We exploit improper redirect to access an image upload page and use metadata command injection to get reverse shell. We use mysqldump to get user password. With relative path injection we exploit a SUID binary and get root shell.

We use SQL injection exploit for an old version of CMS Made Simple to get user password. We take advantage of write permissions in /usr/local/bin to create malicious executable and perform relative path injection.

Find user creds and sub-domains using SVN. Upload a malicious aspx file and get reverse shell. Find plaintext creds in a mapped drive. Exploit azure pipeline using YAML file and execute system command to get reverse shell as system.

We google a HTML comment to find the WebShell backdoor and add our SSH keys to login as webadmin. We exploit sudo permissions for Luvit to get sysadmin shell. We finally modify the files in /etc/update-motd.d/ directory and get root shell.

Exploit authentication bypass vulnerability in OpenBSD and create username cookie with jennifer as value to get her private SSH key. Use CVE-2019-19520 and CVE-2019-19522, privEsc exploit in OpenBSD to get root shell.

We get reverse shell using a RCE exploit for the CMS. We use chisel for local port forwarding and use the buffer overflow exploit for CloudMe to get an administrator shell.

We perform AS-REP Roasting using GetNPUsers.py script from Impacket and crack the hash using JTR. We login using Evil-WinRM and run WinPEAS to get the AutoLogon Creds for another user. BloodHound reveales that this user can perform DCSync Attack. We get the Administrator hash using mimikatz and use this hash to get a system shell via psexec.

We phish the employees and get a user's password, we read his emails and find another password. We login to FTP, upload a php file and get reverse shell. We then exploit pypiserver and are able to add our SSH keys to a user account. Finally we take advantage of sudo permissions for pip3 to get root shell.

We use SQL Truncation Attack to login as admin and take advantage of Reflected XSS in Dynamically Generated PDF to read the SSH private key of reader. Finally, we exploit a root process using logrotate and read root's SSH private key.

We exploit WordPress plugin to login as admin and get SMTP creds for user. Using POP3 commands, we read the user mails which contain creds for secret forum. We use an online tool to decode the messages using Vigenere Cipher and get SSH private key. Crack the SSH key password using JohnTheRipper. Finally, we use RSA to decrypt the encrypted text and get root.txt