Starting-Point

RDP and WinRM both accept a blank Administrator password — attack surface is two services wide when credential assumptions fail at the front door.…

XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into the watched directory.…

MongoDB 3.6.8 without bind authentication exposes a sensitive_information database; the real lesson is why auth-on-by-default matters.…

Unauthenticated Redis on port 6379 leaks a flag key directly; includes a bonus RCE path via rogue-server module load for the curious.…

Anonymous FTP on vsftpd 3.0.3 — the misconfiguration is intentional, the lesson is recognising anonymous bind and scripting retrieval.…

Anonymous FTP yields a ZIP cracked with john. The PHP login is SQL-injectable. pg_dump in a sudo rule lets vi escape to root — classic sudo abuse.…

SMB null session on Windows delivers a flag from an exposed WorkShares share; the takeaway is unauthenticated SMB enumeration without Metasploit.…

Log4Shell in UniFi Network Application 6.4.54 — JNDI in the remember field hands over shell as root. MongoDB's default no-auth exposes admin password hash, cracked in seconds.…

Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.…