144 writeups across 7 categories
Cacti LFI via CVE-2024-46987 reads configuration files and credentials. Sudo abuse on a custom binary escalates to root.
Bug bounty masterclass covering exposed databases, SSRF, subdomain takeover, blind XSS, GitHub secret leaks, Spring Boot heapdump, and session confusion ATO.
Splunk misconfiguration leaks credentials. Active Directory enumeration reveals a privilege escalation path through ACL abuse to Domain Admin.
Active Directory with ADCS misconfiguration. ESC1 certificate template abuse allows requesting a certificate as Domain Admin for full compromise.
MSSQL with xp_cmdshell for initial RCE. Active Directory certificate abuse (ADCS) to impersonate Domain Admin.
Custom network service with an authentication logic flaw. Protocol reverse engineering reveals a bypass path to root.
MSSQL enumeration with credential discovery, followed by Active Directory privilege escalation through ACL misconfigurations.
Unit conversion web app vulnerable to server-side formula injection, leading to arbitrary OS command execution.
Windows machine leveraging MSSQL linked server abuse and xp_cmdshell to gain initial foothold, then DPAPI credential decryption for escalation.
Active Directory environment with Shadow Credentials and Resource-Based Constrained Delegation abuse to achieve full domain compromise.
ImageMagick policy bypass enables SSRF and local file read to steal credentials. Sudo misconfiguration grants root access.
Express.js prototype pollution vulnerability leads to remote code execution via deserialization of a crafted payload.
Multi-challenge CTF covering AI chatbot prompt injection, LLM priority bypass, web vulnerabilities, and information disclosure across several themed web apps.
Grafana SSRF pivots to an internal Grafana instance. Credential reuse for SSH, then environment variable injection via root cron.
CVE-2025-24071 abuses .searchConnector-ms files to capture NTLMv2 hashes. Relay attack and ADCS ESC4 escalate to Domain Admin.
ISP file manager path traversal leaks app config with credentials. ISPConfig adduser API abuse leads to root.
AD enumeration with BloodHound reveals a password reset path. HR share credential reuse and GenericWrite abuse to reach Domain Admin.
Python code sandbox escape via restricted eval bypass reads SSH keys. Root via path traversal in the backy backup tool.
Active Directory machine exploiting misconfigured LAPS and ACL abuse chain to escalate from low-privileged user to Domain Admin.
Backdrop CMS with exposed .git repository leaks DB credentials. Password reuse for SSH. SUID bee binary grants root.
Neo4j Cypher injection bypasses authentication. APOC procedure abuse executes OS commands for initial access and privesc.
TeamCity authentication bypass combined with Bookstack SSRF to read internal files and chain into remote code execution.
MantisBT bug tracker on Debian with POP3. Credential enumeration via mail service and MantisBT RCE for shell access.
b2evolution blog CMS on Ubuntu. Authenticated file manager abuse and PHP filter injection lead to remote code execution.
Flask app path traversal via download endpoint reads arbitrary files including admin credentials. Magick ImageMagick CVE-2024-41817 for root shell.
Legacy Ubuntu server with Apache 2.2 and Dovecot POP3. Enumerated mail service for credentials enabling SSH access to root.
IPFire firewall appliance with DNSmasq on port 53. Default/weak credentials on the admin panel lead to command execution.
Cacti network monitoring on Ubuntu. Exploited CVE-2022-46169 unauthenticated RCE in Cacti for initial shell access.
Centreon IT monitoring platform on Red Hat. Default credentials lead to authenticated RCE via malicious poller command injection.
Food Magazine site on Ubuntu with Exim 4.91 SMTP. Exploited CVE-2019-10149 Exim privilege escalation (GHOSTCAT) for root.
Joomla CMS on CentOS with ProFTPD. Exploited a known Joomla CVE for unauthenticated RCE via the com_media upload component.
TeamSpeak 3 server on CentOS. Enumerated FTP for credentials and exploited a vulnerable web application for system access.
IIS 10.0 running Kartris eCommerce on Windows. SQL injection and .NET deserialization chain leads to code execution and privilege escalation.
Self-hosted GitLab CE on CentOS. Exploited CVE-2021-22205 unauthenticated RCE via image upload to the GitLab instance.
Jenkins CI/CD server with no authentication. Exploited the Groovy script console to execute commands and gain a root shell.
FreePBX/Asterisk VoIP server on Ubuntu. Exploited FreePBX RCE CVE via the admin panel to gain a reverse shell and escalate.
Abyss Web Server on Windows with VNC exposed. Brute-forced VNC password to gain GUI access and escalated to SYSTEM via service abuse.
Joomla CMS on CentOS with anonymous FTP. Exploited a Joomla authenticated RCE CVE via the template editor for code execution.
Drupal 9 on Debian. Exploited an authenticated RCE vulnerability with compromised admin credentials found via enumeration.
Apache Tomcat 8.0.47 on Windows with AJP exposed. Exploited Ghostcat (CVE-2020-1938) via AJP connector to read sensitive files and gain RCE.
XAMPP 1.8.1 on Windows with Apache and SSL. Exploited outdated XAMPP configuration and weak credentials for web shell upload.
GravCMS on Ubuntu. Unauthenticated scheduler RCE CVE allows arbitrary command execution as the web user, then sudo privesc.
Dolphin CMS with a WordPress instance on port 81. Admin credential brute-force leads to plugin RCE and privilege escalation.
Custom PHP forum on Fedora Linux with MariaDB. SQL injection bypasses authentication, leading to file write and shell upload.
MantisBT bug tracker with Samba shares on Ubuntu. Enumeration of SMB reveals credentials reused for MantisBT admin access.
FTP anonymous login exposes web application files. Abused file write via FTP to upload a PHP webshell for initial access.
Hiking Trails web application on Ubuntu. Directory traversal and file inclusion vulnerabilities lead to credentials and shell.
Windows 7 SP1 with Apache and multiple services. Enumerated web application vulnerabilities and exploited weak credentials for admin access.
Windows with FileZilla FTP and CMS Mini web app. FTP credential exposure and CMS RCE via file upload for initial foothold.
OpenEMR medical records application. Exploited a pre-auth SQL injection CVE and file upload for shell access.
Drupal 8 on CentOS. Exploited Drupalgeddon2 (CVE-2018-7600) for unauthenticated RCE and escalated privileges via SUID binary.
Windows 10 Enterprise with SMB and RDP exposed. Credential brute-force via SMB leads to remote code execution and full system access.
Quick.CMS v6.7 with a known authenticated RCE vulnerability. Admin credentials discovered via enumeration for initial access.
TikiWiki CMS Groupware on CentOS. Exploited a known CVE for unauthenticated remote code execution to gain a shell.
Webmin 1.991 on Ubuntu. CVE-2019-15107 arbitrary command execution via the password reset endpoint for instant root access.
FTP with anonymous access reveals helpdesk application credentials. SQL injection and file upload lead to remote code execution.
Wing FTP Server on Windows. Default admin credentials allow access to the web admin panel, leading to command execution via scheduled tasks.
Production web server with anonymous FTP access. Weak credentials and misconfigured permissions lead to full compromise.
uftpd FTP server with anonymous access. Forum application vulnerability exploited to obtain a shell and escalate to root.
WordPress 4.7.2 on CentOS. Exploited outdated plugin for remote code execution and escalated via sudo misconfiguration.
FTP server with anonymous access exposes backup credentials. Password reuse leads to SSH login and privilege escalation.
Development web server with FTP credentials leaked via anonymous login. Credential reuse and web shell upload for root.
Apache mod_rewrite CVE-2024-38472 XSS in redirect. Stored XSS steals admin cookie for Gitea access. SQLite injection and Gitea hook RCE for root.
SQLi on login page, LFI reveals PHP source. MSSQL xp_cmdshell for shell. Firefox DPAPI credential decryption leads to Domain Admin via ADCS.
IPMI 2.0 cipher 0 authentication bypass via RAKP attack dumps password hash. MariaDB CVE-2021-27928 RCE and Zabbix for lateral movement.
WordPress BuddyForms plugin SSRF for local file read. Grafana SQLite injection for credentials. Telescope log viewer arbitrary file read for root key.
ASREPRoasting yields crackable hash. ForceChangePassword on account via BloodHound. Volatility lsass dump reveals backup operator for DCSync.
Custom .NET info collector binary contains obfuscated LDAP password. GenericAll on DC via Resource-Based Constrained Delegation for Domain Admin.
Network printer admin panel LDAP credential exfiltration via attacker-controlled server. Server Operators group membership for domain privilege escalation.
SMB share contains ZIP with password-protected PFX certificate. Cracked PFX used for WinRM. LAPS password read via LDAP for Administrator.
LFI via lang parameter captures NTLM hash with Responder. Password spray, IIS WebDAV shell upload, RunasCs for lateral movement to Domain Admin.
HelpDeskZ GraphQL unauthenticated query exposes user creds. File upload bypass for PHP webshell. Kernel 4.4 exploit for root privilege escalation.
Magic Portfolio with SQLi bypass on login. File upload bypass with double extension for PHP webshell. mysqldump credential extraction and SUID sysinfo for root.
ASREPRoasting on user names enumerated from the bank website. DCSync attack via GenericAll rights for Domain Admin hash dump.
Azure AD Connect with user enumeration via RPC. Password spraying finds default creds. Azure AD Sync password extraction for Domain Admin.
Dolibarr CRM CVE-2023-30253 PHP injection for RCE. Enlightenment window manager SUID binary exploit for local privilege escalation to root.
Nagios XI SNMP credential leak, auth bypass CVE-2023-40931 for API key theft. SQL injection creates admin account for RCE via malicious script.
Pdfkit CVE-2022-25765 SSRF/command injection via URL parameter in PDF generation endpoint. Ruby bundler YAML deserialization for root.
Metabase pre-auth RCE CVE-2023-38646 via setup token SSRF for shell. Ubuntu OverlayFS CVE-2023-2640 local privilege escalation for root.
HardHat C2 framework exposed via reverse proxy misconfiguration. JWT forgery for admin access, Sliver C2 implant exploitation for lateral movement.
Apache ActiveMQ CVE-2023-46604 unauthenticated RCE via ClassInfo deserialization. Sudo nginx misconfiguration for arbitrary file read and root access.
OpenNetAdmin 18.1.1 RCE via command injection in web console. Internal Apache vhost with SSH key in password-protected page for lateral movement.
File upload bypass on torrent hosting site via content-type manipulation for PHP webshell. Kernel exploit or DirtyCow for privilege escalation.
Cisco IOS config file exposed via web portal with hashed passwords. Cracked hashes reused for RPC access, Looney Tunables for escalation.
Joomla CVE-2023-23752 info disclosure leaks database creds. Authenticated template RCE for shell. Apport crash handler sudo exploit for root.
SSRF on a voting system bypasses firewall to reach internal file analysis service. PHP file upload for RCE, AlwaysInstallElevated for SYSTEM.
hMailServer path traversal leaks admin hash. Outlook CVE-2024-21413 moniker link attack for NTLM relay, WinPEAS finds privesc vector.
SNMP v3 credential brute-force yields API secret. Command injection in backup API endpoint. PostgreSQL password enables lateral movement and sudo root.
Laravel admin panel SQL injection via search parameter. Malicious PNG for RCE via file upload. Wildcard file read on sudo binary for root flag.
Gym Management Software RCE via unauthenticated file upload. CloudMe buffer overflow with port forwarding for privilege escalation.
WonderCMS CVE-2023-41425 XSS to RCE via theme upload. Credential reuse for lateral movement. Port-forwarded internal tool for command injection privesc.
Umbraco CMS with anonymous NFS mount exposing credentials. Authenticated SXSS/RCE via template. TeamViewer 7 password decryption for SYSTEM.
APK reverse engineering reveals hardcoded API key for Swagger endpoint. Arbitrary file read on API leaks SSH key. Solar-PuTTY encrypted session cracking for root.
MSSQL with xp_cmdshell after credential spraying. ADCS ESC4 template modification for certificate impersonation to gain Domain Admin.
ResumeAI app with IDOR exposing all resumes. LimeSurvey RCE via authenticated plugin upload. Consul service token for SYSTEM shell via API exec.
Markdown XSS for stored cross-site scripting. SSRF via file:// to leak local web app source code, exposed internal site with writable path for root.
CIF file parser RCE via pymatgen CVE-2024-23346 arbitrary code execution. aiohttp path traversal CVE-2024-23334 for credential theft and lateral movement.
SMB guest access reveals default password in HR note. User enumeration + password spray, SeBackupPrivilege abuse for NTDS.dit extraction.
Shadow Credentials attack via WriteProperty on user object. ADCS ESC9 certificate template abuse to impersonate a privileged account.
Ghost CMS CVE-2023-40028 arbitrary file read vulnerability. Symlink traversal via config reveals credentials for lateral movement and sudo privesc.
daloRADIUS web interface default credentials expose user hashes. Cracked MD5 hash for SSH. Mosh binary sudo privesc for root shell.
FTP credentials from initial account. Targeted Kerberoasting via BloodHound paths, GenericWrite abuse, DCSync for Domain Admin hash.
ImageMagick CVE-2022-44268 arbitrary file read via malicious PNG. SQLite database exposes credentials. Binwalk CVE-2022-4510 for root shell.
LFI on Tomcat manager exposes credentials. WAR file deployed for RCE. ZIP password cracking, LXD container privilege escalation for root.
Spring Boot Actuator exposes session cookies. Hijacked admin session to exploit command injection in SSH endpoint for reverse shell.
Request Tracker default credentials expose SSH public key in ticket. KeePass 2.x CVE-2023-32784 memory dump extracts master password for root SSH key.
PHP 8.1.0-dev backdoor via User-Agentt header for RCE. Sudo knife binary used as a GTFOBin for instant root shell.
SQL injection via stored procedure triggers NTLM hash capture. Responder captures the hash, which is cracked for WinRM access. Ubiquiti UniFi privesc via service abuse.
PHP RFI via language parameter loads SMB share for RCE. Lateral movement via credential in web config. CHM file drops reverse shell as Administrator.
Anonymous FTP reveals NVMS-1000 path traversal note. LFI reads credentials file, SSH pivoting to access NSClient++ for SYSTEM.
Maltrail 0.53 SSRF on a request-basket service. CVE-2023-27163 chained to unauthenticated OS command injection for initial access, sudo privesc.
Searchor 2.4.0 CLI eval() injection for code execution. Gitea instance found via Docker-compose, admin token for privileged script execution.
Site availability checker with .htaccess allowlist bypass. PHP phar deserialization for code execution, proc_open for shell, developer sudo suid binary.
MSSQL Silver Ticket attack via SPN enumeration. Responder captures NTLMv2 hash from SQL query, certificate auth for Domain Admin.
SMB anonymous access to SYSVOL leaks GPP-encrypted password. Kerberoasting the Administrator SPN cracks the hash for full domain access.
Oracle Database 11g with default credentials. ODAT tool for OS command execution. Volatility on a memory dump recovers the admin password.
IIS 6.0 WebDAV buffer overflow (CVE-2017-7269) for initial access. Token kidnapping / churrasco escalates to SYSTEM.
ColdFusion 8 arbitrary file upload RCE (CVE-2009-2265). MS10-059 (Chimichurri) token impersonation for privilege escalation.
WebDAV file upload with extension spoofing deploys an ASPX shell. Token impersonation via churrasco/juicy potato for SYSTEM.
Drupal 7 authenticated RCE via Services module REST endpoint. MS15-051 kernel exploit escalates to SYSTEM.
HttpFileServer 2.3 RCE (CVE-2014-6287) via Rejetto HFS. Windows kernel exploit (MS16-032) for privilege escalation to SYSTEM.
Anonymous FTP write access to IIS webroot allows ASPX webshell upload. Local kernel exploit for SYSTEM.
Demonstrates the full impact of EternalBlue (MS17-010). One Metasploit module gives SYSTEM on an unpatched Windows 7 SMB service.
Classic beginner box. MS08-067 (Netapi) and MS17-010 (EternalBlue) both yield SYSTEM directly with no privilege escalation needed.
SQL injection in hotel booking app. Sqlmap writes a PHP webshell. Sudo script with command injection, SUID systemctl for root.
PHP file upload bypass with double extension and MIME spoofing. Cron-executed user script for lateral move, ifcfg privesc to root.
DNS zone transfer reveals subdomains. SMB anonymous share leaks creds. LFI + PHP injection for RCE, Python lib hijack for root.
UnrealIRCd 3.2.8.1 backdoor for foothold. Hidden steganography in an image reveals credentials. SUID viewuser binary abuse.
Magento 1.9 SQLi creates an admin account; Magento Froghopper achieves RCE. Sudo vim executes a shell as root.
Gwolle Guestbook WordPress RFI via robots.txt discovery. Lateral move through sudo tar with --checkpoint shell execution.
Finger service enumerates valid usernames. Weak SSH credentials, troll binary, sudo wget for arbitrary file write to root.
PHP LFI escalated to RCE via Apache log poisoning. SSH tunneling exposes an internal VNC session running as root.
Heartbleed (CVE-2014-0160) memory leak extracts a base64-encoded RSA key passphrase. Root via tmux session hijack.
Node.js API endpoint exposes hashed admin credentials. MongoDB backup decryption and SUID binary analysis for root.
Apache James 2.3.2 arbitrary file read leaks user creds. Root via world-writable cron script executed by root.
pfSense 2.1.3 authenticated command injection (CVE-2014-4688). Credentials found via directory fuzzing on the web interface.
Brute-force phpLiteAdmin + LFI via chained PHP injection. Port knocking unlocks SSH, chkrootkit path hijack for root.
DNS zone transfer reveals hidden vhosts. SQL injection login bypass, OS command injection for shell, cron privesc.
Multiple valid paths: Elastix LFI to leak credentials, Webmin RCE, or Asterisk extension abuse. Great enumeration practice.
Nibbleblog CMS with guessable admin credentials leads to arbitrary PHP file upload and remote code execution.
phpbash webshell discovered via directory fuzzing. Lateral movement through sudo scriptmanager, cron-based root.
Shellshock (CVE-2014-6271) via a CGI endpoint found with gobuster. Sudo perl for a trivial privilege escalation.
Insane box chaining WordPress plugin creds, SMTP sniffing, RSA private key crack, and Vigenère cipher decode.
The first HTB machine. Single Samba 3.0.20 exploit (CVE-2007-2447) for an instant root shell via username map script.