Myles Nieman
Easy

15 writeups

RedPanda

Easy

A Spring Boot search page reflects user input into a Server-Side Template Injection sink, giving RCE as woodenk; a root-owned log-parser cron is then …

Linux

Sea

Easy

A WonderCMS site’s contact form SSRF is weaponized to deliver CVE-2023-41425, landing a shell as www-data; a password hash found in the CMS …

Linux

VulnEscape

Easy

An RDP kiosk running Microsoft Edge is escaped by adding a local HTML page and renaming PowerShell to msedge.exe; Remote Desktop Plus stores a masked …

Windows

TemplTrap

Easy

A Langflow AI server exposed on port 80 is exploited via CVE-2026-0770 (SSTI RCE) for an initial shell as karen; screen 5.0.0 setuid-root logging …

Linux

Data

Easy

An unauthenticated Grafana path-traversal (CVE-2021-43798) exposes the SQLite database, leaking PBKDF2 password hashes that crack to yield SSH access; …

Linux

WingData

Easy

Wing FTP Server 7.4.3 exposes an unauthenticated RCE endpoint; cracking the salted password hashes from its XML config yields SSH access as a system …

Linux

Facts

Easy

A Ruby on Rails app running Camaleon CMS 2.9.0 is compromised via mass-assignment privilege escalation to admin, then an LFI in the admin …

Linux

Succession

Easy

Given SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …

Windows

Broker

Easy

A default-credentialed Apache ActiveMQ 5.15.15 console reveals a version vulnerable to CVE-2023-46604 (OpenWire deserialization RCE); a sudo-allowed …

Linux

Return

Easy

A printer admin panel leaks credentials to Responder via a spoofed LDAP server address; the recovered svc-printer account belongs to Server Operators, …

Windows

Sauna

Easy

Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …

Windows

Toolbox

Easy

SQL injection in a PostgreSQL-backed login form yields an os-shell inside a Docker container; the Docker Toolbox VM is reachable via SSH with default …

Windows

Overcertified

Easy

An LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …

Windows

Forest

Easy

Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …

Windows

Active

Easy

Anonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …

Windows