Linux

The target runs a version of NextGen Healthcare Mirth Connect that is vulnerable to CVE-2023-43208 which allows for initial foothold. DB enumeration reveals a user credential encrypted in PBKDF2-HMAC-SHA256 which requires some decoding and cracking. Thus, gaining user access. Then, acquired root by identifying an SSTI vulnerability of unsafe user input validation within a custom script for Mirth Connect

The target runs an outdated version of Wing FTP Server which is vulnerable to CVE-2025-47812 that allows for initial foothold. Gathering credentials by cracking a salted hash in the credential file that leads to the user flag. Then, acquired root by exploiting a sudo misconfiguration that allowed running a vulnerable Python version with a custom program that uses the tarfile module of which allows for path traversal, symlink escape & write access to system files (CVE-2025-4517 & CVE-2025-4138)

Discovered a running webpage that allowed for registration. After logging in, it was revealed an outdated version of Camaleon CMS instance which was vulnerable to CVE-2024-46987 (Authenticated Arbitrary File Read). Leveraging that vulnerability to grab SSH keys on getting initial access. Finally, gained root access by exploiting a sudo misconfiguration using the facter command/binary.

Discovered SNMP service on UDP port which reveals a daloRADIUS server web app with default credentials. Gained user access by credentials leak in the dashboard. User was allowed to run mosh-server with sudo permissions which enabled us to start a mosh-client and gain root access.

Gaining RCE on an SQLpad web app from CVE-2022-0944, escaping docker jail and getting user access. Discovered internal host that led to Chrome Debugger Pentesting. Acquiring credentials on a Froxlor Server Management Panel. Gaining root access afterwards by changing PHP-FPM commands to a bash SUID permission change.