HTB: Brainfuck
A six-step attack chain across WordPress, SMTP, POP3, a Flarum forum with Vigenere encryption, SSH key cracking, and RSA cryptanalysis delivers the root flag without ever gaining a root shell.
HTB: Apocalyst
A steganographic wordlist hidden in a WordPress uploads image provides the admin password through brute force, then a world-readable .secret file and LXD group membership deliver root via container escape.
HTB: TenTen
A WordPress Job Manager plugin leaks uploaded file names through predictable post IDs, revealing a steganographic image that hides an encrypted SSH key. A misconfigured sudo rule on /bin/fuckin completes the chain to root.
HTB: Blocky
A custom Minecraft plugin with hardcoded database credentials leads to SSH access via credential reuse, and sudo group membership completes the chain to root.