When designing the theme for my personal blog, I wanted to make sure that the site would work just fine with JavaScript disabled. All kinds of scripts on this site are merely to add some neat little features here and there. However, this made me wonder about the state of the modern web and its reliance on scripts in the browser. What happens if you strip them away? I checked how websites deal with browsers that don’t allow JavaScript, taking the noscript HTML element as my metric of choice. And although fewer websites broke than I initially suspected, it shows that you don’t need scripts to effectively track people.
Registry is a vulnerable Linux machine hosted over at HackTheBox with a difficulty rating of 5.7 out of 10. It hosts a Docker registry with lack of proper authentication. Login credentials can be found looking into a Docker image that can be pulled from said registry. From there, the path to root incorporates tricking a CMS into uploading a web shell and using a backup utility to get access to files that wouldn’t normally be accessible by anyone.
Postman is a vulnerable Linux machine hosted over at HackTheBox with a difficulty rating of 4.4 out of 10. It runs a Redis instance with lack of authentication which can be used to chuck SSH keys onto the machine. Another private SSH key hides in the guts of the file system. Its passphrase can then be used to obtain user privileges and, through a CVE, privilege escalation to root.