HTB: Crafty
In Crafty, I'll exploit the infamous Log4j RCE exploit (CVE-2021-44228) on a Minecraft server to gain a shell as the user. Then, I'll discover a jar file in one of the user's directories, decompile...
Lame, as its name suggests, is a very easy box. The services running on the box are old, and there is a known CVE that allows an attacker to directly gain a shell as root.
In DC-9, we only have access to a web application, which is vulnerable to SQL injection and LFI. We exploit the SQL injection to collect a set of credentials that is used later on in the box. The i...
FALL is an easy box from the digitalworld.local series. It hosts a web application that uses CMS Made Simple, where we discover an LFI vulnerability that allows us to read the SSH private key of th...