DevArea — Medium Linux machine walkthrough cover

DevArea — HackTheBox Season 10 Walkthrough

DevArea chains a SOAP service SSRF through a Hoverfly middleware RCE for the foothold, then escalates via Flask session forgery, command injection, and a symlink/log-write trick to root. A deeply layered box with real-world misconfigurations at every turn.

March 28, 2026 · 9 min · Logan Dawson
WingData — Easy Linux machine walkthrough cover

WingData — HackTheBox Season 10 Walkthrough

WingData chains two fresh CVEs — an unauthenticated RCE in Wing FTP Server and a Python tarfile filter bypass via PATH_MAX overflow — into a clean root. Don’t let the ‘Easy’ rating fool you.

February 26, 2026 · 7 min · Logan Dawson
Crocodile — Very Easy Linux machine walkthrough cover

Crocodile — HackTheBox Starting Point Walkthrough

Crocodile proves that the simplest misconfigurations can be devastating — an open FTP server hands you the keys to the web app if you know where to look.

February 1, 2026 · 4 min · Logan Dawson
Vaccine — Very Easy Linux machine walkthrough cover

Vaccine — HackTheBox Starting Point Walkthrough

Vaccine chains together anonymous FTP access, zip cracking, hardcoded credentials, and a PostgreSQL SQL injection into a full compromise — then escapes to root through a classic vi sudo misconfiguration.

January 31, 2026 · 5 min · Logan Dawson
Fawn — HackTheBox Unix machine walkthrough cover

Fawn — HackTheBox Starting Point Walkthrough

Fawn is a beginner HackTheBox machine that demonstrates one of the most common real-world misconfigurations: anonymous FTP access left enabled with sensitive files sitting in the root directory.

January 30, 2026 · 4 min · Logan Dawson