An exposed .git directory on a Backdrop CMS site leaks the database password, which is reused for a CMS admin account; an authenticated module-upload (CVE-2022-42092) drops a PHP webshell for code execution, and the same password reused once more grants SSH as a local user for the user flag.

Nibbleblog 4.0.3 was running with default credentials and an authenticated unrestricted file upload vulnerability (CVE-2015-6967) in the My Image plugin allowed uploading a PHP webshell that gave code execution as nibbler.

An exposed Spring Boot Actuator endpoint leaks a live admin session ID for instant dashboard access, an unsanitised username field in a patching form yields command injection (bypassing a whitespace filter with ${IFS}), and hardcoded PostgreSQL credentials inside the application JAR give up a bcrypt hash that cracks to a password reused by a local user for SSH.

An Apache web server with CGI enabled served a bash-based script at /cgi-bin/user.sh on a host running unpatched Bash, so injecting the Shellshock payload (CVE-2014-6271) into the User-Agent header returned a reverse shell as user shelly.

A guest-readable SMB share leaks a default new-hire password, RID-cycling enumerates the domain user list, and a password spray plus credentials chained through an AD description field and a hard-coded backup script lands a WinRM shell and the user flag.

A PHP webshell left in a publicly-accessible /dev/ directory on an Apache server provided unauthenticated command execution as www-data, landing the user flag without any authentication.

A Flask app exposes its Searchor 2.4.0 version in the footer; the library feeds user input straight into eval(), so a crafted search query yields command execution as svc, and plaintext credentials in the app's .git/config give a stable SSH shell and the user flag.

Apache Tomcat's Manager interface was exposed with default credentials (tomcat:s3cret), allowing upload of a malicious WAR file that executed a reverse shell directly as NT AUTHORITY\SYSTEM.

An exposed Apache ActiveMQ 5.15.15 OpenWire broker is vulnerable to CVE-2023-46604, an unauthenticated deserialization flaw that instantiates a Spring ClassPathXmlApplicationContext from an attacker-hosted XML file to run a reverse shell as the activemq user.

A product category filter concatenates user input directly into SQL. A UNION SELECT against the users table dumps plaintext credentials, and logging in as administrator solves the lab.

A Dolibarr CRM hidden behind a virtual host accepts default admin credentials and is vulnerable to CVE-2023-30253, where an uppercase

A PortSwigger Web Security Academy lab where a WAF blocks the obvious UNION attack — until you hide the payload from it by encoding the whole injection as XML character entities.

Devel is an easy-difficulty Windows 7 box exploited via anonymous FTP write access to an IIS web root. Uploading an ASPX webshell yields RCE, then MS11-046 escalates to SYSTEM.

A PortSwigger Web Security Academy lab on the second step of a UNION-based SQL injection — finding a column whose data type can hold the text you want to exfiltrate.

A PortSwigger Web Security Academy lab on the first step of every UNION-based SQL injection — learning how many columns the original query returns, using ORDER BY and UNION SELECT NULL.

A Drupal 7.54 Services REST endpoint accepted PHP-serialized objects as login credentials; a crafted SelectQueryExtender injected SQL to authenticate as admin, then a cache-poison payload replaced the login handler with file_put_contents to write a PHP webshell, landing a shell as nt authority usr.

Legacy is an easy-difficulty Windows XP box and a museum piece of SMB exploitation. An unauthenticated, unpatched Server service is vulnerable to MS08-067 (and MS17-010). A single netapi exploit overflows a stack buffer and executes code as NT AUTHORITY\SYSTEM — there is no separate privilege escalation, so both flags fall from one shell.

An unpatched Windows 7 SMBv1 server is vulnerable to EternalBlue (MS17-010); a single unauthenticated kernel-pool overflow returns a SYSTEM shell, making both flags trivially reachable — this post covers recon through the user flag.

An end-of-life Samba 3.0.20 server with the 'username map script' option enabled passes the SMB logon username through a shell, so a username containing backticked shell metacharacters yields command execution as root (CVE-2007-2447) — one exploit lands a root shell and both flags.

Access is an "easy" difficulty machine, that highlights how machines associated with the physical security of an environment may not themselves be secure. Also highlighted is how accessible FTP/file shares can often lead to getting a foothold or lateral movement. It teaches techniques for identifying and exploiting saved credentials.