CCTV

CCTV — HackTheBox Writeup

CCTV is an Easy Linux box that chains together several real-world security misconfigurations: default credentials in ZoneMinder, a forgotten default JWT secret enabling privilege escalation within the app, and an exposed motionEye instance running as root. What makes this box satisfying is that every step requires you to understand the application you’re attacking rather than just firing off a CVE exploit.

Overview

The target runs a public-facing ZoneMinder CCTV management interface. Default credentials get us in, but a default JWT signing secret lets us forge tokens for a higher-privileged user, unlocking filter-based command execution. From there, internal service enumeration reveals motionEye running as root on localhost, and its SHA-1 authentication scheme turns out to require no cracking at all — the stored hash is the credential.

...

March 7, 2026 · 7 min · Logan Dawson

pterodactyl

Pterodactyl — HackTheBox Writeup

Pterodactyl is a Linux box built around a real-world attack chain: an unauthenticated LFI vulnerability in the Pterodactyl Panel game server management software leads to RCE, credential extraction, and ultimately root through a pair of freshly disclosed SUSE-specific udisks2 privilege escalation CVEs. It’s a satisfying box because every step has a meaningful “why” behind it — nothing is arbitrary.

Overview

The box hosts a Minecraft server homepage alongside a Pterodactyl Panel installation. Enumeration surfaces a misconfigured phpinfo.php that reveals the exact PHP configuration needed for a PEAR-based RCE chain. After exploiting CVE-2025-49132 (unauthenticated LFI in the panel) to pivot to RCE, we dump database credentials, crack a user’s bcrypt hash, and SSH in. From there, a two-CVE chain targeting udisks2 on OpenSUSE — PAM environment injection to trick Polkit, followed by a SUID binary race on a temporary mount — hands us root.

...

February 26, 2026 · 10 min · Logan Dawson