Short Overview

The video consists of my process of enumeration and overall hacking of the machine; please use this as a walkthrough. This box consists of several vulnerabilities:

Local File Inclusion/Path traversal - The query string path= in the img.php file is vulnerable to that; with that we can download the site map that I’ve discovered using Burp.

Deserialization / PHP Object Injection - I saw that in the utils.php file, and I’ve prepared a payload for the AvatarInterface since this is the class ...