DevArea chains a SOAP service SSRF through Hoverfly middleware RCE to foothold, then escalates via Flask session forgery, command injection, and a symlink/log-write trick to root. A deeply layered box with real-world misconfigurations at every turn.
VariaType is a CVE-chaining masterpiece — three distinct vulnerabilities in font-processing tools combine to take you from unauthenticated to root. If you want practice identifying real-world supply-chain CVEs, this box delivers.
Principal chains a fresh CVE in pac4j-jwt — where encryption was mistaken for authentication — with SSH CA key abuse to go from zero to root on a Java Spring Boot platform.
Gavel chains an exposed git repo, a subtle PDO prepared statement SQL injection, and a creative PHP sandbox escape — overwriting the php.ini from inside the sandbox itself — to reach root.
AirTouch is a unique HTB medium box where you pivot through three network segments entirely over WiFi — cracking WPA-PSK, stealing session cookies from decrypted traffic, and pulling off a real-cert evil twin attack to capture MSCHAPv2 credentials.
Interpreter chains a pre-auth deserialization RCE against a healthcare integration platform with a devious Python f-string injection to reach root — a box that rewards thorough enumeration and creative payload crafting.
A Minecraft panel hiding two CVEs and a SUSE-specific PAM trick — Pterodactyl chains a Laravel LFI into code execution, then escalates via a race-condition SUID mount flaw in udisks2.
MonitorsFour chains a fresh Cacti RCE vulnerability with an exposed Docker API to go from web login to full Windows host compromise — a great lesson in container escape methodology.
Overwatch chains MSSQL linked server credential capture via DNS poisoning with a WCF service PowerShell injection to go from unauthenticated to Domain Admin on a Windows Server 2022 DC.
Browsed is a devious medium Linux box where you weaponize a Chrome extension upload feature to chain browser automation, bash arithmetic injection, and Python bytecode poisoning into a full root compromise.