TryHackMe

Writeups

Documented solutions, methodology breakdowns, and lessons learned from TryHackMe rooms — focused on understanding the why behind each technique.

8 writeups published

Categories: Subdomain Takeover · Web · Network · Privilege Escalation · Reverse Engineering · Web3

Privilege Escalation
Tomghost
Exploit exposed AJP on Tomcat 9.0.30 to read WEB-INF/web.xml, pivot through leaked SSH credentials, then turn sudo zip into a root command execution primitive.
Subdomain Takeover
TakeOver
Discover a forgotten support subdomain via TLS certificate SAN inspection, identify a dangling AWS S3 endpoint, and validate a subdomain takeover condition.
Reverse Engineering
Compiled
Recover the correct password from an ELF binary using static analysis — tracing scanf format strings, strcmp control flow, and .rodata resolution without ever running the binary.
Privilege Escalation
Wgel
Enumerate a deceptive default web page to uncover an exposed SSH private key, establish user access, then abuse a privileged wget binary to exfiltrate root-owned files via HTTP POST body injection.
Web
Epoch
Exploit an unsanitized epoch-to-UTC converter to achieve OS command injection via bash -c, read server-side Go source to confirm the vulnerability, and extract the flag from an environment variable.
Network
Intermediate Nmap
Perform full-port scanning with service detection to discover credentials leaked on a non-standard high port, pivot into SSH access, and locate a world-readable flag through targeted filesystem enumeration.
Web3
PassCode
Read a deployed smart contract's supposedly private storage slots directly via eth_getStorageAt JSON-RPC — no wallet, no transaction — and recover the flag that was never meant to leave the chain.
Web
Neighbour
Use guest credentials leaked in source, trace the post-login redirect to profile.php?user=guest, then exploit an IDOR by swapping the user reference to admin while reusing the same session.