binreaper

Born Insecure: What Firmware Analysis Reveals About IoT Security Debt

2026-03-13
#iot  #firmware  #mqtt  #security-research  #embedded  #reverse-engineering  #ghidra 

I analyzed seven firmware images from a major IoT camera vendor and found shared private keys, plaintext cloud protocols, and a command injection chain — all baked into the architecture from day one. This isn’t an end-of-life problem. It’s a design problem.


HTB CCTV — ZoneMinder SQLi to Root via motionEye Signed API Command Injection

2026-03-09
#htb  #hackthebox  #ctf  #CVE-2024-51482  #zoneminder  #sqli  #motioneye  #command-injection  #cctv  #iot  #bcrypt  #hmac 

Walkthrough of HackTheBox CCTV machine — from ZoneMinder default credentials and CVE-2024-51482 blind SQLi to root via motionEye’s HMAC-signed API command injection in on_event_start hooks


Cracking Passwords from Embedded Linux Devices: The musl DES Crypt $ Salt Problem

2026-03-04
#embedded  #musl  #openwrt  #password-cracking  #hashcat  #des-crypt  #iot  #security-research 

DES crypt hashes with a $ character in the salt — generated by musl libc on OpenWrt routers — break every standard cracking tool. Here’s why, and the one-character fix.


HTB Pterodactyl — Pterodactyl Panel LFI to Root via CVE-2025-6018/6019 PAM+udisks Chain

2026-03-01
#htb  #hackthebox  #ctf  #CVE-2025-49132  #CVE-2025-6018  #CVE-2025-6019  #lfi  #rce  #pearcmd  #pam  #udisks  #libblockdev  #privilege-escalation  #opensuse  #xfs  #suid 

Walkthrough of HackTheBox Pterodactyl machine — from Pterodactyl Panel LFI via pearcmd RCE to root via chained PAM session spoofing and libblockdev XFS resize SUID mount bypass


HTB Facts — Camaleon CMS Mass Assignment to Root

2026-02-28
#htb  #hackthebox  #ctf  #camaleon-cms  #mass-assignment  #path-traversal  #CVE-2025-2304  #CVE-2024-46987  #facter  #privilege-escalation  #ruby-on-rails 

Walkthrough of HackTheBox Facts machine — from Camaleon CMS mass assignment to root via sudo facter custom facts


HTB Interpreter — Mirth Connect RCE to Root via Flask eval() Injection

2026-02-28
#htb  #hackthebox  #ctf  #mirth-connect  #CVE-2023-43208  #xstream  #deserialization  #code-injection  #pbkdf2  #privilege-escalation  #flask  #eval 

Walkthrough of HackTheBox Interpreter machine — from Mirth Connect pre-auth XStream deserialization RCE to root via Flask eval() code injection


HTB WingData — Wing FTP RCE to Root via Python tarfile Filter Bypass

2026-02-28
#htb  #hackthebox  #ctf  #wingftp  #CVE-2025-47812  #CVE-2025-4517  #tarfile  #path-traversal  #lua-injection  #privilege-escalation  #python 

Walkthrough of HackTheBox WingData machine — from Wing FTP Server NULL byte Lua injection to root via Python tarfile filter=“data” PATH_MAX bypass

© 2026 Powered by Hugo :: Theme made by panr