HTB STARTING POINT · Tier 2
CCTV
CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.…
HTB STARTING POINT · Tier 1
Handlebars SSTI in Node.js escalates from a reflected error to RCE via process.mainModule.require; each template injection primitive traced.…
HTB STARTING POINT · Tier 1
DNS zone transfer (AXFR) exposes internal hostnames including a development subdomain. The dev site runs an unauthenticated API that returns SSH credentials in plaintext.…
HTB STARTING POINT · Tier 2
Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No escalation needed.…
HTB STARTING POINT · Tier 1
S3 subdomain discovery exposes a LocalStack bucket; a PHP webshell uploaded via the AWS CLI achieves RCE as www-data without any CVE.…
HTB STARTING POINT · Tier 1
LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives lateral movement to root-adjacent group.…
HTB STARTING POINT · Tier 0
Anonymous rsync on port 873 delivers flag.txt with zero credentials; the real lesson is scanning beyond the top-1000 TCP ports.…
HTB STARTING POINT · Tier 2
PHP strcmp() fed an array instead of a string returns 0 and bypasses login. A file manager upload gives shell. sudo find reads root.txt while find runs as root.…
HTB STARTING POINT · Tier 0
Directory fuzzing surfaces a hidden admin.php that default credentials unlock; demonstrates why wordlist-based discovery precedes credential guessing.…