Sendai
Sendai is a medium-difficulty AD box: anonymous SMB and RID brute force reveal expired/weak accounts; resetting thomas.powell yields a domain foothold. BloodHound shows abuse paths to the MGTSVC$ GMSA...
Comprehensive writeups for HackTheBox machines across Easy, Medium, Hard, and Insane difficulties
This is a very complex and lengthy machine that mixes an AD domain with web exploitation at an abnormal level of difficulty; its exploitation path is arguably even more abnormal than DarkCorp's.
In general, there are many paths to root on this machine, but in the user part, MSSQL verification is very unstable. If you always receive the prompt: "Connection refused because the domain name...
Lock is an easy Windows box: enumerate a Gitea repo to get a Personal Access Token, deploy an ASPX web shell for initial access, decrypt a password from an mRemoteNG config to access another user, the...
Manage is an easy Linux box: exploit an exposed Java RMI/JMX service for RCE as tomcat, find leaked SSH keys and OTPs from a misconfigured backup to move to useradmin, then abuse a sudo misconfigurati...
Reset (Easy): gain remote code execution by poisoning logs and abusing the website's password reset function, then leverage Rservices and sudo permissions on nano in a separate tmux session to el...
RetroTwo (Easy, Windows): download a password-protected .accdb from an open SMB share, decrypt it, and extract AD credentials from the VBA; leverage a pre-configured computer account with GenericWrite permiss...
VulnEscape is an Easy Windows machine: Log in via default RDP as KioskUser0 without a password. Edge's file:// bypass allows browsing the file system and opening PowerShell in a restricted environment...
VulnCicada is a mid-level Windows AD machine: after an image with a hidden password is discovered in a public share, that password is used to identify a vulnerability that can be exploited via ESC8, wh...
By exploiting Grafana's CVE-2021-43798 path traversal, the database can be read, hashes that can be cracked by Hashcat can be extracted and converted, and then boris's SSH login can be obtained; this ...