Shenn

@Shenn

Joined on Nov 28, 2023

  • Introduction Hi everyone, I will share my journey of obtaining the CRTP and what to expect in the course and exam. Course The course starts off with introducing PowerShell, its built-in security features and the basics of Active Directory. The course, labs and exam mimic an assumed-breach model whereby you have access to a domain-joined user. You can connect to the user through the web browser or download a VPN file and RDP yourself. The course will teach the fundamentals of Active Directory such as Organizational Units (OUs), Group Policy Objects (GPOs), Access Control Lists (ACLs), and Domain Trusts. The attacking aspects, like privilege escalation, abusing applications in the domain (Jenkins, MSSQL), AMSI bypass (payload crafted for you), how to evade AV by modifying tools (built for you), Kerberos-based attacks (delegations, tickets, roasting), persistence, Forest Trust abuse (inter and intra), Active Directory Certificate Services, and MSSQL database links, are covered. I felt the course materials were concise and clear. I read through the slides and complemented them with the videos. I recommend watching the videos as personally I feel I learn better with videos mixed with text instead of solely relying on text. The only complaint would be that some slides go through the topic too quickly without explaining it further/in more depth. However, as this course is built for beginners, it is understandable. If you require more background/wonder how or why this attack works, you should definitely Google around and read up on it.
  • Writeups for Robbin (rentas 2024 quals) :D Question: Flag: RWSC{S1MPL3_4ND_L4ZY} We are given a PHP website that loads files through a GET parameter. A vulnerability in PHP exists where RCE can be achieved if the attacker controls a path used in include(), which is the method the website uses to include files.
  • DiceCTF2024 - Writeups Description can you login as admin? NOTE: no bruteforcing is required for this challenge! please do not bruteforce the challenge. Source Code const users = [...Array(100_000)].map(() => ({ user: `user-${crypto.randomUUID()}`, pass: crypto.randomBytes(8).toString("hex") })); db.exec(`INSERT INTO users (id, username, password) VALUES ${users.map((u,i) => `(${i}, '${u.user}', '${u.pass}')`).join(", ")}`);
  • Description Let's warm up! http://warmup.wargames.my Browsing to the application, it requires a password to be input. Solution After browsing around, we can find that there is obfuscated JavaScript under http://warmup.wargames.my/static/script.min.js. Deobfuscating it reveals a secret endpoint which contains the flag.