red-team

Beyond CRTO: Skillable

TL;DR While working on the RTO course tooling, I found Skillable’s SCORM lab launch path trusted a userId the browser supplies for allocation, while validating only the SCORM token. Changing that

Beyond CRTO: pwnlift

TL;DR While working through CRTO, I found pwnlift exposed through passwordless sudo on the team server VM. The upload handler permitted arbitrary file write as root via symlink traversal, and the first