HTB: WingData
A NULL byte in Wing FTP Server's login handler triggers Lua code injection for unauthenticated RCE, then a Python tarfile data filter bypass via PATH_MAX overflow writes an SSH key to root.
HTB: Pterodactyl
A critical LFI in Pterodactyl Panel's locale endpoint chains with pearcmd.php for unauthenticated RCE, then a PAM environment injection and udisks2 XFS resize race condition deliver root on openSUSE.
HTB: Kobold
An MCPJam Inspector RCE for initial access, PrivateBin template cookie LFI for container-level code execution, database password reuse across services, and a Docker management API that mounts the host root filesystem.
HTB: CCTV
Default credentials on ZoneMinder, a time-based blind SQL injection to extract bcrypt hashes, SSH password reuse, and a motionEye command injection running as root through a surveillance daemon's notification configuration.
HTB: Facts
A path traversal in Camaleon CMS exposes Rails master keys, SQLite databases, and authentication tokens, enabling admin takeover through cookie forgery on a Ruby on Rails 8 application.