🐱

HackTheBox Writeups

HackTheBox Profile Badge

30 writeups

HTB Checkpoint Complete Writeup - AD Recycle Bin Abuse, Malicious VSIX Supply Chain, BadSuccessor dMSA PrivEsc & NTDS.dit Extraction from VM Backup
Medium

HTB Checkpoint Complete Writeup - AD Recycle Bin Abuse, Malicious VSIX Supply Chain, BadSuccessor dMSA PrivEsc & NTDS.dit Extraction from VM Backup

Checkpoint is a HackTheBox Medium Windows machine running Windows Server 2025 as a Domain Controller. The attack chain starts with low-privilege credentials for alex.turner, who has WRITE access on the AD Recycle Bin container and CREATE_CHILD on the Employees OU. Restoring the deleted user mark.davies and enabling AS-REP roasting recovers reused credentials, granting WRITE on the DevDrop SMB share. A malicious VS Code extension dropped to that share is auto-installed by a scheduled task running as ryan.brooks, yielding the user flag. Privilege escalation uses ryan.brooks's CreateChild permission on the dMSA-holder OU to perform the BadSuccessor attack against svc_deploy, extracting its NT hash from the KERB-DMSA-KEY-PACKAGE Kerberos structure. svc_deploy is in BackupAccess, which grants READ on a VMBackups share containing a VHDX disk image. Mounting the image and extracting NTDS.dit with the SYSTEM hive produces the Administrator NT hash, completing a Pass-the-Hash takeover of the domain.

Author Jun 14, 2026
27 min
hackthebox htb season11 windows
HTB Connected Complete Writeup - CVE-2025-57819 FreePBX Pre-Auth RCE, PHP Webshell, Incron Abuse & fwconsole-commands Hook PrivEsc
Easy

HTB Connected Complete Writeup - CVE-2025-57819 FreePBX Pre-Auth RCE, PHP Webshell, Incron Abuse & fwconsole-commands Hook PrivEsc

Connected is a HackTheBox Easy Linux machine (CentOS 7) running FreePBX 16.0.40.7 on ports 80 and 443. The attack chain starts with CVE-2025-57819, a critical pre-authentication vulnerability that chains a PHP namespace-based authentication bypass with SQL injection in the /admin/ajax.php endpoint's brand parameter. The injected SQL plants a cron job that writes a PHP webshell to the web root within 60 seconds, landing a shell as the asterisk service account and revealing the user flag. Privilege escalation abuses incron -- a filesystem event-driven cron daemon -- which monitors /var/spool/asterisk/incron/ as root. The asterisk user can write filenames to that directory, and by crafting a filename following the module.hook.params convention and encoding a command as zlib+base64 to bypass shell metacharacter filtering, the sysadmin_manager script executes our payload as root via the api/fwconsole-commands hook, copying the root flag to the web root for retrieval.

Author Jun 7, 2026
24 min
hackthebox htb linux freepbx
HTB DevHub Complete Writeup - CVE-2026-23744 MCPJam RCE, JupyterLab WebSocket Code Execution & OPSMCP Admin Tool Abuse
Medium

HTB DevHub Complete Writeup - CVE-2026-23744 MCPJam RCE, JupyterLab WebSocket Code Execution & OPSMCP Admin Tool Abuse

DevHub is a HackTheBox Season 11 Medium Linux machine built around a developer tooling stack running entirely on localhost. The attack chain starts with CVE-2026-23744, an unauthenticated RCE in MCPJam Inspector <= 1.4.2 where crafted HTTP requests trigger MCP server installation and arbitrary command execution. From the initial shell, internal enumeration reveals a JupyterLab instance running as analyst with its auth token exposed in process arguments, exploitable via the Jupyter REST API and WebSocket kernel protocol without any browser interaction. Source code of the OPSMCP Flask API running as root contains a hardcoded API key and a hidden admin tool named ops._admin_dump. Calling this tool with the target ssh_keys argument returns root's OpenSSH private key, completing the chain from unauthenticated network access to full root.

Author May 31, 2026
13 min
hackthebox htb linux cve-2026-23744
Hackthebox Reactor Complete Writeup - CVE-2025-55182 Next.js RCE, SQLite Credential Dump, MD5 Cracking & Node.js Inspector PrivEsc
Easy

Hackthebox Reactor Complete Writeup - CVE-2025-55182 Next.js RCE, SQLite Credential Dump, MD5 Cracking & Node.js Inspector PrivEsc

Reactor is a HackTheBox Medium Linux machine running a Next.js 15.0.3 web application on port 3000. The attack chain starts with CVE-2025-55182, a critical unauthenticated RCE in Next.js that allows arbitrary command execution via a crafted React Flight payload, landing a shell as the node user. Post-exploitation reveals a SQLite database containing MD5-hashed credentials for two users. Hashcat cracks the engineer hash against rockyou.txt in seconds. Direct SSH does not work so lateral movement is achieved via su from the existing shell, recovering the user flag. Privilege escalation abuses a Node.js Inspector debug socket on localhost port 9229, using the node inspect client to execute system commands via child_process.execSync and read the root flag directly.

Author May 31, 2026
12 min
hackthebox htb linux nextjs
HTB PingPong Complete Writeup - ESC13, Cross-Domain DACL, gMSA, JEA, RBCD & ESC4→ESC1
Insane

HTB PingPong Complete Writeup - ESC13, Cross-Domain DACL, gMSA, JEA, RBCD & ESC4→ESC1

PingPong is a HackTheBox Season 10 Insane Windows machine built around a bidirectional forest trust between ping.htb (DC1) and pong.htb (DC2, hidden on 192.168.2.0/24). NTLM is disabled domain-wide - every step is Kerberos-only. The chain begins with ESC13, an ADCS vulnerability where a certificate template's issuance policy is linked to a security group via msDS-OIDToGroupLink, causing the KDC to inject the group's SID into the PAC at PKINIT time. This grants WinRM access without the user being a member of the group. From there, ownership of a cross-domain group (PING\IT owns PONG\gMSA Managers) is abused by converting the group scope to DomainLocal and adding a Foreign Security Principal, enabling ReadGMSAPassword on Pong_gMSA$. The gMSA credentials unlock a restricted JEA endpoint on DC1 that leaks c.carlssen's password from PSReadLine history, giving WinRM access to DC2 and the user flag. Privilege escalation continues through GenericWrite on svc_sql to set RBCD, S4U impersonation to obtain MSSQL sysadmin, SeImpersonatePrivilege via GodPotato to add c.carlssen to DC2 Administrators, DCSync to recover R.Martinelli (a cross-domain CA Manager), and finally ESC4 to write ESC1 conditions onto the SmartcardAuthentication template before PKINIT as Administrator@ping.htb yields the root flag.

Author Apr 26, 2026
36 min
hackthebox htb windows active-directory
HTB Logging Complete Writeup - CVE-2025-59287, Shadow Credentials & WSUS MITM
Medium

HTB Logging Complete Writeup - CVE-2025-59287, Shadow Credentials & WSUS MITM

Logging is a HackTheBox Season 10 Medium Windows machine centered around a Domain Controller running Windows Server Update Services (WSUS). The exploitation chain begins with CVE-2025-59287, an unauthenticated unsafe deserialization vulnerability in WSUS that grants remote code execution without any credentials. Credentials for svc_recovery are then discovered in an SMB log file, which after Kerberos-only authentication and clock synchronization are used to abuse GenericAll rights over the msa_health$ Managed Service Account via shadow credentials. A shell is obtained as msa_health$, from which a DLL hijack against a scheduled monitoring task yields lateral movement to jaylee.clifton. The privilege escalation pivots through a DNS spoofing attack that redirects the DC's WSUS client to a fake WSUS server, delivering a malicious executable that runs as SYSTEM.

Author Apr 19, 2026
24 min
hackthebox htb active-directory domain-controller
HTB Silentium Complete Writeup -CVE-2025-58434, CVE-2025-59528 & Gogs RCE
Easy

HTB Silentium Complete Writeup -CVE-2025-58434, CVE-2025-59528 & Gogs RCE

Silentium is a HackTheBox Season 10 machine built around a Flowise 3.0.5 AI workflow platform exposed on a staging subdomain. The exploitation chain begins with CVE-2025-58434 - an unauthenticated password reset token disclosure - to take over the ben account, then leverages CVE-2025-59528, a critical CVSS-10 JavaScript code injection flaw in the Flowise CustomMCP node, to land a shell inside the Docker container. SSH credentials are extracted from process environment variables, yielding a proper shell as ben. The privilege escalation pivots through a locally bound Gogs 0.13.3 instance vulnerable to CVE-2025-64111, a symlink bypass that allows overwriting .git/config with a poisoned sshCommand, ultimately executing commands as root.

Author Apr 14, 2026
11 min
hackthebox htb linux cve-2025-58434
Garfield HackTheBox Writeup- Hard Windows Active Directory Machine Walkthrough
Hard

Garfield HackTheBox Writeup- Hard Windows Active Directory Machine Walkthrough

A comprehensive walkthrough of the Garfield machine from HackTheBox. This Hard-difficulty Windows Active Directory machine writeup covers abusing writable ACLs to plant a malicious logon script via scriptPath, gaining code execution as l.wilson, resetting the l.wilson_adm password for lateral movement, pivoting to an internal Read-Only Domain Controller through a Ligolo tunnel, creating a fake machine account for Resource-Based Constrained Delegation, dumping the krbtgt_8245 AES256 key from RODC01 using Mimikatz, modifying the RODC password replication policy, forging an RODC Golden Ticket with Rubeus, performing a KeyList attack against DC01 to obtain a legitimate Administrator TGT, and fully compromising the domain via NTDS dump. An essential resource for penetration testers studying multi-step Active Directory exploitation chains.

Author Apr 6, 2026
16 min
hackthebox htb garfield windows
HTB DevArea Complete Writeup - CVE-2022-46364 Apache CXF LFI & HoverFly RCE
Medium

HTB DevArea Complete Writeup - CVE-2022-46364 Apache CXF LFI & HoverFly RCE

DevArea is a Medium-difficulty HackTheBox machine from Season 10 featuring an internal developer platform exposed across multiple services. The exploitation chain begins with anonymous FTP access to a leaked JAR file, which reveals an Apache CXF SOAP service vulnerable to a critical XOP/MTOM Local File Inclusion (CVE-2022-46364 / CVE-2022-46363). Reading the HoverFly systemd service file leaks admin credentials, which are used to authenticate against the HoverFly Admin API and obtain a JWT token. From there, a malicious middleware payload injected via the /api/v2/hoverfly/middleware endpoint delivers a reverse shell as dev_ryan. Privilege escalation to root exploits a world-writable /bin/bash binary combined with a sudo-permitted script to plant a root-owned SUID shell. This writeup provides a complete step-by-step walkthrough with detailed technical analysis of each exploitation stage.

Author Mar 30, 2026
17 min
hackthebox htb linux cve-2022-46364
HTB Kobold Complete Writeup — CVE-2026-23744 MCP Inspector RCE & Docker Escape
Easy

HTB Kobold Complete Writeup — CVE-2026-23744 MCP Inspector RCE & Docker Escape

Kobold is an Easy-difficulty HackTheBox machine from Season 10 built around modern AI tooling infrastructure. The attack chain begins with subdomain enumeration uncovering an MCPJam Inspector instance vulnerable to CVE-2026-23744 — a critical unauthenticated RCE in the /api/mcp/connect endpoint that allows arbitrary command execution via a crafted serverConfig payload. This delivers a reverse shell as the user ben. Privilege escalation exploits an implicit Docker group membership accessible via newgrp docker, which is leveraged to mount the host filesystem inside a root-running MySQL container and read the root flag directly — a textbook Docker socket escape. This writeup provides a complete step-by-step walkthrough with beginner-friendly explanations of each technique.

Author Mar 30, 2026
14 min
hackthebox htb linux cve-2026-23744
HTB VariaType Complete Writeup — CVE-2025-66034 & Font Exploitation
Medium

HTB VariaType Complete Writeup — CVE-2025-66034 & Font Exploitation

VariaType is a cutting-edge HackTheBox machine from Season 10 featuring a web-based variable font generator. The exploitation chain involves chaining three critical vulnerabilities—fontTools CVE-2025-66034 for initial webshell creation, FontForge CVE-2024-25081 for lateral privilege escalation to the steve user, and a setuptools PackageIndex path traversal vulnerability for root access. This writeup provides complete step-by-step instructions with detailed technical analysis of each exploit mechanism.

Author Mar 15, 2026
20 min
hackthebox htb linux cve-2025-66034
CCTV HackTheBox Writeup — Season 10 Linux Machine Walkthrough
Easy

CCTV HackTheBox Writeup — Season 10 Linux Machine Walkthrough

A comprehensive walkthrough of the CCTV machine from HackTheBox Season 10. This Medium-difficulty Linux machine writeup covers ZoneMinder default credentials, exploiting CVE-2024-51482 SQL injection to extract and crack bcrypt hashes, leveraging a tcpdump Linux capability to sniff plaintext credentials from Docker network traffic, SSH port forwarding to expose an internal MotionEye instance, and achieving root via CVE-2025-60787 remote code execution using Metasploit. A must-read for penetration testers tackling multi-step Linux exploitation chains.

Author Mar 8, 2026
16 min
hackthebox htb cctv linux
Pirate HackTheBox Writeup — Complete Season 10 Machine Walkthrough
Hard

Pirate HackTheBox Writeup — Complete Season 10 Machine Walkthrough

A comprehensive walkthrough of the Pirate machine from HackTheBox Season 10. This Hard-difficulty Windows machine writeup covers initial access with provided credentials, Active Directory enumeration, lateral movement strategies, privilege escalation techniques, and achieving SYSTEM access. Learn how to compromise this challenging HTB Windows machine with detailed methodology, practical command examples, and SEO-optimized content for cybersecurity professionals.

Author Mar 4, 2026
33 min
hackthebox htb pirate windows
Hack The Box Sorcery Writeup (Season 8) – Complete Walkthrough | Insane Linux Machine
Insane

Hack The Box Sorcery Writeup (Season 8) – Complete Walkthrough | Insane Linux Machine

Sorcery is a Medium difficulty Linux machine from Hack The Box Season 8 that focuses on web application exploitation, misconfigurations, and privilege escalation techniques. In this walkthrough, we perform full reconnaissance, identify the attack surface, exploit vulnerabilities to gain initial access, and escalate privileges to root. This guide breaks down every phase of the attack chain with practical methodology and command examples, making it ideal for penetration testers, red teamers, and HTB players preparing for real-world scenarios.

Author Feb 12, 2026
53 min
hackthebox htb hackthebox htb
Pterodactyl Hack The Box Write-Up-Medium Linux Machine Walkthrough
Medium

Pterodactyl Hack The Box Write-Up-Medium Linux Machine Walkthrough

This write-up covers the full compromise of the Pterodactyl machine from Hack The Box, a Medium-difficulty Linux challenge. It walks through initial reconnaissance, service enumeration, vulnerability discovery, exploitation paths, and the privilege escalation techniques required to achieve root access. Ideal for penetration testers and CTF players looking to sharpen real-world Linux exploitation skills and structured attack methodology.

Author Feb 9, 2026
14 min
htb hackthebox linux medium
Facts Hack The Box Writeup-Sudo Privilege Escalation via Facter (Linux)
Easy

Facts Hack The Box Writeup-Sudo Privilege Escalation via Facter (Linux)

In this walkthrough of the Facts machine from Hack The Box, we exploit a misconfigured sudo rule allowing the execution of Facter as root. By abusing Facter's --custom-dir option, we load a malicious Ruby fact file that executes with UID 0. Instead of spawning an unstable shell, we apply the SetUID bit to /bin/bash, gaining a persistent root shell via bash -p. This writeup covers enumeration, attack reasoning, exploitation mechanics, and a clean privilege escalation path to root.

Author Feb 1, 2026
9 min
htb Linux htb hackthebox
HackTheBox Gavel Walkthrough (Linux – Medium)
Medium

HackTheBox Gavel Walkthrough (Linux – Medium)

This HackTheBox Gavel writeup provides a full walkthrough for the Linux Medium machine from Season 9. it covers the entire exploitation chain, including enumeration, misconfiguration discovery, service abuse, gaining an initial foothold, and achieving root through privilege escalation. This guide is designed for learners who want a clear, realistic, attacker-focused approach to solving HTB gavel machine and improving their penetration testing skills.

Author Nov 30, 2025
5 min
pentesting htb hackthebox