Machine begins with a subdomain enumeration, discovering dev.stocker.htb, where it is susceptible to a NoSQLi login bypass. Exploiting this vulnerability granted access to the cart checkout page, which was found to be vulnerable to a cross-site scripting to local file inclusion (XSS2LFI)...

The machine begins with a web enumeration which led to the discovery of a vulnerable version of WordPress 5.6.2 and a vulnerable plugin, Booking Press 1.0.10. The plugin Booking Press 1.0.10 was found to be susceptible to SQL injection, which allowed the extraction of WordPress user cre...

This machine begins w/ a web enumeration, /dev/.git is discovered, since .git is found, we are able to view the logs and commits of the git repository, providing us w/ the header needed to access dev.siteisup.htb (siteisup.htb found at index page) & the source code of checker.php a p...

This machine begins w/ a web enumeration, discovering bludit CMS running, it is vulnerable to a bruteforce protection bypass, directory traversal + image upload exec vulnerability. With cewl, a password word list is generated, to bruteforce against user fergus (revealed at todo.txt). Wit...

This machine begins w/ a web enumeration, discovering /search, where it is susceptible to a SSTI2RCE exploit due to insufficient input sanitization, allowing us to obtain a low-privilege/www-data shell. For the privilege escalation part, pspy is used to snoop on background processes, di...