Skip to main content
HTB Starting Point · Tier 1 + Tier 2 · Academy Module · 117+ tasks

$ htb.writeups()

// HackTheBox machine walkthroughs — terminal logs, task Q&A, and blurred flags. Click any machine to see the full writeup.

Tier 1 — 4 machines
Very Easy
🐧 Linux

Appointment

A web application running on port 80 is vulnerable to SQL injection. By appending a MySQL comment character (#) to the username field, we bypass password validation entirely and log in as admin without knowing the password.

SQL InjectionComment-based Auth BypassDirectory Enumeration
10 tasks · nmap, gobuster, browserRead →
Very Easy
🐧 Linux

Sequel

A MariaDB MySQL server is exposed on port 3306 and allows unauthenticated login as the root user. We enumerate databases and tables to find the flag stored in the config table of the htb database.

Unauthenticated MySQL AccessDatabase Enumeration
7 tasks · nmap, mysqlRead →
Very Easy
🐧 Linux

Crocodile

FTP anonymous login exposes two files: a userlist and password list. We use gobuster to find login.php, then use the harvested credentials to authenticate as admin via the web interface.

Anonymous FTP LoginCredential HarvestingDirectory Brute Force
9 tasks · nmap, ftp, gobusterRead →
Very Easy
Windows

Responder

A Windows web server redirects to unika.htb. The 'page' parameter is vulnerable to LFI/RFI. By pointing it to our Responder listener, the server authenticates to us leaking an NTLMv2 hash. John the Ripper cracks the hash to reveal the administrator password, which we use to access the machine via WinRM on port 5985.

LFI (Local File Inclusion)RFI (Remote File Inclusion)NTLMv2 Hash Capture
10 tasks · nmap, responder, john, evil-winrmRead →
Tier 2 — 4 machines
Very Easy
Windows

Archetype

An SMB share named 'backups' is accessible without credentials, containing a configuration file with MSSQL credentials. We connect to the SQL server and enable xp_cmdshell for command execution. WinPEAS reveals ConsoleHost_history.txt with the administrator password.

SMB EnumerationMSSQL xp_cmdshell RCEWinPEAS Privilege Escalation
7 tasks · nmap, smbclient, impacket-mssqlclient, WinPEASRead →
Very Easy
🐧 Linux

Oopsie

A web application's login page at /cdn-cgi/login uses cookies for access control. By changing the role cookie and access ID to the admin's (34322), we gain access to a file upload feature. Uploaded PHP shells land in /uploads. Privilege escalation via a SUID binary that calls 'cat' without a full path — PATH injection gives root.

Web Proxy InterceptionCookie Manipulation (IDOR)File Upload RCE
10 tasks · Burp Suite, curl, findRead →
Very Easy
🐧 Linux

Vaccine

Anonymous FTP yields a password-protected backup.zip. zip2john extracts a crackable hash — password reveals admin credentials for the web app. SQLmap with --os-shell gains a system shell as postgres. The postgres user can run vi as root via sudo, which drops into a root shell via vi's shell escape.

Anonymous FTPZip Password Cracking (zip2john)SQL Injection (sqlmap)
7 tasks · nmap, ftp, zip2john, john, sqlmapRead →
Very Easy
🐧 Linux

Unified

UniFi Network 6.4.54 on port 8443 is vulnerable to Log4Shell (CVE-2021-44228). A JNDI LDAP payload in the remember field triggers an outbound LDAP callback. We intercept via tcpdump on port 389, then enumerate MongoDB (port 27117) to update the admin password hash and log in, finally reading the root credentials.

Log4Shell (CVE-2021-44228)JNDI/LDAP InjectionMongoDB Credential Manipulation
12 tasks · nmap, tcpdump, Burp Suite, mongoRead →
Academy Module
Medium
🐧 Linux + ⊞ Windows · 24 sections · 45 questions

PenTest in a Nutshell

A full 24-section pentest engagement against a dual Linux/Windows target (cube-case.htb). Anonymous FTP exposes an SSH private key and bash history revealing credentials. WordPress on port 443 is exploited via Metasploit. Linux privilege escalation uses Dirty Pipe or SUID abuse. The Windows host runs Gitea with a Git Hooks RCE (2020-10-07) and a scheduled backup task vulnerable to code injection.

Anonymous FTP LootSSH Private Key TheftWordPress RCE (wp_hash_form_rce)Kernel Exploit (Dirty Pipe CVE-2022-0847)
Read →

// Writeups cover SQL injection, MSSQL xp_cmdshell, Log4Shell, NTLM hash capture, SUID abuse, WinRM, and MongoDB manipulation.
If this helped you, consider supporting AbleHearts.org — helping those in need.