Kobold - HTB
An easy-difficulty Linux machine featuring multiple web vulnerabilities.
VariaType - HTB
A medium-difficulty Linux machine centered around a custom font-generation web application. The challenge involves exploring file handling behavior, analyzing backend processing logic, and chaining multiple issues in the font processing pipeline to move from initial access to full system compromise.
CCTV - HTB
Easy Linux CCTV machine abusing ZoneMinder and MotionEye flaws through SQL injection and escalation. [Unintended]
Pirate - HTB
Windows Active Directory challenge centered on delegation, Kerberos, and privilege escalation workflows.
Interpreter - HTB
Medium Linux box exploiting Mirth Connect pre‑auth RCE, cracking DB hashes for SSH, then abusing a root Flask service with eval-based SSTI.
WingData - HTB
Easy Linux box exploiting Wing FTP Server RCE and a tarfile filter bypass (CVE-2025-4517) to write root SSH keys via a sudo restore script.
Pterodactyl - HTB
Medium Linux box exploiting a Pterodactyl Panel locale RCE, then escalating via polkit/udisks chained CVEs on openSUSE.
Facts - HTB
Easy Linux target exploiting a Camaleon LFI to steal an SSH key, crack its passphrase, then abuse facter custom facts for root.
Browsed - HTB
Chrome extension sandbox abuse to reach browsedinternals and localhost, then pivot through the routines script for root.
MonitorsFour - HTB
Easy Windows host running Cacti in Docker. Exploit Cacti auth RCE, then escape Docker Desktop via its exposed API to reach the host.
Fries - HTB
Hard Windows AD + container lab. Abuse pgAdmin for container RCE, pivot to internal services, capture LDAP creds, extract gMSA secrets, then ADCS ESC7 to Administrator.
Eighteen - HTB
Easy Windows box starting with MSSQL creds, pivoting to WinRM via cracked app DB hashes, then abusing dMSA BadSuccessor for Administrator access.
NanoCorp - HTB
Hard Windows AD chain starting with NTLM leakage via a ZIP upload, then AD privilege hops and a Checkmk Agent MSI repair LPE to SYSTEM.
Giveback - HTB
Medium Linux box chaining a GiveWP deserialization RCE with container pivoting, PHP-CGI injection, Kubernetes secret theft, and runc debug abuse for root.
Conversor - HTB
Easy Linux box abusing XSLT injection to write a cron-executed script, then harvesting local SQLite creds and escalating via needrestart.
Hercules - HTB
Insane Windows AD chain featuring LDAP injection, forged ASP.NET auth cookies, file-based hash capture, ADCS abuse, and RBCD to full domain compromise.
Signed - HTB
Medium Windows target focused on MSSQL abuse, NTLM hash capture and cracking, then silver-ticket impersonation and NTLM reflection for WinRM access.
DarkZero - HTB
Windows AD box starting with SQL Server access, linked-server command execution, local exploit for SYSTEM, ticket capture with Rubeus, and DCSync to Domain Admin.
DarkZero - HackTheBox Writeup
An Active Directory–based pentest scenario involving MSSQL pivoting, Kerberos abuse, and privilege escalation via CVE-2024-30085.
Imagery - HTB
Medium Linux box using blind XSS for admin session theft, LFI to source read, ImageMagick command injection for RCE, pyAesCrypt backup decryption, and Charcol cron abuse for root.
Expressway - HTB
Linux target using IKE aggressive mode to crack PSK, SSH as ike, and sudo chroot vulnerability (CVE-2025-32463) for root.
HackNet - HTB
Medium Linux machine with Django SSTI in a social feed, cache deserialization abuse, GPG passphrase cracking, and DB backup recovery for root.
Soulmate - HTB
Easy Linux machine using CrushFTP auth bypass for admin access, webshell upload, leaked Erlang creds, and an Erlang SSH service to read root files.
Guardian - HTB
Guardian is a Linux box combining IDOR in a student portal, XSS via PhpSpreadsheet, CSRF admin creation, PHP filter chain RCE, and sudo misconfigurations to read root files.