https://blog.akmee.xyz/categories/writeups/Recent content in Writeups on tomato's blogHugoen-usMon, 20 Apr 2026 14:48:49 -0300https://blog.akmee.xyz/writeups/active/cctv/Thu, 19 Mar 2026 12:35:58 -0300https://blog.akmee.xyz/writeups/active/cctv/CCTV is an easy Linux machine built around two real-world open-source camera management platforms. The attack path starts with default credential reuse on a ZoneMinder instance, leads into exploiting a blind SQL injection vulnerability to extract and crack credentials from the database, and finishes with privilege escalation through a motioneye service running as root.https://blog.akmee.xyz/writeups/active/pirate/Thu, 19 Mar 2026 12:35:58 -0300https://blog.akmee.xyz/writeups/active/pirate/Pirate is a hard Windows Active Directory machine that covers a wide range of modern offensive techniques across two network segments. The attack path demands solid enumeration skills and a good understanding of how Kerberos, NTLM, and AD delegation mechanisms behave under the hood. Expect to work through legacy misconfigurations, credential abuse, network pivoting, and a creative privilege escalation chain before landing on the Domain Controller.https://blog.akmee.xyz/writeups/active/interpreter/Thu, 05 Mar 2026 00:00:00 +0000https://blog.akmee.xyz/writeups/active/interpreter/Medium Linux machine exploiting CVE-2023-43208 (Mirth Connect RCE) for initial access, followed by MySQL credential leakage, PBKDF2 hash cracking, and an f-string eval SSTI in a local Flask server to escalate to root.https://blog.akmee.xyz/writeups/retired/planning/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/planning/Planning is an easy Linux assumed-breached machine where initial access comes through CVE-2024-9264, a SQLi-to-RCE in Grafana. After landing in a Docker container, credentials leaked from environment variables give SSH access to the host. Privilege escalation involves finding a cleartext password in a readable database file and abusing a cron job manager running as root.https://blog.akmee.xyz/writeups/retired/scepter/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/scepter/Scepter is a hard Windows Active Directory machine where initial access comes from cracking encrypted .pfx files found on an exposed NFS share. From there, the path to root chains two ADCS vulnerabilities — ESC9 and ESC14 — abusing certificate template misconfigurations and UPN/email attribute manipulation to impersonate privileged users and ultimately DCSync the domain.https://blog.akmee.xyz/writeups/retired/environment/Mon, 05 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/environment/Environment is a medium Linux machine where breaking the login page leaks the Laravel version, leading to CVE-2024-52301 — an argument injection that lets you switch the app environment and bypass authentication. From the dashboard, a file upload filter bypass gives RCE. Root comes from decrypting a GPG backup to recover credentials and abusing BASH_ENV preserved via env_keep in sudoers.