Writeups

18 writeups · HTB, CTF, TryHackMe

HTB AirTouch: Medium Walkthrough – SNMP Leak to WPA2-Enterprise Rogue AP Attack
HTB

HTB AirTouch: Medium Walkthrough – SNMP Leak to WPA2-Enterprise Rogue AP Attack

An SNMP system description leaks an SSH password. Network segmentation reveals three VLANs accessed via Wi-Fi. WPA2-PSK cracking provides a foothold in the Tablets VLAN, followed by web exploitation and certificate theft. A rogue access point attack against WPA2-Enterprise captures an MSCHAPv2 hash, which is cracked to gain access to the Corporate VLAN and root.

09 Jun 2026 Medium
HTB Cap: IDOR to PCAP Credential Leak and PwnKit Privilege Escalation
HTB

HTB Cap: IDOR to PCAP Credential Leak and PwnKit Privilege Escalation

An IDOR vulnerability on a network capture endpoint reveals plaintext FTP credentials in a PCAP file. Credential reuse provides SSH access, and a vulnerable pkexec SUID binary (CVE-2021-4034) allows root escalation.

09 Jun 2026 Easy
HTB Connected: From Unauthenticated SQLi to Root via FreePBX, incron & Sudoers Hijack
HTB Non-retired

HTB Connected: From Unauthenticated SQLi to Root via FreePBX, incron & Sudoers Hijack

An unauthenticated SQL injection in FreePBX 16.x (CVE-2025-57819) allows credential extraction and hash replacement, leading to admin access. POST_RELOAD shell injection provides RCE as asterisk. A world-writable incron trigger file and writable module directory enable sudoers hijack for root.

09 Jun 2026 Easy
HTB DevHub (Medium): CVE-2026-23744 → JupyterLab WebSocket RCE → Hidden MCP Tool to Root
HTB Non-retired

HTB DevHub (Medium): CVE-2026-23744 → JupyterLab WebSocket RCE → Hidden MCP Tool to Root

An unauthenticated RCE in MCPJam Inspector (CVE-2026-23744) provides initial access. A JupyterLab token exposed in process arguments enables lateral movement via a raw WebSocket client. Reading the source code of an internal MCP server reveals a hidden tool that dumps root's SSH private key.

09 Jun 2026 Medium
HTB Fluffy: From Low-Priv Creds to Domain Admin via CVE-2025-24071 & Shadow Credentials
HTB

HTB Fluffy: From Low-Priv Creds to Domain Admin via CVE-2025-24071 & Shadow Credentials

Starting with low-privileged domain credentials, the attack chain exploits CVE-2025-24071 to leak an NTLM hash, cracks it, abuses GenericAll ACLs, uses Shadow Credentials to take over service accounts, and finally forges an Administrator certificate via ADCS for Domain Admin.

09 Jun 2026 Easy
HTB Helix: Apache NiFi RCE (CVE-2023-34468) → OPC UA Logic Manipulation to Root
HTB Non-retired

HTB Helix: Apache NiFi RCE (CVE-2023-34468) → OPC UA Logic Manipulation to Root

Subdomain enumeration reveals an unauthenticated Apache NiFi instance. CVE-2023-34468 (H2 JDBC INIT injection) provides a shell as nifi. An SSH key found in NiFi support bundles grants access as operator. Privilege escalation requires manipulating OPC UA industrial control nodes to trigger a safety controller maintenance window, leading to root.

09 Jun 2026 Medium
HackTheBox - Jeeves Writeup | Windows Medium
HTB

HackTheBox - Jeeves Writeup | Windows Medium

Unauthenticated Jenkins Script Console leads to RCE, a KeePass database is cracked to obtain an NTLM hash, and Pass-the-Hash grants SYSTEM access before extracting the root flag from an NTFS Alternate Data Stream.

09 Jun 2026 Medium
HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning
HTB Non-retired

HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning

Starting with a low-privileged user, SMB enumeration reveals hardcoded credentials in a log file. Password pattern inference leads to an updated credential. GenericWrite over a gMSA enables Shadow Credentials and WinRM access. DLL injection via a scheduled task gives lateral movement, and WSUS poisoning combined with ADIDNS spoofing and ADCS certificate abuse yields SYSTEM.

09 Jun 2026 Medium
HTB MonitorsFour: IDOR to RCE to Docker Escape
HTB Non-retired

HTB MonitorsFour: IDOR to RCE to Docker Escape

An unauthenticated IDOR on an internal API leaks user credentials. Cracking an MD5 hash grants access to a Cacti instance vulnerable to CVE-2025-24367 (authenticated RCE). From a www-data shell inside a Docker container, an exposed Docker Engine API (port 2375) enables container escape and host compromise.

09 Jun 2026 Easy
HTB Principal: JWT Authentication Bypass to SSH CA Key Forgery
HTB

HTB Principal: JWT Authentication Bypass to SSH CA Key Forgery

A Java web app using pac4j-jwt/6.0.3 is vulnerable to CVE-2026-29000, allowing JWT authentication bypass via JWE token forgery. API enumeration as admin leaks an SSH deployment key. With user access, a readable SSH CA private key enables forging a root certificate for privilege escalation.

09 Jun 2026 Medium
HTB Reactor: CVE-2025-55182 + Node.js Debug RCE
HTB Non-retired

HTB Reactor: CVE-2025-55182 + Node.js Debug RCE

A critical RCE vulnerability in Next.js React Server Components (CVE-2025-55182) provides initial access. A misconfigured Node.js debugger bound to localhost enables privilege escalation to root.

09 Jun 2026 Easy
HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)
HTB

HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)

Vhost fuzzing reveals a Flowise 3.0.5 staging site. CVE-2025-58434 leaks a password reset token, enabling account takeover. CVE-2025-59528 provides authenticated RCE inside a Docker container. Credential reuse from environment variables leads to SSH access, and CVE-2026-41651 (Pack2TheRoot) grants root.

09 Jun 2026 Easy
HTB SmartHire: CVE-2024-37054 (MLflow RCE) → Python Module Hijacking via .pth
HTB Non-retired

HTB SmartHire: CVE-2024-37054 (MLflow RCE) → Python Module Hijacking via .pth

An MLflow deserialization vulnerability (CVE-2024-37054) provides initial access. Privilege escalation uses a Python module hijacking via site.addsitedir and malicious .pth files to execute code as root.

09 Jun 2026 Medium
HTB Snapped (Hard): CVE-2026-27944, bcrypt, and Two Paths to Root via PackageKit and snap-confine
HTB

HTB Snapped (Hard): CVE-2026-27944, bcrypt, and Two Paths to Root via PackageKit and snap-confine

From an unauthenticated Nginx UI backup disclosure (CVE-2026-27944), a bcrypt hash is cracked to gain user access. Privilege escalation is possible via either CVE-2026-41651 (PackageKit TOCTOU) or the intended race condition in snap-confine (CVE-2026-3888).

09 Jun 2026 Hard
HTB Support: SMB Anonymous Access → Binary Reversing → LDAP Credentials → RBCD Privilege Escalation
HTB

HTB Support: SMB Anonymous Access → Binary Reversing → LDAP Credentials → RBCD Privilege Escalation

Anonymous SMB access reveals a .NET binary containing hardcoded XOR-encrypted LDAP credentials. After enumerating LDAP, a cleartext password in the info attribute grants WinRM access. BloodHound shows GenericAll on DC$, enabling RBCD abuse to impersonate Administrator and achieve SYSTEM on the Domain Controller.

09 Jun 2026 Easy
Trick — DNS Zone Transfer to Fail2Ban Privilege Escalation
HTB

Trick — DNS Zone Transfer to Fail2Ban Privilege Escalation

A multi-stage attack chain combining DNS Zone Transfer, SQL Injection, FILE privilege abuse, LFI, SSH key theft, and a Fail2Ban misconfiguration to obtain root access.

09 Jun 2026 Easy
HTB TwoMillion: A Lesson in API Abuse and Privilege Escalation
HTB

HTB TwoMillion: A Lesson in API Abuse and Privilege Escalation

JavaScript deobfuscation reveals hidden API endpoints, leading to invite code generation. API route enumeration exposes an admin section with broken access control, enabling self-promotion to admin. Command injection in a VPN generation endpoint provides a shell. A leaked .env file gives SSH credentials, and CVE-2023-0386 (OverlayFS) escalates to root.

09 Jun 2026 Easy
Forest — AS-REP Roasting et DCSync via Exchange permissions
HTB

Forest — AS-REP Roasting et DCSync via Exchange permissions

AS-REP Roasting sur un compte sans pré-auth Kerberos, puis abus des permissions Exchange WriteDACL pour obtenir DCSync et dumper les hashes NTDS.

02 Apr 2025 Easy