This machine begins w/ a web enumeration, discovering exposed.php, a webpage that allows users to curl any webpages and display it. However, due to the insufficient input sanitization, it is susceptible to command injection, allowing us to download a reverse shell onto the popcorn.htb a...

This machine begins w/ web enumeration, discovering a .php file that allows user to rename files. There is a lack of input sanitization, allowing users to rename any file on the entire system by using directory traversal (../), similar to LFI. There is a web application that allows user...

This machine begins w/ a DNS enumeration, revealing a domain name raspberrypi.local, suggestings that our target could be running raspberry pi OS. After some web enumeration, there is a pi-hole running on port 80 and Plex Media Server running on port 43400, but both are rabbit-holes. Sim...

This machine begins w/ a webpage enumeration, a vulnerable GET parameter ?cod= is susceptible to SQLi, through the SQLi, we are able to extract DBMS user DBadmin’s hash, and crack it w/ hashcat. Next, we are able to insert a web shell through phpmyadmin portal, allowing us to obtain a lo...

This machine begins w/ a web enumeration, discovering a page where users can only upload images onto the system due to the filters in place, however it can be bypassed by changing the content type (1), filename (2) and adding a GIF header (3), allowing us to upload php-reverse-shell.php...

This machine begins w/ a web enumeration, revealing magento v1.9.0 , that is susceptible to RCE, allowing us to obtain a www-data shell. User www-data has a sudoers entry of vi, vi has a GTFOBins entry, allowing us to spawn bash, privilege escalating to root. Column ...

This machine begins w/ a network enumeration w/ nmap, a domain name is enumerated friendzone.red, DNS enumeration w/ dig is carried out to enumerate subdomains. uploads.friendzone.red & administrator1.friendzone.red. Next, there are 2 file share discovered, Development - RW access &...

This machine begins w/ network enumeration w/ nmap, detecting Unrealircd running on port 6697, it is susceptible to a backdoor command execution, allowing us to obtain an irc user shell. For the privilege escalation part, an unknown suid binary viewuser is enumerated is found after enum...

This machine begins w/ a finger user enumeration, revealing user sunny, sammy on sunday.htb, allowing us to bruteforce w/ hydra, obtaining a low-privilege/sunny shell. On the home directory of user sunny, .bash_history reveals an interesting file /backups/shadow.backup, containing hashe...