Skip to content

Commit 9974596

Browse files
committed
Add 30 more writeup links from chr0x6eos, threatninja, erichogue, and others
Batch 2 additions from final research agent. Key additions: - chr0x6eos: 7 machines (strong AD coverage - Sauna, Blackfield, Cascade, Resolute) - threatninja: 11 machines (hard machines - Snoopy, Napper, Visual, Vessel, Compiled) - erichogue: 5 machines (Jupiter, Sandworm, Keeper, Usage, GoodGames) - ivanitlearning: 4 machines (Forest, Sauna, Cascade, OpenAdmin) - HackingArticles: 6 hard machines (Reel, Blackfield, Tally, Intelligence, Writer) - zweilosec: 1 machine (Resolute) Blackfield now has 8 independent sources. Total unique source links: 170+.
1 parent f9a2260 commit 9974596

3 files changed

Lines changed: 30 additions & 30 deletions

File tree

machines/easy/README.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -72,14 +72,14 @@ permalink: /machines/easy/
7272
| 32 | **Haystack** | Linux | ELK Stack + Kibana LFI | Find base64 creds in Elasticsearch, exploit Kibana LFI (CVE-2018-17246) for shell, logstash for root | [0xdf](https://0xdf.gitlab.io/2019/11/02/htb-haystack.html) |
7373
| 33 | **Writeup** | Linux | CMS Made Simple SQLi + PATH Hijack | Exploit CMS Made Simple SQLi (CVE-2019-9053) for creds, SSH, PATH hijack via staff group for root | [0xdf](https://0xdf.gitlab.io/2019/10/12/htb-writeup.html) |
7474
| 34 | **Luke** | Linux | JSON API + Multiple Creds | Enumerate FTP, discover Ajenti panel, chain API auth tokens to extract admin creds | [0xdf](https://0xdf.gitlab.io/2019/09/14/htb-luke.html) |
75-
| 35 | **Postman** | Linux | Redis Unauthorized + Webmin RCE | Write SSH key via unauthenticated Redis, crack encrypted SSH key, Webmin RCE (CVE-2019-12840) as root | [0xdf](https://0xdf.gitlab.io/2020/03/14/htb-postman.html), [HackingArticles](https://www.hackingarticles.in/hack-the-box-postman-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-postman/), [Medium](https://medium.com/@v1per/postman-hackthebox-writeup-5d31df5bf6d9) |
75+
| 35 | **Postman** | Linux | Redis Unauthorized + Webmin RCE | Write SSH key via unauthenticated Redis, crack encrypted SSH key, Webmin RCE (CVE-2019-12840) as root | [0xdf](https://0xdf.gitlab.io/2020/03/14/htb-postman.html), [HackingArticles](https://www.hackingarticles.in/hack-the-box-postman-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-postman/), [Medium](https://medium.com/@v1per/postman-hackthebox-writeup-5d31df5bf6d9), [ivanitlearning](https://ivanitlearning.wordpress.com/2020/09/20/hackthebox-postman/) |
7676
| 36 | **Traverxec** | Linux | Nostromo RCE + Journalctl Privesc | Exploit Nostromo web server RCE (CVE-2019-16278) for shell, find SSH key in htdocs, sudo journalctl pager escape for root | [0xdf](https://0xdf.gitlab.io/2020/04/11/htb-traverxec.html), [HackingArticles](https://www.hackingarticles.in/traverxec-hackthebox-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-traverxec/) |
77-
| 37 | **OpenAdmin** | Linux | OpenNetAdmin RCE + Sudo Nano | Exploit OpenNetAdmin RCE, pivot via password reuse, read SSH key via internal Apache, sudo nano for root | [0xdf](https://0xdf.gitlab.io/2020/05/02/htb-openadmin.html), [HackingArticles](https://www.hackingarticles.in/hack-the-box-open-admin-box-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-openadmin/), [Medium](https://musyokaian.medium.com/openadmin-walkthrough-hackthebox-8ab40e4072a5) |
77+
| 37 | **OpenAdmin** | Linux | OpenNetAdmin RCE + Sudo Nano | Exploit OpenNetAdmin RCE, pivot via password reuse, read SSH key via internal Apache, sudo nano for root | [0xdf](https://0xdf.gitlab.io/2020/05/02/htb-openadmin.html), [HackingArticles](https://www.hackingarticles.in/hack-the-box-open-admin-box-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-openadmin/), [Medium](https://musyokaian.medium.com/openadmin-walkthrough-hackthebox-8ab40e4072a5), [chr0x6eos](https://chr0x6eos.github.io/2020/05/02/htb-OpenAdmin.html), [ivanitlearning](https://ivanitlearning.wordpress.com/2020/09/24/hackthebox-openadmin/) |
7878
| 38 | **Traceback** | Linux | PHP Webshell + Lua Privesc | Find existing webshell from previous attacker, pivot users via Lua binary (sudo luvit), motd write for root | [0xdf](https://0xdf.gitlab.io/2020/08/15/htb-traceback.html), [HackingArticles](https://www.hackingarticles.in/traceback-hackthebox-walkthrough/), [snowscan](https://snowscan.io/htb-writeup-traceback/) |
7979
| 39 | **Admirer** | Linux | Adminer 4.6.2 SSRF + PATH Hijack | Discover credentials via directory traversal, exploit Adminer SSRF to read config, PYTHONPATH hijack for root | [0xdf](https://0xdf.gitlab.io/2020/09/26/htb-admirer.html) |
8080
| 40 | **Blunder** | Linux | Bludit CMS Brute-force + sudo Bypass | Generate wordlist from site via CeWL, bypass Bludit brute-force protection, upload PHP shell, CVE-2019-14287 sudo bypass for root | [0xdf](https://0xdf.gitlab.io/2020/10/17/htb-blunder.html), [snowscan](https://snowscan.io/htb-writeup-blunder/), [Medium](https://medium.com/@paradoxis/hackthebox-blunder-d3669b73875c) |
8181
| 41 | **Tabby** | Linux | LFI + Tomcat WAR Deploy + LXD | LFI reads Tomcat credentials, deploy WAR shell, privesc via lxd group container escape for root | [0xdf](https://0xdf.gitlab.io/2020/11/07/htb-tabby.html), [HackingArticles](https://www.hackingarticles.in/tabby-hackthebox-walkthrough/), [rana-khalil](https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/linux-boxes/tabby-writeup-w-o-metasploit), [snowscan](https://snowscan.io/htb-writeup-tabby/) |
82-
| 42 | **Doctor** | Linux | SSTI in Flask + Splunk Privesc | Server-Side Template Injection in Flask app for command execution, Splunk Universal Forwarder RCE for root | [0xdf](https://0xdf.gitlab.io/2021/02/06/htb-doctor.html), [HackingArticles](https://www.hackingarticles.in/doctor-hackthebox-walkthrough/), [IppSec](https://www.youtube.com/watch?v=JcOR9krOPFY), [Medium](https://jdroberts96.medium.com/hackthebox-writeup-doctor-a07a5405b0f9) |
82+
| 42 | **Doctor** | Linux | SSTI in Flask + Splunk Privesc | Server-Side Template Injection in Flask app for command execution, Splunk Universal Forwarder RCE for root | [0xdf](https://0xdf.gitlab.io/2021/02/06/htb-doctor.html), [HackingArticles](https://www.hackingarticles.in/doctor-hackthebox-walkthrough/), [IppSec](https://www.youtube.com/watch?v=JcOR9krOPFY), [Medium](https://jdroberts96.medium.com/hackthebox-writeup-doctor-a07a5405b0f9), [chr0x6eos](https://chr0x6eos.github.io/2021/02/06/htb-Doctor.html) |
8383
| 43 | **Academy** | Linux | Laravel Debug RCE + Audit Log | Register with admin role via parameter tampering, exploit Laravel debug mode RCE (CVE-2018-15133), read audit log for creds, sudo composer for root | [0xdf](https://0xdf.gitlab.io/2021/02/27/htb-academy.html) |
8484
| 44 | **Laboratory** | Linux | GitLab SSRF + RCE + PATH Hijack | Exploit GitLab SSRF to file read (CVE-2020-10977), chain to RCE, SUID binary PATH injection for root | [0xdf](https://0xdf.gitlab.io/2021/04/17/htb-laboratory.html) |
8585
| 45 | **Luanne** | NetBSD | Lua Injection + Backup Decrypt | Bozohttpd Lua injection for code exec, find encrypted backup with credentials, doas for root | [0xdf](https://0xdf.gitlab.io/2021/03/27/htb-luanne.html) |
@@ -119,7 +119,7 @@ permalink: /machines/easy/
119119
| # | Machine | OS | Key Vulnerability / Technique | Attack Path Summary | Writeup |
120120
|---|---------|-----|-------------------------------|---------------------|---------|
121121
| 67 | **Pandora** | Linux | SNMP Credential Leak + Pandora FMS RCE | Enumerate SNMP for cleartext creds, port-forward Pandora FMS, chain SQLi + RCE, SUID binary PATH hijack for root | [0xdf](https://0xdf.gitlab.io/2022/05/21/htb-pandora.html), [HackingArticles](https://www.hackingarticles.in/pandora-hackthebox-walkthrough/), [IppSec](https://www.youtube.com/watch?v=vSnB0AZDvjM) |
122-
| 68 | **GoodGames** | Linux | SQLi + SSTI + Docker Escape | SQL injection in login to dump admin hash, SSTI in Flask dashboard for shell in container, mount host filesystem for root | [0xdf](https://0xdf.gitlab.io/2022/02/23/htb-goodgames.html), [HackingArticles](https://www.hackingarticles.in/goodgames-hackthebox-walkthrough/), [Medium](https://arz101.medium.com/hackthebox-goodgames-20358b06420c) |
122+
| 68 | **GoodGames** | Linux | SQLi + SSTI + Docker Escape | SQL injection in login to dump admin hash, SSTI in Flask dashboard for shell in container, mount host filesystem for root | [0xdf](https://0xdf.gitlab.io/2022/02/23/htb-goodgames.html), [HackingArticles](https://www.hackingarticles.in/goodgames-hackthebox-walkthrough/), [Medium](https://arz101.medium.com/hackthebox-goodgames-20358b06420c), [erichogue](https://erichogue.ca/2022/04/HTB/GoodGames), [threatninja](https://threatninja.net/hack-the-box-goodgames-machine-walkthrough-easy-difficulty/) |
123123
| 69 | **NodeBlog** | Linux | NoSQL Injection + XXE + Deserialization | NoSQL injection to bypass login, XXE in blog XML parsing, node-serialize deserialization RCE, MongoDB creds for root | [0xdf](https://0xdf.gitlab.io/2022/01/10/htb-nodeblog.html) |
124124
| 70 | **Trick** | Linux | DNS Enumeration + SQLi + LFI to RCE | DNS zone transfer reveals subdomains, SQLi in payroll app for file read, find vhost with LFI, include mail with PHP code for RCE, fail2ban privesc | [0xdf](https://0xdf.gitlab.io/2022/10/29/htb-trick.html), [IppSec](https://www.youtube.com/watch?v=i5NHOdCKYEY) |
125125
| 71 | **RedPanda** | Linux | Spring Boot SSTI + XXE Cron | SSTI in Java Spring Boot search for shell, exploit XXE in log parser cron job to read root SSH key | [0xdf](https://0xdf.gitlab.io/2022/11/26/htb-redpanda.html), [IppSec](https://www.youtube.com/watch?v=HqIUffFdjuI) |
@@ -144,8 +144,8 @@ permalink: /machines/easy/
144144
| 83 | **Topology** | Linux | LaTeX Injection + gnuplot Privesc | Exploit LaTeX equation generator for file read via \input, find .htpasswd, crack for SSH, gnuplot cron SUID for root | [0xdf](https://0xdf.gitlab.io/2023/11/04/htb-topology.html), [IppSec](https://www.youtube.com/watch?v=LqkA0UnNjGM), [Medium](https://medium.com/@josephalan17201972/topology-hack-the-box-write-up-b7a0f2ae5531) |
145145
| 84 | **MonitorsTwo** | Linux | Cacti RCE + Docker Escape + SUID | Exploit Cacti (CVE-2022-46169) for shell in container, find MySQL creds, capsh SUID in container, CVE-2021-41091 Docker escape for root | [0xdf](https://0xdf.gitlab.io/2023/09/02/htb-monitorstwo.html), [IppSec](https://www.youtube.com/watch?v=dJfbogs8Yz0), [Medium](https://medium.com/@jules1luv/monitorstwo-hackthebox-writeup-3ed2b76ba833) |
146146
| 85 | **Sau** | Linux | SSRF + Maltrail RCE | Exploit request-baskets SSRF (CVE-2023-27163) to access internal Maltrail, OS command injection (CVE-2023-27163) for shell, sudo systemctl for root | [0xdf](https://0xdf.gitlab.io/2024/01/06/htb-sau.html), [IppSec](https://www.youtube.com/watch?v=H6QfYGeGdGQ), [Medium](https://medium.com/@onurinalkac/hackthebox-24-sau-writeup-724b3dff4ac9) |
147-
| 86 | **TwoMillion** | Linux | API IDOR + Command Injection + Kernel CVE | Reverse invite code API, register account, IDOR to make admin, command injection in VPN generate, OverlayFS CVE-2023-0386 for root | [0xdf](https://0xdf.gitlab.io/2023/06/07/htb-twomillion.html), [IppSec](https://www.youtube.com/watch?v=Exl4P3fsF7U), [Medium](https://medium.com/@onurinalkac/hack-the-box-two-million-writeup-c7f839e076f6) |
148-
| 87 | **Keeper** | Linux | Default Creds + KeePass CVE | Request Tracker default creds, find user's KeePass info in notes, exploit CVE-2023-32784 KeePass memory dump for master password, extract SSH key | [0xdf](https://0xdf.gitlab.io/2024/02/10/htb-keeper.html), [IppSec](https://www.youtube.com/watch?v=0AafRQIaWmQ), [Medium](https://medium.com/@li_allouche/hack-the-box-keeper-writeup-56644dc6a55f) |
147+
| 86 | **TwoMillion** | Linux | API IDOR + Command Injection + Kernel CVE | Reverse invite code API, register account, IDOR to make admin, command injection in VPN generate, OverlayFS CVE-2023-0386 for root | [0xdf](https://0xdf.gitlab.io/2023/06/07/htb-twomillion.html), [IppSec](https://www.youtube.com/watch?v=Exl4P3fsF7U), [Medium](https://medium.com/@onurinalkac/hack-the-box-two-million-writeup-c7f839e076f6), [threatninja](https://threatninja.net/hack-the-box-twomillion-machine-walkthrough-easy-difficulty/) |
148+
| 87 | **Keeper** | Linux | Default Creds + KeePass CVE | Request Tracker default creds, find user's KeePass info in notes, exploit CVE-2023-32784 KeePass memory dump for master password, extract SSH key | [0xdf](https://0xdf.gitlab.io/2024/02/10/htb-keeper.html), [IppSec](https://www.youtube.com/watch?v=0AafRQIaWmQ), [Medium](https://medium.com/@li_allouche/hack-the-box-keeper-writeup-56644dc6a55f), [erichogue](https://erichogue.ca/2024/02/HTB/Keeper) |
149149
| 88 | **CozyHosting** | Linux | Spring Boot Actuator + Command Injection | Leak session cookie from Spring Boot Actuator endpoints, command injection in SSH hostname field, crack PostgreSQL hash, sudo ssh for root | [cyberarri](https://cyberarri.com/2025/01/04/cozyhosting-htb-writeup/), [IppSec](https://www.youtube.com/watch?v=okTl6kWrncg), [Medium](https://medium.com/@johnniketas/hackthebox-cozyhosting-c6e5272e7090) |
150150
| 89 | **Analytics** | Linux | Metabase Pre-Auth RCE + Docker Escape | Exploit Metabase CVE-2023-38646 pre-auth RCE for container shell, env variables reveal creds, OverlayFS CVE-2023-2640 for root on host | [0xdf](https://0xdf.gitlab.io/2024/03/23/htb-analytics.html), [IppSec](https://www.youtube.com/watch?v=p1NsQSGeDv0), [Medium](https://gxbnt.medium.com/analytics-hackthebox-walkthrough-a9008b2e7a4e) |
151151
| 90 | **Devvortex** | Linux | Joomla Information Disclosure + RCE | Exploit Joomla CVE-2023-23752 to leak DB creds, access admin panel, template RCE for shell, apport-cli (CVE-2023-1326) for root | [dev.to](https://dev.to/mrtnsgs/hackthebox-writeup-devvortex-retired-1d42), [IppSec](https://www.youtube.com/watch?v=jdWOXokQQK0), [Medium](https://rianfriedt.medium.com/devvortex-writeup-hack-the-box-rian-friedt-a46ae2ab7886) |
@@ -162,7 +162,7 @@ permalink: /machines/easy/
162162
| 94 | **Perfection** | Linux | SSTI via Regex Bypass + Hash Mask | Bypass regex filter with newline, exploit Ruby ERB SSTI for shell, crack password hash using mail-revealed format mask, sudo for root | [0xdf](https://0xdf.gitlab.io/2024/07/06/htb-perfection.html), [IppSec](https://www.youtube.com/watch?v=zcVCLoMsOKA), [Medium](https://medium.com/@jamesjarviscyber/perfection-hackthebox-walkthrough-management-summary-a493c71355ac) |
163163
| 95 | **Headless** | Linux | Blind XSS + Command Injection | Steal admin cookie via blind XSS in User-Agent header, access dashboard, command injection for shell, syscheck sudo script for root | [Medium](https://medium.com/@ankitsinha81195_47457/htb-writeup-headless-67fd05b685b5), [IppSec](https://www.youtube.com/watch?v=FDCpJbS1OuQ) |
164164
| 96 | **WifineticTwo** | Linux | OpenPLC Default Creds + WPS Pixie Dust | Login OpenPLC with default creds, upload PLC script for RCE, WPS Pixie Dust attack on WiFi, pivot to router for root | [Medium](https://medium.com/@jamesjarviscyber/wifinetictwo-hackthebox-writeup-management-summary-654c16eb5647) |
165-
| 97 | **Usage** | Linux | Blind SQLi + Laravel-Admin Upload | Boolean-based SQLi in password reset leaks admin hash, Laravel-Admin CVE-2023-24249 file upload for shell, 7z wildcard file read for root | [0xdf](https://0xdf.gitlab.io/2024/08/10/htb-usage.html) |
165+
| 97 | **Usage** | Linux | Blind SQLi + Laravel-Admin Upload | Boolean-based SQLi in password reset leaks admin hash, Laravel-Admin CVE-2023-24249 file upload for shell, 7z wildcard file read for root | [0xdf](https://0xdf.gitlab.io/2024/08/10/htb-usage.html), [erichogue](https://erichogue.ca/2024/08/HTB/Usage) |
166166
| 98 | **BoardLight** | Linux | Dolibarr RCE + Enlightenment SUID | Exploit Dolibarr CVE-2023-30253 PHP injection for shell, find plaintext creds in config, exploit Enlightenment SUID CVE-2022-37706 for root | [cyberarri](https://cyberarri.com/2024/12/31/boardlight-htb-writeup/), [IppSec](https://www.youtube.com/watch?v=SM6OhymnMbg), [Medium](https://olivierkonate.medium.com/hackthebox-boardlight-8ff0e907d7b2) |
167167
| 99 | **Crafty** | Windows | Minecraft Log4Shell RCE + Plugin Creds | Exploit Minecraft server Log4Shell (CVE-2021-44228) for shell, reverse engineer Java plugin to find RCON creds, RunAs for admin | [0xdf](https://0xdf.gitlab.io/2024/06/15/htb-crafty.html) |
168168
| 100 | **PermX** | Linux | Chamilo LMS CVE + Symlink Sudoers | Exploit Chamilo CVE-2023-4220 unrestricted file upload for RCE, symlink /etc/sudoers via ACL script to add sudo ALL for root | [b0rgch3n](https://b0rgch3n.github.io/2024/07/18/writeup-hackthebox-permx/), [Medium](https://medium.com/@pk2212/htb-permx-writeup-walkthrough-df745737713b) |

0 commit comments

Comments
 (0)