Writeups

Eighteen — HackTheBox Writeup Eighteen is a Windows Server 2025 Domain Controller that chains a creative MSSQL impersonation attack with a web app credential harvest to gain an initial foothold, then exploits BadSuccessor (CVE-2025-53779) — a novel Active Directory privilege escalation abusing delegated Managed Service Accounts — to achieve full domain compromise. What makes this box particularly instructive is how many standard Windows privesc paths are deliberately closed off, forcing you to understand cutting-edge AD attack primitives rather than reaching for familiar tools. ...

Pterodactyl — HackTheBox Writeup Pterodactyl is a Linux box built around a real-world attack chain: an unauthenticated LFI vulnerability in the Pterodactyl Panel game server management software leads to RCE, credential extraction, and ultimately root through a pair of freshly-disclosed SUSE-specific udisks2 privilege escalation CVEs. It’s a satisfying box because every step has a meaningful “why” behind it — nothing is arbitrary. Overview The box hosts a Minecraft server homepage alongside a Pterodactyl Panel installation. Enumeration surfaces a misconfigured phpinfo.php that reveals the exact PHP configuration needed for a PEAR-based RCE chain. After exploiting CVE-2025-49132 (unauthenticated LFI in the panel) to pivot to RCE, we dump database credentials, crack a user’s bcrypt hash, and SSH in. From there, a two-CVE chain targeting udisks2 on OpenSUSE — PAM environment injection to trick Polkit, followed by a SUID binary race on a temporary mount — hands us root. ...

MonitorsFour MonitorsFour is a medium-difficulty Windows box running WSL2 with Docker Desktop — a setup that makes the attack chain distinctly layered. The path runs from web enumeration through an authenticated Cacti RCE, into a Docker container, and finally out to the Windows host via an unauthenticated Docker API. Each pivot requires a slightly different mindset, which is what makes this box a great exercise in chained exploitation. Reconnaissance Port Scanning Starting with a standard nmap scan against the target: ...