#privilege-escalation

6 posts

2 Sept 2022 · 18 min medium Windows WingData

HTB: WingData

A NULL byte in Wing FTP Server's login handler triggers Lua code injection for unauthenticated RCE, then a Python tarfile data filter bypass via PATH_MAX overflow writes an SSH key to root.

#htb #windows #web #api +1

26 Aug 2022 · 20 min hard Linux Pterodactyl

HTB: Pterodactyl

A critical LFI in Pterodactyl Panel's locale endpoint chains with pearcmd.php for unauthenticated RCE, then a PAM environment injection and udisks2 XFS resize race condition deliver root on openSUSE.

#htb #linux #pterodactyl-panel #web +1

19 Aug 2022 · 18 min medium Linux Kobold

An MCPJam Inspector RCE for initial access, PrivateBin template cookie LFI for container-level code execution, database password reuse across services, and a Docker management API that mounts the host root filesystem.

#htb #linux #web #ssrf +1

1 Jul 2022 · 17 min medium Linux Facts

HTB: Facts

A path traversal in Camaleon CMS exposes Rails master keys, SQLite databases, and authentication tokens, enabling admin takeover through cookie forgery on a Ruby on Rails 8 application.

#htb #linux #web #enumeration +1

25 Feb 2022 · 16 min easy Windows Arctic

HTB: Arctic

Adobe ColdFusion 8 on Windows Server 2008 R2 yields unauthenticated RCE through a three-part chain: directory traversal for credential extraction, FCKeditor file upload, and LFI-based CFML code injection. MS10-059 escalates to SYSTEM when JuicyPotato fails.

#htb #coldfusion #windows #directory-traversal +1

21 Jan 2022 · 16 min easy Windows Devel

HTB: Devel

Anonymous FTP write access to an IIS web root creates a trivial foothold. The real lesson is in the privilege escalation — unpatched Windows 7 with no service packs is a kernel exploit playground.

#htb #ftp #iis #aspx +4