HTB Machine Write-ups
Voleur
I played the thief (Voleur) in this box and walked away with passwords and secrets: a password-protected Excel file, password hashes, DPAPI-protected credentials and an SSH private key. The chain started with read access to an IT share. That shar...
Artificial
The artificial.htb web application was vulnerable to CVE-2024-3660 in TensorFlow Keras. By uploading a crafted AI model, I triggered the flaw and achieved remote code execution, landing a reverse shell as the app user. An SQLite backend contained...
TombWatcher
TombWatcher was an interesting machine, focusing heavily on AD ACE abuse through a complex attack chain and ADCS escalation using ESC15. The AD ACE attack chain kicked off with Henry Kerberoasting Alfred. Alfred’s password was laughably weak,...
Puppy
Using the supplied engagement credentials, I ran a BloodHound collector against the target Active Directory domain. A BloodHound query revealed an attack path: the user Levi could add himself to the DEVELOPERS group, which granted access to the DE...
Fluffy
An Upgrade Notice document found on a file share contained some information about discovered vulnerabilities in the environment. One of these vulnerabilities was CVE-2025-24071. An exploit Proof of Concept (PoC) generated a malicious zip file, w...
Planning
In this box, I infiltrate an education-themed platform where outdated software and misconfigurations give way to total system compromise. I start with access to a hidden Grafana dashboard vulnerable to CVE-2024-9264, which grants a root shell—but...
Environment
A hidden /login page on the Environment web server exposed an SQL injection vulnerability in the remember parameter. The error messages were overly verbose and even revealed a code snippet showing that authentication could be bypassed by simply sw...
TheFrizz
An outdated Gibbon Learning Management System vulnerable to CVE-2023-45878 allowed me to gain unauthenticated RCE access as w.webservice. The sha256 password hash and salt for user Fiona Frizzle were exfiltrated from the MySQL database. The passw...
Nocturnal
Nocturnal starts off slow and quiet — just SSH and HTTP on the radar. But behind the sleepy facade lies a custom file-sharing platform full of secrets and bad decisions. I abused a classic Insecure Direct Object Reference (IDOR) to enumerate user...
Code
A tiny Python “scratch-pad” exposed on port 5000 turned out to be a full-blown shell dispenser. Enumeration showed only SSH and a Flask + Gunicorn Python Code Editor web app. Although the devs blocked obvious strings like import, exec, and subpro...
Cypher
“Cypher” was an interesting box that blended web exploitation, graph database query injection, and privilege escalation through a misconfigured tool. The initial foothold was established through Cypher Injection in the login API, which enabled fo...
Dog
In the “Dog” machine on Hack The Box, I went sniffing around a poorly secured .git directory and followed the trail all the way to root. Starting with just two open ports, I dug through the exposed Git repo and uncovered credentials hardcoded in ...
Cat
The Cat machine was a multi-stage challenge blending classic web vulnerabilities with subtle post-exploitation pivots. The initial foothold came from something many devs overlook—a publicly exposed .git directory. This gifted me the full site so...
Haze
The Haze machine was compromised by exploiting a chain of vulnerabilities, starting with a Splunk path traversal (CVE-2024-36991), which allowed the retrieval of sensitive files and revealed an LDAP bind password for paul.taylor. This granted ini...