HTB STARTING POINT · Tier 2
Oopsie
IDOR in a cookie flips guest to super-admin, and a SUID binary calls cat through system() via $PATH — two rookie mistakes that cascade to root.…
HTB STARTING POINT · Tier 2
CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.…
HTB STARTING POINT · Tier 2
Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No escalation needed.…
HTB STARTING POINT · Tier 2
PHP strcmp() fed an array instead of a string returns 0 and bypasses login. A file manager upload gives shell. sudo find reads root.txt while find runs as root.…
HTB STARTING POINT · Tier 2
XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into the watched directory.…
HTB STARTING POINT · Tier 2
Anonymous FTP yields a ZIP cracked with john. The PHP login is SQL-injectable. pg_dump in a sudo rule lets vi escape to root — classic sudo abuse.…
HTB STARTING POINT · Tier 2
Log4Shell in UniFi Network Application 6.4.54 — JNDI in the remember field hands over shell as root. MongoDB's default no-auth exposes the admin password hash, cracked in seconds.…
HTB STARTING POINT · Tier 2
Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.…