Linux

SQL injection in a login form — `' OR '1'='1` as username turns authentication into a formality and exposes the flag in one request.…

CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.…

Handlebars SSTI in Node.js escalates from a reflected error to RCE via process.mainModule.require; each template injection primitive traced.…

DNS zone transfer (AXFR) exposes internal hostnames including a development subdomain. The dev site runs an unauthenticated API that returns SSH credentials in plaintext.…

Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No escalation needed.…

S3 subdomain discovery exposes a LocalStack bucket; a PHP webshell uploaded via the AWS CLI achieves RCE as www-data without any CVE.…

LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives lateral movement to root-adjacent group.…

Anonymous rsync on port 873 delivers flag.txt with zero credentials; the real lesson is scanning beyond the top-1000 TCP ports.…

PHP strcmp() fed an array instead of a string returns 0 and bypasses login. A file manager upload gives shell. sudo find reads root.txt while find runs as root.…