Starting Point

Appointment A deceptively simple box that proves sometimes the oldest tricks in the book are the most effective. Appointment is a single-page web challenge centered entirely on a PHP login form vulnerable to SQL injection authentication bypass — no rabbit holes, no pivoting, just clean exploitation of a classic vulnerability. Overview Appointment runs a bare-bones Apache web server with a PHP login form as its only attack surface. The goal is straightforward: bypass authentication using SQL injection to retrieve the flag. It’s a great box for internalizing why SQL injection works, not just how to use it. ...

Crocodile — HackTheBox Writeup Crocodile is a very easy Linux box that demonstrates how anonymous FTP access can expose credentials that unlock a web application login. The attack chain is short but teaches a fundamental methodology: always enumerate every open service, because sensitive information on one port can become your key into another. Reconnaissance I started with a service-version scan to understand what was running on the target: nmap -sV -sC <TARGET> ...

Responder — HackTheBox Writeup Responder is a Very Easy Windows box that chains a classic Local File Inclusion vulnerability with NTLM hash capture to gain a foothold via WinRM. It’s an excellent introduction to how Windows authentication can be weaponized against itself when a server blindly follows UNC paths. Overview The attack path here is beautifully simple once you see it: a PHP web application has an LFI vulnerability in its language selector, Windows will attempt NTLM authentication when it tries to access a UNC path, and we’re sitting there with Responder ready to catch the hash. Crack the hash, log in over WinRM, read the flag. Along the way I hit a firewall issue that was a useful reminder about VPN interface trust zones — more on that later. ...

Sequel Sometimes the simplest misconfiguration is the most damaging. Sequel is a very easy Linux box that exposes a MariaDB instance with no root password — no exploits required, just knowing to try the door before assuming it’s locked. Overview This box runs a single service: MySQL/MariaDB on port 3306. The entire challenge is recognizing that the database accepts unauthenticated connections as root, then methodically enumerating databases and tables until you find the flag. It’s a great introduction to database enumeration methodology and a real-world reminder of how often default or missing credentials appear in the wild. ...

Three — Pwning a Website via a Misconfigured S3 Bucket A deceptively simple Starting Point box, Three demonstrates how a misconfigured S3-compatible storage backend can turn a static-looking website into a remote code execution vulnerability. The attack chain is short but teaches a genuinely common real-world pattern: enumerate subdomains, find exposed cloud storage, write a webshell, get a shell. Reconnaissance Port Scan Standard nmap to start. Two open ports — SSH and HTTP, nothing exotic. ...

Oopsie Oopsie is a beginner-friendly Linux box that chains together several classic web application vulnerabilities — broken access control, an insecure file upload, and a SUID PATH hijacking — into a satisfying end-to-end compromise. What makes it particularly interesting is that it rewards players who remember their history: credentials from a previous box in the Starting Point series come back to bite the target here. Reconnaissance Port Scanning I started with a default nmap scan to get the lay of the land: ...

Unified — Log4Shell to Root via MongoDB Hash Swap Unified is a Very Easy Linux box that demonstrates one of the most impactful vulnerabilities in recent memory: Log4Shell (CVE-2021-44228). The box runs a vulnerable version of UniFi Network Controller, and exploitation chains together a JNDI injection for initial access with an unauthenticated MongoDB instance to escalate all the way to root. Reconnaissance I started with an automated Nmap scan to get a picture of what was running on the box. ...

Vaccine — HackTheBox Writeup Vaccine is a Very Easy Linux box that chains together several classic web exploitation techniques: anonymous FTP access, zip cracking, hardcoded credentials, SQL injection, and a sudo misconfiguration that hands over root in seconds. Each step feeds directly into the next, making it an excellent box for learning how a real attack chain flows from initial recon to full compromise. Overview Field Value IP OS Linux (Ubuntu 20.04) Difficulty Very Easy Reconnaissance Port Scan I always start with a service/version scan using Nmap’s default scripts (-sC) alongside version detection (-sV). Treating the target as if ICMP is blocked from the start (-Pn) saves frustration on boxes that don’t respond to ping. ...

Archetype — HackTheBox Writeup Archetype is a Windows box that demonstrates a classic lateral movement chain: anonymous SMB access exposes a configuration file with database credentials, which leads to command execution via MSSQL, and sloppy PowerShell history hands us domain admin on a silver platter. It’s an excellent box for understanding how real-world Windows environments get compromised through misconfiguration rather than flashy exploits. Overview Field Value OS Windows Server 2019 Standard 17763 IP Difficulty Starting Point Date 2026-01-30 Reconnaissance Port Scanning I start every box the same way — a default script and version scan with nmap. The goal here isn’t to be fancy, it’s to quickly understand what services are exposed and build a mental model of the attack surface. ...

Dancing — Anonymous SMB Access on a Windows Target Dancing is a beginner-friendly Windows box that demonstrates one of the most common misconfigurations found in real-world environments: an SMB share left open to anonymous access. The entire engagement comes down to solid enumeration and knowing which shares are worth poking at. Reconnaissance Port Scanning I started with a standard service scan to get a picture of what’s running on the target. The -sC flag runs default scripts and -sV attempts version detection — together they give a solid baseline without being too noisy. ...