Tag: web
All the articles with the tag "web".
-
HTB Crocodile — The Credential Chain
HackTheBox Crocodile chains anonymous FTP credential disclosure into a hidden web admin login. The same structural failure shows up in agentic systems when leaked API keys legitimately authenticate into production tool-use endpoints.
-
HTB Appointment — SQL Injection Skips the Lock
HackTheBox Appointment exploits a login form that concatenates user input directly into a SQL query. One comment character silences the password check entirely — the same structural failure that makes LLM agents vulnerable to prompt injection.