Understanding how the website works We are greeted by a home page that lists all pages and ability to create new pages. <!doctype html> <html> <head> <title>Mi...

Vulnerability Overview I was able to achieve Remote Code Execution (RCE) via the file upload functionality on Academico. TL;DR: Academico’s profile picture upload lacks file type validation and s...

Recon Port Scanning sudo nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49680,49701,49739 10.10.11.174 [sudo] password for kali: Starting Nmap 7.95 ( http...

Box Credentials As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich Recon Port Sc...

Box Creds As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09 Recon Port Discovery ┌──(kali㉿...

Recon Port Discovery sudo nmap -PN -sC -sV -oN steamCloud 10.10.11.133 [sudo] password for kali: Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 13:46 PKT Nmap scan report for 10.10.11.133...

Investigating the Instance On visiting the spawned instance http://94.237.54.192:48939, we are greeted with: Something of interest is the message: Proudly powered by Flask/Jinja2 I tried inve...

Recon Port Discovery sudo nmap -PN -sC -sV -oN twomillion 10.10.11.221 [sudo] password for kali: Starting Nma...

Recon Port Discovery sudo nmap -PN -sC -sV -oN cicada 10.10.11.35 [sudo] password for kali: Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-15 22:27 PKT Nmap scan report for 10.10.11....

Recon Port Discovery sudo nmap -PN -sC -sV -oN boardlight 10.10.11.11 [sudo] password for kali: Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-15 14:12 PKT Nmap scan report for 10.10.11.11 H...