https://x3ric.com/blog/tags/linux/CTF notes, systems work, and writeups.Hugoen-usSat, 06 Jun 2026 21:41:13 +0200https://x3ric.com/blog/posts/HackTheBox-LicenseGenerator/https://x3ric.com/blog/posts/HackTheBox-LicenseGenerator/Fri, 27 Jun 2025 01:20:00 +0800challengehtbrevxorlinuxLicenseGenerator: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-SatelliteHijack/https://x3ric.com/blog/posts/HackTheBox-SatelliteHijack/Fri, 27 Jun 2025 01:20:00 +0800challengehtbrevgdbxorlinuxSatelliteHijack: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-BinCrypt-Breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-BinCrypt-Breaker-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbrevxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Curse-Breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-Curse-Breaker-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbrevlinuxCurse Breaker: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Maze-Challenge/https://x3ric.com/blog/posts/HackTheBox-Maze-Challenge/Tue, 04 Feb 2025 17:20:00 +0800challengehtbrevdotnetlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Partial-Encryption-Challenge/https://x3ric.com/blog/posts/HackTheBox-Partial-Encryption-Challenge/Tue, 04 Feb 2025 17:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/Binary-Exploitation/https://x3ric.com/blog/posts/Binary-Exploitation/Tue, 04 Feb 2025 04:10:00 +0800notesnoteslinuxpwnAssembly Overview Assembly language is a low-level programming language that translates high-level code into machine instructions. Registers temporarily hold data and facilitate operations.https://x3ric.com/blog/posts/HackTheBox-Behind-the-Scenes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Behind-the-Scenes-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevgdblinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Cyberpsychosis-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cyberpsychosis-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ReRop-Challenge/https://x3ric.com/blog/posts/HackTheBox-ReRop-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Coffee-Invocation-Challenge/https://x3ric.com/blog/posts/HackTheBox-Coffee-Invocation-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Backfire/https://x3ric.com/blog/posts/HackTheBox-Backfire/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxcve-2024-41570Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Anti-Flag-Challenge/https://x3ric.com/blog/posts/HackTheBox-Anti-Flag-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxAnti Flag: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Baby-Crypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-Baby-Crypt-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevxorlinuxBaby Crypt: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-Baby-RE-Challenge/https://x3ric.com/blog/posts/HackTheBox-Baby-RE-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevelflinuxBaby RE: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Eat-the-Cake-Challenge/https://x3ric.com/blog/posts/HackTheBox-Eat-the-Cake-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxEat the Cake: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Encryption-Bot-Challenge/https://x3ric.com/blog/posts/HackTheBox-Encryption-Bot-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxEncryption Bot: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Impossible-Password-Challenge/https://x3ric.com/blog/posts/HackTheBox-Impossible-Password-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevxorlinuxImpossible Password: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-IRCWare-Challenge/https://x3ric.com/blog/posts/HackTheBox-IRCWare-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxIRCWare: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Metagaming-Challenge/https://x3ric.com/blog/posts/HackTheBox-Metagaming-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxMetagaming: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Ouija-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ouija-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxOuija: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Ransom-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ransom-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxRansom: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Rebuilding-Challenge/https://x3ric.com/blog/posts/HackTheBox-Rebuilding-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbpwnlinuxRebuilding: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Secured-Transfer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Secured-Transfer-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSecured Transfer: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Sekure-Decrypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sekure-Decrypt-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSekure Decrypt: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Shuffleme-Challenge/https://x3ric.com/blog/posts/HackTheBox-Shuffleme-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevelflinuxShuffleme: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Snakecode-Challenge/https://x3ric.com/blog/posts/HackTheBox-Snakecode-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSnakecode: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Tear-Or-Dear-Challenge/https://x3ric.com/blog/posts/HackTheBox-Tear-Or-Dear-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevdotnetlinuxTear Or Dear: decompile the .NET logic, rebuild the check, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-The-Art-of-Reversing-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Art-of-Reversing-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevdotnetlinuxThe Art of Reversing: decompile the .NET logic, rebuild the check, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-You-Cant-C-Me-Challenge/https://x3ric.com/blog/posts/HackTheBox-You-Cant-C-Me-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxYou Cant C Me: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Under-the-web-Challenge/https://x3ric.com/blog/posts/HackTheBox-Under-the-web-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbpwnlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Rauth-Challenge/https://x3ric.com/blog/posts/HackTheBox-Rauth-Challenge/Thu, 09 Jan 2025 12:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Regas-Town-Challenge/https://x3ric.com/blog/posts/HackTheBox-Regas-Town-Challenge/Mon, 06 Jan 2025 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Exatlon-Challenge/https://x3ric.com/blog/posts/HackTheBox-Exatlon-Challenge/Sat, 28 Dec 2024 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-UnderPass/https://x3ric.com/blog/posts/HackTheBox-UnderPass/Sat, 28 Dec 2024 09:20:00 +0800machinehtblinuxdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Spooky-License-Challenge/https://x3ric.com/blog/posts/HackTheBox-Spooky-License-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbrevlinuxSpooky License: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-ChromeMiner-Challenge/https://x3ric.com/blog/posts/HackTheBox-ChromeMiner-Challenge/Wed, 18 Dec 2024 09:20:00 +0800challengehtbrevlinuxChromeMiner: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Vault-breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-Vault-breaker-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbpwnlinuxVault-breaker: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Heal/https://x3ric.com/blog/posts/HackTheBox-Heal/Sun, 15 Dec 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-FlagCasino-Challenge/https://x3ric.com/blog/posts/HackTheBox-FlagCasino-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevelflinuxFlagCasino: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Getting-Started-Challenge/https://x3ric.com/blog/posts/HackTheBox-Getting-Started-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxGetting Started: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-Hunting-License-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hunting-License-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevelfxorlinuxHunting License: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-LinkHands-Challenge/https://x3ric.com/blog/posts/HackTheBox-LinkHands-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevlinuxLinkHands: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Questionnaire-Challenge/https://x3ric.com/blog/posts/HackTheBox-Questionnaire-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnbofformat-stringcanarylinuxQuestionnaire: use the format-string bug for a leak or write, then redirect execution to the flag path.https://x3ric.com/blog/posts/HackTheBox-Space-Pirate-Going-Deeper-Challenge/https://x3ric.com/blog/posts/HackTheBox-Space-Pirate-Going-Deeper-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnlinuxSpace Pirate Going Deeper: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Terrorfryer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Terrorfryer-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevlinuxTerrorfryer: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Wizards-Diary-Challenge/https://x3ric.com/blog/posts/HackTheBox-Wizards-Diary-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxWizard's Diary: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-Writing-on-the-Wall-Challenge/https://x3ric.com/blog/posts/HackTheBox-Writing-on-the-Wall-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnlinuxWriting on the Wall: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Crushing-Challenge/https://x3ric.com/blog/posts/HackTheBox-Crushing-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevlinuxCrushing: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Entity-Challenge/https://x3ric.com/blog/posts/HackTheBox-Entity-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnlinuxEntity: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Golfer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Golfer-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevelflinuxGolfer: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Graverobber-Challenge/https://x3ric.com/blog/posts/HackTheBox-Graverobber-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevgdblinuxGraverobber: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Pixel-Audio-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pixel-Audio-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnlinuxPixel Audio: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Potion-Master-Challenge/https://x3ric.com/blog/posts/HackTheBox-Potion-Master-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevxorlinuxPotion Master: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-QuickScan-Challenge/https://x3ric.com/blog/posts/HackTheBox-QuickScan-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevelflinuxQuickScan: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-RaceCar-Challenge/https://x3ric.com/blog/posts/HackTheBox-RaceCar-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnformat-stringlinuxRaceCar: use the format-string bug for a leak or write, then redirect execution to the flag path.https://x3ric.com/blog/posts/HackTheBox-El-Mundo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Mundo-Challenge/Mon, 09 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxEl Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-El-Pipo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Pipo-Challenge/Mon, 09 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxEl Pipo: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-LinkVortex/https://x3ric.com/blog/posts/HackTheBox-LinkVortex/Sun, 08 Dec 2024 09:20:00 +0800machinehtblinuxdockercve-2023-40028LinkVortex: use CVE-2023-40028 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bizness/https://x3ric.com/blog/posts/HackTheBox-Bizness/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2023-49070cve-2023-51467Bizness: use CVE-2023-49070 and CVE-2023-51467 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Inject/https://x3ric.com/blog/posts/HackTheBox-Inject/Thu, 05 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorycve-2022-22963Inject: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Unrested/https://x3ric.com/blog/posts/HackTheBox-Unrested/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2024-36467cve-2024-42327Unrested: use CVE-2024-36467 and CVE-2024-42327 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Vintage/https://x3ric.com/blog/posts/HackTheBox-Vintage/Wed, 04 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapVintage: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Kernel-Adventures-2-Challenge/https://x3ric.com/blog/posts/HackTheBox-Kernel-Adventures-2-Challenge/Tue, 03 Dec 2024 09:20:00 +0800challengehtbpwnshellcodelinuxKernel Adventures 2: build the shellcode path, control execution, and read the flag.https://x3ric.com/blog/posts/HackTheBox-Execute-Challenge/https://x3ric.com/blog/posts/HackTheBox-Execute-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbpwnbofshellcodelinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Alert/https://x3ric.com/blog/posts/HackTheBox-Alert/Sun, 24 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Dontt-Panic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Dontt-Panic-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbrevghidralinuxDont't Panic: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-El-Teteo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Teteo-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnshellcodelinuxEl Teteo: build the shellcode path, control execution, and read the flag.https://x3ric.com/blog/posts/HackTheBox-Mathematricks-Challenge/https://x3ric.com/blog/posts/HackTheBox-Mathematricks-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxMathematricks: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Que-Onda-Challenge/https://x3ric.com/blog/posts/HackTheBox-Que-Onda-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxQue Onda: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Regularity-Challenge/https://x3ric.com/blog/posts/HackTheBox-Regularity-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxRegularity: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-SpellBrewery-Challenge/https://x3ric.com/blog/posts/HackTheBox-SpellBrewery-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxSpellBrewery: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-BlockBlock/https://x3ric.com/blog/posts/HackTheBox-BlockBlock/Tue, 19 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Ghost/https://x3ric.com/blog/posts/HackTheBox-Ghost/Tue, 19 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Wayback-Challenge/https://x3ric.com/blog/posts/HackTheBox-Wayback-Challenge/Mon, 18 Nov 2024 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Administrator/https://x3ric.com/blog/posts/HackTheBox-Administrator/Sun, 17 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapAdministrator: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Certified/https://x3ric.com/blog/posts/HackTheBox-Certified/Thu, 07 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapCertified: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Blazorized/https://x3ric.com/blog/posts/HackTheBox-Blazorized/Fri, 01 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapBlazorized: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Epsilon/https://x3ric.com/blog/posts/HackTheBox-Epsilon/Fri, 01 Nov 2024 09:20:00 +0800machinehtblinuxEpsilon: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Shattered-Tablet-Challenge/https://x3ric.com/blog/posts/HackTheBox-Shattered-Tablet-Challenge/Wed, 30 Oct 2024 09:20:00 +0800challengehtbrevghidralinuxShattered Tablet: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Mist/https://x3ric.com/blog/posts/HackTheBox-Mist/Sat, 26 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapcve-2024-9405Mist: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Axlle/https://x3ric.com/blog/posts/HackTheBox-Axlle/Tue, 22 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapAxlle: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Beep/https://x3ric.com/blog/posts/HackTheBox-Beep/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxcve-2012-4869Beep: use CVE-2012-4869 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MagicGardens/https://x3ric.com/blog/posts/HackTheBox-MagicGardens/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxdockerMagicGardens: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Simple-Encryptor-Challenge/https://x3ric.com/blog/posts/HackTheBox-Simple-Encryptor-Challenge/Sun, 20 Oct 2024 01:20:00 +0800challengehtbrevelfxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Chemistry/https://x3ric.com/blog/posts/HackTheBox-Chemistry/Sat, 19 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-23334cve-2024-23346Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Compiled/https://x3ric.com/blog/posts/HackTheBox-Compiled/Fri, 18 Oct 2024 15:20:00 +0800machinehtbwindowslinuxactive-directorycve-2024-20656cve-2024-32002Compiled: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Union/https://x3ric.com/blog/posts/HackTheBox-Union/Wed, 16 Oct 2024 09:22:00 +0800machinehtblinuxUnion: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Jarmis/https://x3ric.com/blog/posts/HackTheBox-Jarmis/Wed, 16 Oct 2024 09:20:00 +0800machinehtbwindowslinuxcve-2021-38647Jarmis: use CVE-2021-38647 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Lantern/https://x3ric.com/blog/posts/HackTheBox-Lantern/Tue, 15 Oct 2024 09:20:00 +0800machinehtblinuxcve-2022-38580Lantern: use CVE-2022-38580 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-25641Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Resource/https://x3ric.com/blog/posts/HackTheBox-Resource/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxdockerResource: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Instant/https://x3ric.com/blog/posts/HackTheBox-Instant/Sat, 12 Oct 2024 12:10:50 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-YPuffy/https://x3ric.com/blog/posts/HackTheBox-YPuffy/Sat, 12 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorysmbldapcve-2018-14665YPuffy: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/TryHackMe-Brains/https://x3ric.com/blog/posts/TryHackMe-Brains/Thu, 10 Oct 2024 09:20:00 +0800machinethmlinuxcve-2024-27198Brains: use CVE-2024-27198 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Help/https://x3ric.com/blog/posts/HackTheBox-Help/Wed, 09 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2017-16995cve-2017-5899cve-2021-22555Help: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/BloodHound/https://x3ric.com/blog/posts/BloodHound/Wed, 09 Oct 2024 08:20:00 +0800notesnotesbloodhoundactive-directorylinuxwindowsBloodHound: collect BloodHound data, read the AD graph, and prioritize attack paths.https://x3ric.com/blog/posts/HackTheBox-GoodGames/https://x3ric.com/blog/posts/HackTheBox-GoodGames/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxdockerGoodGames: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Valentine/https://x3ric.com/blog/posts/HackTheBox-Valentine/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxcve-2014-0160cve-2016-5195Valentine: use CVE-2014-0160 and CVE-2016-5195 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Yummy/https://x3ric.com/blog/posts/HackTheBox-Yummy/Sun, 06 Oct 2024 00:15:50 +0800machinehtblinuxYummy: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/Thu, 03 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-47076cve-2024-47175cve-2024-47176cve-2024-47177EvilCUPS: use CVE-2024-47076 and CVE-2024-47175 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Prioritise/https://x3ric.com/blog/posts/TryHackMe-Prioritise/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPrioritise: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Pyrat/https://x3ric.com/blog/posts/TryHackMe-Pyrat/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPyrat: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Cicada/https://x3ric.com/blog/posts/HackTheBox-Cicada/Wed, 02 Oct 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapCicada: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Gobox/https://x3ric.com/blog/posts/HackTheBox-Gobox/Mon, 30 Sep 2024 09:20:00 +0800machinehtblinuxGobox: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/Chisel/https://x3ric.com/blog/posts/Chisel/Sun, 29 Sep 2024 09:20:00 +0800notesnotessshnmaplinuxChisel Forwarding: fix SSH configuration and permissions so remote access works predictably.https://x3ric.com/blog/posts/HackTheBox-Bashed/https://x3ric.com/blog/posts/HackTheBox-Bashed/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxBashed: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Shocker/https://x3ric.com/blog/posts/HackTheBox-Shocker/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2014-6271Shocker: use CVE-2014-6271 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-TwoMillion/https://x3ric.com/blog/posts/HackTheBox-TwoMillion/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-0386TwoMillion: use CVE-2023-0386 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Soccer/https://x3ric.com/blog/posts/HackTheBox-Soccer/Wed, 25 Sep 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2021-45010Soccer: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-GreenHorn/https://x3ric.com/blog/posts/HackTheBox-GreenHorn/Mon, 23 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-50564GreenHorn: use CVE-2023-50564 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-BoardLight/https://x3ric.com/blog/posts/HackTheBox-BoardLight/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2022-37706cve-2023-30253BoardLight: use CVE-2022-37706 and CVE-2023-30253 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Editorial/https://x3ric.com/blog/posts/HackTheBox-Editorial/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxEditorial: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-PermX/https://x3ric.com/blog/posts/HackTheBox-PermX/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-4220PermX: use CVE-2023-4220 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Headless/https://x3ric.com/blog/posts/HackTheBox-Headless/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxHeadless: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Trickster/https://x3ric.com/blog/posts/HackTheBox-Trickster/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-47268cve-2024-32651cve-2024-34716Trickster: use CVE-2023-47268 and CVE-2024-32651 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Sea/https://x3ric.com/blog/posts/HackTheBox-Sea/Mon, 16 Sep 2024 00:12:50 +0800machinehtblinuxcve-2023-41425Sea: use CVE-2023-41425 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Caption/https://x3ric.com/blog/posts/HackTheBox-Caption/Mon, 16 Sep 2024 00:10:50 +0800machinehtblinuxCaption: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bastion/https://x3ric.com/blog/posts/HackTheBox-Bastion/Fri, 13 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorysmbBastion: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Curling/https://x3ric.com/blog/posts/HackTheBox-Curling/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxjoomlaCurling: abuse the Joomla exposure for a shell, then use local enumeration to reach root.https://x3ric.com/blog/posts/HackTheBox-Sightless/https://x3ric.com/blog/posts/HackTheBox-Sightless/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockercve-2022-0944cve-2024-34070Sightless: use CVE-2022-0944 and CVE-2024-34070 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Spooktroll/https://x3ric.com/blog/posts/HackTheBox-Spooktroll/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockerSpooktrol: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Writeup/https://x3ric.com/blog/posts/HackTheBox-Writeup/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxcve-2022-41544Writeup: use CVE-2022-41544 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/Nmap/https://x3ric.com/blog/posts/Nmap/Thu, 12 Sep 2024 09:20:00 +0800notesnotesnmaplinuxNmap Scanning: run focused Nmap scans, capture service evidence, and keep enumeration reproducible.https://x3ric.com/blog/posts/HackTheBox-Active/https://x3ric.com/blog/posts/HackTheBox-Active/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapActive: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Codify/https://x3ric.com/blog/posts/HackTheBox-Codify/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxkerberosCodify: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Paper/https://x3ric.com/blog/posts/HackTheBox-Paper/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxwordpresscve-2019-17671cve-2021-3560Paper: use CVE-2019-17671 and CVE-2021-3560 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Perfection/https://x3ric.com/blog/posts/HackTheBox-Perfection/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxPerfection: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/Bluetooth-Linux-Fix/https://x3ric.com/blog/posts/Bluetooth-Linux-Fix/Sat, 13 Jul 2024 22:10:00 +0800notesnotesbluetoothlinuxBluetooth Linux Fix: reset the Linux Bluetooth stack, verify adapter state, and pair from a clean baseline.https://x3ric.com/blog/posts/TryHackMe-DearQA-Challenge/https://x3ric.com/blog/posts/TryHackMe-DearQA-Challenge/Fri, 28 Jun 2024 01:20:00 +0800challengethmpwnbofformat-stringheapshellcodelinuxDearQA: shape the heap state, gain the needed write or leak, and pivot to flag access.https://x3ric.com/blog/posts/TryHackMe-Blog/https://x3ric.com/blog/posts/TryHackMe-Blog/Thu, 13 Jun 2024 03:20:00 +0800machinethmwindowslinuxwordpressBlog: abuse the WordPress foothold, stabilize the shell, and escalate through the local weakness.https://x3ric.com/blog/posts/HackTheBox-DevVortex/https://x3ric.com/blog/posts/HackTheBox-DevVortex/Tue, 16 Apr 2024 00:10:50 +0800machinehtblinuxjoomlacve-2023-23752DevVortex: use CVE-2023-23752 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/Ssh/https://x3ric.com/blog/posts/Ssh/Fri, 12 Apr 2024 00:10:00 +0800notesnotessshlinuxCompact OpenSSH reference for key authentication, client and server config, tunneling, X11 forwarding, and public-key troubleshooting.