securitea.tech

securitea.techHTB writeups, pentesting walkthroughs, and security research.https://securitea.tech/enSun, 12 Apr 2026 16:05:12 GMTHTB: Jailhttps://securitea.tech/blog/htb-jail/https://securitea.tech/blog/htb-jail/A stack buffer overflow with socket-reuse shellcode, NFS SUID escalation via raw syscall assembly, an rvim Python escape, and PwnKit combine for a four-stage privilege escalation on CentOS 7.Fri, 16 Sep 2022 00:00:00 GMThtblinuxnfsbuffer-overflowrvimrestricted-shellHTB: Brainfuckhttps://securitea.tech/blog/htb-brainfuck/https://securitea.tech/blog/htb-brainfuck/A six-step attack chain across WordPress, SMTP, POP3, a Flarum forum with Vigenere encryption, SSH key cracking, and RSA cryptanalysis delivers the root flag without ever gaining a root shell.Fri, 09 Sep 2022 00:00:00 GMThtblinuxwordpresssmtpvigenerecryptolxcrsaHTB: WingDatahttps://securitea.tech/blog/htb-wingdata/https://securitea.tech/blog/htb-wingdata/A NULL byte in Wing FTP Server's login handler triggers Lua code injection for unauthenticated RCE, then a Python tarfile data filter bypass via PATH_MAX overflow writes an SSH key to root.Fri, 02 Sep 2022 00:00:00 GMThtbwindowswebapiprivilege-escalationHTB: Pterodactylhttps://securitea.tech/blog/htb-pterodactyl/https://securitea.tech/blog/htb-pterodactyl/A critical LFI in Pterodactyl Panel's locale endpoint chains with pearcmd.php for unauthenticated RCE, then a PAM environment injection and udisks2 XFS resize race condition deliver root on openSUSE.Fri, 26 Aug 2022 00:00:00 GMThtblinuxpterodactyl-panelwebprivilege-escalationHTB: Koboldhttps://securitea.tech/blog/htb-kobold/https://securitea.tech/blog/htb-kobold/An MCPJam Inspector RCE for initial access, PrivateBin template cookie LFI for container-level code execution, database password reuse across services, and a Docker management API that mounts the host root filesystem.Fri, 19 Aug 2022 00:00:00 GMThtblinuxwebssrfprivilege-escalationHTB: Interpreterhttps://securitea.tech/blog/htb-interpreter/https://securitea.tech/blog/htb-interpreter/Pre-authentication Java deserialisation in Mirth Connect, PBKDF2 hash cracking of a dictionary password, and a Python f-string template injection in a root-owned Flask service for privilege escalation.Fri, 12 Aug 2022 00:00:00 GMThtbwindowscustom-interpreterreverse-engineeringbinary-exploitationHTB: CCTVhttps://securitea.tech/blog/htb-cctv/https://securitea.tech/blog/htb-cctv/Default credentials on ZoneMinder, a time-based blind SQL injection to extract bcrypt hashes, SSH password reuse, and a motionEye command injection running as root through a surveillance daemon's notification configuration.Fri, 05 Aug 2022 00:00:00 GMThtbwindowswebreverse-engineeringbinary-exploitationHTB: Holidayhttps://securitea.tech/blog/htb-holiday/https://securitea.tech/blog/htb-holiday/A Linux box combining SQL injection for credential extraction, stored XSS with aggressive filter bypass to steal an admin cookie, command injection through a character-restricted export endpoint, and sudo npm install for root.Fri, 29 Jul 2022 00:00:00 GMThtblinuxxssstored-xsscommand-injectionnpmsudoHTB: Charonhttps://securitea.tech/blog/htb-charon/https://securitea.tech/blog/htb-charon/A multi-stage Linux box requiring two SQL injection points, a case-sensitive keyword filter bypass, a hidden base64 upload field, RSA key factorisation, and a SUID binary with a newline injection to reach root.Fri, 22 Jul 2022 00:00:00 GMThtblinuxsql-injectionrsaupload-bypasssuidHTB: Calamityhttps://securitea.tech/blog/htb-calamity/https://securitea.tech/blog/htb-calamity/A 32-bit Linux box with hardcoded credentials, a PHP code injection endpoint, audio steganography for SSH credentials, and an LXD group membership that provides a container escape to root.Fri, 15 Jul 2022 00:00:00 GMThtblinuxbuffer-overflowaudio-steganographylxcHTB: Garfieldhttps://securitea.tech/blog/htb-garfield/https://securitea.tech/blog/htb-garfield/An Active Directory domain with a Read-Only Domain Controller whose Password Replication Policy is writable by a Tier 1 admin, enabling the KERB-KEY-LIST attack to extract the Administrator's NT hash.Fri, 08 Jul 2022 00:00:00 GMThtbwindowsactive-directoryrodckerberosHTB: Factshttps://securitea.tech/blog/htb-facts/https://securitea.tech/blog/htb-facts/A path traversal in Camaleon CMS exposes Rails master keys, SQLite databases, and authentication tokens, enabling admin takeover through cookie forgery on a Ruby on Rails 8 application.Fri, 01 Jul 2022 00:00:00 GMThtblinuxwebenumerationprivilege-escalationHTB: PiHolehttps://securitea.tech/blog/htb-pihole/https://securitea.tech/blog/htb-pihole/Default Raspberry Pi credentials bypass the Pi-hole web surface entirely, passwordless sudo delivers root, and a deleted flag requires raw block device recovery with strings.Fri, 24 Jun 2022 00:00:00 GMThtblinuxpi-holednscommand-injectiondockerHTB: DevAreahttps://securitea.tech/blog/htb-devarea/https://securitea.tech/blog/htb-devarea/Apache CXF MTOM SSRF reads credentials from systemd unit files, Hoverfly middleware provides RCE, and a world-writable /usr/bin/bash combined with a sudoers negation bypass delivers root.Fri, 17 Jun 2022 00:00:00 GMThtblinuxgitsource-code-reviewapiHTB: Inceptionhttps://securitea.tech/blog/htb-inception/https://securitea.tech/blog/htb-inception/A layered exploitation chain through dompdf LFI, WebDAV file upload, LXC container escape via anonymous FTP reconnaissance, and apt pre-invoke hook injection through TFTP.Fri, 10 Jun 2022 00:00:00 GMThtblinuxsquid-proxywebdavdompdfpivotingHTB: Ninevehhttps://securitea.tech/blog/htb-nineveh/https://securitea.tech/blog/htb-nineveh/A multi-stage chain through phpLiteAdmin, LFI with path filtering, steganographic SSH key extraction, and a chkrootkit privilege escalation on an Ubuntu 16.04 host.Fri, 03 Jun 2022 00:00:00 GMThtblinuxbrute-forcelfiphpinfoport-knockingchkrootkitHTB: Apocalysthttps://securitea.tech/blog/htb-apocalyst/https://securitea.tech/blog/htb-apocalyst/A steganographic wordlist hidden in a WordPress uploads image provides the admin password through brute-force, then a world-readable .secret file and LXD group membership deliver root via container escape.Fri, 27 May 2022 00:00:00 GMThtblinuxwordpresssteganographybrute-forcedirectory-enumerationHTB: Lazyhttps://securitea.tech/blog/htb-lazy/https://securitea.tech/blog/htb-lazy/A padding oracle in a custom PHP authentication cookie enables CBC bit-flipping to forge admin access, exposing an SSH key. A SUID binary with a relative PATH call to cat completes the root chain.Fri, 20 May 2022 00:00:00 GMThtblinuxpadding-oraclecryptosuidpath-hijackHTB: Octoberhttps://securitea.tech/blog/htb-october/https://securitea.tech/blog/htb-october/Default credentials on October CMS grant admin access, the code editor provides RCE as www-data, and a 32-bit SUID buffer overflow with ASLR brute-force delivers root in under ten seconds.Fri, 13 May 2022 00:00:00 GMThtblinuxoctober-cmsfile-uploadbuffer-overflowsuidHTB: TenTenhttps://securitea.tech/blog/htb-tenten/https://securitea.tech/blog/htb-tenten/A WordPress Job Manager plugin leaks uploaded file names through predictable post IDs, revealing a steganographic image that hides an encrypted SSH key. A misconfigured sudo rule on /bin/fuckin completes the chain to root.Fri, 06 May 2022 00:00:00 GMThtblinuxwordpresssteganographysshcve-2015-6668HTB: Bastardhttps://securitea.tech/blog/htb-bastard/https://securitea.tech/blog/htb-bastard/Drupalgeddon 2 delivers unauthenticated RCE on a Windows Server 2008 R2 box with zero hotfixes, then JuicyPotato turns an IIS service account into SYSTEM via COM/DCOM token impersonation.Fri, 29 Apr 2022 00:00:00 GMThtbwindowsdrupalphpkernel-exploitms15-051HTB: Europahttps://securitea.tech/blog/htb-europa/https://securitea.tech/blog/htb-europa/An SQL injection bypass on a TLS-disclosed admin portal leads to PHP code execution via preg_replace's /e modifier, then a writable cron script grants root.Fri, 22 Apr 2022 00:00:00 GMThtblinuxsql-injectionopenvpnregexpreg_replaceHTB: Cronoshttps://securitea.tech/blog/htb-cronos/https://securitea.tech/blog/htb-cronos/DNS zone transfer discloses a hidden admin subdomain, SQL injection bypasses authentication, command injection provides a shell, and a writable cron script escalates to root.Fri, 15 Apr 2022 00:00:00 GMThtblinuxdnssql-injectioncommand-injectioncronHTB: Beephttps://securitea.tech/blog/htb-beep/https://securitea.tech/blog/htb-beep/An Elastix PBX system with 15 open ports, a universal password across every service, and a local file inclusion that discloses credentials from the configuration file.Fri, 08 Apr 2022 00:00:00 GMThtblinuxelastixlfivoipshellshockHTB: Bankhttps://securitea.tech/blog/htb-bank/https://securitea.tech/blog/htb-bank/A DNS zone transfer leaks the domain, a failed encryption process exposes plaintext credentials, a debug file extension bypass enables a webshell, and a custom SUID binary gives instant root.Fri, 01 Apr 2022 00:00:00 GMThtblinuxfile-uploaddnssuidHTB: Blockyhttps://securitea.tech/blog/htb-blocky/https://securitea.tech/blog/htb-blocky/A custom Minecraft plugin with hardcoded database credentials leads to SSH access via credential reuse, and sudo group membership completes the chain to root.Fri, 25 Mar 2022 00:00:00 GMThtblinuxminecraftjavacredential-reusewordpressHTB: Optimumhttps://securitea.tech/blog/htb-optimum/https://securitea.tech/blog/htb-optimum/A null byte injection in Rejetto HFS 2.3 gives unauthenticated RCE, and a Secondary Logon race condition escalates to SYSTEM on an unpatched Windows Server 2012 R2.Fri, 18 Mar 2022 00:00:00 GMThtbhfswindowsrejettocve-2014-6287HTB: Grandpahttps://securitea.tech/blog/htb-grandpa/https://securitea.tech/blog/htb-grandpa/A buffer overflow in IIS 6.0's WebDAV handler delivers code execution on Windows Server 2003, and token kidnapping completes the escalation to SYSTEM.Fri, 11 Mar 2022 00:00:00 GMThtbiiswebdavwindowstoken-impersonationcve-2017-7269HTB: Grannyhttps://securitea.tech/blog/htb-granny/https://securitea.tech/blog/htb-granny/IIS 6.0 with WebDAV enabled permits unauthenticated file upload via PUT and MOVE, bypassing extension restrictions to deploy an ASPX webshell. Token kidnapping (MS09-012) escalates NETWORK SERVICE to SYSTEM on Windows Server 2003.Fri, 04 Mar 2022 00:00:00 GMThtbiiswebdavwindowstoken-impersonationHTB: Arctichttps://securitea.tech/blog/htb-arctic/https://securitea.tech/blog/htb-arctic/Adobe ColdFusion 8 on Windows Server 2008 R2 yields unauthenticated RCE through a three-part chain: directory traversal for credential extraction, FCKeditor file upload, and LFI-based CFML code injection. MS10-059 escalates to SYSTEM when JuicyPotato fails.Fri, 25 Feb 2022 00:00:00 GMThtbcoldfusionwindowsdirectory-traversalprivilege-escalationHTB: Sensehttps://securitea.tech/blog/htb-sense/https://securitea.tech/blog/htb-sense/Default credentials and a plaintext credential disclosure file on a pfSense 2.1.3 appliance lead to authenticated command injection (CVE-2016-10709) running as root. The box demonstrates why network appliances are high-value targets: they run as root by design.Fri, 18 Feb 2022 00:00:00 GMThtbpfsenseopenbsdcommand-injectionfirewallHTB: Shockerhttps://securitea.tech/blog/htb-shocker/https://securitea.tech/blog/htb-shocker/A CGI bash script on Apache 2.4.18 is vulnerable to Shellshock (CVE-2014-6271), yielding RCE via a crafted User-Agent header. A sudo NOPASSWD entry for Perl completes the path to root. The real challenge is handling stdout pollution in CGI context.Fri, 11 Feb 2022 00:00:00 GMThtblinuxshellshockcgibashcve-2014-6271HTB: Bashedhttps://securitea.tech/blog/htb-bashed/https://securitea.tech/blog/htb-bashed/A developer leaves a PHP web shell in a publicly accessible directory, then compounds the mistake with a sudo misconfiguration and a root cron job reading from a user-writable directory. Three independent failures chain into full system compromise.Fri, 04 Feb 2022 00:00:00 GMThtblinuxwebshellphpbashsudoHTB: Bluehttps://securitea.tech/blog/htb-blue/https://securitea.tech/blog/htb-blue/EternalBlue (MS17-010) turns an SMB-only Windows 7 host into a SYSTEM shell in under a minute. The box is a single-exploit machine, but the methodology around blind command execution and exfiltration via writable shares is worth studying.Fri, 28 Jan 2022 00:00:00 GMThtbsmbms17-010eternalbluewindowsHTB: Develhttps://securitea.tech/blog/htb-devel/https://securitea.tech/blog/htb-devel/Anonymous FTP write access to an IIS web root creates a trivial foothold. The real lesson is in the privilege escalation — unpatched Windows 7 with no service packs is a kernel exploit playground.Fri, 21 Jan 2022 00:00:00 GMThtbftpiisaspxwindowskernel-exploitprivilege-escalationms11-046HTB: Legacyhttps://securitea.tech/blog/htb-legacy/https://securitea.tech/blog/htb-legacy/MS08-067 on Windows XP — the vulnerability that powered the Conficker pandemic. A deep dive into the NetAPI32.dll buffer overflow that defined an era of network worms.Fri, 14 Jan 2022 00:00:00 GMThtbsmbms08-067cve-2008-4250buffer-overflowwindows-xpconfickerHTB: Lamehttps://securitea.tech/blog/htb-lame/https://securitea.tech/blog/htb-lame/A command injection flaw in Samba's username map script configuration gives unauthenticated root on a Linux host — and a lesson in why the obvious exploit isn't always the right one.Fri, 07 Jan 2022 00:00:00 GMThtbsmbsambacve-2007-2447command-injectionlinuxvsftpd