HackTheBox: BroScience
A Medium Linux box: a double-URL-encoded LFI in img.php leaks source revealing a time-seeded activation-code generator, an ffuf timestamp brute-force activates an account, a PHP deserialisation gadget chain plus session-file poisoning give a www-data shell, cracked PostgreSQL creds reach bill over SSH, and a root cron job running renew_cert.sh allows injection through an unsanitised OpenSSL Common Name, giving root.