8 writeups
HTB MEDIUM
Devarea
DevArea is a Linux machine hosting multiple vulnerable services. Initial access is gained through anonymous FTP revealing a JAR file vulnerable to Apache CXF SSRF (CVE-2022-46364), which exposes Hoverfly credentials in systemd service files. The Hoverfly instance is vulnerable to path traversal (CVE-2025-54123), leading to remote code execution. Privilege escalation exploits a world-writable `/bin/bash` binary combined with a passwordless sudo rule, allowing arbitrary command execution as root.
Mar 2026
HTB EASY
facts
Facts is a medium-difficulty machine that revolves around exploiting a vulnerable CMS hosted on facts.htb. Initial enumeration reveals multiple exposed services, including a web application and SSH. The key to gaining access lies in a path traversal vulnerability within the CMS, allowing authenticated users to download sensitive files. By leveraging this flaw, we can retrieve the SSH private key for the 'trivia' user, crack it, and gain initial access. From there, we can escalate privileges using a misconfigured sudo permission on the 'facter' command.
Jan 2026
HTB MEDIUM
gavel
Gavel is a medium-difficulty Linux machine that demonstrates the exploitation of a misused SQL PDO statement to achieve SQL injection and extract data from an internal database. The scenario further highlights a PHP code-injection flaw that is exploited to execute remote commands, thereby enabling initial access to the target. Privilege escalation is achieved by targeting a root-owned daemon that processes user-supplied YAML files; by submitting a crafted YAML payload, PHP code is executed within a sandboxed environment with root privileges.
Nov 2025
HTB HARD
Fries
Fries is a hard Active Directory machine on Hack The Box. It involves various techniques such as LDAP enumeration, Kerberos attacks, and SMB exploitation to gain access to the system and escalate privileges to root.
Nov 2025
HTB HARD
Nanocorp
Nanocorp is a Hard difficulty Active Directory machine that exploits CVE-2025-24054 to extract NTLM hashes via malicious .library-ms files. After gaining initial access and password cracking, privilege escalation is achieved through a Check MK Agent vulnerability by crafting a malicious MSI repair payload to execute code as SYSTEM.
Nov 2025
HTB HARD
Eighteen
Nov 2025
HTB EASY
MonitorsFour
MonitorsFour is an Active Directory machine on Hack The Box that features a vulnerable API endpoint leading to credential leakage, followed by an authenticated RCE in Cacti, and ultimately a full Docker escape via SSRF to achieve host compromise.
Nov 2025
HTB EASY
Giveback
Giveback starts with a WordPress website with a donation plugin that’s vulnerable to an RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.
Nov 2025
70 writeups
THM
TryHackMe: Sequence
Sep 2025
THM
TryHackMe: Voyage
Sep 2025
THM
TryHackMe: Extract
Aug 2025
THM
TryHackMe: Contrabando
Aug 2025
THM
TryHackMe: Soupedecode 01
Aug 2025
THM
TryHackMe: Ledger
May 2025
THM
TryHackMe: Moebius
Apr 2025
THM
TryHackMe: Robots
Mar 2025
THM
TryHackMe: Billing
Mar 2025
THM
TryHackMe: Crypto Failures
Mar 2025
THM
TryHackMe: Rabbit Store
Feb 2025
THM
TryHackMe: Decryptify
Feb 2025
THM
TryHackMe: You Got Mail
Feb 2025
THM
TryHackMe: TryPwnMe Two
Feb 2025
THM
TryHackMe: Smol
Jan 2025
THM
TryHackMe: Lo-Fi
Jan 2025
THM
TryHackMe: Light
Jan 2025
THM
TryHackMe: Silver Platter
Jan 2025
THM
TryHackMe: AoC 2024 Side Quest Two
Jan 2025
THM
TryHackMe: AoC 2024 Side Quest Three
Jan 2025
THM
TryHackMe: AoC 2024 Side Quest One
Jan 2025
THM
TryHackMe: AoC 2024 Side Quest Four
Jan 2025
THM
TryHackMe: AoC 2024 Side Quest Five
Jan 2025
THM
TryHackMe: The Sticker Shop
Dec 2024
THM
TryHackMe: Lookup
Nov 2024
THM
TryHackMe: Mouse Trap
Nov 2024
THM
TryHackMe: Hack Back
Nov 2024
THM
TryHackMe: SeeTwo
Nov 2024
THM
TryHackMe: Whiterose
Nov 2024
THM
TryHackMe: Rabbit Hole
Oct 2024
THM
TryHackMe: Mountaineer
Oct 2024
THM
TryHackMe: Extracted
Oct 2024
THM
TryHackMe: Backtrack
Oct 2024
THM
TryHackMe: Brains
Oct 2024
THM
TryHackMe: Pyrat
Oct 2024
THM
TryHackMe: K2
Sep 2024
THM
TryHackMe: The London Bridge
Sep 2024
THM
TryHackMe: Cheese CTF
Sep 2024
THM
TryHackMe: Breakme
Sep 2024
THM
TryHackMe: CERTain Doom
Sep 2024
THM
TryHackMe: TryPwnMe One
Sep 2024
THM
TryHackMe: Hammer
Aug 2024
THM
TryHackMe: U.A. High School
Aug 2024
THM
TryHackMe: Block
Aug 2024
THM
TryHackMe: Injectics
Jul 2024
THM
TryHackMe: DX2: Hell's Kitchen
Jul 2024
THM
TryHackMe: New York Flankees
Jul 2024
THM
TryHackMe: NanoCherryCTF
Jul 2024
THM
TryHackMe: Publisher
Jun 2024
THM
TryHackMe: W1seGuy
Jun 2024
THM
TryHackMe: mKingdom
Jun 2024
THM
TryHackMe: Airplane
Jun 2024
THM
TryHackMe: Include
Jun 2024
THM
TryHackMe: CyberLens
May 2024
THM
TryHackMe: Whats Your Name?
Apr 2024
THM
TryHackMe: TriCipher Summit
Apr 2024
THM
TryHackMe: Burg3r Bytes
Apr 2024
THM
TryHackMe: Creative
Apr 2024
THM
TryHackMe: Bypass
Apr 2024
THM
TryHackMe: Clocky
Apr 2024
THM
TryHackMe: El Bandito
Mar 2024
THM
TryHackMe: Hack Smarter Security
Mar 2024
THM
TryHackMe: Chrome
Mar 2024
THM
TryHackMe: Exfilibur
Feb 2024
THM
TryHackMe: Breaking RSA
Feb 2024
THM
TryHackMe: Kitty
Feb 2024
THM
TryHackMe: Reset
Jan 2024
THM
TryHackMe: Umbrella
Jan 2024
THM
TryHackMe: WhyHackMe
Jan 2024
THM
TryHackMe: Dodge
Jan 2024