
Responder — HackTheBox Starting Point Walkthrough
A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.

A misconfigured S3-compatible bucket with an open write policy turns a static band website into a remote code execution opportunity. Here’s how subdomain enumeration and a single AWS CLI command led to a shell.

Oopsie chains credential reuse, a cookie-based IDOR, and a file upload to land a shell — then a SUID binary with an unsafe PATH gets us root. A masterclass in chained misconfigurations.

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.

Vaccine chains together anonymous FTP access, zip cracking, hardcoded credentials, and a PostgreSQL SQL injection into a full compromise — then escapes to root through a classic vi sudo misconfiguration.

Archetype shows how a single misconfigured SMB share cascades into full domain compromise — SSIS config files, xp_cmdshell, and PowerShell history all play a role.

Dancing is a beginner-friendly Windows box that teaches the fundamentals of SMB enumeration. A misconfigured file share with anonymous access is all you need to grab the flag.

Fawn is a beginner HackTheBox machine that demonstrates one of the most common real-world misconfigurations: anonymous FTP access left enabled with sensitive files sitting in the root directory.

Meow is HTB’s gentlest introduction to penetration testing — a single open Telnet port, no password on the root account, and an immediate lesson in why legacy services are dangerous.

Redeemer proves that sometimes the simplest misconfigurations are the most dangerous — an open Redis instance with no password stands between you and the flag.