Eighteen — HackTheBox Writeup

Eighteen is a Windows Server 2025 Domain Controller that chains a creative MSSQL impersonation attack with a web app credential harvest to gain an initial foothold, then exploits BadSuccessor (CVE-2025-53779) — a novel Active Directory privilege escalation abusing delegated Managed Service Accounts — to achieve full domain compromise. What makes this box particularly instructive is how many standard Windows privesc paths are deliberately closed off, forcing you to understand cutting-edge AD attack primitives rather than reaching for familiar tools. ...

February 27, 2026 · 9 min · Logan Dawson

Pterodactyl — HackTheBox Writeup

Pterodactyl is a Linux box built around a real-world attack chain: an unauthenticated LFI vulnerability in the Pterodactyl Panel game server management software leads to RCE, credential extraction, and ultimately root through a pair of freshly disclosed SUSE-specific udisks2 privilege escalation CVEs. It’s a satisfying box because every step has a meaningful “why” behind it — nothing is arbitrary.

Overview

The box hosts a Minecraft server homepage alongside a Pterodactyl Panel installation. Enumeration surfaces a misconfigured phpinfo.php that reveals the exact PHP configuration needed for a PEAR-based RCE chain. After exploiting CVE-2025-49132 (unauthenticated LFI in the panel) to pivot to RCE, we dump database credentials, crack a user’s bcrypt hash, and SSH in. From there, a two-CVE chain targeting udisks2 on OpenSUSE — PAM environment injection to trick Polkit, followed by a SUID binary race on a temporary mount — hands us root. ...

February 26, 2026 · 10 min · Logan Dawson

MonitorsFour

MonitorsFour is a medium-difficulty Windows box running WSL2 with Docker Desktop — a setup that makes the attack chain distinctly layered. The path runs from web enumeration through an authenticated Cacti RCE, into a Docker container, and finally out to the Windows host via an unauthenticated Docker API. Each pivot requires a slightly different mindset, which is what makes this box a great exercise in chained exploitation.

Reconnaissance

Port Scanning

Starting with a standard nmap scan against the target: ...

February 6, 2026 · 7 min · Logan Dawson

Appointment

A deceptively simple box that proves sometimes the oldest tricks in the book are the most effective. Appointment is a single-page web challenge centered entirely on a PHP login form vulnerable to SQL injection authentication bypass — no rabbit holes, no pivoting, just clean exploitation of a classic vulnerability.

Overview

Appointment runs a bare-bones Apache web server with a PHP login form as its only attack surface. The goal is straightforward: bypass authentication using SQL injection to retrieve the flag. It’s a great box for internalizing why SQL injection works, not just how to use it. ...

February 1, 2026 · 4 min · Logan Dawson

Crocodile — HackTheBox Writeup

Crocodile is a very easy Linux box that demonstrates how anonymous FTP access can expose credentials that unlock a web application login. The attack chain is short but teaches a fundamental methodology: always enumerate every open service, because sensitive information on one port can become your key into another.

Reconnaissance

I started with a service-version scan to understand what was running on the target:

nmap -sV -sC <TARGET>

...

February 1, 2026 · 3 min · Logan Dawson

Responder — HackTheBox Writeup

Responder is a Very Easy Windows box that chains a classic Local File Inclusion vulnerability with NTLM hash capture to gain a foothold via WinRM. It’s an excellent introduction to how Windows authentication can be weaponized against itself when a server blindly follows UNC paths.

Overview

The attack path here is beautifully simple once you see it: a PHP web application has an LFI vulnerability in its language selector, Windows will attempt NTLM authentication when it tries to access a UNC path, and we’re sitting there with Responder ready to catch the hash. Crack the hash, log in over WinRM, read the flag. Along the way I hit a firewall issue that was a useful reminder about VPN interface trust zones — more on that later. ...

February 1, 2026 · 5 min · Logan Dawson

Sequel

Sometimes the simplest misconfiguration is the most damaging. Sequel is a very easy Linux box that exposes a MariaDB instance with no root password — no exploits required, just knowing to try the door before assuming it’s locked.

Overview

This box runs a single service: MySQL/MariaDB on port 3306. The entire challenge is recognizing that the database accepts unauthenticated connections as root, then methodically enumerating databases and tables until you find the flag. It’s a great introduction to database enumeration methodology and a real-world reminder of how often default or missing credentials appear in the wild. ...

February 1, 2026 · 3 min · Logan Dawson

Three — Pwning a Website via a Misconfigured S3 Bucket

A deceptively simple Starting Point box, Three demonstrates how a misconfigured S3-compatible storage backend can turn a static-looking website into a remote code execution vulnerability. The attack chain is short but teaches a genuinely common real-world pattern: enumerate subdomains, find exposed cloud storage, write a webshell, get a shell.

Reconnaissance

Port Scan

Standard nmap to start. Two open ports — SSH and HTTP, nothing exotic. ...

February 1, 2026 · 4 min · Logan Dawson

Oopsie

Oopsie is a beginner-friendly Linux box that chains together several classic web application vulnerabilities — broken access control, an insecure file upload, and a SUID PATH hijacking — into a satisfying end-to-end compromise. What makes it particularly interesting is that it rewards players who remember their history: credentials from a previous box in the Starting Point series come back to bite the target here.

Reconnaissance

Port Scanning

I started with a default nmap scan to get the lay of the land: ...

January 31, 2026 · 6 min · Logan Dawson

Unified — Log4Shell to Root via MongoDB Hash Swap

Unified is a Very Easy Linux box that demonstrates one of the most impactful vulnerabilities in recent memory: Log4Shell (CVE-2021-44228). The box runs a vulnerable version of UniFi Network Controller, and exploitation chains together a JNDI injection for initial access with an unauthenticated MongoDB instance to escalate all the way to root.

Reconnaissance

I started with an automated Nmap scan to get a picture of what was running on the box. ...

January 31, 2026 · 5 min · Logan Dawson