HTB STARTING POINT · Tier 1
Crocodile
Anonymous FTP drops a credentials file; those credentials unlock an HTTP admin panel — two individually boring findings combine into a full chain.…
HTB STARTING POINT · Tier 1
MariaDB root with no password on port 3306 — from initial banner grab to database enumeration to flag extraction, no exploit required.…
HTB STARTING POINT · Tier 1
SQL injection in a login form — `' OR '1'='1` as username turns authentication into a formality and exposes the flag in one request.…
HTB STARTING POINT · Tier 2
CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.…
HTB STARTING POINT · Tier 1
Handlebars SSTI in Node.js escalates from a reflected error to RCE via process.mainModule.require; each template injection primitive traced.…
HTB STARTING POINT · Tier 1
DNS zone transfer (AXFR) exposes internal hostnames including a development subdomain. The dev site runs an unauthenticated API that returns SSH credentials in plaintext.…
HTB STARTING POINT · Tier 2
Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No escalation needed.…
HTB STARTING POINT · Tier 1
S3 subdomain discovery exposes a LocalStack bucket; a PHP webshell uploaded via the AWS CLI achieves RCE as www-data without any CVE.…
HTB STARTING POINT · Tier 1
LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives lateral movement to root-adjacent group.…