https://x3ric.com/blog/categories/machine/CTF notes, systems work, and writeups.Hugoen-usSat, 06 Jun 2026 21:41:13 +0200https://x3ric.com/blog/posts/HackTheBox-Backfire/https://x3ric.com/blog/posts/HackTheBox-Backfire/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxcve-2024-41570Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-UnderPass/https://x3ric.com/blog/posts/HackTheBox-UnderPass/Sat, 28 Dec 2024 09:20:00 +0800machinehtblinuxdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Heal/https://x3ric.com/blog/posts/HackTheBox-Heal/Sun, 15 Dec 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-LinkVortex/https://x3ric.com/blog/posts/HackTheBox-LinkVortex/Sun, 08 Dec 2024 09:20:00 +0800machinehtblinuxdockercve-2023-40028LinkVortex: use CVE-2023-40028 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bizness/https://x3ric.com/blog/posts/HackTheBox-Bizness/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2023-49070cve-2023-51467Bizness: use CVE-2023-49070 and CVE-2023-51467 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Inject/https://x3ric.com/blog/posts/HackTheBox-Inject/Thu, 05 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorycve-2022-22963Inject: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Unrested/https://x3ric.com/blog/posts/HackTheBox-Unrested/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2024-36467cve-2024-42327Unrested: use CVE-2024-36467 and CVE-2024-42327 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Vintage/https://x3ric.com/blog/posts/HackTheBox-Vintage/Wed, 04 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapVintage: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Alert/https://x3ric.com/blog/posts/HackTheBox-Alert/Sun, 24 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-BlockBlock/https://x3ric.com/blog/posts/HackTheBox-BlockBlock/Tue, 19 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Ghost/https://x3ric.com/blog/posts/HackTheBox-Ghost/Tue, 19 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Administrator/https://x3ric.com/blog/posts/HackTheBox-Administrator/Sun, 17 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapAdministrator: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Certified/https://x3ric.com/blog/posts/HackTheBox-Certified/Thu, 07 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapCertified: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Blazorized/https://x3ric.com/blog/posts/HackTheBox-Blazorized/Fri, 01 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapBlazorized: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Epsilon/https://x3ric.com/blog/posts/HackTheBox-Epsilon/Fri, 01 Nov 2024 09:20:00 +0800machinehtblinuxEpsilon: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Mist/https://x3ric.com/blog/posts/HackTheBox-Mist/Sat, 26 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapcve-2024-9405Mist: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Axlle/https://x3ric.com/blog/posts/HackTheBox-Axlle/Tue, 22 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapAxlle: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Beep/https://x3ric.com/blog/posts/HackTheBox-Beep/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxcve-2012-4869Beep: use CVE-2012-4869 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MagicGardens/https://x3ric.com/blog/posts/HackTheBox-MagicGardens/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxdockerMagicGardens: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Chemistry/https://x3ric.com/blog/posts/HackTheBox-Chemistry/Sat, 19 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-23334cve-2024-23346Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Compiled/https://x3ric.com/blog/posts/HackTheBox-Compiled/Fri, 18 Oct 2024 15:20:00 +0800machinehtbwindowslinuxactive-directorycve-2024-20656cve-2024-32002Compiled: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Union/https://x3ric.com/blog/posts/HackTheBox-Union/Wed, 16 Oct 2024 09:22:00 +0800machinehtblinuxUnion: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Jarmis/https://x3ric.com/blog/posts/HackTheBox-Jarmis/Wed, 16 Oct 2024 09:20:00 +0800machinehtbwindowslinuxcve-2021-38647Jarmis: use CVE-2021-38647 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Lantern/https://x3ric.com/blog/posts/HackTheBox-Lantern/Tue, 15 Oct 2024 09:20:00 +0800machinehtblinuxcve-2022-38580Lantern: use CVE-2022-38580 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-25641Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Resource/https://x3ric.com/blog/posts/HackTheBox-Resource/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxdockerResource: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Instant/https://x3ric.com/blog/posts/HackTheBox-Instant/Sat, 12 Oct 2024 12:10:50 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-YPuffy/https://x3ric.com/blog/posts/HackTheBox-YPuffy/Sat, 12 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorysmbldapcve-2018-14665YPuffy: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/TryHackMe-Brains/https://x3ric.com/blog/posts/TryHackMe-Brains/Thu, 10 Oct 2024 09:20:00 +0800machinethmlinuxcve-2024-27198Brains: use CVE-2024-27198 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Help/https://x3ric.com/blog/posts/HackTheBox-Help/Wed, 09 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2017-16995cve-2017-5899cve-2021-22555Help: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-GoodGames/https://x3ric.com/blog/posts/HackTheBox-GoodGames/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxdockerGoodGames: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Valentine/https://x3ric.com/blog/posts/HackTheBox-Valentine/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxcve-2014-0160cve-2016-5195Valentine: use CVE-2014-0160 and CVE-2016-5195 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Yummy/https://x3ric.com/blog/posts/HackTheBox-Yummy/Sun, 06 Oct 2024 00:15:50 +0800machinehtblinuxYummy: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/Thu, 03 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-47076cve-2024-47175cve-2024-47176cve-2024-47177EvilCUPS: use CVE-2024-47076 and CVE-2024-47175 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Prioritise/https://x3ric.com/blog/posts/TryHackMe-Prioritise/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPrioritise: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Pyrat/https://x3ric.com/blog/posts/TryHackMe-Pyrat/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPyrat: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Cicada/https://x3ric.com/blog/posts/HackTheBox-Cicada/Wed, 02 Oct 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapCicada: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Gobox/https://x3ric.com/blog/posts/HackTheBox-Gobox/Mon, 30 Sep 2024 09:20:00 +0800machinehtblinuxGobox: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bashed/https://x3ric.com/blog/posts/HackTheBox-Bashed/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxBashed: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Shocker/https://x3ric.com/blog/posts/HackTheBox-Shocker/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2014-6271Shocker: use CVE-2014-6271 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-TwoMillion/https://x3ric.com/blog/posts/HackTheBox-TwoMillion/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-0386TwoMillion: use CVE-2023-0386 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Soccer/https://x3ric.com/blog/posts/HackTheBox-Soccer/Wed, 25 Sep 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2021-45010Soccer: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-GreenHorn/https://x3ric.com/blog/posts/HackTheBox-GreenHorn/Mon, 23 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-50564GreenHorn: use CVE-2023-50564 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-BoardLight/https://x3ric.com/blog/posts/HackTheBox-BoardLight/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2022-37706cve-2023-30253BoardLight: use CVE-2022-37706 and CVE-2023-30253 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Editorial/https://x3ric.com/blog/posts/HackTheBox-Editorial/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxEditorial: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-PermX/https://x3ric.com/blog/posts/HackTheBox-PermX/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-4220PermX: use CVE-2023-4220 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Headless/https://x3ric.com/blog/posts/HackTheBox-Headless/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxHeadless: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Trickster/https://x3ric.com/blog/posts/HackTheBox-Trickster/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-47268cve-2024-32651cve-2024-34716Trickster: use CVE-2023-47268 and CVE-2024-32651 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Sea/https://x3ric.com/blog/posts/HackTheBox-Sea/Mon, 16 Sep 2024 00:12:50 +0800machinehtblinuxcve-2023-41425Sea: use CVE-2023-41425 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Caption/https://x3ric.com/blog/posts/HackTheBox-Caption/Mon, 16 Sep 2024 00:10:50 +0800machinehtblinuxCaption: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bastion/https://x3ric.com/blog/posts/HackTheBox-Bastion/Fri, 13 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorysmbBastion: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Curling/https://x3ric.com/blog/posts/HackTheBox-Curling/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxjoomlaCurling: abuse the Joomla exposure for a shell, then use local enumeration to reach root.https://x3ric.com/blog/posts/HackTheBox-Sightless/https://x3ric.com/blog/posts/HackTheBox-Sightless/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockercve-2022-0944cve-2024-34070Sightless: use CVE-2022-0944 and CVE-2024-34070 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Spooktroll/https://x3ric.com/blog/posts/HackTheBox-Spooktroll/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockerSpooktrol: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Writeup/https://x3ric.com/blog/posts/HackTheBox-Writeup/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxcve-2022-41544Writeup: use CVE-2022-41544 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Active/https://x3ric.com/blog/posts/HackTheBox-Active/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapActive: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Codify/https://x3ric.com/blog/posts/HackTheBox-Codify/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxkerberosCodify: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Paper/https://x3ric.com/blog/posts/HackTheBox-Paper/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxwordpresscve-2019-17671cve-2021-3560Paper: use CVE-2019-17671 and CVE-2021-3560 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Perfection/https://x3ric.com/blog/posts/HackTheBox-Perfection/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxPerfection: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Blog/https://x3ric.com/blog/posts/TryHackMe-Blog/Thu, 13 Jun 2024 03:20:00 +0800machinethmwindowslinuxwordpressBlog: abuse the WordPress foothold, stabilize the shell, and escalate through the local weakness.https://x3ric.com/blog/posts/HackTheBox-DevVortex/https://x3ric.com/blog/posts/HackTheBox-DevVortex/Tue, 16 Apr 2024 00:10:50 +0800machinehtblinuxjoomlacve-2023-23752DevVortex: use CVE-2023-23752 where it fits the service, gain a shell, and escalate to root.