cve

Beyond CRTO: pwnlift

TL;DR While working through CRTO, I found pwnlift exposed through passwordless sudo on the team server VM. The upload handler permitted arbitrary file write as root via symlink traversal, and the first

Why Infra Pentests Suck

Let's call him Marco. We were both at the same consultancy, a few years into pentesting, stuck on site together at a client. I was mid-level, still figuring shit out