37 writeups tagged with RCE
Unit conversion web app vulnerable to server-side formula injection, leading to arbitrary OS command execution.
Express.js prototype pollution vulnerability leads to remote code execution via deserialization of a crafted payload.
Neo4j Cypher injection bypasses authentication. APOC procedure abuse executes OS commands for initial access and privesc.
TeamCity authentication bypass combined with Bookstack SSRF to read internal files and chain into remote code execution.
MantisBT bug tracker on Debian with POP3. Credential enumeration via mail service and MantisBT RCE for shell access.
b2evolution blog CMS on Ubuntu. Authenticated file manager abuse and PHP filter injection lead to remote code execution.
Cacti network monitoring on Ubuntu. Exploited CVE-2022-46169 unauthenticated RCE in Cacti for initial shell access.
Centreon IT monitoring platform on Red Hat. Default credentials lead to authenticated RCE via malicious poller command injection.
Joomla CMS on CentOS with ProFTPD. Exploited a known Joomla CVE for unauthenticated RCE via the com_media upload component.
Self-hosted GitLab CE on CentOS. Exploited CVE-2021-22205 unauthenticated RCE via image upload to the GitLab instance.
Jenkins CI/CD server with no authentication. Exploited the Groovy script console to execute commands and gain a root shell.
FreePBX/Asterisk VoIP server on Ubuntu. Exploited FreePBX RCE CVE via the admin panel to gain a reverse shell and escalate.
Joomla CMS on CentOS with anonymous FTP. Exploited a Joomla authenticated RCE CVE via the template editor for code execution.
Drupal 9 on Debian. Exploited an authenticated RCE vulnerability with compromised admin credentials found via enumeration.
Dolphin CMS with a WordPress instance on port 81. Admin credential brute-force leads to plugin RCE and privilege escalation.
Windows 7 SP1 with Apache and multiple services. Enumerated web application vulnerabilities and exploited weak credentials for admin access.
Drupal 8 on CentOS. Exploited Drupalgeddon2 (CVE-2018-7600) for unauthenticated RCE and escalated privileges via SUID binary.
Quick.CMS v6.7 with a known authenticated RCE vulnerability. Admin credentials discovered via enumeration for initial access.
TikiWiki CMS Groupware on CentOS. Exploited a known CVE for unauthenticated remote code execution to gain a shell.
Webmin 1.991 on Ubuntu. CVE-2019-15107 arbitrary command execution via the password reset endpoint for instant root access.
FTP with anonymous access reveals helpdesk application credentials. SQL injection and file upload lead to remote code execution.
uftpd FTP server with anonymous access. Forum application vulnerability exploited to obtain a shell and escalate to root.
WordPress 4.7.2 on CentOS. Exploited outdated plugin for remote code execution and escalated via sudo misconfiguration.
OpenNetAdmin 18.1.1 RCE via command injection in web console. Internal Apache vhost with SSH key in password-protected page for lateral movement.
Joomla CVE-2023-23752 info disclosure leaks database creds. Authenticated template RCE for shell. Apport crash handler sudo exploit for root.
SSRF on a voting system bypasses firewall to reach internal file analysis service. PHP file upload for RCE, AlwaysInstallElevated for SYSTEM.
Gym Management Software RCE via unauthenticated file upload. CloudMe buffer overflow with port forwarding for privilege escalation.
WonderCMS CVE-2023-41425 XSS to RCE via theme upload. Credential reuse for lateral movement. Port-forwarded internal tool for command injection privesc.
Umbraco CMS with anonymous NFS mount exposing credentials. Authenticated SXSS/RCE via template. TeamViewer 7 password decryption for SYSTEM.
ResumeAI app with IDOR exposing all resumes. LimeSurvey RCE via authenticated plugin upload. Consul service token for SYSTEM shell via API exec.
Spring Boot Actuator exposes session cookies. Hijacked admin session to exploit command injection in SSH endpoint for reverse shell.
PHP 8.1.0-dev backdoor via User-Agentt header for RCE. Sudo knife binary used as a GTFOBin for instant root shell.
Drupal 7 authenticated RCE via Services module REST endpoint. MS15-051 kernel exploit escalates to SYSTEM.
HttpFileServer 2.3 RCE (CVE-2014-6287) via Rejetto HFS. Windows kernel exploit (MS16-032) for privilege escalation to SYSTEM.
Magento 1.9 SQLi creates an admin account; Magento Froghopper achieves RCE. Sudo vim executes a shell as root.
Nibbleblog CMS with guessable admin credentials leads to arbitrary PHP file upload and remote code execution.
The first HTB machine. Single Samba 3.0.20 exploit (CVE-2007-2447) for an instant root shell via username map script.
