# Medium

- [Magic](/notes/writeups/hack-the-box/linux-machines/medium/magic.md): SQL injection, PHP reverse shell upload, mysqldump and PATH injection
- [UpDown](/notes/writeups/hack-the-box/linux-machines/medium/updown.md): LFI to RCE using PHAR files while bypassing disabled\_functions, followed by abuse of SUID and sudo.