Using the provided credentials, we can log in via WinRM. Then, we collect information for BloodHound. With this information, we change the password of the user Micheal, then the password of Benjamin. Benjamin is able to access the FTP service and retrieve a psafe3 file. After cracking the hash, we retrieve the credentials of Emily. Emily is able to perform targeted kerberoasting on Ethan. As Ethan, we can perform DCSync and retrieve the Administrator hash. Finally, we pop a SYSTEM shell via psexec.
In this box, we take advantage of exposed GPP. With the creds, we perform kerberoasting. We are able to crack the TGS we kerberoasted, which belongs to an administrator account. Using psexec, we can get a SYSTEM shell.
This blog post contains writeups for PHP-Redis (SSRF) and AJAX Amsterdam (Broken Access Control).
A writeup about how XSS can lead to RCE and how desktop apps can be vulnerable to XSS too
Writeup on a unique SSRF challenge in Reunion CTF 2026