An older Linux machine running a heavily-featured VoIP platform — a well-known local file inclusion vulnerability exposes a configuration file, and the credentials inside turn out to open more doors than expected.

A retro Linux box running a Minecraft-themed WordPress site — a forgotten plugin file hiding in plain sight contains the keys to the whole machine.

A Kubernetes cluster left partially exposed — a misconfigured node component allows unauthenticated command execution, and the resulting access is enough to spin up a privileged pod that reads the entire host filesystem.

Bind Shells With a bind shell, the target system has a listener started and awaits a connection from the attack system we can use Netcat to establish a bind shell 1234567# on…

A Linux machine hosting several internal services across subdomains — a vulnerable management tool hands over an initial foothold, and a misconfigured group permission opens the door to a straightforward Docker escape.

A Linux web machine built around font processing tools — leaking source code leads to credentials, and a chain of vulnerabilities in font libraries carries the attack from initial access all the way to root.

This module covers file transfer techniques leveraging tools commonly available across all versions of Windows and Linux systems.

A Linux machine running two vulnerable surveillance applications — a SQL injection in ZoneMinder leads to credentials, and an authenticated RCE in motionEye is leveraged to set a SUID bit and escalate to root.

A Windows Active Directory machine that chains Pre-Windows 2000 misconfigurations, gMSA credential abuse, NTLM relay with RBCD, and SPN manipulation to pivot from a low-privileged domain account all the way to Domain Admin.

A classic retired Windows machine that chains anonymous FTP write access with an unpatched kernel vulnerability to achieve full system compromise.