Writeups

HackTheBox and CTF walkthroughs with practical methodology and evidence.

20 writeups

Writeup • 2026-06-24

HTB - Checkpoint

Pre-supplied credentials for alex.turner expose writable ACLs across the domain, including WRITE over a tombstoned user, Mark Davies. The deleted object is reanimated and the alex.turner password is reused to gain write access to the DevDrop SMB share, a drop point for approved VS Code .vsix packages. A malicious extension with an onStartupFinished reverse shell is uploaded and auto-executed in the context of ryan.brooks, yielding the user flag. From ryan.brooks a tgtdeleg TGT is extracted with Rubeus and used to run a BadSuccessor (dMSA) abuse against svc_deploy — a member of BackupAccess — recovering its Kerberos keys. The svc_deploy hash unlocks the VMBackups share, which stores a VMware memory snapshot. Volatility 3 dumps the SAM from the .vmem image, exposing the Administrator NT hash, and pass-the-hash over WinRM completes full domain compromise.

Locked • OS: windows • Difficulty: medium • Tags: smb-enumeration, ldap-acl

Writeup • 2026-06-24

HTB - Nimbus

An unauthenticated YAML job submitter exposes a server-side request forgery primitive. The submitter only requires the fetched URL to end in .yaml and blocks the IMDS IP as a literal string, so an inet_aton octal-encoded address (0251.0376.0251.0376) plus a ?t=temp.yml suffix reaches the EC2 Instance Metadata Service and leaks the nimbus-web-role temporary credentials. Those credentials drive a LocalStack-style AWS endpoint where the SQS nimbus-jobs queue feeds a worker that parses messages with yaml.load and runs the job script through python3 — a reverse shell yields user as worker. The worker container carries long-term AWS keys that can reach a floci/LocalStack CodeBuild service; a privileged CodeBuild project (privilegedMode) combined with a BASH_FUNC_id%% function-injection bypass and a core_pattern container escape reads /root/root.txt from the host for full compromise.

Locked • OS: linux • Difficulty: hard • Tags: ssrf, ec2-imds
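The octal-address bypass in the Nimbus summary is worth seeing side by side with a filter that survives it. The block below is an added example, not code from the writeup or from the target application: it assumes the submitter's check was a suffix test on the raw URL string plus a literal-string blocklist for 169.254.169.254 (the summary implies this shape but shows no code), and contrasts it with a check that parses the URL, applies the suffix rule to the path only, normalises the host with inet_aton (which accepts octal, hex, decimal and short dotted forms) and rejects any non-global address. The sample URLs are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

IMDS_IP = "169.254.169.254"
YAML_SUFFIXES = (".yaml", ".yml")


def naive_allows(url: str) -> bool:
    """Assumed shape of the broken submitter check (not the real code):
    suffix test on the raw string plus a literal blocklist for the IMDS IP.
    A query string satisfies the suffix test and an octal host dodges the
    blocklist."""
    return url.endswith(YAML_SUFFIXES) and IMDS_IP not in url


def canonical_ipv4(host: str):
    """Normalise anything the C inet_aton parser accepts (0251.0376.0251.0376,
    0xa9fea9fe, 2852039166, 169.254.43518) to a dotted quad.
    Returns None for hostnames and IPv6 literals, which inet_aton rejects."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def hardened_allows(url: str) -> bool:
    """Parse first, then decide on the normalised host, never on the raw text."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    # Suffix rule on the path component only: ?t=temp.yml no longer counts.
    if not parts.path.endswith(YAML_SUFFIXES):
        return False
    ip = canonical_ipv4(parts.hostname)
    if ip is None:
        # Example accepts IP literals only. A production filter would resolve
        # the name and pin the resolved address for the actual fetch so that
        # DNS rebinding cannot swap it for 169.254.169.254 after the check.
        return False
    addr = ipaddress.ip_address(ip)
    # is_global is False for link-local (IMDS), loopback, RFC1918 and reserved
    # ranges, so every inet_aton spelling of the IMDS address is rejected.
    return addr.is_global


if __name__ == "__main__":
    # Constructed sample: the shape of the request described in the summary.
    probe = ("http://0251.0376.0251.0376/latest/meta-data/iam/"
             "security-credentials/nimbus-web-role?t=temp.yml")
    for spelling in ("0251.0376.0251.0376", "0xa9fea9fe", "2852039166",
                     "169.254.43518", IMDS_IP):
        print(f"{spelling:>22} -> {canonical_ipv4(spelling)}")
    print("naive_allows(probe)    =", naive_allows(probe))
    print("hardened_allows(probe) =", hardened_allows(probe))
    print("hardened_allows(public)=",
          hardened_allows("http://93.184.216.34/jobs/build.yaml"))
```

The practical takeaway is the order of operations: blocklisting a string before the URL is parsed and the host resolved leaves every alternative IP spelling open, and a suffix rule on the whole URL is defeated by anything after the `?`. Checking the normalised address against `is_global` is a denylist-free way to cover link-local, loopback and private ranges at once.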

Writeup • 2026-06-24

Shutlock - Intro / Start

Shutlock's intro challenge: a mission image hides a second image appended after the IEND chunk (revealing an agent User-Agent), while the classified document conceals a Vigenère-encrypted URL. The key SHUTLOCK decrypts both the endpoint and a password; replaying the User-Agent and password through curl yields a connect.sid session cookie that unlocks the mission dashboard and its 8 challenges.

Locked • OS: web • Difficulty: easy • Tags: stegano, binwalk

Writeup • 2026-06-08

HTB - Connected

An unauthenticated remote code execution vulnerability in FreePBX's Endpoint Manager module (CVE-2025-57819) provides an initial foothold as the asterisk user. Privilege escalation to root is achieved by tampering with a FreePBX module's hook script, recalculating its SHA-256 signature to bypass the module's integrity verification, and triggering execution of the forged hook through an incron-monitored spool directory.

Locked • OS: linux • Difficulty: easy • Tags: freepbx, cve-2025-57819

Writeup • 2026-05-30

HTB - DevHub

MCPJam Inspector RCE (same CVE as Kobold) gives initial shell as mcp-dev. JupyterLab token leaked from /proc cmdline enables WebSocket kernel execution to pivot to analyst. Hardcoded API key in OPSMCP source exposes a hidden credential dump tool that returns the root SSH private key.

Locked • OS: linux • Difficulty: medium • Tags: cve, mcp

Writeup • 2026-05-24

HTB - EscapeTwo

Initial credentials expose an SMB share containing Excel files that leak MSSQL service-account credentials. Authenticating as sa enables xp_cmdshell, yielding RCE as sql_svc. A plaintext password found in an installation INI file is reused by the ryan account, granting WinRM access and the user flag. Ryan holds WriteOwner over the ca_svc service account, which is abused to add GenericAll, perform a Shadow Credentials attack to recover ca_svc's NT hash, and discover an ESC4-vulnerable ADCS template. Rewriting the template as ESC1 and requesting a certificate for the administrator UPN produces a PFX from which the administrator hash is extracted, completing the domain compromise.

OS: windows • Difficulty: easy • Tags: smb-enumeration, mssql

Writeup • 2026-05-23

HTB - Reactor

A Next.js application on port 3000 is vulnerable to CVE-2025-55182, a prototype pollution flaw that leads to remote code execution. RCE is used to read a local SQLite database containing MD5-hashed credentials; the engineer account hash cracks to a reused SSH password. A Node.js inspector process running as root on a loopback port is abused via the Chrome DevTools Protocol to execute arbitrary JavaScript in the root context, setting the SUID bit on bash for a privileged shell.

Locked • OS: linux • Difficulty: easy • Tags: nextjs, cve-2025-55182

Writeup • 2026-05-21

HTB - Cicada

Guest SMB access exposes an HR share containing a default password in a staff notice. RID brute-force enumerates domain users, and a password spray yields initial access as michael.wrightson. LDAP user enumeration reveals a second password stored in david.orelious's account description. His access to the DEV share exposes a PowerShell backup script containing emily.oscars's credentials. Emily's membership in Remote Management Users grants a WinRM foothold. Her Backup Operators membership is abused to snapshot the C volume via VSS, extract NTDS.dit, and dump the Administrator NTLM hash for a pass-the-hash login.

OS: windows • Difficulty: easy • Tags: smb-enumeration, rid-brute

Writeup • 2026-05-11

HTB - Reset

An unauthenticated password-reset endpoint discloses a new password for the admin account, granting access to a dashboard that exposes a file-read LFI via a path parameter. Poisoning the Apache access log with a PHP payload in the User-Agent header yields RCE as www-data. Lateral movement to sadm is achieved through the legacy rlogin service on port 513. Privilege escalation abuses an attached tmux session combined with a sudo rule on nano, which permits spawning a root shell via nano's command-execution feature.

OS: linux • Difficulty: easy • Tags: password-reset, lfi

Writeup • 2026-05-07

HTB - Manage

JMX exposed over Java RMI allows unauthenticated enumeration and a remote shell via beanshooter's TonkaBean. A backup archive leaks an SSH private key and a Google Authenticator seed, enabling lateral movement to useradmin. A sudo rule permits adduser with a regex loose enough to allow creating a user named "admin"; adduser's per-user-group behaviour places that account in the admin group, which carries sudo rights, granting full root escalation.

OS: linux • Difficulty: easy • Tags: jmx, rmi

Writeup • 2026-04-21

HTB - Principal

CVE-2026-29000 in pac4j-jwt 6.0.3 allows forging an unsigned JWT wrapped in JWE to bypass authentication. API settings leak an SSH deployment password. The svc-deploy user reads a CA private key via group membership, enabling SSH certificate forgery to authenticate as root.

OS: linux • Difficulty: medium • Tags: cve, pac4j

Writeup • 2026-04-20

HTB - Logging

AD enumeration, DLL hijack via scheduled task, then WSUS MITM to escalate to SYSTEM.

Locked • OS: windows • Difficulty: hard • Tags: enum, smb

Writeup • 2026-04-17

CTF pwn - Temporal

RCE via libc leak and function pointer overwrite

OS: linux • Difficulty: easy • Tags: pwn, buffer-overflow

Writeup • 2026-04-17

CTF web - Magic Link

Exposed .env and predictable magic-link token flow

OS: web • Difficulty: easy • Tags: web, misconfiguration

Writeup • 2026-03-22

HTB - Kobold

MCPJam Inspector RCE gives initial shell. PrivateBin LFI leaks MySQL creds which reuse into an Arcane Docker management API, then a privileged container escape reads root.txt.

Locked • OS: linux • Difficulty: medium • Tags: cve, lfi

Writeup • 2026-03-15

HTB - VariaType

Git repo exposed on portal leaks credentials. LFI with path traversal bypass leads to fonttools arbitrary file write (webshell). Fontforge pickle deserialization gives lateral movement, then CVE-2025-47273 setuptools path traversal writes SSH key as root.

Locked • OS: linux • Difficulty: medium • Tags: git, lfi

Writeup • 2026-02-22

HTB - Interpreter

Mirth Connect 4.4.0 RCE via CVE-2023-43208. Database credentials reveal a Flask notification service with an eval() injection in a timestamp field that runs as root.

OS: linux • Difficulty: medium • Tags: cve, mirth

Writeup • 2026-02-15

HTB - WingData

Wing FTP null-byte RCE, SHA-256 hash crack for lateral movement, then CVE-2025-4517 tarfile PATH_MAX bypass to write a cron job as root.

Locked • OS: linux • Difficulty: medium • Tags: cve, ftp

Writeup • 2026-02-12

HTB - Pterodactyl

Path traversal in Pterodactyl Panel leaks database credentials. Pearcmd LFI converts to RCE, bcrypt hash cracking gives SSH access, then CVE-2025-6019 (udisks XFS resize without nosuid) escalates to root.

OS: linux • Difficulty: hard • Tags: cve, lfi

Writeup • 2026-02-01

HTB - Overwatch

.NET decompilation leaks hardcoded MSSQL creds and a command injection. ADIDNS poisoning redirects a linked server to a rogue MSSQL and captures cleartext credentials, then a WCF SOAP injection runs as SYSTEM.

OS: windows • Difficulty: hard • Tags: dotnet, mssql