🧠 Hack The Box — Writeups
Author: k41r0s3
Platform: Hack The Box
A collection of my personal writeups for retired Hack The Box machines. Each writeup documents my methodology, tools used, and the full attack chain from initial reconnaissance to root.
These writeups are for educational purposes only. All machines documented here are retired HTB machines, meaning they are no longer active challenges. Please respect HTB's rules and do not share writeups for active machines.
Hack-The-Box/
└── Write-ups/
    └── MachineName/
        └── README.md

| # | Machine | Difficulty | OS | Category | Date |
|---|---------|------------|----|----------|------|
| 1 | Planning | Easy | Linux | Web | March 3, 2026 |
| 2 | Reset | Easy | Linux | Web / Network | March 4, 2026 |
| 3 | Data | Easy | Linux | Web / Network | March 7, 2026 |
| 4 | Browsed | Medium | Linux | Web / PrivEsc | March 9, 2026 |
| 5 | Editor | Easy | Linux | Web / PrivEsc | March 10, 2026 |
| 6 | Artificial | Easy | Linux | AI / PrivEsc | March 11, 2026 |
| 7 | Down | Easy | Linux | Web / SSRF | March 12, 2026 |
| 8 | Nocturnal | Easy | Linux | Web / Command Injection / CVE | March 13, 2026 |
| 9 | Code | Easy | Linux | Web | March 14, 2026 |
| 10 | Dog | Easy | Linux | Web / Git Disclosure | March 17, 2026 |
| 11 | Trick | Easy | Linux | Web / LFI / DNS | March 17, 2026 |
| 12 | Fluffy | Medium | Windows | Active Directory / ADCS / CVE-2025-24071 / ESC16 | March 18, 2026 |
| 13 | Postman | Easy | Linux | Misconfiguration / Redis / CVE-2019-12840 | March 18, 2026 |
| 14 | Craft | Medium | Linux | Web / Git Recon / eval() RCE / Vault | March 19, 2026 |
| 15 | Jeeves | Medium | Windows | Web / Jenkins RCE / JuicyPotato / NTFS ADS | March 19, 2026 |
| 16 | Snoopy | Hard | Linux | LFI / DNS Injection / Mattermost / CVE-2023-23946 / CVE-2023-20052 | March 20, 2026 |
| 17 | UnderPass | Easy | Linux | SNMP / daloRADIUS / Mosh | March 26, 2026 |
| 18 | Titanic | Easy | Linux | Web / LFI / Gitea / CVE-2024-41817 | March 26, 2026 |
| 19 | Support | Easy | Windows | Active Directory / SMB / .NET RE / LDAP / RBCD | March 27, 2026 |
| 20 | POV | Medium | Windows | LFI / ASP.NET ViewState Deserialization / SeDebugPrivilege | March 28, 2026 |
| 21 | LinkVortex | Easy | Linux | Web / Git Disclosure / CVE-2023-40028 / Symlink Bypass | March 30, 2026 |
| 22 | Administrator | Medium | Windows | Active Directory / ACL Abuse / Password Safe / DCSync | April 18, 2026 |

| Tool | Purpose |
|------|---------|
| nmap | Port scanning and service enumeration |
| ffuf | Directory and subdomain fuzzing |
| gobuster | Directory and vhost enumeration |
| curl | Web requests and API interaction |
| whatweb | Web technology fingerprinting |
| BurpSuite | Web traffic interception and analysis |
| dig | DNS zone transfer and record enumeration |
| nsupdate | TSIG-authenticated DNS dynamic update injection |
| aiosmtpd | Fake SMTP server for email interception |
| Cowrie | SSH honeypot for credential capture |
| snmpwalk | SNMP enumeration via community string |
| snmp-check | Formatted SNMP system info report |
| onesixtyone | SNMP community string brute-forcing |
| sqlite3 | Query SQLite databases (e.g. Gitea user hash extraction) |
| ntpdate | Sync system clock with DC for Kerberos attacks |

| Tool | Purpose |
|------|---------|
| netexec | SMB/WinRM/FTP credential validation, share and user enumeration |
| impacket | AD attack suite (GetUserSPNs, GetNPUsers, addcomputer, rbcd, getST, secretsdump) |
| bloodyAD | ACL enumeration, group membership abuse, shadow credentials |
| certipy-ad | ADCS enumeration and exploitation (ESC1–ESC16) |
| PKINITtools | PKINIT TGT requests and NT hash recovery |
| evil-winrm | WinRM shell via credentials or NT hash |
| bloodhound-python | Active Directory data collection for BloodHound |
| responder | NTLM hash capture via poisoning |
| hashcat | Password hash cracking (NTLMv2, TGS, PBKDF2, etc.) |
| smbclient | SMB share interaction and file transfer |
| ldapsearch | LDAP enumeration and SID resolution |
| addcomputer.py | Create fake machine accounts for RBCD attacks |
| rbcd.py | Write msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD |
| getST.py | Request S4U2Proxy Kerberos service tickets for impersonation |
| secretsdump.py | DCSync — extract NT hashes and Kerberos keys from domain |
| targetedKerberoast.py | Abuse GenericWrite to set fake SPN, capture and clean up TGS hash |
| net rpc | Remote password reset via MS-RPC (abuse GenericAll / ForceChangePassword) |
| pwsafe2john | Convert Password Safe .psafe3 vaults to john-crackable format |

🔬 Reverse Engineering & Binary Analysis

| Tool | Purpose |
|------|---------|
| python3 | .NET PE metadata parser — extract #US heap string literals |
| dnfile | Python library for parsing .NET PE metadata streams |
| pefile | Python PE file parsing library |
| strings | Basic string extraction from binaries |
| binwalk | Binary file analysis and embedded content detection |
| file | Identify binary type and architecture |

🐧 Linux PrivEsc & General

| Tool | Purpose |
|------|---------|
| netcat | Reverse shell listener |
| LinPEAS | Linux privilege escalation enumeration |
| Metasploit | Exploitation framework |
| hydra | Network login brute-forcing |
| sshpass | Forced password authentication over SSH |
| jq | JSON parsing |
| git-dumper | Dump exposed .git repositories |
| rsh-redone-client | BSD r-services client |
| pswm-decryptor | Brute-force pswm password manager vaults |
| Docker | Isolated exploit build environments |
| redis-cli | Redis interaction and exploitation |
| ssh2john | Convert encrypted SSH keys to crackable format |
| john | Offline password and passphrase cracking (TGS, psafe3, SSH keys, etc.) |
| vault | HashiCorp Vault CLI — secret engine enumeration and SSH OTP generation |
| JuicyPotato | SeImpersonatePrivilege → SYSTEM token impersonation (Windows, pre-1809) |
| genisoimage | Build HFS+ disk images for Apple DMG creation |
| bbe | Binary stream editor — patch DMG plists for CVE exploitation |
| mosh-client | Connect to privileged mosh-server session for root shell access |
| gcc | Compile malicious shared libraries for CVE-2024-41817 ImageMagick privesc |
| ysoserial.net | .NET deserialization payload generation (ViewState, BinaryFormatter gadget chains) |
| RunasCs | Spawn processes with interactive logon token (Type 2) to enable stripped privileges |

Happy Hacking! 🚀
k41r0s3