Hacking-club

The Evasion machine is vulnerable to LFI with filter bypass, session poisoning for RCE, crontab, and privilege escalation via sudo.

IAM Machine has the CVE-2021-40438 vulnerability, which allows SSRF in Apache, resulting in temporary AWS credentials and privilege escalation to root.

The application contains vulnerabilities including XXE, RFI, reverse shell, privilege escalation, RCE, cracked password, and unauthorized access to sensitive files.

The application is vulnerable to JWT token forgery, remote code execution (RCE), and privilege escalation via slo-generator.

Application has exposed credentials vulnerability, Function Injection leading to RCE, improper use of eval() in Python, and privilege escalation via verify.py script.

Máquina sobre Broken Access Control, BOLA, SQL Injection e linux capabilities.

On the Paradize machine, we need to exploit an SQL injection to upload a webshell and explore a path hijacking vulnerability.

The Injection machine is vulnerable to Command Injection (CVE-2022-36231) and privilege escalation via sudo.

Application has a BOLA vulnerability, unauthorized file access, SSH key usage, privilege escalation via SUID, and code execution.

The application has remote code execution (RCE) vulnerabilities in the ReportLab library and privilege escalation via "Shared Library Hijacking".

The application has the following vulnerabilities: endpoint enumeration via FUZZ, SQL Injection, remote command execution (RCE), and privilege escalation via Linux capabilities.

This is a HackingClub championship machine where we found an IDOR that provides initial access and Privilege Escalation through XAMPP.

The Calc machine is vulnerable to code injection, unauthorized file access, and Python library hijacking for privilege escalation.

The Poisoning machine has an LFI vulnerability exploited with Log Poisoning for RCE execution, followed by privilege escalation using Python with cap_setuid+ep capability for root.

The Lion machine is vulnerable to SQL injection, allowing RCE through the upload of a webshell, and has privilege escalation via cron jobs.

The application has vulnerabilities such as CVE-2022-29464, unrestricted file upload and remote code execution, privilege escalation via SUID binary, and Docker escape.

Machine for network traffic analysis and vulnerability exploitation in Ghostscript (CVE-2024-29510).

The application has Remote Code Execution vulnerabilities in Apache APISIX (CVE-2022-24112) and privilege escalation via the SUID binary lua.

Exploring an SSTI vulnerability in a live rendering application, it is possible to gain RCE on the server. The privilege escalation involves sudo permissions on logstash.

The Reader machine has SSRF and RFI vulnerabilities that allow RCE and privilege escalation to root via capabilities in the Perl binary.

Machine involving SQL Injection, code injection, and reversing (PE).