In DC-9, we only have access to a web application, which is vulnerable to SQL injection and LFI. We exploit the SQL injection to collect a set of credentials that is used later on in the box. The i...

FALL is an easy box from the digitalworld.local series. It hosts a web application that uses CMS Made Simple, where we discover an LFI vulnerability that allows us to read the SSH private key of th...