then further enumerating the box to get access to an account that has privileges to perform a DCSync attack.
Timelapse is an easy difficulty Windows box. The box is focused primarily on enumeration, with little tool usage or “exploitation”. You enumerate an unrestricted SMB share, move laterally through finding plaintext credentials, enumerate the Administrator password with those credentials, and finally privilege escalate to Domain Admin through dumping the SAM.
Support is an easy difficulty Windows box. The box is focused on Active Directory (AD) Discretionary Access Control List (DACL) abuse into a Resource-Based Constrained Delegation (RBCD) attack. Initial access can be gotten by decompiling company-specific software and enumerating LDAP.
EscapeTwo is an easy difficulty Windows box. The box is focused on Active Directory (AD) Discretionary Access Control List (DACL) abuse, shadow credential attacks, and attacking a weak template for privilege escalation.
Administrator is a medium difficulty Windows box, it's focused on Active Directory (AD) Discretionary Access Control List (DACL) abuse, kerberoasting, and privilege escalation through DCSync.