HTB Machine Write-ups
Editor
This box starts with an outdated XWiki instance on Jetty, vulnerable to CVE-2025-24893, which provides a straightforward unauthenticated RCE via Groovy payload injection in a crafted RSS request. Once I gained code execution, I caught a reverse sh...
Era
The Era machine was an enjoyable mix of enumeration and web exploitation, topped off with a creative abuse of PHP wrappers. After spotting limited open ports (FTP and HTTP), the real action began with virtual host fuzzing, which revealed a file-sh...
Mirage
I immediately noticed that an NFS server was running on the Mirage Windows Server — unusual on its own — and further inspection revealed two files being shared. The first mentioned that the company was in the process of phasing out NTLM authentica...
Outbound
I began Outbound by accessing the Roundcube Webmail interface using Tyler’s credentials. The server was running Roundcube Webmail 1.6.10, which is vulnerable to CVE-2025-49113, a Post-Authentication Remote Command Execution (RCE) flaw. Leveraging...
RustyKey
During the assessment, I began by performing timeroasting against the rustykey.htb SNTP service. This technique yielded hashes for several computer accounts, including IT-Backup3$, whose hash was cracked within seconds. Using this, I requested a K...
Voleur
I played the thief (Voleur) in this box and walked away with passwords and secrets: a password-protected Excel file, password hashes, DPAPI-protected credentials and an SSH private key. The chain started with read access to an IT share. That shar...
Artificial
The artificial.htb web application was vulnerable to CVE-2024-3660 in TensorFlow Keras. By uploading a crafted AI model, I triggered the flaw and achieved remote code execution, landing a reverse shell as the app user. An SQLite backend contained...
TombWatcher
TombWatcher was an interesting machine, focusing heavily on AD ACE abuse through a complex attack chain and ADCS escalation using ESC15. The AD ACE attack chain kicked off with Henry Kerberoasting Alfred. Alfred’s password was laughably weak,...
Puppy
Using the supplied engagement credentials, I ran a BloodHound collector against the target Active Directory domain. A BloodHound query revealed an attack path: the user Levi could add himself to the DEVELOPERS group, which granted access to the DE...
Fluffy
An Upgrade Notice document found on a file share contained some information about discovered vulnerabilities in the environment. One of these vulnerabilities was CVE-2025-24071. An exploit Proof of Concept (PoC) generated a malicious zip file, w...
Planning
In this box, I infiltrate an education-themed platform where outdated software and misconfigurations give way to total system compromise. I start with access to a hidden Grafana dashboard vulnerable to CVE-2024-9264, which grants a root shell—but...
Environment
A hidden /login page on the Environment web server exposed an SQL injection vulnerability in the remember parameter. The error messages were overly verbose and even revealed a code snippet showing that authentication could be bypassed by simply sw...
TheFrizz
An outdated Gibbon Learning Management System vulnerable to CVE-2023-45878 allowed me to gain unauthenticated RCE access as w.webservice. The sha256 password hash and salt for user Fiona Frizzle were exfiltrated from the MySQL database. The passw...
Nocturnal
Nocturnal starts off slow and quiet — just SSH and HTTP on the radar. But behind the sleepy facade lies a custom file-sharing platform full of secrets and bad decisions. I abused a classic Insecure Direct Object Reference (IDOR) to enumerate user...
Code
A tiny Python “scratch‑pad” exposed on port 5000 turned out to be a full‑blown shell dispenser. Enumeration showed only SSH and a Flask + Gunicorn Python Code Editor web app. Although the devs blocked obvious strings like import, exec, and subpro...
Cypher
“Cypher” was an interesting box that blended web exploitation, graph database query injection, and privilege escalation through a misconfigured tool. The initial foothold was established through Cypher Injection in the login API, which enabled fo...
Dog
In the “Dog” machine on Hack The Box, I went sniffing around a poorly secured .git directory and followed the trail all the way to root. Starting with just two open ports, I dug through the exposed Git repo and uncovered credentials hardcoded in ...
Cat
The Cat machine was a multi-stage challenge blending classic web vulnerabilities with subtle post-exploitation pivots. The initial foothold came from something many devs overlook—a publicly exposed .git directory. This gifted me the full site so...
Haze
The Haze machine was compromised by exploiting a chain of vulnerabilities, starting with a Splunk path traversal (CVE-2024-36991), which allowed the retrieval of sensitive files and revealed an LDAP bind password for paul.taylor. This granted ini...