HTB Writeups
Hack The Box machine writeups — enumeration, foothold, and privilege escalation, organized by difficulty.
Very Easy 6
Certifried
Very EasyAnonymous SMB enumeration on an Active Directory host reveals a readable share; null-session LDAP queries are not open, but unauthenticated SMB access …
BloodFlow
Very EasyA publicly exposed n8n workflow automation instance is vulnerable to CVE-2026-21858, an unauthenticated arbitrary file read to RCE chain, yielding a …
ReactOOPS
Very EasyA vulnerable React application is exploited via CVE-2025-55182 (react2shell), yielding unauthenticated remote code execution and a shell that reads …
Caring
Very EasyAn unauthenticated SMB Config share leaks a config.ini containing credentials for the user claudio; WinPEAS then surfaces Administrator credentials …
ADSelfService
Very EasyAn exposed ManageEngine ADSelfService Plus portal running version 6.1 is vulnerable to CVE-2021-40539 (REST API authentication bypass to RCE), …
Logonshell
Very EasyA Microsoft Exchange Server 2019 RTM (15.2.221.12) on the edelweiss.htb domain is exploited via ProxyShell (CVE-2021-34473) — the auth bypass …
Easy 15
RedPanda
EasyA Spring Boot search page reflects user input into a Server-Side Template Injection sink, giving RCE as woodenk; a root-owned log-parser cron is then …
Sea
EasyA WonderCMS site’s contact form SSRF is weaponized to deliver CVE-2023-41425, landing a shell as www-data; a password hash found in the CMS …
VulnEscape
EasyAn RDP kiosk running Microsoft Edge is escaped by adding a local HTML page and renaming PowerShell to msedge.exe; Remote Desktop Plus stores a masked …
TemplTrap
EasyA Langflow AI server exposed on port 80 is exploited via CVE-2026-0770 (SSTI RCE) for an initial shell as karen; screen 5.0.0 setuid-root logging …
Data
EasyAn unauthenticated Grafana path-traversal (CVE-2021-43798) exposes the SQLite database, leaking PBKDF2 password hashes that crack to yield SSH access; …
WingData
EasyWing FTP Server 7.4.3 exposes an unauthenticated RCE endpoint; cracking the salted password hashes from its XML config yields SSH access as a system …
Facts
EasyA Ruby on Rails app running Camaleon CMS 2.9.0 is compromised via mass-assignment privilege escalation to admin, then an LFI in the admin …
Succession
EasyGiven SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …
Broker
EasyA default-credentialed Apache ActiveMQ 5.15.15 console reveals a version vulnerable to CVE-2023-46604 (OpenWire deserialization RCE); a sudo-allowed …
Return
EasyA printer admin panel leaks credentials to Responder via a spoofed LDAP server address; the recovered svc-printer account belongs to Server Operators, …
Sauna
EasyStaff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …
Toolbox
EasySQL injection in a PostgreSQL-backed login form yields an os-shell inside a Docker container; the Docker Toolbox VM is reachable via SSH with default …
Overcertified
EasyAn LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …
Forest
EasyAnonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …
Active
EasyAnonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …
Medium 8
Bucket
MediumA web application backed by a locally exposed S3-compatible bucket allows unauthenticated file uploads; uploading a PHP web shell through the bucket …
Infosek
MediumExposed WordPress credentials in a public location grant admin panel access; a webshell upload reveals database credentials for the ryder account, and …
Logging
MediumReadable SMB log share leaks an svc_recovery password (with a year-increment pattern), Generic Write on MSA_HEALTH$ enables shadow credential abuse …
Deputy
MediumA exposed .git directory leaks Terraform IAM ARNs; a case-sensitivity bug in the event-role API lets those ARNs cross account boundaries, eventually …
Interpreter
MediumMirth Connect 4.4.0 is vulnerable to CVE-2023-43208 (unauthenticated RCE); database credentials in mirth.properties lead to a PBKDF2-hashed password …
Rainbow
MediumAnonymous FTP access combined with a custom web service on port 8080 leads to a stack-based buffer overflow that overwrites ECX; exploiting the crash …
VulnCicada
MediumAn exposed NFS share leaks domain usernames and a credential hidden inside an image file; the password belongs to Rosie.Powell, whose account is used …
Printer
MediumA printer management web app leaks LDAP credentials to a Responder listener; Invoke-Pester in a constrained WinRM environment executes an arbitrary …
Hard 9
Freelancer
HardAn IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …
OpenAD
HardA default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …
Playground
HardA Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …
Resource
HardA zip-upload feature on an SSH key management web app is exploited via a PHP pearcmd LFI-to-RCE trick to land a webshell as www-data; uploaded zip …
Search
HardA password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …
Pirate
HardStarting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …
Object
HardAn open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …
Blackfield
HardAnonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …
Lantern
HardA Skipper proxy CVE-2022-38580 SSRF exposes an internal Blazor WebAssembly app whose DLL contains base64-encoded admin credentials; those credentials …
Insane 2
Ghost
InsaneLDAP injection on a Next.js intranet leaks a service-account secret that unlocks Gitea; a custom Ghost CMS file-read exposes an RCE dev key; from …
PingPong
InsaneAn assumed-breach scenario starting with domain credentials for c.roberts; initial BloodHound enumeration of ping.htb identifies ADCS as a potential …