https://blog.akmee.xyz/series/active/Recent content in Active on tomato's blogHugoen-usMon, 20 Apr 2026 14:48:49 -0300https://blog.akmee.xyz/writeups/active/interpreter/Thu, 05 Mar 2026 00:00:00 +0000https://blog.akmee.xyz/writeups/active/interpreter/Medium Linux machine exploiting CVE-2023-43208 (Mirth Connect RCE) for initial access, followed by MySQL credential leakage, PBKDF2 hash cracking, and an f-string eval SSTI in a local Flask server to escalate to root.https://blog.akmee.xyz/writeups/retired/planning/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/planning/Planning is an easy Linux assumed-breached machine where initial access comes through CVE-2024-9264, a SQLi-to-RCE in Grafana. After landing in a Docker container, credentials leaked from environment variables give SSH access to the host. Privilege escalation involves finding a cleartext password in a readable database file and abusing a cron job manager running as root.https://blog.akmee.xyz/writeups/retired/scepter/Mon, 12 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/scepter/Scepter is a hard Windows Active Directory machine where initial access comes from cracking encrypted .pfx files found on an exposed NFS share. From there, the path to root chains two ADCS vulnerabilities — ESC9 and ESC14 — abusing certificate template misconfigurations and UPN/email attribute manipulation to impersonate privileged users and ultimately DCSync the domain.https://blog.akmee.xyz/writeups/retired/environment/Mon, 05 May 2025 00:00:00 +0000https://blog.akmee.xyz/writeups/retired/environment/Environment is a medium Linux machine where breaking the login page leaks the Laravel version, leading to CVE-2024-52301 — an argument injection that lets you switch the app environment and bypass authentication. From the dashboard, a file upload filter bypass gives RCE. Root comes from decrypting a GPG backup to recover credentials and abusing BASH_ENV preserved via env_keep in sudoers.