Web
Linux
Hard
BackTrack — TryHackMe
Path traversal on a Node static server leaks Tomcat creds → WAR deploy foothold. sudo ansible-playbook wildcard bypassed via fnmatch ../ for tomcat→wilbur. Double-extension + path-traversal upload bypass for wilbur→orville. SIGSTOP + TIOCSTI ioctl TTY pushback for orville→root.
Read writeup →
Web
Access Control
Medium
Support — TryHackMe
Password spray for a helpdesk foothold, a theme switcher hiding a local file disclosure, source-leaked secrets, a forged isITUser cookie (md5 of "true") for broken access control, IDOR to the admin account, and a "date" command that pipes straight into shell_exec for RCE.
Read writeup →
Web
Linux
Medium
Domino — TryHackMe
AES key hardcoded in frontend JS decrypts backup config. Hydra cracks DevOps credentials, session cookie forged for admin. JWT signature verification is commented out. RFI via eval() gives RCE. Password reuse and writable root cron finish the job.
Read writeup →
ICS / OT
Linux
Medium
Helix — Hack The Box
Anonymous NiFi write triggers CVE-2023-34468 H2 RCE. AES-GCM property decryption and a private key from a support bundle yield user. OPC UA reactor manipulation unlocks a NOPASSWD maintenance console for root.
Read writeup →
Web
Linux
Easy
Coldstart — TryHackMe
Anonymous FTP leaks source code. SSRF bypasses hostname allowlist to read internal admin notes. Wildcard injection in cron job escalates to root.
Read writeup →
Web
Linux
Medium
Silent Monitor — TryHackMe
SQLi auth bypass in both login fields. Command injection with newline WAF bypass for RCE. KeePass KDBX v4 database cracked with pykeepass to recover credentials.
Read writeup →
Web
Linux
Medium
Interceptor — TryHackMe
.bak source disclosure leaks admin credentials. OTP bypassed via mass-assignment. Client-side-only filter leaves feed importer open to backtick command injection.
Read writeup →
Web
Linux
Medium
Recruit Portal — TryHackMe
Exposed mail log leaks internal email hinting at config.php. SSRF via file:// reads credentials. Authenticated dashboard has raw SQLi — dumped with sqlmap for full admin access.
Read writeup →
Active Directory
Windows
Hard
Logging — Hack The Box
Shadow Credentials against an MSA, DLL hijack via scheduled task, ESC17 ADCS abuse and WSUS MitM for SYSTEM on a Windows Server 2019 DC.
Read writeup →
Web
Linux
Medium
DevArea — Hack The Box
JAR analysis, CVE-2022-46364 SSRF→LFI for credential extraction, Hoverfly command injection RCE, and writable bash binary replacement for root.
Read writeup →
Web
Medium
Conversor — Hack The Box
Input validation analysis on a conversion utility. Exploitation via crafted payloads to achieve unintended code paths and flag extraction.
Read writeup →
Web
Medium
Bookstore — TryHackMe
REST API enumeration through fuzzing, authentication bypass, and local file inclusion chain leading to remote code execution.
Read writeup →
No results found for that query.