https://blog.akmee.xyz/writeups/retired/Recent content in Retired machines on tomato's blogHugoen-ushttps://blog.akmee.xyz/writeups/retired/planning/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/planning/Planning is an easy Linux assumed-breached machine where initial access comes through CVE-2024-9264, a SQLi-to-RCE in Grafana. After landing in a Docker container, credentials leaked from environment variables give SSH access to the host. Privilege escalation involves finding a cleartext password in a readable database file and abusing a cron job manager running as root.https://blog.akmee.xyz/writeups/retired/scepter/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/scepter/Scepter is a hard Windows Active Directory machine where initial access comes from cracking encrypted .pfx files found on an exposed NFS share. From there, the path to root chains two ADCS vulnerabilities — ESC9 and ESC14 — abusing certificate template misconfigurations and UPN/email attribute manipulation to impersonate privileged users and ultimately DCSync the domain.https://blog.akmee.xyz/writeups/retired/environment/Mon, 05 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/environment/Environment is a medium Linux machine where breaking the login page leaks the Laravel version, leading to CVE-2024-52301 — an argument injection that lets you switch the app environment and bypass authentication. From the dashboard, a file upload filter bypass gives RCE. Root comes from decrypting a GPG backup to recover credentials and abusing BASH_ENV preserved via env_keep in sudoers.