Starting-Point

IDOR in a cookie flips guest to super-admin, a SUID binary with system() calls cat via $PATH — two rookie mistakes that cascade to root.…

Administrator with an empty password on a Windows box — SMB signing disabled, psexec drops SYSTEM in 15 minutes flat. The most honest failure mode in Active Directory.…

Virtual host discovery finds the Magento admin panel on a non-default hostname; qwerty123 completes the chain — two recon steps, one flag.…

Anonymous FTP leaks credentials; SSH login reveals a PostgreSQL container reachable via local port forwarding — the flag is a database row.…

PHP LFI forces the server to issue a NetNTLMv2 request to a rogue Responder listener; the captured hash cracks to Administrator in seconds.…

SVG with embedded JavaScript uploads to a ticketing system. When the admin previews the attachment, XSS fires in their browser and exfiltrates session cookie. Cookie replay gives admin access and SSH credentials.…

Anonymous FTP drops a credentials file; those credentials unlock an HTTP admin panel — two individually boring findings combine into a full chain.…

MariaDB root with no password on port 3306 — from initial banner grab to database enumeration to flag extraction, no exploit required.…

SQL injection in a login form — `' OR '1'='1` as username turns authentication into a formality and exposes the flag in one request.…