Command-Injection

A full walkthrough of the Hack The Box machine “Precious” — from enumeration to exploitation, including a clever pdfkit command injection and Ruby YAML deserialization for root. With shell stabilisation and some VPN drama on the side.

In this university exam practice VM, I explored file upload handling, discovered a separate file inclusion point, and chained it with an uploaded webshell to gain remote command execution.

From basic payloads to protected and self-destructing shells — a hands-on journey upgrading your webshells for stealth, power, and style.

After exploring XSS in Part 1, we now dive into server-side command injection, shell behavior, piping, and classic reverse shell tactics.