Individual CTF

README.md

Baby File Inclusion [BlackBox]

This is an old-school PHP trick "nothing fancy", "nothing new".
Error messages are fully enabled.
If you are a CTF player, don’t rely on throwing everything into an LLM and hoping for an answer. Understand the behavior.
Reminder⚠️: Black box challenge

README.md

BabyPentest [BlackBox]

Previously, you learned web shell techniques through the BabyShell challenge. But these two challenges are unrelated XDD. In this one, you’ll attempt to use penetration testing skills and privilege escalation to become a “BabyPentest”. Your mission is to hack, not to read articles.
Reminder⚠️: Black box challenge

README.md

Try Harder

In penetration testing or internal security assessments, Active Directory (AD) enumeration is a critical step. Many security professionals choose PowerShell Remoting (WinRM) to execute remote commands during AD enumeration, but this can lead to the Kerberos Double-Hop issue, affecting the functionality of certain AD enumeration tools.
If you've completed OSCP, you might not necessarily know why RDP (Remote Desktop Protocol) is a better choice, but you'll definitely find a clue for the flag.
BTW, GenericAll is a special AD permission that can be used for privilege escalation. Ex.stephanie
💡 Try Harder: GitHub - Chw41/OffSec-Certification

README.md

BabyShell

BabyShell is a Capture The Flag (CTF) challenge designed to test your skills in exploiting a simple web shell technique. The challenge involves leveraging the getTime() function to retrieve the current time, which is crucial for solving the puzzle.

README.md

Finding Toyz

Embark on a easy virtual journey through a Taichung prison maze inspired by recent events involving Toyz, a prominent esports figure sentenced to over four years for cannabis trafficking in Taiwan. Navigate the challenges of this CTF web challenge and locate Toyz within the intricate confines of the prison. Proceed to "Find Toyz" now to obtain the flag.