HTB Pterodactyl Writeup

First, we perform vhost fuzzing and find that a Pterodactyl Panel is running. It is vulnerable to Local File Inclusion, which we can leverage to get RCE. Once we have access to the machine, we can log into the database and retrieve the password hash of a user. The user reused the same credentials for SSH access too. To escalate privileges, we can exploit a vulnerability in udisks2. However, I used copyfail instead because I could not get the intended solution.

HTB MonitorFour Writeup

There are two vhosts on the machine. The website on the default vhost is vulnerable to IDOR, which leaks users' hashes. We can crack those hashes with hashcat. Then, we use the credentials to log into the Cacti vhost. The Cacti vhost is vulnerable to command injection, which allows us to get a shell. However, we find that the shell is in a Docker container. To escape the container, we utilize a Docker RCE. Voilà, we have root on the host machine.

HTB Interpreter Writeup

First, we need to find the local file disclosure vulnerability in the CMS hosted on the server. We can leverage this vulnerability to leak the SSH key. The SSH key is password-protected but can be easily cracked with Hashcat. With the SSH key cracked, we can SSH into the server. Finally, the user can run a command with sudo. We leverage GTFOBins to escalate privileges to root.