HackTheBox: Altered
A Hard Linux Laravel box: username enumeration and an X-Forwarded-For rate-limit bypass let wfuzz brute-force the 4-digit reset PIN, a type-juggling SQL injection in the profile API dumps the database and writes a PHP webshell via INTO OUTFILE for a www-data shell, then a vulnerable 5.16 kernel falls to Dirty Pipe (CVE-2022-0847) for root.