> I'm also not impressed with a carrot disclosure that looks like this. Running a python script to compromise a locally hosted instance? Bruh, you have physical hardware and host shell access. That python script could be doing anything including running as root.

> Show us the exploit hitting a remote server.

Watch out, their script works on HN too, as a proof here's me logging in to YOUR computer's root account (a bit more redacted for obvious reasons):

    $ python3 ./poc/chain_alpha.py --target dangus > out.txt
    $ grep Backdoor out.txt |  sed -r 's@[^:]+$@ [REDACTED]@g'
    [+]   Backdoor admin created: [REDACTED]
    $ grep IP out.txt |  sed -r 's@[^:]+$@ [REDACTED]@g'
    [+]   IPv4 address for dangus: [REDACTED]
    $ grep 'debug2: shell' out.txt
    [+]   debug2: shell request accepted on channel 0
    $ tail -n12 out.txt 
    ================================================================
    [+] COMMAND EXECUTION CONFIRMED!
    ================================================================
    
    Server-side output (received via SSH, with `set -x`):

      + id -u
      0
      + id -g
      0
    
    ================================================================
    $ sha256 ./poc/chain_alpha.py
    c10d28a5ff74646683953874b035ca6ba56742db2f95198b54e561523e1880d7  ./poc/chain_alpha.py

Seriously, this author comes across as an absolute sore loser if this is the PR they are referring too:

https://codeberg.org/forgejo/forgejo/pulls/12283

Someone asking you to write a test for new code and then making this blog in response is just so pathetic.