THM: Archangel is fun easy box that has involves one of my favorite techniques: escalating LFI to RCE by poisoning a log file. Once we have a shell we’ll take advantage of open permissions on a file running as cronjob to pivot to another user. And we’ll finish with a path injection attack to root the box.

Dogcat involves one of my favorite techniques: log file poisoning. We’ll start by enumerating a webapp and finding a LFI bug. Then we can poison the web server’s logs to escalate the LFI to RCE and pop a user shell. From there, getting root is almost too easy. That’s because we’ll find ourselves inside a Docker container, and the final challenge will be escaping to a root shell on the host.