Local File Inclusion (LFI) Archives

24 Jan, 2026

Hack The Box: Imagery Machine Walkthrough – Medium Difficulity

Medium Machine backup recovery, BurpSuite, Challenges, Charcol, HackTheBox, hashcat, javascript, json, Linux, Local File Inclusion (LFI), Penetration Testing, python3, RCE, ssh

Just completed the Imagery machine on Hack The Box (Medium). The challenge involved identifying weaknesses in a custom web application, analysing exposed application logic and data, and chaining these issues to move laterally within the system to gain user-level access. Further investigation highlighted how overlooked privilege boundaries and misconfigured trusted utilities can be abused to escalate privileges and obtain full administrative control.

#HackTheBox #CyberSecurity #WebSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #CTF #InfoSec
…

Learn MoreHack The Box: Imagery Machine Walkthrough – Medium Difficulity

28 Jun, 2025

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

Hard Machine Active Directory, Bloodhound, bloodyAD, Certipy, Challenges, CVE-2024-36991, evil-winrm, HackTheBox, Linux, Local File Inclusion (LFI), NetExec, Penetration Testing, pywhisker, Splunk, splunksecrets, SweetPotato

New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

#HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

3 May, 2025

HackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Hard Machine Android, BuddyForms, BurpSuite, Challenges, chisel, CVE-2023-26326, CVE-2024-2961, file upload, gobuster, grafana, grafana2hashcat, HackTheBox, hashcat, Linux, Local File Inclusion (LFI), MySQL, Penetration Testing, port forwarding, python3, Remote Code Execution (RCE) in WordPress, Server Misconfigurations, Wordpress

Chained exploitation through misconfigured web app and internal services. We started by exploiting a WordPress plugin vulnerability (CVE-2023-26326) to upload files, followed by a file read vulnerability (CVE-2024-2961) for remote code execution. From there, we cracked the database credentials, gained SSH access as the shawking user, and leveraged a vulnerable API endpoint to escalate to root. This highlights how overlooked configurations and service misconfigurations can lead to a full server compromise.

#CTF #PrivilegeEscalation #WebSecurity #CommandInjection #SSH #WordPress #LinuxPentesting #BugBounty #HackTheBox #RedTeam #CyberSecurity …

Learn MoreHackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Threatninja.net

Threatninja.net

Hack The Box: Imagery Machine Walkthrough – Medium Difficulity

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

HackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Threatninja.net

Threatninja.net

Tag Archives: Local File Inclusion (LFI)

Hack The Box: Imagery Machine Walkthrough – Medium Difficulity

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

HackTheBox – BigBang Machine Walkthrough (Hard Difficulty)