StreamIO
An unauthenticated MSSQL UNION injection on watch.streamio.htb dumped all user password hashes; cracking them gave admin login, and the admin panel's debug parameter passed user input directly to PHP include(), enabling source disclosure via php://filter and Remote File Inclusion through master.php's eval(file_get_contents()) to land a reverse shell.