unified

Unified — Log4Shell to Root via MongoDB Hash Swap

Unified is a Very Easy Linux box that demonstrates one of the most impactful vulnerabilities in recent memory: Log4Shell (CVE-2021-44228). The box runs a vulnerable version of UniFi Network Controller, and exploitation chains together a JNDI injection for initial access with an unauthenticated MongoDB instance to escalate all the way to root.

Reconnaissance

I started with an automated Nmap scan to get a picture of what was running on the box. ...

January 31, 2026 · 5 min · Logan Dawson

vaccine

Vaccine — HackTheBox Writeup

Vaccine is a Very Easy Linux box that chains together several classic web exploitation techniques: anonymous FTP access, zip cracking, hardcoded credentials, SQL injection, and a sudo misconfiguration that hands over root in seconds. Each step feeds directly into the next, making it an excellent box for learning how a real attack chain flows from initial recon to full compromise.

Overview

Field       Value
IP
OS          Linux (Ubuntu 20.04)
Difficulty  Very Easy

Reconnaissance

Port Scan

I always start with a service/version scan using Nmap’s default scripts (-sC) alongside version detection (-sV). Treating the target as if ICMP is blocked from the start (-Pn) saves frustration on boxes that don’t respond to ping. ...

January 31, 2026 · 5 min · Logan Dawson

archetype

Archetype — HackTheBox Writeup

Archetype is a Windows box that demonstrates a classic lateral movement chain: anonymous SMB access exposes a configuration file with database credentials, which leads to command execution via MSSQL, and sloppy PowerShell history hands us domain admin on a silver platter. It’s an excellent box for understanding how real-world Windows environments get compromised through misconfiguration rather than flashy exploits.

Overview

Field       Value
OS          Windows Server 2019 Standard 17763
IP
Difficulty  Starting Point
Date        2026-01-30

Reconnaissance

Port Scanning

I start every box the same way — a default script and version scan with nmap. The goal here isn’t to be fancy, it’s to quickly understand what services are exposed and build a mental model of the attack surface. ...

January 30, 2026 · 6 min · Logan Dawson

dancing

Dancing — Anonymous SMB Access on a Windows Target

Dancing is a beginner-friendly Windows box that demonstrates one of the most common misconfigurations found in real-world environments: an SMB share left open to anonymous access. The entire engagement comes down to solid enumeration and knowing which shares are worth poking at.

Reconnaissance

Port Scanning

I started with a standard service scan to get a picture of what’s running on the target. The -sC flag runs default scripts and -sV attempts version detection — together they give a solid baseline without being too noisy. ...

January 30, 2026 · 4 min · Logan Dawson

fawn

Fawn

Fawn is one of HackTheBox’s introductory “Starting Point” machines, designed to teach the basics of FTP enumeration and the dangers of misconfigured anonymous access. It’s a single-step box — but the lesson it demonstrates shows up in real-world penetration tests far more often than you’d expect.

Reconnaissance

I kicked things off with a standard Nmap service scan against the target. The -sC flag runs Nmap’s default scripts (which include FTP anonymous login detection), and -sV pulls version banners. I’m saving all output formats with -oA for later reference. ...

January 30, 2026 · 3 min · Logan Dawson

meow

Meow — HackTheBox Writeup

Meow is a beginner-friendly Linux box that demonstrates one of the most critical (and unfortunately still common) misconfigurations in the wild: a root account with no password exposed over Telnet. There’s no exploitation or privilege escalation required here — just knowing where to look and what to try.

Overview

The attack path is about as short as it gets. A single open port running Telnet, a root account with a blank password, and we’re done. While it may seem almost trivially simple, this box hammers home an important point: the most devastating vulnerabilities are often misconfigurations, not complex exploits. ...

January 30, 2026 · 3 min · Logan Dawson

redeemer

Redeemer

Redeemer is a beginner-friendly HackTheBox machine that demonstrates one of the most common real-world misconfigurations you’ll encounter: an exposed Redis instance with no authentication. There’s no exploitation involved here — just enumeration, awareness that interesting services live outside the default nmap port range, and knowing a handful of Redis commands.

Overview

The box runs a single exposed service — Redis 5.0.7 on port 6379 — configured with no password. The flag is stored directly as a key in the database. The entire challenge boils down to: find the service, connect to it, dump the keys. ...

January 30, 2026 · 4 min · Logan Dawson