Writeups
The Archive
Machines, fortresses, challenges & CTF solutions.
HackTheBox: Altered
A Hard Linux Laravel box: username enumeration and an X-Forwarded-For rate-limit bypass let wfuzz brute-force the 4-digit reset PIN, a type-juggling SQL injection in the profile API dumps the database and writes a PHP webshell via INTO OUTFILE for a www-data shell, then a vulnerable 5.16 kernel falls to Dirty Pipe (CVE-2022-0847) for root.
HackTheBox: Craft
A Linux box: a public Gogs repo leaks Dinesh's credentials and an eval() injection in the craft-api beer endpoint gives RCE inside a Docker container, the database yields Gilfoyle's login, a private repo holds his SSH key, and a HashiCorp Vault SSH OTP backend issues a root login.
HackTheBox: Administrator
A Windows DC compromised by chaining ACL misconfigurations: from Olivia, BloodHound maps GenericAll and ForceChangePassword edges to Michael and Benjamin, an FTP-hosted Password Safe backup cracks open, a password spray lands Emily over WinRM, then targeted Kerberoasting of Ethan and DCSync rights dump the Administrator hash.
HackTheBox: Authority
A Windows DC: cracked Ansible-vault credentials from an SMB share open a PWM config panel whose LDAP test leaks cleartext creds for svc_ldap, then a vulnerable AD CS template (ESC1), a fake computer account, Pass-the-Cert and RBCD escalate to the Administrator hash.
HackTheBox: BroScience
A Medium Linux box: a double-URL-encoded LFI in img.php leaks source revealing a time-seeded activation-code generator, an ffuf timestamp brute-force activates an account, a PHP deserialisation gadget chain plus session-file poisoning give a www-data shell, cracked PostgreSQL creds reach bill over SSH, and a root cron running renew_cert.sh injects through an unsanitised OpenSSL Common Name for root.
HackTheBox: Editorial
An Easy Linux box where one SSRF cascades to root: a Cover URL field fetches internal services, an SSRF port scan finds an internal API on 5000 leaking dev's SSH credentials, git history exposes the prod password, and a sudo GitPython script (CVE-2022-24439) runs an ext:: URL through sh for a root shell.
HackTheBox: Ghost
An Insane Windows AD box: LDAP injection leaks a Gitea token, source review yields path-traversal and command-injection bugs for a Docker root shell, then Kerberos ticket theft, a fake DNS record for NTLMv2 capture, a gMSA password read, a Golden SAML forge against ADFS, a linked-MSSQL pivot and a cross-domain Golden Ticket with Extra SIDs fully compromise both domains.
HackTheBox: Imagery
A Medium Linux Flask box: a blind XSS in the bug-report form steals the admin session cookie, an admin arbitrary-file-read pulls source revealing a hidden ImageMagick transform endpoint, command injection in the crop width lands a web shell, an AES-encrypted backup cracks to reveal mark's hash, and a sudo-privileged Charcol CLI schedules a root cron to SUID bash.
HackTheBox: Jeeves
A standalone Windows box: an open Jenkins instance on a high port runs a Groovy script for a shell as kohsuke, a cracked KeePass database yields an NTLM hash, Pass-the-Hash gives Administrator, and the root flag hides in an NTFS alternate data stream.
HackTheBox: Media
A Windows XAMPP box: a job-application upload form is weaponised with a malicious Windows Media Player file to capture enox's NTLMv2 hash via Responder, then an NTFS junction redirects an upload into the Apache web root for a webshell, and SeTcbPrivilege adds enox to Administrators.
HackTheBox: Pollution
A Hard Linux box: a leaked Burp history file in a MyBB forum exposes an admin token, an XXE in the admin panel reads files to crack an .htpasswd hash, a Redis session write bypasses the developers login, a PHP filter-chain LFI gives a www-data shell, a FastCGI attack on php-fpm pivots to victor, and lodash prototype pollution in a root Node.js API escalates to root.
HackTheBox: Pov
A Windows box: a path-traversal read leaks the ASP.NET machineKey from web.config, forged ViewState deserialization (ysoserial.net) gives a shell as sfitz, a DPAPI-encrypted connection.xml yields alaading, then SeDebugPrivilege is abused with psgetsys to impersonate winlogon for SYSTEM.
HackTheBox: Redelegate
A Windows DC: anonymous FTP exposes a KeePass vault cracked to a season password, MSSQL RID brute-forcing enumerates users, a password spray lands Marie.Curie, ForceChangePassword reaches Helen.Frost, and SeEnableDelegationPrivilege plus GenericAll over FS01$ set up constrained delegation (S4U2Proxy) to impersonate the DC and DCSync the Administrator hash.
HackTheBox: Reset
An Easy Linux box: a password-reset endpoint leaks the new password, an admin-dashboard LFI plus Apache access.log poisoning via the User-Agent header gives a www-data shell, Rservices trust in /etc/hosts.equiv lets rlogin pivot to sadm, and a detached tmux session leaks the sudo password to escalate through nano's execute-command GTFOBin to root.
HackTheBox: Snoopy
A Linux box: an LFI on /download leaks the Bind9 TSIG key to hijack DNS and add a mail record, a Mattermost password reset is intercepted via Postfix, an SSH-honeypot plugin captures cbrown's creds, a sudo git apply symlink writes an SSH key for sbrown, and a ClamAV XXE (CVE-2023-20052) leaks root's SSH key.
HackTheBox: StreamIO
A Windows box mixing web and AD: a SQL injection on search.php dumps and cracks user hashes, an LFI/RFI chain gives an IIS shell, a backup database cracks nikk37 for WinRM, decrypted Firefox passwords yield JDgodd, and WriteOwner over CORE STAFF reads a LAPS password for Administrator.
HackTheBox: TombWatcher
A Windows DC of pure AD permission abuse: from henry, WriteSPN targets alfred for Kerberoasting, INFRASTRUCTURE membership reads a gMSA password, a ForceChangePassword/WriteOwner/GenericAll chain reaches john over WinRM, then restoring a deleted cert_admin from the AD Recycle Bin and an ESC15 certificate template give Administrator.
HackTheBox: Voleur
An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.
HackTheBox: VulnCicada
A Windows DC where the first credential hides in an image on a public NFS share, and with NTLM disabled an ESC8 (ADCS HTTP web enrollment) attack requires Kerberos relaying: coerce the DC, relay to /certsrv for a machine-account certificate, then DCSync the Administrator hash. Covers both the Linux (bloodyAD/certipy) and Windows (RemoteKrbRelay) methods.
HackTheBox: Connected
A Linux FreePBX appliance: an unauthenticated SQL injection in the Endpoint Manager module (CVE-2025-57819) bypasses auth and reaches a SQL sink, abused to create an admin or inject a reverse shell job for a shell as asterisk, then a root incron HA hook that includes a PHP file from an asterisk-writable webroot is hijacked to run code as root.
HackTheBox: Postman
An Easy Linux box: an unauthenticated Redis 4.x instance writes an SSH key into the redis user's authorized_keys for a foothold, an encrypted /opt/id_rsa.bak cracks to computer2008 to reach Matt via su, and Webmin 1.910 falls to CVE-2019-12840 command injection (running as root) for a root shell.
HackTheBox: Trick
An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael, and a writable fail2ban action plus a passwordless sudo restart escalates to root.
Critical Ops
An HTB web challenge: the app shipped its JWT signing key in the client-side bundle, so reading it from DevTools let me forge an admin token, hit a privileged endpoint and grab the flag.
HackTheBox: Fluffy
An assumed-breach Windows AD box: steal a second user's NTLM hash with CVE-2025-24071, map ACLs in BloodHound, abuse GenericAll/GenericWrite with bloodyAD + Certipy shadow credentials to reach winrm_svc, then exploit an ADCS ESC16 misconfiguration to impersonate the Administrator.
HackTheBox: Support
An Easy Windows AD box, reverse-engineering a custom .NET binary to recover LDAP credentials, looting a plaintext password from an AD info attribute, then chaining GenericAll → RBCD to impersonate Administrator for SYSTEM.
HTB Fortress: Akerva
An 8-flag HTB Fortress, leaking a backup script over SNMP, bypassing auth with HTTP verb tampering, abusing a Flask LFI to forge the Werkzeug debugger PIN for RCE, then PwnKit to root and a Vigenère-encrypted final flag.
HackTheBox: Helix
A Medium Linux box, abusing an exposed Apache NiFi instance for RCE through H2 SQL aliases, recovering an SSH key from a support bundle, then driving an OPC UA / ICS reactor over an SSH tunnel to open a privileged maintenance window and reach root.
byp4ss3d, picoMini by CMU-Africa
Bypassing a file upload filter on Apache by abusing .htaccess to execute a PHP webshell disguised as a JPEG, achieving full RCE and reading the flag.