https://hexpysya.github.io/tags/web/Recent content in Web on bubka hacks stuffHugo -- gohugo.ioen-usMon, 19 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-conversor/Mon, 19 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-conversor/Flask web application vulnerable to path traversal during file uploads. Exploited by uploading Python reverse shell to cron-executed directory → gained www-data shell → extracted MD5 hashes from SQLite database → cracked password for user fismathack → leveraged CVE-2024-48990 in needrestart 3.7 for privilege escalation to root.