HTB: Conversor [Easy]
Got in by uploading a malicious XSLT that wrote a Python file the server’s cron ran, giving me a www-data shell. Grabbed the SQLite creds, cracked the MD5 to become fismathack, then privesc’d: need...
Hostsbusters is a Linux B2R challenge consisting of 8 total flags. It required 2 lateral movements before we could escalate to root. Some of the flags were not covered in my writeup because I was tasked to gai...

Web The Gates of Broken Names [Easy] Description Challenge This challenge required us to sign up and log in to authenticate. Users can review other users' Publicly Published Chronic...
Enumerated subdomain, chained an unauthenticated IDOR to leak creds, used CVE-2024-56410 with stored-XSS to hijack session, abused weak CSRF to auto-create an admin privilege account, bypassed rep...
Exploited a CrushFTP auth-bypass to create an admin user, uploaded a web shell to get www-data, discovered credentials in an Erlang start script, SSHed to the local Erlang daemon on 127.0.0.1:2222,...
Found a web app that runs JavaScript, and spotted a vulnerable js2py version. Using that flaw we got a shell as the app user, found credentials in the database to become marco, and then used a back...
Chained a stored XSS and LFI to access source and credentials, injected a shell via an ImageMagick transform to get RCE, decrypted backups to obtain passwords, and abused the charcol backup tool to...
Discovered ISAKMP on UDP/500 and used ike-scan Aggressive to capture a PSK-derived hash, which was cracked to recover the PSK. Logged in via SSH as user ike, identified sudo 1.9.17 vulnerable to a ...
Lame is an easy Linux machine where we enumerate several old network services, rule out a few tempting rabbit holes, and finally abuse a legacy file-sharing service to gain a shell and move straigh...
My write-up covers the challenges I solved mainly in Web, OSINT and Crypto categories involving JWT cracking, LFI, SQLi, SSTI, XXE, command injection, clickjacking, and OSINT tracing using tools li...