Basic Pentesting is an introductory machine that walks through common enumeration and exploitation techniques. This lab demonstrates how exposed services, weak passwords, mismanaged credentials, and accessible sensitive files can be leveraged to gain access to the machine.
TryHackMe - Dreaming
Dreaming - inspired by The Sandman comic book - is a Pluck CMS-based machine that shows how weak credentials and an unpatched file upload vulnerability can be chained to gain remote command execution. It also highlights how improper sudo permissions and insecure coding practices - such as storing plaintext credentials - can lead to privilege escalation and full system compromise.
TryHackMe - Billing
Billing demonstrates how an unpatched vulnerability in MagnusBilling can easily be exploited to gain remote command execution. This vulnerable machine also highlights how a misconfigured instance of Fail2Ban can be used to gain root access.
TryHackMe - Lesson Learned?
Lesson Learned teaches a valuable lesson about which SQL queries should not be used when trying to bypass a simple login form. It also shows how improper handling of login responses and unsanitized SQL queries may lead to unauthorized access or potential loss of data.
Hack The Box - Unified
Unified introduces the exploitation of one of the biggest vulnerabilities of 2021, Log4Shell, also known as Log4j. This box demonstrates how to exploit Log4j in the widely used UniFi network monitoring system to gain a reverse shell by manipulating a POST header.
Hack The Box - Vaccine
Vaccine is a Linux machine built to demonstrate the importance of enumeration, and the dangers of chaining multiple vulnerabilities together such as SQL injection, password hash cracking, anonymous guest access and session cookie stealing.
Hack The Box - Oopsie
Oopsie is a Linux (Ubuntu) box created to teach the impact of Information Disclosure and Broken Access Control vulnerabilities, and how multiple vulnerabilities can be chained together to escalate privileges on the target system.
Hack The Box - Archetype
Archetype is a Windows-based machine designed to teach key penetration testing techniques such as leveraging SMB to gain access, spawning a reverse shell and escalating privileges to complete the machine.
PortSwigger - SQL injection
SQL injection (SQLi) is a vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This might allow an attacker to view, modify or delete sensitive data they are not authorized to access.
PortSwigger - OS command injection
OS command injection (also known as shell injection) allows an attacker to manipulate user input to execute arbitrary operating system commands on the server running the web application. This often occurs when an application improperly passes unsanitized input to system functions like exec(), system(), or popen(), or relies on shell commands for functionality without proper input validation.