Scrambled presented a purely Windows-based path. There are some hints on a webpage, and from there the exploitation is all Windows. NTLM authentication is disabled for the box, so a lot of the tools I’m used to using won’t work, or at least work differently. I’ll find user creds with hints from the page, and get some more hints from a file share. I’ll kerberoast and get a challenge/response for a service account, and use that to generate a silver ticket, getting access to the MSSQL instance. From there, I’ll get some more creds, and use those to get access to a share with some custom dot net executables. I’ll reverse those to find a deserialization vulnerability, and exploit that to get a shell as SYSTEM. Because the tooling for this box is so different I’ll show it from both Linux and Windows attack systems. In Beyond Root, two other ways to abuse the MSSQL access, via file read and JuicyPotatoNG.

Box Info

Name Scrambled Scrambled
Release Date 11 Jun 2022
Retire Date 01 Oct 2022
OS Windows Windows
Base Points Medium [30]
Rated Difficulty Rated difficulty for Scrambled
Radar Graph Radar chart for Scrambled
First Blood User 1 hour, 06 mins, 15 seconds Wh04m1
First Blood Root 1 hour, 05 mins, 01 seconds Wh04m1


Scrambled was all about core Windows concepts. There are many tools in Linux to interact with these, but they almost all differ from the native tools in Windows used for the same purpose. For this machine, almost every step was different on Linux and Windows, so I’m going to show both! Select either one here, or navigate via the menu on the left side.

windows linux

From Windows

From Linux