Machine

  • Published on
    The target runs a version of NextGen Healthcare Mirth Connect that is vulnerable to CVE-2023-43208, which allows for an initial foothold. DB enumeration reveals a user credential protected with PBKDF2-HMAC-SHA256, which requires some decoding and cracking, thus gaining user access. Root was then acquired by identifying an SSTI vulnerability caused by unsafe validation of user input within a custom script for Mirth Connect.
  • Published on
    The target runs an outdated version of Wing FTP Server that is vulnerable to CVE-2025-47812, which allows for an initial foothold. Credentials are gathered by cracking a salted hash in the credential file, which leads to the user flag. Root was then acquired by exploiting a sudo misconfiguration that allowed running a vulnerable Python version with a custom program that uses the tarfile module, which allows for path traversal, symlink escape and write access to system files (CVE-2025-4517 & CVE-2025-4138).
  • Published on
    Discovered a running webpage that allowed for registration. After logging in, it was revealed to be an outdated Camaleon CMS instance vulnerable to CVE-2024-46987 (Authenticated Arbitrary File Read). That vulnerability was leveraged to grab SSH keys, gaining initial access. Finally, root access was gained by exploiting a sudo misconfiguration involving the facter command/binary.
  • Published on
    SMB enumeration reveals Ansible configuration files for a running webserver that is hosting an LDAPS server. Those files contain an Ansible vault with a crackable password, revealing credentials to the LDAP server; executing a pass-back attack then reveals more sensitive credentials that are used for the initial foothold. Later, enumerating ADCS reveals ESC1 for the Computer Accounts group, which led to creating a computer account, spawning an LDAP shell and adding the low-privileged user to the Administrators group, gaining DA access.
  • Published on
    Guest logon enumeration leads to early access to an SQL Server, which allows for performing an NTLM relay attack that captures a crackable hash. The valid credentials are used to find the credentials of another user in a backup log file. Elevation to Domain Admin is achieved by enumerating vulnerable certificate templates, which reveals that the current template is vulnerable to ESC1.