HTB: Jail
A stack buffer overflow with socket-reuse shellcode, NFS SUID escalation via raw syscall assembly, an rvim Python escape, and PwnKit combine for a four-stage privilege escalation on CentOS 7.
HTB: Brainfuck
A six-step attack chain across WordPress, SMTP, POP3, a Flarum forum with Vigenère encryption, SSH key cracking, and RSA cryptanalysis delivers the root flag without ever gaining a root shell.
HTB: Pterodactyl
A critical LFI in Pterodactyl Panel's locale endpoint chains with pearcmd.php for unauthenticated RCE, then a PAM environment injection and udisks2 XFS resize race condition deliver root on openSUSE.
HTB: Kobold
An MCPJam Inspector RCE for initial access, PrivateBin template cookie LFI for container-level code execution, database password reuse across services, and a Docker management API that mounts the host root filesystem.
HTB: Holiday
A Linux box combining SQL injection for credential extraction, stored XSS with aggressive filter bypass to steal an admin cookie, command injection through a character-restricted export endpoint, and sudo npm install for root.
HTB: Charon
A multi-stage Linux box requiring two SQL injection points, a case-sensitive keyword filter bypass, a hidden base64 upload field, RSA key factorisation, and a SUID binary with a newline injection to reach root.
HTB: Calamity
A 32-bit Linux box with hardcoded credentials, a PHP code injection endpoint, audio steganography for SSH credentials, and an LXD group membership that provides a container escape to root.
HTB: Facts
A path traversal in Camaleon CMS exposes Rails master keys, SQLite databases, and authentication tokens, enabling admin takeover through cookie forgery on a Ruby on Rails 8 application.
HTB: PiHole
Default Raspberry Pi credentials bypass the Pi-hole web surface entirely, passwordless sudo delivers root, and a deleted flag requires raw block device recovery with strings.
HTB: DevArea
Apache CXF MTOM SSRF reads credentials from systemd unit files, Hoverfly middleware provides RCE, and a world-writable /usr/bin/bash combined with a sudoers negation bypass delivers root.
HTB: Inception
A layered exploitation chain through dompdf LFI, WebDAV file upload, LXC container escape via anonymous FTP reconnaissance, and apt pre-invoke hook injection through TFTP.
HTB: Nineveh
A multi-stage chain through phpLiteAdmin, LFI with path filtering, steganographic SSH key extraction, and a chkrootkit privilege escalation on an Ubuntu 16.04 host.
HTB: Apocalyst
A steganographic wordlist hidden in a WordPress uploads image provides the admin password through brute force, then a world-readable .secret file and LXD group membership deliver root via container escape.
HTB: Lazy
A padding oracle in a custom PHP authentication cookie enables CBC bit-flipping to forge admin access, exposing an SSH key. A SUID binary with a relative PATH call to cat completes the root chain.
HTB: October
Default credentials on October CMS grant admin access, the code editor provides RCE as www-data, and a 32-bit SUID buffer overflow with ASLR brute-force delivers root in under ten seconds.
HTB: TenTen
A WordPress Job Manager plugin leaks uploaded file names through predictable post IDs, revealing a steganographic image that hides an encrypted SSH key. A misconfigured sudo rule on /bin/fuckin completes the chain to root.
HTB: Europa
An SQL injection bypass on a TLS-disclosed admin portal leads to PHP code execution via preg_replace's /e modifier, then a writable cron script grants root.
HTB: Cronos
DNS zone transfer discloses a hidden admin subdomain, SQL injection bypasses authentication, command injection provides a shell, and a writable cron script escalates to root.
HTB: Beep
An Elastix PBX system with 15 open ports, a universal password across every service, and a local file inclusion that discloses credentials from the configuration file.
HTB: Bank
A DNS zone transfer leaks the domain, a failed encryption process exposes plaintext credentials, a debug file extension bypass enables a webshell, and a custom SUID binary gives instant root.
HTB: Blocky
A custom Minecraft plugin with hardcoded database credentials leads to SSH access via credential reuse, and sudo group membership completes the chain to root.
HTB: Shocker
A CGI bash script on Apache 2.4.18 is vulnerable to Shellshock (CVE-2014-6271), yielding RCE via a crafted User-Agent header. A sudo NOPASSWD entry for Perl completes the path to root. The real challenge is handling stdout pollution in CGI context.
HTB: Bashed
A developer leaves a PHP web shell in a publicly accessible directory, then compounds the mistake with a sudo misconfiguration and a root cron job reading from a user-writable directory. Three independent failures chain into full system compromise.
HTB: Lame
A command injection flaw in Samba's username map script configuration gives unauthenticated root on a Linux host — and a lesson in why the obvious exploit isn't always the right one.