Interpreter chains a pre-auth deserialization RCE against a healthcare integration platform with a devious Python f-string injection to reach root — a box that rewards thorough enumeration and creative payload crafting.

Pirate is a brutal Hard-rated Windows Domain Controller that chains together gMSA password extraction, ADFS internals abuse, NTLM relay over a Hyper-V double-pivot, and SPN hijacking to reach Domain Admin — a genuine enterprise attack simulation.

A Minecraft panel hiding two CVEs and a SUSE-specific PAM trick — Pterodactyl chains a Laravel LFI into code execution, then escalates via a race-condition SUID mount flaw in udisks2.

WingData chains two fresh CVEs — an unauthenticated RCE in Wing FTP Server and a Python tarfile filter bypass via PATH_MAX overflow — into a clean root. Don’t let the ‘Easy’ rating fool you.

MonitorsFour chains a fresh Cacti RCE vulnerability with an exposed Docker API to go from web login to full Windows host compromise — a great lesson in container escape methodology.

Facts chains a Rails mass-assignment CVE in CamaleonCMS to admin access, leaks MinIO credentials hiding a backdoored SSH key, and escapes to root through Puppet’s facter tool — a satisfying end-to-end story about trusting your CMS too much.

Appointment is a deceptively simple box that teaches one of the most fundamental web vulnerabilities: SQL injection authentication bypass. One payload, one flag — but the lesson lasts a career.

Crocodile proves that the simplest misconfigurations can be devastating — an open FTP server hands you the keys to the web app if you know where to look.

A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.

Sequel is a dead-simple but instructive HackTheBox machine that highlights one of the most dangerous real-world misconfigurations: a MySQL/MariaDB instance exposed to the network with no root password.