
Appointment — HackTheBox Starting Point Walkthrough
Appointment is a deceptively simple box that teaches one of the most fundamental web vulnerabilities: SQL injection authentication bypass. One payload, one flag — but the lesson lasts a career.

Crocodile proves that the simplest misconfigurations can be devastating — an open FTP server hands you the keys to the web app if you know where to look.

A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.

Sequel is a dead-simple but instructive HackTheBox machine that highlights one of the most dangerous real-world misconfigurations: a MySQL/MariaDB instance exposed to the network with no root password.

Unified is a Very Easy Linux box that weaponizes the infamous Log4Shell vulnerability against an unpatched UniFi Network controller, then chains unauthenticated MongoDB access to go from nobody to root.

Vaccine chains together anonymous FTP access, zip cracking, hardcoded credentials, and a PostgreSQL SQL injection into a full compromise — then escapes to root through a classic vi sudo misconfiguration.