lfi

MACHINE Linux

HackTheBox: Trick

An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael — and a writable fail2ban action plus a passwordless sudo restart escalates to root.

An 8-flag HTB Fortress, leaking a backup script over SNMP, bypassing auth with HTTP verb tampering, abusing a Flask LFI to forge the Werkzeug debugger PIN for RCE, then PwnKit to root and a Vigenère-encrypted final flag.