Walkthroughs
Keeping current with attacker tools, techniques, and thinking is part of the job. These writeups document that practice.
Connected (HTB, Active, Easy, Linux)
FreePBX 16.0.40.7 is vulnerable to CVE-2025-57819, a pre-auth SQL injection to RCE that Metasploit handles cleanly. The foothold lands as the asterisk user. Privilege escalation abuses incron, a filesystem event daemon watching a sysadmin spool directory. Writing a sentinel file triggers a root-owned script that sources a config file the asterisk user can write to, turning a simple echo into a root shell.
Tags: Web Enumeration; FreePBX Fingerprinting; CVE-2025-57819 (FreePBX Pre-auth SQLi to RCE) (+4 more)

DevHub (HTB, Active, Medium, Linux)
MCPJam Inspector on port 6274 exposes an unauthenticated stdio transport endpoint that executes arbitrary commands as a subprocess, landing a shell as mcp-dev. Process enumeration reveals a JupyterLab token in the analyst user's command line args and a root-owned Flask app on port 5000. An SSH local port forward unlocks JupyterLab and a Python reverse shell elevates to analyst for the user flag. Reading the Flask app's source surfaces a hardcoded API key and an undocumented admin tool that dumps SSH credentials on request, handing back root's private key directly from the API.
Tags: MCPJam Inspector Fingerprinting; MCP stdio Transport RCE (Unauthenticated); Named Pipe Reverse Shell (mkfifo) (+6 more)

Reactor (HTB, Active, Easy, Linux)
A Next.js 15 web app is vulnerable to CVE-2025-55182, a critical RSC deserialization flaw that fires before routing validation and hands back a shell as node. A SQLite database contains MD5 hashes -- the engineer account cracks from rockyou in under a second. Privilege escalation abuses a root-owned Node.js process with the V8 Inspector exposed on loopback, tunneled in via SSH and driven through the Chrome DevTools Protocol to land a root shell.
Tags: Next.js RSC Fingerprinting; CVE-2025-55182 (React Server Components RCE); RSC Flight Protocol Deserialization (+6 more)

Forest (HTB, Retired, Easy, Windows)
AS-REP Roasting recovers credentials for a service account with no Kerberos pre-authentication. Nested group membership through Account Operators gives WriteDACL over the domain, enabling a DCSync attack for full domain compromise.
Tags: AS-REP Roasting; Credential Cracking; BloodHound Enumeration (+3 more)

Authority (HTB, Retired, Medium, Windows)
Anonymous SMB access exposes Ansible Vault hashes stored in a development share. Cracking them recovers credentials for a PWM configuration manager, which is abused to capture cleartext LDAP credentials via Responder. ADCS ESC1 combined with PassTheCert completes the domain compromise.
Tags: SMB Anonymous Enumeration; Ansible Vault Cracking; LDAP Credential Capture (+3 more)

Craft (HTB, Retired, Medium, Linux)
A Gogs code hosting instance exposes a public repository where developer commits leak both an API token and plaintext credentials in a test script. A patch commit reveals an unsanitized eval() call in the API's brew endpoint, which accepts arbitrary Python code. Injecting a reverse shell through the API lands a shell as root inside a Docker container. A database script found in the container leads to MySQL credentials, and querying the user table yields credentials for Gilfoyle, whose private Gogs repository holds an SSH key. SSH as Gilfoyle uses the database password to unlock the key. A Vault token in the home directory and a secrets script in the private repo configure Vault's SSH OTP backend, which issues a one-time password for root.
Tags: Gogs Repository Enumeration; Credentials Exposure in Version Control; Python eval() Injection (+5 more)

Fluffy (HTB, Retired, Easy, Windows)
A writable IT share holds an upgrade notice listing active CVEs, including CVE-2025-24071. A malicious ZIP planted on the share triggers an NTLMv2 capture via Responder when Windows Explorer extracts it -- cracked credentials reveal a path through Shadow Credentials to winrm_svc for initial access. Privilege escalation abuses ADCS ESC16, where the CA's globally disabled security extension allows a forged administrator certificate and full domain compromise.
Tags: SMB Share Enumeration; CVE-2025-24071 (NTLM Hash Disclosure via .library-ms); NTLMv2 Capture (Responder) (+5 more)

Administrator (HTB, Retired, Medium, Windows)
Starting with pre-supplied credentials, ACL abuse chains through GenericAll and ForceChangePassword to recover a Password Safe archive from FTP. Targeted Kerberoasting against a DCSync-capable account yields the Administrator hash.
Tags: BloodHound Enumeration; ACL Abuse (GenericAll); ForceChangePassword (+4 more)

Jeeves (HTB, Retired, Medium, Windows)
Unauthenticated Jenkins access leads to remote code execution. A KeePass vault stored on the host contains reusable credentials that enable pass-the-hash access to Administrator.
Tags: Jenkins Script Console RCE; Web Enumeration; KeePass Credential Extraction (+3 more)

Media (HTB, Retired, Medium, Windows)
A portfolio upload form on a Windows Apache stack accepts .asx files, triggering an automatic Windows Media Player authentication request that Responder captures as an NTLMv2 hash. Cracking the hash gives SSH access as enox. Discovering XAMPP on the box reveals that the upload directory structure can be hijacked via a junction link, redirecting uploaded files into the web root for PHP execution as NT AUTHORITY\LOCAL SERVICE. That service account holds SeTcbPrivilege, which is abused to add enox to the local Administrators group for full system access.
Tags: Web Enumeration; NTLM Theft (.asx); NTLMv2 Capture (Responder) (+5 more)

Postman (HTB, Retired, Easy, Linux)
Unauthenticated Redis allows writing an SSH public key directly to the service account's authorized_keys. An encrypted backup key leaks Matt's credentials — which also unlock a vulnerable Webmin instance, exploited via CVE-2019-12840 for root.
Tags: Redis Unauthenticated Access; SSH Key Injection via Redis CONFIG SET; Encrypted SSH Key Recovery (+3 more)

POV (HTB, Retired, Medium, Windows)
A CV download endpoint on an ASP.NET portfolio site leaks web.config via LFI, exposing ViewState cryptographic keys. Those keys enable a deserialization attack for initial access. Encrypted PSCredential XML hardcoded on the box enables lateral movement, and SeDebugPrivilege on the target user allows process migration into LSASS for SYSTEM.
Tags: Web Enumeration; Subdomain Fuzzing; Local File Inclusion (+6 more)

Redelegate (HTB, Retired, Hard, Windows)
Anonymous FTP exposes a KeePass database alongside documents hinting at a seasonal password pattern. Cracking the database and spraying domain users yields a foothold via ForceChangePassword. SeEnableDelegationPrivilege combined with GenericAll over a machine account enables constrained delegation configuration and DCSync through service ticket impersonation.
Tags: FTP Anonymous Access; KeePass Cracking; RID Brute Force (+7 more)

StreamIO (HTB, Retired, Medium, Windows)
A movie streaming site hides a search endpoint on a subdomain that is vulnerable to manual SQL injection, bypassing sqlmap blocks to dump user hashes. Cracked credentials reach an admin panel where a debug parameter allows LFI via PHP wrappers, leaking database credentials and source code containing an eval/RFI chain for remote code execution. Lateral movement runs through sqlcmd against a backup database, a Firefox credential extraction, and BloodHound ACL enumeration. WriteOwner over a privileged group and LAPS access on the DC machine account close the path to administrator.
Tags: Subdomain Enumeration; Manual SQL Injection (MSSQL, WAF Bypass); Hash Cracking (+8 more)

TombWatcher (HTB, Retired, Medium, Windows)
Provided credentials for henry kick off a multi-hop ACL chain through WriteSPN, Kerberoast, GMSA, ForceChangePassword, and WriteOwner before Shadow Credentials land a WinRM shell as john. Privilege escalation pivots on an orphaned SID in a certificate template's enrollment rights. The deleted account is still in the AD Recycle Bin, gets restored, and its enrollment rights unlock ESC15 (CVE-2024-49019) against the WebServer template for a forged administrator certificate and full domain compromise.
Tags: BloodHound Enumeration; WriteSPN Abuse; Kerberoasting (+7 more)

Trick (HTB, Retired, Easy, Linux)
DNS zone transfer exposes a hidden payroll application vulnerable to SQL injection. File read via SQLi reveals a second vhost with an LFI vulnerability — exploited through a filter bypass with PHP-FPM running as the target user, leaking an SSH key. A writable fail2ban action directory and a NOPASSWD sudo rule finish the job.
Tags: DNS Zone Transfer (AXFR); SQL Injection; SQLMap File Read (+6 more)

Voleur (HTB, Retired, Medium, Windows)
Provided credentials open a Kerberos-only SMB share holding a password-locked spreadsheet. Cracking it with office2john reveals service account credentials. BloodHound maps a WriteSPN edge from svc_ldap to svc_winrm, enabling Kerberoasting for initial WinRM access. Lateral movement pivots through the AD Recycle Bin to restore a deleted user, DPAPI credential decryption to reach a third account, and a WSL-hosted SSH key pointing to svc_backup. That account has direct access to a backup copy of ntds.dit, SYSTEM, and SECURITY on a mounted Windows filesystem, giving a clean path to the administrator hash and domain compromise.
Tags: SMB Enumeration (Kerberos-only); Kerberos Configuration (krb5.conf); Office File Password Cracking (office2john) (+10 more)

VulnCicada (HTB, Retired, Medium, Windows)
An NFS share exposed to everyone contains user profile folders, one of which holds an image with a password visible on a post-it note. Those credentials confirm Kerberos auth (NTLM is disabled) and reveal ADCS via a CertEnroll share. ESC8 is present but certipy relay fails without NTLM. A rogue DNS record added via bloodyAD points the DC at the attacker machine, and krbrelayx relays the Kerberos-coerced authentication to the ADCS web enrollment endpoint. The resulting DC machine account certificate is used to DCSync the administrator hash for full domain compromise.
Tags: NFS Enumeration; Password Discovery via Image; Kerberos Authentication (NTLM Disabled) (+7 more)