HTB Starting Point — Crocodile
Anonymous FTP drops a credentials file; those credentials unlock an HTTP admin panel — two individually boring findings combine into a full …
MariaDB root with no password on port 3306 — from initial banner grab to database enumeration to flag extraction, no exploit required.
SQL injection in a login form — `' OR '1'='1` as username turns authentication into a formality and exposes the flag in one request.
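Added example, not code from the writeup: the login bypass above reproduced against a constructed in-memory SQLite table, showing the vulnerable string-built query beside a parameterised one. The table, the `admin` row and the password value are assumptions; the payloads are the ones the blurb names plus the `--` comment variant.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the login form's backend table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Input is pasted into the SQL text, so quotes in it change the grammar.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters: the same payloads are compared as literal strings.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "' OR '1'='1"


def bypass_both_fields():
    # WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # The trailing OR '1'='1' is always true, so the first user row comes back.
    return login_vulnerable(make_db(), PAYLOAD, PAYLOAD)


def bypass_username_only():
    # WHERE username = '' OR '1'='1' AND password = 'x'
    # AND binds tighter than OR, so this reduces to password = 'x': no bypass.
    return login_vulnerable(make_db(), PAYLOAD, "x")


def bypass_with_comment():
    # WHERE username = '' OR 1=1 --' AND password = 'x'
    # The SQL comment drops the password check entirely.
    return login_vulnerable(make_db(), "' OR 1=1 --", "x")


def safe_with_payload():
    # The parameterised query never matches the injected strings.
    return login_safe(make_db(), PAYLOAD, PAYLOAD)


if __name__ == "__main__":
    print("both fields  :", bypass_both_fields())
    print("username only:", bypass_username_only())
    print("comment      :", bypass_with_comment())
    print("parameterised:", safe_with_payload())
```

The second case is the practical caveat: `' OR '1'='1` in the username field alone only works when the password field is injected too or the clause is commented out, because `AND` takes precedence over `OR`.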
CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.
Handlebars SSTI in Node.js escalates from a reflected error to RCE via process.mainModule.require; each template injection primitive traced.
DNS zone transfer (AXFR) exposes internal hostnames including a development subdomain. The dev site runs an unauthenticated API that returns …
Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No …
S3 subdomain discovery exposes a LocalStack bucket; a PHP webshell uploaded via the AWS CLI achieves RCE as www-data without any CVE.
LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives …
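Added example, not from the writeup: a parser for the text an LFI read of `/proc/net/udp` returns, showing how the hex `local_address` column decodes to a TFTP listener on UDP 69. The sample content is constructed, and the byte-order handling assumes a little-endian (x86) target, which is why `0100007F` is 127.0.0.1.

```python
import socket
import struct

# Constructed sample of /proc/net/udp as read through the LFI. Only the
# local_address and uid columns matter here.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  105: 00000000:0045 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18264 2 0000000000000000 0
  117: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 17650 2 0000000000000000 0
"""

# Assumed mapping of common UDP ports to service names.
WELL_KNOWN = {53: "dns", 67: "dhcp", 69: "tftp", 111: "rpcbind", 123: "ntp", 161: "snmp"}


def decode_addr(hex_addr):
    # The kernel prints the IPv4 address as a host-endian 32-bit hex word and
    # the port as 16-bit hex. On little-endian hosts (assumed here) the address
    # bytes appear reversed, so 0100007F unpacks to 127.0.0.1.
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_udp(text):
    # Skip the header row; each remaining row is one UDP socket.
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])
        sockets.append({
            "ip": ip,
            "port": port,
            "service": WELL_KNOWN.get(port, "unknown"),
            "uid": int(fields[7]),
        })
    return sockets


def find_tftp(text):
    # Return (ip, port) for every socket bound to the TFTP port.
    return [(s["ip"], s["port"]) for s in parse_proc_net_udp(text) if s["port"] == 69]


if __name__ == "__main__":
    for s in parse_proc_net_udp(SAMPLE_PROC_NET_UDP):
        print("%s:%d %s uid=%d" % (s["ip"], s["port"], s["service"], s["uid"]))
    print("tftp listeners:", find_tftp(SAMPLE_PROC_NET_UDP))
```

`0.0.0.0:69` bound by uid 0 is the signal the blurb describes: a TFTP daemon reachable from the network, which is what makes the later upload and LFI execution possible. The same decoding applies to `/proc/net/tcp` for TCP listeners.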