Myles Nieman

Linux

14 writeups

Bucket

Medium

A web application backed by a locally exposed S3-compatible bucket allows unauthenticated file uploads; uploading a PHP web shell through the bucket …

Linux

RedPanda

Easy

A Spring Boot search page reflects user input into a Server-Side Template Injection sink, giving RCE as woodenk; a root-owned log-parser cron is then …

Linux

Resource

Hard

A zip-upload feature on an SSH key management web app is exploited via a PHP pearcmd LFI-to-RCE trick to land a webshell as www-data; uploaded zip …

Linux

Sea

Easy

A WonderCMS site’s contact form SSRF is weaponized to deliver CVE-2023-41425, landing a shell as www-data; a password hash found in the CMS …

Linux

Deputy

Medium

An exposed .git directory leaks Terraform IAM ARNs; a case-sensitivity bug in the event-role API lets those ARNs cross account boundaries, eventually …

Linux

TemplTrap

Easy

A Langflow AI server exposed on port 80 is exploited via CVE-2026-0770 (SSTI RCE) for an initial shell as karen; screen 5.0.0 setuid-root logging …

Linux

Interpreter

Medium

Mirth Connect 4.4.0 is vulnerable to CVE-2023-43208 (unauthenticated RCE); database credentials in mirth.properties lead to a PBKDF2-hashed password …

Linux

BloodFlow

Very Easy

A publicly exposed n8n workflow automation instance is vulnerable to CVE-2026-21858, an unauthenticated arbitrary file read to RCE chain, yielding a …

Linux

Data

Easy

An unauthenticated Grafana path-traversal (CVE-2021-43798) exposes the SQLite database, leaking PBKDF2 password hashes that crack to yield SSH access; …

Linux

WingData

Easy

Wing FTP Server 7.4.3 exposes an unauthenticated RCE endpoint; cracking the salted password hashes from its XML config yields SSH access as a system …

Linux

Facts

Easy

A Ruby on Rails app running Camaleon CMS 2.9.0 is compromised via mass-assignment privilege escalation to admin, then an LFI in the admin …

Linux

ReactOOPS

Very Easy

A vulnerable React application is exploited via CVE-2025-55182 (react2shell), yielding unauthenticated remote code execution and a shell that reads …

Linux

Broker

Easy

A default-credentialed Apache ActiveMQ 5.15.15 console reveals a version vulnerable to CVE-2023-46604 (OpenWire deserialization RCE); a sudo-allowed …

Linux

Lantern

Hard

A Skipper proxy CVE-2022-38580 SSRF exposes an internal Blazor WebAssembly app whose DLL contains base64-encoded admin credentials; those credentials …

Linux