Jerry
Apache Tomcat's Manager interface was exposed with default credentials (tomcat:s3cret), allowing upload of a malicious WAR file that executed a reverse shell directly as NT AUTHORITY\SYSTEM.
An exposed Apache ActiveMQ 5.15.15 OpenWire broker is vulnerable to CVE-2023-46604, an unauthenticated deserialization flaw that instantiates a Spring ClassPathXmlApplicationContext from an attacker-hosted XML file to run a reverse shell as the activemq user.
A product category filter concatenates user input directly into SQL. A UNION SELECT against the users table dumps plaintext credentials, and logging in as administrator solves the lab.
A Dolibarr CRM hidden behind a virtual host accepts default admin credentials and is vulnerable to CVE-2023-30253, where an uppercase
A PortSwigger Web Security Academy lab where a WAF blocks the obvious UNION attack — until you hide the payload from it by encoding the whole injection as XML character entities.
Devel is an easy-difficulty Windows 7 box exploited via anonymous FTP write access to an IIS web root. Uploading an ASPX webshell yields RCE, then MS11-046 escalates to SYSTEM.
A PortSwigger Web Security Academy lab on the second step of a UNION-based SQL injection — finding a column whose data type can hold the text you want to exfiltrate.
A PortSwigger Web Security Academy lab on the first step of every UNION-based SQL injection — learning how many columns the original query returns, using ORDER BY and UNION SELECT NULL.
A Drupal 7.54 Services REST endpoint accepted PHP-serialized objects as login credentials; a crafted SelectQueryExtender injected SQL to authenticate as admin, then a cache-poison payload replaced the login handler with file_put_contents to write a PHP webshell, landing a shell as nt authority usr.
Legacy is an easy-difficulty Windows XP box and a museum piece of SMB exploitation. An unauthenticated, unpatched Server service is vulnerable to MS08-067 (and MS17-010). A single netapi exploit overflows a stack buffer and executes code as NT AUTHORITY\SYSTEM — there is no separate privilege escalation, so both flags fall from one shell.
An unpatched Windows 7 SMBv1 server is vulnerable to EternalBlue (MS17-010); a single unauthenticated kernel-pool overflow returns a SYSTEM shell, making both flags trivially reachable — this post covers recon through the user flag.
An end-of-life Samba 3.0.20 server with the 'username map script' option enabled passes the SMB logon username through a shell, so a username containing backticked shell metacharacters yields command execution as root (CVE-2007-2447) — one exploit lands a root shell and both flags.
Access is an "easy" difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. It also shows how accessible FTP/file shares can often lead to a foothold or lateral movement, and it teaches techniques for identifying and exploiting saved credentials.

I’m going for my OSCP soon. I’ll be releasing a lot more posts focused on hacking and Offsec. I will be doing a bunch of HackTheBoxes to prepare. Stay tuned. There’s a lot more coming.

Box Lights Out Difficulty Easy OS Linux Lights Out is an easy Linux box themed around a fake server Li...

I noticed that fast.com reported my connection at around 620 Mbps while command line tools like speedtest-cli were reporting closer to 109 Mbps. That discrepancy bothered me, so I spent an evening ...

A simple script to discover the maximum MTU supported by every device on your LAN — so you can confidently enable jumbo frames without breaking connectivity. Why Most home and lab networks run at...

A lightweight, real-time download scanner that quarantines new files in ~/Downloads, checks their SHA256 hash against VirusTotal, and only releases them once verified clean. Why Every file you do...

Device Info Model: F6D4230-4D1 Type: Consumer N150 Wi-Fi router (802.11b/g/n, 2.4 GHz) Year: 2009 (FCC approved January 2009, retail ~June 2009) Status: End-of-life / obsolete This is ...

AFW — An Application Firewall That Actually Makes Sense on Linux I don’t like running systems I don’t understand. And for years, one thing bugged me about every Linux desktop I’ve set up: outbound...