pterodactyl

Pterodactyl — HackTheBox Writeup

Pterodactyl is a Linux box built around a real-world attack chain: an unauthenticated LFI vulnerability in the Pterodactyl Panel game server management software leads to RCE, credential extraction, and ultimately root through a pair of freshly disclosed privilege escalation CVEs (a SUSE-specific PAM environment injection chained with a udisks2 flaw). It’s a satisfying box because every step has a meaningful “why” behind it — nothing is arbitrary.

Overview

The box hosts a Minecraft server homepage alongside a Pterodactyl Panel installation. Enumeration surfaces a misconfigured phpinfo.php that reveals the exact PHP configuration needed for a PEAR-based RCE chain. After exploiting CVE-2025-49132 (unauthenticated LFI in the panel) to pivot to RCE, we dump database credentials, crack a user’s bcrypt hash, and SSH in. From there, a two-CVE chain on openSUSE hands us root: a PAM environment injection tricks Polkit into treating the SSH session as a local, active one, and a race against a SUID binary on a temporary udisks2 mount finishes the job. ...

February 26, 2026 · 10 min · Logan Dawson

appointment

Appointment

A deceptively simple box that proves sometimes the oldest tricks in the book are the most effective. Appointment is a single-page web challenge centered entirely on a PHP login form vulnerable to SQL injection authentication bypass — no rabbit holes, no pivoting, just clean exploitation of a classic vulnerability.

Overview

Appointment runs a bare-bones Apache web server with a PHP login form as its only attack surface. The goal is straightforward: bypass authentication using SQL injection to retrieve the flag. It’s a great box for internalizing why SQL injection works, not just how to use it. ...

February 1, 2026 · 4 min · Logan Dawson
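The authentication bypass the Appointment teaser describes, as an added example that is not part of the original writeup: a login query built by string concatenation (the pattern behind most PHP login-form injections) beside a parameterized version, both run against a constructed in-memory SQLite table with placeholder accounts. The table schema, user names, passwords and payloads are assumptions for illustration, not values from the box.

```python
import sqlite3

# Constructed sample data for the demo: placeholder accounts, not credentials from the box.
SAMPLE_USERS = [("admin", "placeholder-admin-pw"), ("alice", "placeholder-alice-pw")]


def make_db():
    """Build an in-memory users table (assumed schema: username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """The classic mistake: user input spliced straight into the SQL string.
    A single quote in the input ends the literal, so the rest is parsed as SQL."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns the matched username (a successful login) or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes input as data, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic bypass payloads. The trailing space after -- matters on MySQL/MariaDB,
# where the comment marker must be followed by whitespace; SQLite accepts it either way.
COMMENT_OUT_PASSWORD = "admin' -- "   # closes the literal, comments out the password check
ALWAYS_TRUE = "' OR '1'='1"           # makes the WHERE clause true for every row


def demo():
    """Run both payloads against both login implementations and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_comment_payload": login_vulnerable(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "vulnerable_or_payload": login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "safe_comment_payload": login_safe(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "safe_or_payload": login_safe(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "safe_real_creds": login_safe(conn, "admin", "placeholder-admin-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

With the concatenated query, `admin' -- ` turns `WHERE username = 'admin' AND password = 'wrong'` into `WHERE username = 'admin'` followed by a comment, and `' OR '1'='1` in both fields yields a clause that is true for every row, so the first account (here admin) is returned. The parameterized version returns nothing for either payload because the quote never reaches the SQL parser as syntax, which is the whole reason the bypass works on one and not the other.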

crocodile

Crocodile — HackTheBox Writeup

Crocodile is a very easy Linux box that demonstrates how anonymous FTP access can expose credentials that unlock a web application login. The attack chain is short but teaches a fundamental methodology: always enumerate every open service, because sensitive information on one port can become your key into another.

Reconnaissance

I started with a service-version scan to understand what was running on the target:

nmap -sV -sC <TARGET> ...

February 1, 2026 · 3 min · Logan Dawson

sequel

Sequel

Sometimes the simplest misconfiguration is the most damaging. Sequel is a very easy Linux box that exposes a MariaDB instance with no root password — no exploits required, just knowing to try the door before assuming it’s locked.

Overview

This box runs a single service: MySQL/MariaDB on port 3306. The entire challenge is recognizing that the database accepts unauthenticated connections as root, then methodically enumerating databases and tables until you find the flag. It’s a great introduction to database enumeration methodology and a real-world reminder of how often default or missing credentials appear in the wild. ...

February 1, 2026 · 3 min · Logan Dawson

three

Three — Pwning a Website via a Misconfigured S3 Bucket

A deceptively simple Starting Point box, Three demonstrates how a misconfigured S3-compatible storage backend can turn a static-looking website into a path to remote code execution. The attack chain is short but teaches a genuinely common real-world pattern: enumerate subdomains, find exposed cloud storage, write a webshell, get a shell.

Reconnaissance

Port Scan

Standard nmap to start. Two open ports — SSH and HTTP, nothing exotic. ...

February 1, 2026 · 4 min · Logan Dawson

oopsie

Oopsie

Oopsie is a beginner-friendly Linux box that chains together several classic web application vulnerabilities — broken access control, an insecure file upload, and PATH hijacking of a SUID binary — into a satisfying end-to-end compromise. What makes it particularly interesting is that it rewards players who remember their history: credentials from a previous box in the Starting Point series come back to bite the target here.

Reconnaissance

Port Scanning

I started with a default nmap scan to get the lay of the land: ...

January 31, 2026 · 6 min · Logan Dawson

unified

Unified — Log4Shell to Root via MongoDB Hash Swap

Unified is a Very Easy Linux box that demonstrates one of the most impactful vulnerabilities in recent memory: Log4Shell (CVE-2021-44228). The box runs a vulnerable version of UniFi Network Controller, and exploitation chains together a JNDI injection for initial access with an unauthenticated MongoDB instance to escalate all the way to root.

Reconnaissance

I started with an automated Nmap scan to get a picture of what was running on the box. ...

January 31, 2026 · 5 min · Logan Dawson

vaccine

Vaccine — HackTheBox Writeup

Vaccine is a Very Easy Linux box that chains together several classic techniques: anonymous FTP access, zip cracking, hardcoded credentials, SQL injection, and a sudo misconfiguration that hands over root in seconds. Each step feeds directly into the next, making it an excellent box for learning how a real attack chain flows from initial recon to full compromise.

Overview

Field        Value
IP
OS           Linux (Ubuntu 20.04)
Difficulty   Very Easy

Reconnaissance

Port Scan

I always start with a service/version scan using Nmap’s default scripts (-sC) alongside version detection (-sV). Treating the target as if ICMP is blocked from the start (-Pn) saves frustration on boxes that don’t respond to ping. ...

January 31, 2026 · 5 min · Logan Dawson

meow

Meow — HackTheBox Writeup

Meow is a beginner-friendly Linux box that demonstrates one of the most critical (and unfortunately still common) misconfigurations in the wild: a root account with no password exposed over Telnet. There’s no exploitation or privilege escalation required here — just knowing where to look and what to try.

Overview

The attack path is about as short as it gets. A single open port running Telnet, a root account with a blank password, and we’re done. While it may seem almost trivially simple, this box hammers home an important point: the most devastating vulnerabilities are often misconfigurations, not complex exploits. ...

January 30, 2026 · 3 min · Logan Dawson

redeemer

Redeemer

Redeemer is a beginner-friendly HackTheBox machine that demonstrates one of the most common real-world misconfigurations you’ll encounter: an exposed Redis instance with no authentication. There’s no exploitation involved here — just enumeration, awareness that interesting services live outside the default nmap port range, and knowing a handful of Redis commands.

Overview

The box runs a single exposed service — Redis 5.0.7 on port 6379 — configured with no password. The flag is stored directly as a key in the database. The entire challenge boils down to: find the service, connect to it, dump the keys. ...

January 30, 2026 · 4 min · Logan Dawson