HTB

IDOR → PCAP recovery of credentials → SSH user shell → Linux file capabilities (getcap) → root via python3.8 capability.

Anonymous FTP → backup extraction → credential reuse (SSH) → local wireless enumeration → WPS PIN attack (reaver) → root via local escalation.

Exploiting MS17-010 (EternalBlue) on a Windows 7 SP1 target. Recon, SMB enumeration, exploitation, and proof of SYSTEM access.