DragonDrop ist dein monatliches Mini-Training zu neuen Inhalten aus der OffSec Learning Library – von OSCP über OSEP bis OSWE und mehr. Du musst nicht alles selbst durchforsten. Wir filtern das Beste raus, zeigen dir, was neu ist – und trainieren es gleich mit dir.
Wöchentlich kommen neue Inhalte zu über 7.800+ Stunden Text, 5.400+ Labs & 1.600+ Videos hinzu. Wer soll da den Überblick behalten?
Die meisten OffSec-Teilnehmer erreichen ihre Zertifizierung schneller, wenn sie sich regelmäßig mit aktuellem Content beschäftigen.
Immer up to date: Wir zeigen dir, was relevant ist – auch abseits prüfungsrelevanter Inhalte (z. B. Cloud Pentesting, ABAC, IMDSv2).
Hands-On statt Theorie: Kurzes, interaktives Mini-Webinar mit direkter Anwendung. Kein passives Zusehen – sondern aktives Mitlernen.
Explore a WordPress-based web application vulnerable to an unauthenticated Local File Inclusion via the Web Directory Free plugin (CVE-2024-3673). Gain insights into internal server configuration, uncover sensitive backend code, and exploit a Python deserialization flaw to obtain remote shell access. Further escalate privileges by leveraging a command injection vulnerability in an internal admin panel exposed through insecure session management. This lab tests your ability to enumerate web services, exploit file inclusion vulnerabilities, analyze Python source code, perform unsafe deserialization attacks, and escalate privileges through command injection and insecure role-based access controls.
https://portal.offsec.com/machine/cve-2024-3673-218008/overview/details
This lab guides learners through exploiting an authenticated file download vulnerability in the FileAway WordPress plugin (CVE-2025-2539) to retrieve sensitive configuration data. Armed with credentials, learners gain shell access and escalate privileges by abusing misconfigured backup scripts and the Veeam backup tool. The exercise culminates with privilege escalation through exposed credentials and unrestricted sudo access.
https://portal.offsec.com/machine/cve-2025-2539-217835/overview
This lab challenges learners to exploit a critical XXE vulnerability (CVE-2025-54988) in Apache Tika’s PDF module to extract a user’s private SSH key and gain server access. From there, learners enumerate PostgreSQL credentials to crack an admin password for Listmonk and ultimately achieve root by abusing Listmonk's file upload feature to overwrite /etc/passwd.
https://portal.offsec.com/machine/listmonk-218494/overview
CVE-2025-49844: Redis Use-After-Free in Lua Parser
https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/
redis-server.CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI)
https://portal.offsec.com/machine/cve-2024-46507-208696/overview
Wir schauen uns zusammen ein typisches AD-Set an: Von initial Foothold bis Domain Admin!
Dienstag, 30.09. PEN-200 / CraftStorm & CVE-2025-27636
CVE-2025-27636 is a critical remote code execution vulnerability in Apache Camel that affects the exec component. The flaw arises because Camel’s security filters only check certain sensitive HTTP headers in lowercase, failing to block the same headers submitted in mixed or uppercase casing. Attackers can exploit this oversight to execute arbitrary system commands via HTTP requests.
The Craftstorm lab centers on exploiting CVE-2025-32432 in CraftCMS 5.5.7, a critical remote code execution vulnerability triggered via a crafted request to the asset transformation endpoint. By abusing PHP session handling and object injection, attackers can execute arbitrary system commands. After gaining initial access as the web server user, further privilege escalation is possible due to overly permissive sudo permissions.
Freitag, 29.08. PEN-200 / OSCP Extra Mile: Offensive Cloud Lab 03.
The IT department of St Hubbins Hospital has hired us to conduct a security assessment of their website and cloud infrastructure. They are particularly interested in testing to make sure there is no unauthorized access to Protected Health Information (PHI). As part of the assessment, they will provide access to a DNS server with their public domains and a test account to access the hospital app.
Die OSCP+ (Penetration Testing with Kali Linux) Zertifizierung wurde aktualisiert, um moderne Bedrohungsszenarien, insbesondere im Bereich Active Directory (AD), stärker zu gewichten. Die Prüfung ist ein 24-stündiges Hands-on-Assessment, gefolgt von weiteren 24 Stunden für die Berichterstellung.
Initial Enumeration
Enumerate carefully
Enumeration is a cyclical approach
Make sure to read exploits prior to using them.
Check multiple exploits for the same vulnerability.
AD Enumeration
AD Exploitation
This lab simulates a real incident where an employee used the Tor network through the corporate VPN. The primary objective is to develop fundamental digital forensic investigation skills through correlation of logs from different sources.
https://portal.offsec.com/machine/vpn-tor-investigation-218100/overview
Lab
This lab delves into CVE-2026-24061, a newly disclosed vulnerability in the telnet daemon of GNU Inetutils, where attackers can bypass authentication by manipulating environment variables. Learners will perform a full port scan to uncover exposed services, focusing on telnet—a legacy protocol often overlooked in modern security postures. By analyzing telnet's behavior and its insecure environment variable handling, users will exploit the flaw to escalate privileges directly to root. This exercise reinforces the real-world dangers posed by outdated services and misconfigured daemons, offering critical insight into exploitation techniques and defense strategies.
Ideal for penetration testers, red teamers, and system administrators, this lab builds practical skills in network enumeration, vulnerability analysis, privilege escalation, and hardening legacy services. It also strengthens understanding of how environment variables can be abused if not securely handled—an often underestimated risk in system security.
Lab
This lab immerses learners in a realistic offensive security scenario centered on abusing an exposed AI-driven API within a modern application stack. Participants are tasked with identifying externally accessible services, profiling a vulnerable Letta AI deployment, and exploiting unsafe functionality to achieve remote command execution and an initial foothold on the target system. From there, the challenge shifts into post-exploitation, requiring careful local enumeration to uncover mismanaged configuration data containing an encrypted Juniper Type-9 password. By reversing this credential and reusing it to escalate privileges, learners progress from a low-privileged shell to full root access, mirroring real-world attack chains that combine application-layer flaws with weak credential handling.
Lab
Explore a WordPress-based web application vulnerable to an unauthenticated Local File Inclusion via the Web Directory Free plugin (CVE-2024-3673). Gain insights into internal server configuration, uncover sensitive backend code, and exploit a Python deserialization flaw to obtain remote shell access. Further escalate privileges by leveraging a command injection vulnerability in an internal admin panel exposed through insecure session management. This lab tests your ability to enumerate web services, exploit file inclusion vulnerabilities, analyze Python source code, perform unsafe deserialization attacks, and escalate privileges through command injection and insecure role-based access controls.
The session explored the following topics:
● NTLM vs Kerberos Authentication ● Authentication Attacks: No credentials ○ Password Spraying ○ AS-REP Roasting ● Authentication Attacks: Assumed breach ○ Kerberoasting ○ Cached credentials ○ Credential Guard
A Python Flask application exposes a vulnerable model upload endpoint that insecurely deserializes user-supplied data using the pickle module. This flaw, identified as CVE-2025-1716, enables remote code execution by uploading a malicious pickle file. Exploiting this weakness provides shell access as root on the target system.
The session explored the following topics:
● What is Active Directory, and how does it work ● What are domains and objects ● How permissions are managed ● Enumeration: Unauthenticated & Authenticated ● Automated Enumeration
This lab demonstrates a phishing attack leveraging CVE-2025-32390 in EspoCRM v9.0.7, where authenticated users can inject malicious HTML into knowledge base articles. By crafting a fake login form, attackers can trick users into submitting credentials, which are captured and used to gain unauthorized access. The challenge emphasizes post-authentication abuse and the dangers of trusting internal content blindly.
This lab simulates a full red team engagement against a fictional organization called DynamoDam, a regional energy company responsible for operating and maintaining critical hydroelectric dam infrastructure. DynamoDam supplies power to multiple municipalities and industrial customers and plays a key role in a broader energy distribution ecosystem that includes upstream generation partners, downstream grid operators, and government regulators.
As part of recent modernization efforts, DynamoDam has undertaken a significant upgrade of its internal IT and OT environments. These upgrades were driven by regulatory pressure, increasing demand for grid resilience, and the adoption of smart energy technologies. While these changes have improved efficiency and monitoring capabilities, they have also introduced new complexity, expanded attack surfaces, and potential misconfigurations.
Mission Objective
Your ultimate objective is to penetrate the layers of DynamoDam’s infrastructure, move laterally through both IT and OT environments, and ultimately reach the SCADA systems controlling turbine operations at the dam. The final goal is to force Turbine 1, which is currently running in maintenance mode, into an emergency shutdown by deliberately overloading it—simulating a high-impact operational disruption scenario.
The session explored the following topics:
The Cloud Automation & Security Foundations Assessment is a hands-on evaluation consisting of 5 practical questions, designed to be completed in approximately 120 minutes.
This assessment focuses on foundational cloud automation and security competencies essential for working with modern cloud environments. Learners will demonstrate their understanding of Infrastructure as Code principles, apply basic Terraform workflows, identify common IAM misconfigurations, follow secure practices for managing secrets, and use configuration management tools to perform ad-hoc operations. The assessment emphasizes real-world cloud administration and security scenarios, validating core skills required for secure cloud automation roles.
This lab targets a Server-Side Template Injection vulnerability in Yeti 2.1.11's export feature. By injecting malicious Jinja2 expressions into a custom export template, attackers gain remote code execution. The exploit enables enumeration of sensitive files and SSH key injection, leading to persistent root access on the host.
This lab explores a Server-Side Template Injection (SSTI) vulnerability in PyLoad 0.5.0.0, which allows authenticated attackers to execute arbitrary code. By modifying the download folder configuration and uploading a crafted template file, an attacker can inject malicious Jinja2 expressions to gain remote code execution. This vulnerability can be exploited to achieve full system compromise.
The session explored the following topics:
This module provides a comprehensive examination of leveraging Splunk to investigate and analyze a cyberattack targeting the cloud-based infrastructure of Rainy Day Financial, a leading financial services firm. Learners will engage with a realistic scenario centered around a report containing anomalous data within certain records. Through detailed analysis of application and cloud logs, learners will determine whether a cyberattack occurred and uncover the attacker’s activities if an incident is confirmed.
Learning Objectives
After completion of this module, students will be able to:
This lab focuses on exploiting a command injection vulnerability in Mocodo versions below 4.2.6. Due to improper sanitization in the generate.php and rewrite.php endpoints, an attacker can inject arbitrary commands via the transformation options in SQL conversion. By leveraging this flaw, an attacker can execute system commands, establish a reverse shell, and gain full control over the target system.
This lab centers on exploiting CVE-2024-55415 in Voyager v1.7.0, where authenticated access to the admin panel allows attackers to abuse the download handler in the Compass tool to read arbitrary files. By base64 encoding target paths, attackers can retrieve sensitive files such as SSH keys and escalate to root via SSH.
A vulnerable ClipBucket V5.5.1 instance allows an authenticated attacker to exploit CVE-2025-21624 via a command injection flaw in the Manage Playlist feature. By uploading a crafted PHP script as a cover image, an attacker can gain remote code execution, escalate privileges, and access sensitive files as root.
An insecure use of Python’s eval() function in the UpTrain AI dashboard allows remote attackers to inject and execute arbitrary code via user-supplied form data. By crafting a malicious payload, attackers can gain root access and SSH control over the server, fully compromising the system.
This lab blends web and system exploitation techniques. Learners start by discovering credentials via SNMP enumeration and pivot into SQL injection within a partner portal to extract admin credentials. With admin access, they bypass file upload restrictions to execute code via a webshell. Final privilege escalation is achieved through creative wildcard abuse in a root-executed cron backup script, leading to full root access.
This lab takes learners through a multi-stage exploitation chain beginning with an XXE injection in an XSLT transformation service, revealing sensitive internal paths and credentials. The challenge escalates through exploitation of a misconfigured ekuiper instance vulnerable to arbitrary file writes. Using JWT forgery and sudoers manipulation, participants achieve full root access by writing privileged files through authenticated API abuse.
This lab centers on exploiting a vulnerable WordPress plugin—Age Gate version 3.5.3—via an unauthenticated Local File Inclusion (LFI) vulnerability (CVE-2023-3132). Learners discover a non-standard port hosting WordPress, identify the plugin flaw, and exploit it to access sensitive files. Enumeration of SNMP reveals backup credentials, which are used to gain SSH access. Privilege escalation is achieved through a misconfigured SUID binary vulnerable to command injection.
A vulnerable Laravel application running Voyager v1.7.0 is exposed to an authenticated arbitrary file read vulnerability (CVE-2024-55425). Attackers who access the admin panel with default credentials can manipulate download queries to retrieve sensitive files such as private SSH keys. Successful exploitation leads to full root access via SSH login, highlighting the dangers of misconfigured access controls.
The Azure Object Storage module covers secure management of Microsoft Azure's blob storage, including authentication, private endpoints, and data protection techniques like snapshots and soft-delete. It explores configuration best practices and addresses common security pitfalls to ensure data integrity and minimize exposure risks within Azure environments.
https://portal.offsec.com/machine/cve-2025-30208_attack-213427/overview
This lab exploits CVE-2025-30208 in Vite v6.2.1, where the @fs handler fails to properly restrict access to files outside the allowed directories. By appending query parameters like ?raw, attackers can bypass security controls to read sensitive files such as root’s SSH key, enabling full remote access.
https://portal.offsec.com/machine/defend-cve-2024-55963-213440/overview
CVE-2025-30208 is a vulnerability in Vite v6.2.1 that allows an unauthenticated attacker to read arbitrary files via the @fs handler. In this lab, you will secure a vulnerable instance of Vite in order to obtain the flag.
https://portal.offsec.com/machine/cve-2024-55963_attack-213429/overview
This lab exploits CVE-2024-55963 in Appsmith versions before 1.52, where misconfigured PostgreSQL permissions allow execution of system commands using the COPY FROM PROGRAM SQL feature. By crafting a malicious plugin datasource and querying output via table rows, attackers achieve unauthenticated remote code execution directly from the web interface.
https://portal.offsec.com/machine/cve-2024-39914_attack-213431/overview
This lab targets CVE-2024-39914 in Fogproject v1.5.10, where an unauthenticated attacker can exploit unsanitized parameters in the PDF export functionality to execute arbitrary commands. A malicious payload spawns a PHP webshell, enabling remote command execution and access to sensitive files directly from the web root.
https://portal.offsec.com/machine/defend-cve-2024-39914-213441/overview
CVE-2024-39914 is a vulnerability in the FOG Project, an open-source cloning, imaging, and inventory management system. The vulnerability affects versions prior to 1.5.10.34 and allows an attacker to execute arbitrary system commands by exploiting improper input handling in the filename parameter sent to /fog/management/export.php. Specifically, the file packages/web/lib/fog/reportmaker.class.php fails to sanitize user-supplied input, resulting in a command injection vulnerability. In this lab, you will secure a vulnerable instance of the FOG Project in order to obtain the flag.
https://portal.offsec.com/machine/cve-2025-27636-213425/overview
Target a web application powered by Apache Camel v4.10 vulnerable to CVE-2025-27636—a header filter bypass flaw. Manipulate HTTP headers to inject commands into a misconfigured endpoint that executes system commands as root. Chain the vulnerability with remote file retrieval and achieve a reverse shell without requiring privilege escalation steps.
Neue CVE Labs:
→ CVE-2025-27636_Attack: https://lnkd.in/exPHWinw
→ Defend CVE-2025-27636: https://lnkd.in/edV-hqbR
→ CraftStorm_Attack: https://lnkd.in/eAYZQ9fw
→ Defend CraftStorm: https://lnkd.in/eY-z8AVA
Weitere Labs:
→ Infilo: https://lnkd.in/e7ZS73DG
Neue Module:
→ Cyber Governance Fundamentals: https://lnkd.in/eWhBgKRH
Neue Module:
→ PEN-200 | Extra Mile: Offensive Cloud Lab 03: https://lnkd.in/e_EdSH_j
→ EXP-301 | VMware Workstation Guest-To-Host Escape: https://lnkd.in/eNdA_Js5
Neue CVE Labs:
→ CVE-2025-24801: https://lnkd.in/eNfJXGfq
→ CVE-2025-27136_Attack: https://lnkd.in/emdzm_8e
→ Defend CVE-2025-27136: https://lnkd.in/e5YCCnWm
→ CVE-2025-45753_Attack: https://lnkd.in/ecjcZ2q3
→ Defend CVE-2025-45753: https://lnkd.in/e7YAGHWh
→ Sea CVE‑2025‑25520: https://lnkd.in/eiSNSC-f
Weitere Labs:
→ FTK Digital Forensics Lab: https://lnkd.in/ewppGeCS
War super, werde das Training unseren Kollegen empfehlen! Essen hätte besser sein können ;)
Daniel G.
Computer Science Student
Das Training hat sehr geholfen die Inhalte zu verstehen und sich auf die Prüfung vorzubereiten, Quasi Speed Run!
Thomas L.
Pentester
Die Möglichkeit das Training über mehrere Wochen auf 2x pro Woche a 4h aufzuteilen hat uns sehr geholfen das Training in den Arbeitsalltag zu integrieren.
Bhodan D.
Officer Cybersecurity
Hier findest Du den Link zur aktuellen Session.
Melde dich hier zum Newsletter an, um fortlaufend Updates zu erhalten.
Weitere Angebote zu unseren Trainings und OffSec Lizenzen findest du auf der Website.
Viel Erfolg!
