Latest writeups
HTB Fluffy: From Low-Priv Creds to Domain Admin via CVE-2025-24071 & Shadow Credentials
Starting with low-privileged domain credentials, the attack chain exploits CVE-2025-24071 to leak an NTLM hash, cracks it, abuses GenericAll ACLs, uses Shadow Credentials to take over service accounts, and finally forges an Administrator certificate via ADCS for Domain Admin.
HTB Helix: Apache NiFi RCE (CVE-2023-34468) → OPC UA Logic Manipulation to Root
Subdomain enumeration reveals an unauthenticated Apache NiFi instance. CVE-2023-34468 (H2 JDBC INIT injection) provides a shell as nifi. An SSH key found in NiFi support bundles grants access as operator. Privilege escalation requires manipulating OPC UA industrial control nodes to trigger a safety controller maintenance window, leading to root.
HackTheBox - Jeeves Writeup | Windows Medium
Unauthenticated Jenkins Script Console leads to RCE, a KeePass database is cracked to obtain an NTLM hash, and Pass-the-Hash grants SYSTEM access before extracting the root flag from an NTFS Alternate Data Stream.
HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning
Starting with a low-privileged user, SMB enumeration reveals hardcoded credentials in a log file. Password pattern inference leads to an updated credential. GenericWrite over a gMSA enables Shadow Credentials and WinRM access. DLL injection via a scheduled task gives lateral movement, and WSUS poisoning combined with ADIDNS spoofing and ADCS certificate abuse yields SYSTEM.
HTB MonitorsFour: IDOR to RCE to Docker Escape
An unauthenticated IDOR on an internal API leaks user credentials. Cracking an MD5 hash grants access to a Cacti instance vulnerable to CVE-2025-24367 (authenticated RCE). From a www-data shell inside a Docker container, an exposed Docker Engine API (port 2375) enables container escape and host compromise.
HTB Principal: JWT Authentication Bypass to SSH CA Key Forgery
A Java web app using pac4j-jwt/6.0.3 is vulnerable to CVE-2026-29000, allowing JWT authentication bypass via JWE token forgery. API enumeration as admin leaks an SSH deployment key. With user access, a readable SSH CA private key enables forging a root certificate for privilege escalation.
HTB Reactor: CVE-2025-55182 + Node.js Debug RCE
A critical RCE vulnerability in Next.js React Server Components (CVE-2025-55182) provides initial access. A misconfigured Node.js debugger bound to localhost enables privilege escalation to root.
HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)
Vhost fuzzing reveals a Flowise 3.0.5 staging site. CVE-2025-58434 leaks a password reset token, enabling account takeover. CVE-2025-59528 provides authenticated RCE inside a Docker container. Credential reuse from environment variables leads to SSH access, and CVE-2026-41651 (Pack2TheRoot) grants root.
HTB SmartHire: CVE-2024-37054 (MLflow RCE) → Python Module Hijacking via .pth
An MLflow deserialization vulnerability (CVE-2024-37054) provides initial access. Privilege escalation uses Python module hijacking: site.addsitedir processes attacker-controlled .pth files, which execute code as root.
HTB Snapped (Hard): CVE-2026-27944, bcrypt, and Two Paths to Root via PackageKit and snap-confine
From an unauthenticated Nginx UI backup disclosure (CVE-2026-27944), a bcrypt hash is cracked to gain user access. Privilege escalation is possible via either CVE-2026-41651 (PackageKit TOCTOU) or the intended race condition in snap-confine (CVE-2026-3888).
HTB Support: SMB Anonymous Access → Binary Reversing → LDAP Credentials → RBCD Privilege Escalation
Anonymous SMB access reveals a .NET binary containing hardcoded XOR-encrypted LDAP credentials. After enumerating LDAP, a cleartext password in the info attribute grants WinRM access. BloodHound shows GenericAll on DC$, enabling RBCD abuse to impersonate Administrator and achieve SYSTEM on the Domain Controller.
Trick — DNS Zone Transfer to Fail2Ban Privilege Escalation
A multi-stage attack chain combining DNS Zone Transfer, SQL Injection, FILE privilege abuse, LFI, SSH key theft, and a Fail2Ban misconfiguration to obtain root access.
HTB TwoMillion: A Lesson in API Abuse and Privilege Escalation
JavaScript deobfuscation reveals hidden API endpoints, leading to invite code generation. API route enumeration exposes an admin section with broken access control, enabling self-promotion to admin. Command injection in a VPN generation endpoint provides a shell. A leaked .env file gives SSH credentials, and CVE-2023-0386 (OverlayFS) escalates to root.
Forest — AS-REP Roasting and DCSync via Exchange permissions
AS-REP Roasting against an account with Kerberos pre-authentication disabled, then abuse of the Exchange WriteDACL permission to grant DCSync rights and dump the NTDS hashes.
Articles
Your brain has 4 types of memory. So does your AI agent. Here's which one to give it.
AI agents have four memory types directly inspired by human cognition: working, semantic, procedural, and episodic. Each agent type only needs the memory that matches its tasks. Learn how to design agent memory for better performance.
I Passed Anthropic's Official Certifications. Here's What 90% of Claude Users Don't Know.
Official Anthropic Academy certifications reveal the four core properties of Claude, the 4D framework (Delegation, Description, Discernment, Diligence), and advanced features like Projects, Skills, and Claude Code that transform AI from a text generator into a cognitive partner.
Axios x Bitwarden CLI: CTI Analysis – Two Incidents, One Attack Surface
Two separate npm supply chain compromises – Axios (March 2026) and Bitwarden CLI (April 2026) – reveal distinct operational models on the same attack surface. Axios shows a clean delivery chain with documented propagation; Bitwarden CLI centers on CI pipeline abuse and secret harvesting. The tactical correlation is strong, but infrastructural correlation is unproven.