Reverse-Shell

MonitorsFour chains a fresh Cacti RCE vulnerability with an exposed Docker API to go from web login to full Windows host compromise — a great lesson in container escape methodology.

A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.

Oopsie chains credential reuse, a cookie-based IDOR, and a file upload to land a shell — then a SUID binary with an unsafe PATH gets us root. A masterclass in chained misconfigurations.

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.

Archetype shows how a single misconfigured SMB share cascades into full domain compromise — SSIS config files, xp_cmdshell, and PowerShell history all play a role.

NanoCorp chains a sneaky NTLM capture through a hiring portal’s file upload, Active Directory ACL abuse via BloodHound, and a Checkmk MSI repair privilege escalation — all on a fully patched Windows Server 2022 DC.