Tier-1

DNS zone transfer (AXFR) exposes internal hostnames including a development subdomain. The dev site runs an unauthenticated API that returns SSH credentials in plaintext.…

S3 subdomain discovery exposes a LocalStack bucket; a PHP webshell uploaded via the AWS CLI achieves RCE as www-data without any CVE.…

LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives lateral movement to root-adjacent group.…