Ssh

Gavel chains an exposed git repo, a subtle PDO prepared statement SQL injection, and a creative PHP sandbox escape — overwriting the php.ini from inside the sandbox itself — to reach root.

AirTouch is a unique HTB medium box where you pivot through three network segments entirely over WiFi — cracking WPA-PSK, stealing session cookies from decrypted traffic, and pulling off a real-cert evil twin attack to capture MSCHAPv2 credentials.

CCTV is a deceptively layered Easy box where default credentials are just the beginning — JWT forgery, daemon-based command injection, and a clever motionEye auth quirk all stand between you and root.

Interpreter chains a pre-auth deserialization RCE against a healthcare integration platform with a devious Python f-string injection to reach root — a box that rewards thorough enumeration and creative payload crafting.

A Minecraft panel hiding two CVEs and a SUSE-specific PAM trick — Pterodactyl chains a Laravel LFI into code execution, then escalates via a race-condition SUID mount flaw in udisks2.

WingData chains two fresh CVEs — an unauthenticated RCE in Wing FTP Server and a Python tarfile filter bypass via PATH_MAX overflow — into a clean root. Don’t let the ‘Easy’ rating fool you.

Facts chains a Rails mass-assignment CVE in CamaleonCMS to admin access, leaks MinIO credentials hiding a backdoored SSH key, and escapes to root through Puppet’s facter tool — a satisfying end-to-end story about trusting your CMS too much.

A misconfigured S3-compatible bucket with an open write policy turns a static band website into a remote code execution opportunity. Here’s how subdomain enumeration and a single AWS CLI command led to a shell.

Oopsie chains credential reuse, a cookie-based IDOR, and a file upload to land a shell — then a SUID binary with an unsafe PATH gets us root. A masterclass in chained misconfigurations.

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.