An easy-rated Active Directory box involving AS-REP roasting for initial access, and abusing transitive group memberships with WriteDacl to achieve DCSync and full domain compromise.

An easy-rated Active Directory box involving SMB enumeration and GPP passwords for initial access, and kerberoasting to obtain administrator access.

The target is compromised via Remote Code Execution (RCE) in CuteNews v2.1.2 through a vulnerable avatar upload feature. Privilege escalation is achieved by abusing SUID permissions on /usr/sbin/hping3, enabling root-level command execution.