HTB: Holiday
A Linux box combining SQL injection for credential extraction, stored XSS with aggressive filter bypass to steal an admin cookie, command injection through a character-restricted export endpoint, and sudo npm install for root.
HTB: PiHole
Default Raspberry Pi credentials bypass the Pi-hole web surface entirely, passwordless sudo delivers root, and a deleted flag requires raw block device recovery with strings.
HTB: Cronos
DNS zone transfer discloses a hidden admin subdomain, SQL injection bypasses authentication, command injection provides a shell, and a writable cron script escalates to root.
HTB: Sense
Default credentials and a plaintext credential disclosure file on a pfSense 2.1.3 appliance lead to authenticated command injection (CVE-2016-10709) running as root. The box demonstrates why network appliances are high-value targets: they run as root by design.
HTB: Lame
A command injection flaw in Samba's username map script configuration gives unauthenticated root on a Linux host — and a lesson in why the obvious exploit isn't always the right one.