/ writeups

Notes, after the flag.

Retired HackTheBox machines, explained start to finish. Foothold, pivot, privesc — no shortcuts in the narration.

01
Kobold easy
Active HackTheBox machine — full writeup published after retirement.
linuxMCPCVE-2026-23744subdomain-enumerationdockerprivesc
15 Mar 2026
HTB
02
CCTV easy
Active HackTheBox machine — full writeup published after retirement.
linuxZoneMinderSQLiCVE-2024-51482CVE-2025-60787SSH-tunnelingcommand-injection
07 Mar 2026
HTB
03
Pirate hard featured
Active HackTheBox machine — full writeup published after retirement.
windowsactive-directorypre2kgmsakerberosntlm-relayrbcdconstrained-delegationspn-jackingligolo-ngprivesc
01 Mar 2026
HTB
04
Gavel medium
Linux web box — exposed .git repo leaks PHP source revealing a SQLi, admin panel RCE via PHP rule engine, then privesc by abusing a root-run auction daemon that executes YAML-defined PHP rules.
linuxwebsqligit-dumperphprceyamlsuidprivesc
12 Oct 2025
HTB
05
DarkZero hard featured
Active Directory box featuring MSSQL lateral movement across two domains, kernel exploitation (CVE-2024-30088) via Metasploit, and Golden Ticket via Rubeus + PetitPotam to compromise the forest.
windowsactive-directorymssqlkerberosCVE-2024-30088golden-ticketrubeusprivesc
05 Oct 2025
HTB
06
Return easy featured
LDAP credential capture from a printer web panel, followed by Server Operators privilege escalation via service binary path modification.
windowsactive-directoryldapprivescserver-operators
04 Oct 2025
HTB
07
Cicada easy
Beginner-friendly Windows AD box — anonymous SMB enumeration leads to default credentials, password spraying finds a foothold, and SeBackupPrivilege escalates to Administrator via SAM dump.
windowsactive-directorysmbpassword-spraySeBackupPrivilegepass-the-hash
03 Oct 2025
HTB
08
Expressway easy
Linux box with IKE/ISAKMP on UDP/500 — crack the PSK with psk-crack, SSH in, then exploit a vulnerable sudo version (CVE-2025-32463) to root.
linuxikevpnpsk-cracksshCVE-2025-32463sudoprivesc
22 Sept 2025
HTB
Copied