
WingData — HackTheBox Season 10 Walkthrough
WingData chains two fresh CVEs — an unauthenticated RCE in Wing FTP Server and a Python tarfile filter bypass via PATH_MAX overflow — into a clean root. Don’t let the ‘Easy’ rating fool you.

Facts chains a Rails mass-assignment CVE in CamaleonCMS to admin access, leaks MinIO credentials hiding a backdoored SSH key, and escapes to root through Puppet’s facter tool — a satisfying end-to-end story about trusting your CMS too much.

Appointment is a deceptively simple box that teaches one of the most fundamental web vulnerabilities: SQL injection authentication bypass. One payload, one flag — but the lesson lasts a career.
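The bypass the Appointment teaser alludes to, as an added example that is not part of the original walkthrough: a login query built by string concatenation next to the parameterized version that closes the hole. The table, the credential and the payload are constructed here for illustration; the box's actual schema and values are not reproduced.

```python
"""Added example: SQL injection authentication bypass, vulnerable vs. fixed.
Runs entirely against an in-memory SQLite database with constructed data."""
import sqlite3


def make_db():
    """Build a constructed users table with a single sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credential; not the box's real account.
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Return the matched username, or None. Deliberately vulnerable:
    user input is spliced into the SQL text, so it can change the grammar."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: input is always data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic payload: close the string, make the WHERE clause always true,
# and comment out the password comparison that follows.
BYPASS_PAYLOAD = "' OR 1=1 -- "


def demo():
    """Run the same payload through both implementations."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, "anything"),
        "fixed": login_safe(conn, BYPASS_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'admin', 'fixed': None}
```

The vulnerable query ends up as `... WHERE username = '' OR 1=1 -- ' AND password = 'anything'`; everything after `--` is a comment, so the first row in the table is returned and the caller treats that as a successful login. The parameterized version sends the same bytes as a bound string and finds no user named `' OR 1=1 -- `.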

Crocodile proves that the simplest misconfigurations can be devastating — an open FTP server hands you the keys to the web app if you know where to look.

Sequel is a dead-simple but instructive HackTheBox machine that highlights one of the most dangerous real-world misconfigurations: a MySQL/MariaDB instance exposed to the network with no root password.

A misconfigured S3-compatible bucket with an open write policy turns a static band website into a remote code execution opportunity. Here’s how subdomain enumeration and a single AWS CLI command led to a shell.

Oopsie chains credential reuse, a cookie-based IDOR, and a file upload to land a shell — then a SUID binary with an unsafe PATH gets us root. A masterclass in chained misconfigurations.
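The PATH problem behind the Oopsie root step, as an added example that is not code from the walkthrough: a privileged program that runs a helper by bare name inherits the caller's PATH, so a writable directory placed in front of the real one wins the lookup. The bare command name `service` and both "binaries" are stand-ins constructed in temporary directories; no SUID bit is set and the privilege boundary is only simulated.

```python
"""Added example: PATH hijacking of a program that invokes a helper by bare
name, and two fixes (absolute path, or a PATH the program sets itself).
Everything lives in temporary directories; nothing touches the real system."""
import os
import subprocess
import tempfile

COMMAND = "service"  # assumed bare name; the box's own binary is not reproduced


def write_script(directory, name, body):
    """Drop a small executable shell script into directory and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)
    return path


def run_command(command, path_value):
    """Run command through /bin/sh with the given PATH, the way a C program
    calling system() would. A bare name is resolved left to right along PATH."""
    proc = subprocess.run(
        command,
        shell=True,
        env={"PATH": path_value},
        capture_output=True,
        text=True,
    )
    return proc.stdout.strip()


def demo():
    """Compare the vulnerable lookup with the two hardened variants."""
    with tempfile.TemporaryDirectory() as sbin, tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins: the legitimate helper in a root-owned
        # directory, and the attacker's copy in a world-writable one.
        write_script(sbin, COMMAND, "echo LEGIT")
        write_script(tmp, COMMAND, "echo HIJACKED")

        # The attacker controls the environment and prepends the writable dir.
        attacker_path = tmp + os.pathsep + sbin

        return {
            # Vulnerable: bare name, attacker's PATH -> attacker's script runs.
            "vulnerable": run_command(COMMAND, attacker_path),
            # Fix 1: call the helper by absolute path; PATH is never consulted.
            "absolute_path": run_command(os.path.join(sbin, COMMAND), attacker_path),
            # Fix 2: the privileged program sets a trusted PATH before exec.
            "trusted_path": run_command(COMMAND, sbin),
        }


if __name__ == "__main__":
    print(demo())
```

On the box the hijacked helper would be a script that spawns a shell; here it just announces itself so the outcome is visible. Both fixes are standard for SUID programs, and defensively they should be combined with dropping the environment entirely rather than trusting any part of it.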

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.

Vaccine chains together anonymous FTP access, zip cracking, hardcoded credentials, and a PostgreSQL SQL injection into a full compromise — then escapes to root through a classic vi sudo misconfiguration.

Meow is HTB’s gentlest introduction to penetration testing — a single open Telnet port, no password on the root account, and an immediate lesson in why legacy services are dangerous.