VOIDREAD
Writeups
Private writeups. Each has its own key.
SEALED

WhiteRabbit - HTB

Full walkthrough of the WhiteRabbit HTB box involving vhost enumeration, SQLi via HMAC signature spoofing, restic backup abuse, reverse engineering a password generator, and privilege escalation to root.

SEALED

Voleur - HTB

Full Domain Compromise via DPAPI Credential Theft and AD Dump

SEALED

Tombwatcher - HTB

Initial access with user credentials, SPN abuse via targetedKerberoast, GMSA password read, cross-user escalation, account takeover, and final domain compromise through restored cert_admin and Certificate Request Agent abuse.

SEALED

Soulmate - HTB

Compromising a matchmaking webapp through CrushFTP auth bypass and chaining Erlang's remote shell for privilege escalation.

SEALED

Sorcery - HTB

A brutal, multi-layered HTB box featuring Cypher injection, Docker abuse, custom CA phishing, Kafka RCE, and FreeIPA misconfigurations—culminating in full domain compromise.

SEALED

Rustykey - HTB

Full Active Directory exploitation on Rusty Key from initial access to domain admin. Includes SPN cracking, AddSelf abuse, group removals from Protected Objects, password resets via bloodyAD, DLL hijack via writable CLSID, and final ESC8 attack for Administrator access.

SEALED

Puppy - HTB

Active Directory attack chain on Puppy involving BloodHound analysis, GenericWrite abuse, KeePass file cracking, and credential manager extraction.

SEALED

Previous - HTB

Enumeration of a Next.js application leads to sensitive information disclosure and misuse of Terraform for privilege escalation.

SEALED

Planning - HTB

Initial access via admin credentials, exploit of vulnerable Grafana service, enumeration of Docker and environment variables for credentials, privilege escalation via crontab and SUID shell.

SEALED

Outbound - HTB

Initial foothold via Roundcube exploit, user access through decrypted IMAP creds, and root via sudo misconfiguration in below.

SEALED

Mirage - HTB

Windows AD lab with misconfigurations across DNS, LDAP, and certificate services, leading to full domain compromise.

SEALED

Imagery - HTB

From XSS to cookie theft, LFI for secrets, then abusing ImageMagick injection and a custom backup utility for root.

SEALED

Guardian - HTB

A university portal with weak authentication and insecure web features leads to account takeover, chained into exploiting a vulnerable PHP library and misconfigured Apache setup for full compromise.

SEALED

Fluffy - HTB

Initial access via SMB creds, BloodHound enumeration, NTLMv2 cracking, shadow credentials, and Administrator via certificate abuse.

SEALED

Expressway - HTB

Compromised Expressway HTB from VPN user to root via IKEv1 PSK and sudo privilege escalation.

SEALED

Era - HTB

Blind RCE through a custom file reader and AV evasion attempts via binary replacement.

SEALED

Environment - HTB

Initial foothold via broken remember-me parameter, preprod environment bypass, PHP webshell upload, GPG decryption for credentials, and privesc through sudo BASH_ENV bypass.

SEALED

Editor - HTB

A misconfigured content system where user access leads to unexpected control.

SEALED

DarkZero - HackTheBox Writeup

An Active Directory–based pentest scenario involving MSSQL pivoting, Kerberos abuse, and privilege escalation via CVE-2024-30085.

SEALED

Codetwo - HTB

Initial access via █████ RCE on web app → SSH as █████ (cracked creds) → npbackup-cli → root

SEALED

Cobblestone - HTB

A web-focused HTB box leveraging SQL injection and an exposed Cobbler XML-RPC API, leading to a chained privilege escalation and root access.

SEALED

Certificate - HTB

Web-to-root HTB box featuring a ZIP upload bypass with null-byte injection, credential harvesting, shadow credential attack, AD CS exploitation via SeManageVolume abuse, and full domain takeover through forged certificates.

SEALED

BigBang - HTB

Exploitation of a WordPress and Grafana setup via leaked credentials, JWT abuse on a custom APK API, and command injection in a vulnerable /send-image endpoint to gain root access.

SEALED

Artificial - HTB

An Easy-rated HTB box exploiting TensorFlow deserialization RCE to gain initial access, followed by backup abuse, password cracking, and Restic misconfig for full root compromise.