Myles Nieman

HTB Writeups

Hack The Box machine writeups — enumeration, foothold, and privilege escalation, organized by difficulty.

Very Easy 6

Easy 15

RedPanda

Easy

A Spring Boot search page reflects user input into a Server-Side Template Injection sink, giving RCE as woodenk; a root-owned log-parser cron is then …

Linux

Sea

Easy

A WonderCMS site’s contact form SSRF is weaponized to deliver CVE-2023-41425, landing a shell as www-data; a password hash found in the CMS …

Linux

VulnEscape

Easy

An RDP kiosk running Microsoft Edge is escaped by adding a local HTML page and renaming PowerShell to msedge.exe; Remote Desktop Plus stores a masked …

Windows

TemplTrap

Easy

A Langflow AI server exposed on port 80 is exploited via CVE-2026-0770 (SSTI RCE) for an initial shell as karen; screen 5.0.0 setuid-root logging …

Linux

Data

Easy

An unauthenticated Grafana path-traversal (CVE-2021-43798) exposes the SQLite database, leaking PBKDF2 password hashes that crack to yield SSH access; …

Linux

WingData

Easy

Wing FTP Server 7.4.3 exposes an unauthenticated RCE endpoint; cracking the salted password hashes from its XML config yields SSH access as a system …

Linux

Facts

Easy

A Ruby on Rails app running Camaleon CMS 2.9.0 is compromised via mass-assignment privilege escalation to admin, then an LFI in the admin …

Linux

Succession

Easy

Given SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …

Windows

Broker

Easy

A default-credentialed Apache ActiveMQ 5.15.15 console reveals a version vulnerable to CVE-2023-46604 (OpenWire deserialization RCE); a sudo-allowed …

Linux

Return

Easy

A printer admin panel leaks credentials to Responder via a spoofed LDAP server address; the recovered svc-printer account belongs to Server Operators, …

Windows

Sauna

Easy

Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …

Windows

Toolbox

Easy

SQL injection in a PostgreSQL-backed login form yields an os-shell inside a Docker container; the Docker Toolbox VM is reachable via SSH with default …

Windows

Overcertified

Easy

An LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …

Windows

Forest

Easy

Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …

Windows

Active

Easy

Anonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …

Windows

Medium 8

Bucket

Medium

A web application backed by a locally exposed S3-compatible bucket allows unauthenticated file uploads; uploading a PHP web shell through the bucket …

Linux

Infosek

Medium

Exposed WordPress credentials in a public location grant admin panel access; a webshell upload reveals database credentials for the ryder account, and …

Windows

Logging

Medium

A readable SMB log share leaks an svc_recovery password (with a year-increment pattern); Generic Write on MSA_HEALTH$ enables shadow credential abuse …

Windows

Deputy

Medium

An exposed .git directory leaks Terraform IAM ARNs; a case-sensitivity bug in the event-role API lets those ARNs cross account boundaries, eventually …

Linux

Interpreter

Medium

Mirth Connect 4.4.0 is vulnerable to CVE-2023-43208 (unauthenticated RCE); database credentials in mirth.properties lead to a PBKDF2-hashed password …

Linux

Rainbow

Medium

Anonymous FTP access combined with a custom web service on port 8080 leads to a stack-based buffer overflow that overwrites ECX; exploiting the crash …

Windows

VulnCicada

Medium

An exposed NFS share leaks domain usernames and a credential hidden inside an image file; the password belongs to Rosie.Powell, whose account is used …

Windows

Printer

Medium

A printer management web app leaks LDAP credentials to a Responder listener; Invoke-Pester in a constrained WinRM environment executes an arbitrary …

Windows

Hard 9

Freelancer

Hard

An IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …

Windows

OpenAD

Hard

A default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …

Windows

Playground

Hard

A Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …

Windows

Resource

Hard

A zip-upload feature on an SSH key management web app is exploited via a PHP pearcmd LFI-to-RCE trick to land a webshell as www-data; uploaded zip …

Linux

Search

Hard

A password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …

Windows

Pirate

Hard

Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …

Windows

Object

Hard

An open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …

Windows

Blackfield

Hard

Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …

Windows

Lantern

Hard

A Skipper proxy CVE-2022-38580 SSRF exposes an internal Blazor WebAssembly app whose DLL contains base64-encoded admin credentials; those credentials …

Linux

Insane 2