https://x3ric.com/blog/writeups/Challenge and machine writeups.Hugoen-usSat, 06 Jun 2026 21:41:13 +0200https://x3ric.com/blog/posts/HackTheBox-Agriweb-Challenge/https://x3ric.com/blog/posts/HackTheBox-Agriweb-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodenodejsEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-CommNet-Challenge/https://x3ric.com/blog/posts/HackTheBox-CommNet-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodenodejsEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Cred-Hunter-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cred-Hunter-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Flagportation-Challenge/https://x3ric.com/blog/posts/HackTheBox-Flagportation-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcryptoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-FlappyFlopper-Challenge/https://x3ric.com/blog/posts/HackTheBox-FlappyFlopper-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbgamepwnunityunity-monounity-il2cppEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Hexecution-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hexecution-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbrevangrEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Hydroadmin-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hydroadmin-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodenodejsEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Jigsaw-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jigsaw-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbmobileandroidfridaEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Not-Posixtive-Challenge/https://x3ric.com/blog/posts/HackTheBox-Not-Posixtive-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Phoenix-Pipeline-Challenge/https://x3ric.com/blog/posts/HackTheBox-Phoenix-Pipeline-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodephpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-PINsmith-Challenge/https://x3ric.com/blog/posts/HackTheBox-PINsmith-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Pivot-Chain-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pivot-Chain-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Powergrid-Challenge/https://x3ric.com/blog/posts/HackTheBox-Powergrid-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodenodejsEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Resourcehub-Core-Challenge/https://x3ric.com/blog/posts/HackTheBox-Resourcehub-Core-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbcodeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Social-Media-Investigation-Hub-Challenge/https://x3ric.com/blog/posts/HackTheBox-Social-Media-Investigation-Hub-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbosintEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-The-Suspicious-Domain-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Suspicious-Domain-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbosintEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-The-Suspicious-Reviewer-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Suspicious-Reviewer-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbosintEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-TicTacToed-Challenge/https://x3ric.com/blog/posts/HackTheBox-TicTacToed-Challenge/Sat, 06 Jun 2026 00:00:00 +0200challengehtbpwnbofformat-stringheapEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-CachedWeb-Challenge/https://x3ric.com/blog/posts/HackTheBox-CachedWeb-Challenge/Tue, 23 Sep 2025 00:20:00 +0800challengehtbwebssrfpath-traversalfile-uploadrceflaskCachedWeb: chain SSRF with path control to reach the internal target and read the flag.https://x3ric.com/blog/posts/HackTheBox-LicenseGenerator/https://x3ric.com/blog/posts/HackTheBox-LicenseGenerator/Fri, 27 Jun 2025 01:20:00 +0800challengehtbrevxorlinuxLicenseGenerator: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-SatelliteHijack/https://x3ric.com/blog/posts/HackTheBox-SatelliteHijack/Fri, 27 Jun 2025 01:20:00 +0800challengehtbrevgdbxorlinuxSatelliteHijack: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-400Curves-Challenge/https://x3ric.com/blog/posts/HackTheBox-400Curves-Challenge/Mon, 05 May 2025 09:20:00 +0800challengehtbcryptorsalatticeecc400Curves: turn the RSA leak into a lattice recovery, rebuild the secret values, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-A-Nightmare-On-Math-Street-Challenge/https://x3ric.com/blog/posts/HackTheBox-A-Nightmare-On-Math-Street-Challenge/Mon, 05 May 2025 09:20:00 +0800challengehtbmiscA Nightmare On Math Street: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Defusal-Challenge/https://x3ric.com/blog/posts/HackTheBox-Defusal-Challenge/Mon, 05 May 2025 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Dark-Runes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Dark-Runes-Challenge/Sun, 02 Mar 2025 00:20:00 +0800challengehtbwebcve-2023-0835Enter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Amidst-Us-Challenge/https://x3ric.com/blog/posts/HackTheBox-Amidst-Us-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebrceAmidst Us: find the command execution path, trigger it cleanly, and read the flag.https://x3ric.com/blog/posts/HackTheBox-baby-sql-Challenge/https://x3ric.com/blog/posts/HackTheBox-baby-sql-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebsql-injectionbaby sql: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Letter-Dispair-Challenge/https://x3ric.com/blog/posts/HackTheBox-Letter-Dispair-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebrcephpcve-2016-10045Letter Dispair: find the command execution path, trigger it cleanly, and read the flag.https://x3ric.com/blog/posts/HackTheBox-M0rsarchive-Challenge/https://x3ric.com/blog/posts/HackTheBox-M0rsarchive-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbmiscM0rsarchive: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Money-Flowz-Challenge/https://x3ric.com/blog/posts/HackTheBox-Money-Flowz-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbosintblockchainMoney Flowz: correlate the public clues, pivot through the evidence, and identify the final answer.https://x3ric.com/blog/posts/HackTheBox-OnlyHacks-Challenge/https://x3ric.com/blog/posts/HackTheBox-OnlyHacks-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebxssOnlyHacks: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/HackTheBox-0ld-is-g0ld-Challenge/https://x3ric.com/blog/posts/HackTheBox-0ld-is-g0ld-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbmisc0ld is g0ld: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-BinCrypt-Breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-BinCrypt-Breaker-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbrevxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Console-Challenge/https://x3ric.com/blog/posts/HackTheBox-Console-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbwebphpConsole: abuse php to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Curse-Breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-Curse-Breaker-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbrevlinuxCurse Breaker: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Down-the-Rabinhole-Challenge/https://x3ric.com/blog/posts/HackTheBox-Down-the-Rabinhole-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbcryptorsaDown the Rabinhole: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-secure-source-Challenge/https://x3ric.com/blog/posts/HackTheBox-secure-source-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbcryptoprnglatticeecchashsecure source: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-signup-Challenge/https://x3ric.com/blog/posts/HackTheBox-signup-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbcryptohashsignup: reduce the hash constraint to a small search, test candidates, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Spooky-RSA-Challenge/https://x3ric.com/blog/posts/HackTheBox-Spooky-RSA-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbcryptorsaSpooky RSA: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-The-secret-of-a-Queen-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-secret-of-a-Queen-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbmiscThe secret of a Queen: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-TurboCipher-Challenge/https://x3ric.com/blog/posts/HackTheBox-TurboCipher-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbcryptoTurboCipher: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-BitsNBytes-Challenge/https://x3ric.com/blog/posts/HackTheBox-BitsNBytes-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscBitsNBytes: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Branching-Tactics-Challenge/https://x3ric.com/blog/posts/HackTheBox-Branching-Tactics-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscBranching Tactics: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-fs0ciety-Challenge/https://x3ric.com/blog/posts/HackTheBox-fs0ciety-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscfs0ciety: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Hackerman-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hackerman-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscHackerman: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Hidden-Path-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hidden-Path-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscHidden Path: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Insane-Bolt-Challenge/https://x3ric.com/blog/posts/HackTheBox-Insane-Bolt-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscInsane Bolt: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Path-of-Survival-Challenge/https://x3ric.com/blog/posts/HackTheBox-Path-of-Survival-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscPath of Survival: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-QuickR-Challenge/https://x3ric.com/blog/posts/HackTheBox-QuickR-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscQuickR: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Type-Exception-Challenge/https://x3ric.com/blog/posts/HackTheBox-Type-Exception-Challenge/Fri, 14 Feb 2025 00:20:00 +0800challengehtbmiscType Exception: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-alphascii-clashing-Challenge/https://x3ric.com/blog/posts/HackTheBox-alphascii-clashing-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbcryptohashalphascii clashing: reduce the hash constraint to a small search, test candidates, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-APKrypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-APKrypt-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbmobileandroidAPKrypt: inspect the Android app, trace the validation path, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Dont-Overreact-Challenge/https://x3ric.com/blog/posts/HackTheBox-Dont-Overreact-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbmobileandroidDon't Overreact: inspect the Android app, trace the validation path, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Manager-Challenge/https://x3ric.com/blog/posts/HackTheBox-Manager-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbmobileandroidManager: inspect the Android app, trace the validation path, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Pinned-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pinned-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbmobileandroidfridaPinned: hook the mobile app with Frida, bypass the check, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Supermarket-Challenge/https://x3ric.com/blog/posts/HackTheBox-Supermarket-Challenge/Thu, 13 Feb 2025 00:20:00 +0800challengehtbmobileandroidfridaSupermarket: hook the mobile app with Frida, bypass the check, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Maze-Challenge/https://x3ric.com/blog/posts/HackTheBox-Maze-Challenge/Tue, 04 Feb 2025 17:20:00 +0800challengehtbrevdotnetlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Partial-Encryption-Challenge/https://x3ric.com/blog/posts/HackTheBox-Partial-Encryption-Challenge/Tue, 04 Feb 2025 17:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Canvas-Challenge/https://x3ric.com/blog/posts/HackTheBox-Canvas-Challenge/Tue, 04 Feb 2025 09:20:00 +0800challengehtbmiscCanvas: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Lazy-Ballot-Challenge/https://x3ric.com/blog/posts/HackTheBox-Lazy-Ballot-Challenge/Tue, 04 Feb 2025 09:20:00 +0800challengehtbmiscLazy Ballot: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Digital-Safety-Annex-Challenge/https://x3ric.com/blog/posts/HackTheBox-Digital-Safety-Annex-Challenge/Tue, 04 Feb 2025 00:20:00 +0800challengehtbcryptoecchashDigital-Safety-Annex: use the curve leak or invalid-curve path to recover the secret and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Interception-Challenge/https://x3ric.com/blog/posts/HackTheBox-Interception-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptolatticehashInterception: model the leak as a small lattice problem, recover the secret, and verify the flag.https://x3ric.com/blog/posts/HackTheBox-Multipage-Recyclings-Challenge/https://x3ric.com/blog/posts/HackTheBox-Multipage-Recyclings-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptoaesMultipage Recyclings: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Not-that-random-Challenge/https://x3ric.com/blog/posts/HackTheBox-Not-that-random-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptoprnghashNot that random: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Nuclear-Sale-Challenge/https://x3ric.com/blog/posts/HackTheBox-Nuclear-Sale-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptoNuclear Sale: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-One-Step-Closer-Challenge/https://x3ric.com/blog/posts/HackTheBox-One-Step-Closer-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptorsaOne Step Closer: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Partial-Tenacity-Challenge/https://x3ric.com/blog/posts/HackTheBox-Partial-Tenacity-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptorsaPartial Tenacity: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-pcalc-Challenge/https://x3ric.com/blog/posts/HackTheBox-pcalc-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbwebpcalc: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Permuted-Challenge/https://x3ric.com/blog/posts/HackTheBox-Permuted-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptorsaaeshashPermuted: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-RLotto-Challenge/https://x3ric.com/blog/posts/HackTheBox-RLotto-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptoprngRLotto: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-sanitize-Challenge/https://x3ric.com/blog/posts/HackTheBox-sanitize-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbwebsql-injectionsanitize: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Weak-RSA-Challenge/https://x3ric.com/blog/posts/HackTheBox-Weak-RSA-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptorsaWeak RSA: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Whole-Lotta-Candy-Challenge/https://x3ric.com/blog/posts/HackTheBox-Whole-Lotta-Candy-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbcryptoaesxorWhole Lotta Candy: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Behind-the-Scenes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Behind-the-Scenes-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevgdblinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Cyberpsychosis-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cyberpsychosis-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ReRop-Challenge/https://x3ric.com/blog/posts/HackTheBox-ReRop-Challenge/Thu, 30 Jan 2025 00:20:00 +0800challengehtbrevxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Coffee-Invocation-Challenge/https://x3ric.com/blog/posts/HackTheBox-Coffee-Invocation-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Factory-Challenge/https://x3ric.com/blog/posts/HackTheBox-Factory-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Line-Challenge/https://x3ric.com/blog/posts/HackTheBox-Line-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwaresignalcve-2014-6271Enter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Photon-Lockdown-Challenge/https://x3ric.com/blog/posts/HackTheBox-Photon-Lockdown-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwaresignalPhoton-Lockdown: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Sudoking-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sudoking-Challenge/Wed, 29 Jan 2025 00:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Backfire/https://x3ric.com/blog/posts/HackTheBox-Backfire/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxcve-2024-41570Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/https://x3ric.com/blog/posts/HackTheBox-EscapeTwo/Mon, 27 Jan 2025 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-NoMap3D-Challenge/https://x3ric.com/blog/posts/HackTheBox-NoMap3D-Challenge/Mon, 27 Jan 2025 00:20:00 +0800challengehtbgamepwnsdlEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-NoRadar-Challenge/https://x3ric.com/blog/posts/HackTheBox-NoRadar-Challenge/Mon, 27 Jan 2025 00:20:00 +0800challengehtbgamepwnsdlEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Bare-Metal-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bare-Metal-Challenge/Fri, 24 Jan 2025 00:23:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Project-Power-Challenge/https://x3ric.com/blog/posts/HackTheBox-Project-Power-Challenge/Fri, 24 Jan 2025 00:21:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Bounty-Head-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bounty-Head-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwaresignalcve-2017-7650Enter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Debugging-Interface-Challenge/https://x3ric.com/blog/posts/HackTheBox-Debugging-Interface-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwarelogic-analyzersignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Interstellar-Challenge/https://x3ric.com/blog/posts/HackTheBox-Interstellar-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbwebsql-injectionssrfrcephpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Mission-Pinpossible-Challenge/https://x3ric.com/blog/posts/HackTheBox-Mission-Pinpossible-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwarei2clogic-analyzersignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-RFlag-Challenge/https://x3ric.com/blog/posts/HackTheBox-RFlag-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Anti-Flag-Challenge/https://x3ric.com/blog/posts/HackTheBox-Anti-Flag-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxAnti Flag: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Art-Challenge/https://x3ric.com/blog/posts/HackTheBox-Art-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbmiscArt: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Baby-Crypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-Baby-Crypt-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevxorlinuxBaby Crypt: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-Baby-RE-Challenge/https://x3ric.com/blog/posts/HackTheBox-Baby-RE-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevelflinuxBaby RE: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Eat-the-Cake-Challenge/https://x3ric.com/blog/posts/HackTheBox-Eat-the-Cake-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxEat the Cake: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Encryption-Bot-Challenge/https://x3ric.com/blog/posts/HackTheBox-Encryption-Bot-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxEncryption Bot: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Impossible-Password-Challenge/https://x3ric.com/blog/posts/HackTheBox-Impossible-Password-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevxorlinuxImpossible Password: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-Inside-the-Matrix-Challenge/https://x3ric.com/blog/posts/HackTheBox-Inside-the-Matrix-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptorsalatticeInside the Matrix: turn the RSA leak into a lattice recovery, rebuild the secret values, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-IRCWare-Challenge/https://x3ric.com/blog/posts/HackTheBox-IRCWare-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxIRCWare: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Jenny-From-The-Block-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jenny-From-The-Block-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptohashJenny From The Block: reduce the hash constraint to a small search, test candidates, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Living-with-Elegance-Challenge/https://x3ric.com/blog/posts/HackTheBox-Living-with-Elegance-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptoLiving with Elegance: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Lost-Modulus-Challenge/https://x3ric.com/blog/posts/HackTheBox-Lost-Modulus-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptorsaLost Modulus: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-LunaCrypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-LunaCrypt-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptoxorLunaCrypt: derive the XOR key stream, invert the transform, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Mayday-Mayday-Challenge/https://x3ric.com/blog/posts/HackTheBox-Mayday-Mayday-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptolatticeMayday Mayday: model the leak as a small lattice problem, recover the secret, and verify the flag.https://x3ric.com/blog/posts/HackTheBox-Metagaming-Challenge/https://x3ric.com/blog/posts/HackTheBox-Metagaming-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxMetagaming: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-MSS-Challenge/https://x3ric.com/blog/posts/HackTheBox-MSS-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbcryptorsaaeshashMSS: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Ouija-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ouija-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxOuija: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Ransom-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ransom-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxRansom: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Rebuilding-Challenge/https://x3ric.com/blog/posts/HackTheBox-Rebuilding-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbpwnlinuxRebuilding: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Secured-Transfer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Secured-Transfer-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSecured Transfer: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Sekure-Decrypt-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sekure-Decrypt-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSekure Decrypt: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Shuffleme-Challenge/https://x3ric.com/blog/posts/HackTheBox-Shuffleme-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevelflinuxShuffleme: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Snakecode-Challenge/https://x3ric.com/blog/posts/HackTheBox-Snakecode-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxSnakecode: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Tear-Or-Dear-Challenge/https://x3ric.com/blog/posts/HackTheBox-Tear-Or-Dear-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevdotnetlinuxTear Or Dear: decompile the .NET logic, rebuild the check, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-The-Art-of-Reversing-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Art-of-Reversing-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevdotnetlinuxThe Art of Reversing: decompile the .NET logic, rebuild the check, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-You-Cant-C-Me-Challenge/https://x3ric.com/blog/posts/HackTheBox-You-Cant-C-Me-Challenge/Thu, 23 Jan 2025 09:20:00 +0800challengehtbrevlinuxYou Cant C Me: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-AHS512-Challenge/https://x3ric.com/blog/posts/HackTheBox-AHS512-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoprnghashAHS512: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Arranged-Challenge/https://x3ric.com/blog/posts/HackTheBox-Arranged-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoaeslatticeecchashArranged: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-baby-quick-maffs-Challenge/https://x3ric.com/blog/posts/HackTheBox-baby-quick-maffs-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptobaby quick maffs: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Bank-er-smith-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bank-er-smith-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptorsahashBank-er-smith: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Battle-in-OrlOn-Challenge/https://x3ric.com/blog/posts/HackTheBox-Battle-in-OrlOn-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbaipytorchprompt-injectionneural-networkBattle in OrlOn: shape the prompt path, bypass the model guard, and recover the target output.https://x3ric.com/blog/posts/HackTheBox-BBGun06-Challenge/https://x3ric.com/blog/posts/HackTheBox-BBGun06-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptorsaBBGun06: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Bloom-Bloom-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bloom-Bloom-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoaeslatticehashBloom Bloom: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Brainys-Chyper-Challenge/https://x3ric.com/blog/posts/HackTheBox-Brainys-Chyper-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptorsaBrainy's Chyper: exploit the RSA structure, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Classic-yet-complicated-Challenge/https://x3ric.com/blog/posts/HackTheBox-Classic-yet-complicated-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptovigenereClassic, yet complicated: recover the Vigenere key from the ciphertext, decrypt the message, and verify the flag.https://x3ric.com/blog/posts/HackTheBox-Deaths-Glance-Challenge/https://x3ric.com/blog/posts/HackTheBox-Deaths-Glance-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbaipytorchprompt-injectionneural-networkDeath's Glance: shape the prompt path, bypass the model guard, and recover the target output.https://x3ric.com/blog/posts/HackTheBox-ElElGamal-Challenge/https://x3ric.com/blog/posts/HackTheBox-ElElGamal-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoeccElElGamal: use the curve leak or invalid-curve path to recover the secret and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Fast-Carmichael-Challenge/https://x3ric.com/blog/posts/HackTheBox-Fast-Carmichael-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoeccFast Carmichael: use the curve leak or invalid-curve path to recover the secret and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-How-The-Columns-Have-Turned-Challenge/https://x3ric.com/blog/posts/HackTheBox-How-The-Columns-Have-Turned-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoHow The Columns Have Turned: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-I-know-Mag1k-Challenge/https://x3ric.com/blog/posts/HackTheBox-I-know-Mag1k-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoxorI know Mag1k: derive the XOR key stream, invert the transform, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Im-gRoot-Challenge/https://x3ric.com/blog/posts/HackTheBox-Im-gRoot-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptohashI'm gRoot: reduce the hash constraint to a small search, test candidates, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Iced-Tea-Challenge/https://x3ric.com/blog/posts/HackTheBox-Iced-Tea-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbcryptoaeseccIced Tea: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Sigma-Technology-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sigma-Technology-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbaiprompt-injectionneural-networkSigma Technology: shape the prompt path, bypass the model guard, and recover the target output.https://x3ric.com/blog/posts/HackTheBox-Under-Construction-Challenge/https://x3ric.com/blog/posts/HackTheBox-Under-Construction-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbwebsql-injectionjwtUnder Construction: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-CDNio-Challenge/https://x3ric.com/blog/posts/HackTheBox-CDNio-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbwebEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Jailbreak-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jailbreak-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbwebJailbreak: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Under-the-web-Challenge/https://x3ric.com/blog/posts/HackTheBox-Under-the-web-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbpwnlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Rauth-Challenge/https://x3ric.com/blog/posts/HackTheBox-Rauth-Challenge/Thu, 09 Jan 2025 12:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Noisy-Challenge/https://x3ric.com/blog/posts/HackTheBox-Noisy-Challenge/Wed, 08 Jan 2025 00:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Triangles-Challenge/https://x3ric.com/blog/posts/HackTheBox-Triangles-Challenge/Wed, 08 Jan 2025 00:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Urgent-Challenge/https://x3ric.com/blog/posts/HackTheBox-Urgent-Challenge/Wed, 08 Jan 2025 00:20:00 +0800challengehtbforensicsgitUrgent: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Alien-Cradle-Challenge/https://x3ric.com/blog/posts/HackTheBox-Alien-Cradle-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbforensicspowershellAlien Cradle: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Android-in-the-Middle-Challenge/https://x3ric.com/blog/posts/HackTheBox-Android-in-the-Middle-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbcryptoaeshashAndroid-in-the-Middle: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Full-of-Stars-Challenge/https://x3ric.com/blog/posts/HackTheBox-Full-of-Stars-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbaiprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Like-a-Glove-Challenge/https://x3ric.com/blog/posts/HackTheBox-Like-a-Glove-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbaiembeddingsprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Lost-in-Hyperspace-Challenge/https://x3ric.com/blog/posts/HackTheBox-Lost-in-Hyperspace-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbaisklearnembeddingsprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Man-In-The-Middle-Challenge/https://x3ric.com/blog/posts/HackTheBox-Man-In-The-Middle-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbmiscMan In The Middle: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Micro-Storage-Challenge/https://x3ric.com/blog/posts/HackTheBox-Micro-Storage-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Prometheon-Challenge/https://x3ric.com/blog/posts/HackTheBox-Prometheon-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbaiprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Red-Miners-Challenge/https://x3ric.com/blog/posts/HackTheBox-Red-Miners-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbforensicsRed Miners: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Secure-Server-Challenge/https://x3ric.com/blog/posts/HackTheBox-Secure-Server-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Spin-Glass-Brain-Challenge/https://x3ric.com/blog/posts/HackTheBox-Spin-Glass-Brain-Challenge/Tue, 07 Jan 2025 09:20:00 +0800challengehtbaiprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Deterministic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Deterministic-Challenge/Tue, 07 Jan 2025 00:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Regas-Town-Challenge/https://x3ric.com/blog/posts/HackTheBox-Regas-Town-Challenge/Mon, 06 Jan 2025 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-NoClip-Challenge/https://x3ric.com/blog/posts/HackTheBox-NoClip-Challenge/Fri, 03 Jan 2025 09:20:00 +0800challengehtbgamepwnmemorysdlEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Mini-Line-Challenge/https://x3ric.com/blog/posts/HackTheBox-Mini-Line-Challenge/Tue, 31 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalMini Line: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Out-of-Time-Challenge/https://x3ric.com/blog/posts/HackTheBox-Out-of-Time-Challenge/Tue, 31 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalOut of Time: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Space-Heist-Challenge/https://x3ric.com/blog/posts/HackTheBox-Space-Heist-Challenge/Tue, 31 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalSpace Heist: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Exatlon-Challenge/https://x3ric.com/blog/posts/HackTheBox-Exatlon-Challenge/Sat, 28 Dec 2024 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-UnderPass/https://x3ric.com/blog/posts/HackTheBox-UnderPass/Sat, 28 Dec 2024 09:20:00 +0800machinehtblinuxdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-APKey-Challenge/https://x3ric.com/blog/posts/HackTheBox-APKey-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmobileandroidEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Bashic-Calculator-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bashic-Calculator-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Cat-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cat-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmobileandroidEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Cryptohorrific-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cryptohorrific-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmobileandroidEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Investigator-Challenge/https://x3ric.com/blog/posts/HackTheBox-Investigator-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmobileandroidEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Nostalgia-Challenge/https://x3ric.com/blog/posts/HackTheBox-Nostalgia-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbgamepwngdbgbaEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-SAW-Challenge/https://x3ric.com/blog/posts/HackTheBox-SAW-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbmobileandroidEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Spooky-License-Challenge/https://x3ric.com/blog/posts/HackTheBox-Spooky-License-Challenge/Sat, 21 Dec 2024 09:20:00 +0800challengehtbrevlinuxSpooky License: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-CubeMadness1-Challenge/https://x3ric.com/blog/posts/HackTheBox-CubeMadness1-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbgamepwnunitymemoryEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-CubeMadness2-Challenge/https://x3ric.com/blog/posts/HackTheBox-CubeMadness2-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbgamepwnunityunity-il2cppEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-FastJson-and-Furious-Challenge/https://x3ric.com/blog/posts/HackTheBox-FastJson-and-Furious-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbmobileandroidFastJson and Furious: inspect the Android app, trace the validation path, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-InfiniteDoge-Challenge/https://x3ric.com/blog/posts/HackTheBox-InfiniteDoge-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbgamepwnunityunity-monoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-LightningFast-Challenge/https://x3ric.com/blog/posts/HackTheBox-LightningFast-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbgamepwnunityEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Signals-Challenge/https://x3ric.com/blog/posts/HackTheBox-Signals-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-StayInTheBoxCorp-Challenge/https://x3ric.com/blog/posts/HackTheBox-StayInTheBoxCorp-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbgamepwnunityunity-il2cppEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-The-Needle-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Needle-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Trace-Challenge/https://x3ric.com/blog/posts/HackTheBox-Trace-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Wander-Challenge/https://x3ric.com/blog/posts/HackTheBox-Wander-Challenge/Fri, 20 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-CubeBreaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-CubeBreaker-Challenge/Thu, 19 Dec 2024 09:20:00 +0800challengehtbgamepwnunityunity-monoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ChromeMiner-Challenge/https://x3ric.com/blog/posts/HackTheBox-ChromeMiner-Challenge/Wed, 18 Dec 2024 09:20:00 +0800challengehtbrevlinuxChromeMiner: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Sneak-peek-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sneak-peek-Challenge/Wed, 18 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalSneak peek: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Compressor-Challenge/https://x3ric.com/blog/posts/HackTheBox-Compressor-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbmiscCompressor: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Cubicle-Riddle-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cubicle-Riddle-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbmiscCubicle Riddle: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Gawk-Challenge/https://x3ric.com/blog/posts/HackTheBox-Gawk-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalGawk: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Locked-Away-Challenge/https://x3ric.com/blog/posts/HackTheBox-Locked-Away-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbmiscLocked Away: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Secure-Digital-Challenge/https://x3ric.com/blog/posts/HackTheBox-Secure-Digital-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwarespilogic-analyzersignalSecure Digital: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Vault-breaker-Challenge/https://x3ric.com/blog/posts/HackTheBox-Vault-breaker-Challenge/Tue, 17 Dec 2024 09:20:00 +0800challengehtbpwnlinuxVault-breaker: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Heal/https://x3ric.com/blog/posts/HackTheBox-Heal/Sun, 15 Dec 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Baby-Time-Capsule-Challenge/https://x3ric.com/blog/posts/HackTheBox-Baby-Time-Capsule-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-BabyEncryption-Challenge/https://x3ric.com/blog/posts/HackTheBox-BabyEncryption-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Birds-of-randomness-Challenge/https://x3ric.com/blog/posts/HackTheBox-Birds-of-randomness-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaprnglatticeeccEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Broken-Decryptor-Challenge/https://x3ric.com/blog/posts/HackTheBox-Broken-Decryptor-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoxorprngEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Diagnostic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Diagnostic-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbforensicspowershellEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Embryonic-Plant-Challenge/https://x3ric.com/blog/posts/HackTheBox-Embryonic-Plant-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoaesprnghashEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Lost-Modulus-Again-Challenge/https://x3ric.com/blog/posts/HackTheBox-Lost-Modulus-Again-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsalatticeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-LostKey-Challenge/https://x3ric.com/blog/posts/HackTheBox-LostKey-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaaeslatticeecchashEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Low-Logic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Low-Logic-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-POPO-Challenge/https://x3ric.com/blog/posts/HackTheBox-POPO-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Protein-Coockies-Challenge/https://x3ric.com/blog/posts/HackTheBox-Protein-Coockies-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Quantum-Safe-Challenge/https://x3ric.com/blog/posts/HackTheBox-Quantum-Safe-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Quick-Maffs-Challenge/https://x3ric.com/blog/posts/HackTheBox-Quick-Maffs-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptolatticeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ReMeeting-the-Wheel-Challenge/https://x3ric.com/blog/posts/HackTheBox-ReMeeting-the-Wheel-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaaeshashEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-RSAisEasy-Challenge/https://x3ric.com/blog/posts/HackTheBox-RSAisEasy-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptorsaEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Signing-Factory-Challenge/https://x3ric.com/blog/posts/HackTheBox-Signing-Factory-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoprnghashSigning Factory: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-The-Last-Dance-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Last-Dance-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoxoreccEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-XorXorXor-Challenge/https://x3ric.com/blog/posts/HackTheBox-XorXorXor-Challenge/Fri, 13 Dec 2024 09:20:00 +0800challengehtbcryptoaesxorEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-AI-SPACE-Challenge/https://x3ric.com/blog/posts/HackTheBox-AI-SPACE-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbaisklearnembeddingsprompt-injectionneural-networkEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-An-unusual-sighting-Challenge/https://x3ric.com/blog/posts/HackTheBox-An-unusual-sighting-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbforensicsAn unusual sighting: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-ApacheBlaze-Challenge/https://x3ric.com/blog/posts/HackTheBox-ApacheBlaze-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebApacheBlaze: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Breathtaking-View-Challenge/https://x3ric.com/blog/posts/HackTheBox-Breathtaking-View-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebtemplate-injectionrceEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-DoxPit-Challenge/https://x3ric.com/blog/posts/HackTheBox-DoxPit-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebtemplate-injectionssrffile-uploadflaskEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-FlagCasino-Challenge/https://x3ric.com/blog/posts/HackTheBox-FlagCasino-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevelflinuxFlagCasino: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Getting-Started-Challenge/https://x3ric.com/blog/posts/HackTheBox-Getting-Started-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxGetting Started: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-Hunting-License-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hunting-License-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevelfxorlinuxHunting License: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Insomnia-Challenge/https://x3ric.com/blog/posts/HackTheBox-Insomnia-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-JerryTok-Challenge/https://x3ric.com/blog/posts/HackTheBox-JerryTok-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbcryptoeccEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-LinkHands-Challenge/https://x3ric.com/blog/posts/HackTheBox-LinkHands-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevlinuxLinkHands: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-NextPath-Challenge/https://x3ric.com/blog/posts/HackTheBox-NextPath-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebpath-traversalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-No-Threshold-Challenge/https://x3ric.com/blog/posts/HackTheBox-No-Threshold-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebNo Threshold: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-PDFy-Challenge/https://x3ric.com/blog/posts/HackTheBox-PDFy-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Pentest-Notes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pentest-Notes-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebsql-injectionrceEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-POP-Restaurant-Challenge/https://x3ric.com/blog/posts/HackTheBox-POP-Restaurant-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ProxyAsAService-Challenge/https://x3ric.com/blog/posts/HackTheBox-ProxyAsAService-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebProxyAsAService: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Pursue-the-Tracks-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pursue-the-Tracks-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbforensicsPursue the Tracks: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Questionnaire-Challenge/https://x3ric.com/blog/posts/HackTheBox-Questionnaire-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnbofformat-stringcanarylinuxQuestionnaire: use the format-string bug for a leak or write, then redirect execution to the flag path.https://x3ric.com/blog/posts/HackTheBox-Rhome-Challenge/https://x3ric.com/blog/posts/HackTheBox-Rhome-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbcryptoaesprnghashEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Shamirs-Secret-Challenge/https://x3ric.com/blog/posts/HackTheBox-Shamirs-Secret-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbcryptolatticeshamirEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Space-Pirate-Going-Deeper-Challenge/https://x3ric.com/blog/posts/HackTheBox-Space-Pirate-Going-Deeper-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnlinuxSpace Pirate Going Deeper: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Terrorfryer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Terrorfryer-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbrevlinuxTerrorfryer: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Wizards-Diary-Challenge/https://x3ric.com/blog/posts/HackTheBox-Wizards-Diary-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxWizard's Diary: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-Writing-on-the-Wall-Challenge/https://x3ric.com/blog/posts/HackTheBox-Writing-on-the-Wall-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbpwnlinuxWriting on the Wall: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-YALM-Challenge/https://x3ric.com/blog/posts/HackTheBox-YALM-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbcryptorsalatticeEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-AbuseHumanDB-Challenge/https://x3ric.com/blog/posts/HackTheBox-AbuseHumanDB-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbwebAbuseHumanDB: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Ancored-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ancored-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbmobileandroidAncored: inspect the Android app, trace the validation path, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Computational-Recruting-Challenge/https://x3ric.com/blog/posts/HackTheBox-Computational-Recruting-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbmiscComputational Recruting: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Crushing-Challenge/https://x3ric.com/blog/posts/HackTheBox-Crushing-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevlinuxCrushing: reverse the validation logic, model the transform, and recover the accepted input.https://x3ric.com/blog/posts/HackTheBox-Easy-Phish-Challenge/https://x3ric.com/blog/posts/HackTheBox-Easy-Phish-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbosintEasy Phish: correlate the public clues, pivot through the evidence, and identify the final answer.https://x3ric.com/blog/posts/HackTheBox-Entity-Challenge/https://x3ric.com/blog/posts/HackTheBox-Entity-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnlinuxEntity: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Foggy-Intrusion-Challenge/https://x3ric.com/blog/posts/HackTheBox-Foggy-Intrusion-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbforensicspcapgitFoggy Intrusion: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Fuel-Crisis-Challenge/https://x3ric.com/blog/posts/HackTheBox-Fuel-Crisis-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbaitensorflowprompt-injectionneural-networkFuel Crisis: shape the prompt path, bypass the model guard, and recover the target output.https://x3ric.com/blog/posts/HackTheBox-Golfer-Challenge/https://x3ric.com/blog/posts/HackTheBox-Golfer-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevelflinuxGolfer: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Graverobber-Challenge/https://x3ric.com/blog/posts/HackTheBox-Graverobber-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevgdblinuxGraverobber: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Illumination-Challenge/https://x3ric.com/blog/posts/HackTheBox-Illumination-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbforensicsIllumination: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-Infiltration-Challenge/https://x3ric.com/blog/posts/HackTheBox-Infiltration-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbosintInfiltration: correlate the public clues, pivot through the evidence, and identify the final answer.https://x3ric.com/blog/posts/HackTheBox-Override-Challenge/https://x3ric.com/blog/posts/HackTheBox-Override-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwarespisignalOverride: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Perfect-Synchronization-Challenge/https://x3ric.com/blog/posts/HackTheBox-Perfect-Synchronization-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbcryptoaeseccvigenerePerfect Synchronization: recover the Vigenere key from the ciphertext, decrypt the message, and verify the flag.https://x3ric.com/blog/posts/HackTheBox-Pixel-Audio-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pixel-Audio-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnlinuxPixel Audio: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Potion-Master-Challenge/https://x3ric.com/blog/posts/HackTheBox-Potion-Master-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevxorlinuxPotion Master: recover the XOR transform from the binary and invert it to reveal the flag.https://x3ric.com/blog/posts/HackTheBox-Prision-Pipeline-Challenge/https://x3ric.com/blog/posts/HackTheBox-Prision-Pipeline-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbmiscPrision Pipeline: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Quantum-Conundrum-Challenge/https://x3ric.com/blog/posts/HackTheBox-Quantum-Conundrum-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbmiscQuantum Conundrum: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-QuickScan-Challenge/https://x3ric.com/blog/posts/HackTheBox-QuickScan-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbrevelflinuxQuickScan: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-RaceCar-Challenge/https://x3ric.com/blog/posts/HackTheBox-RaceCar-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbpwnformat-stringlinuxRaceCar: use the format-string bug for a leak or write, then redirect execution to the flag path.https://x3ric.com/blog/posts/HackTheBox-Sp00ky-Theme-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sp00ky-Theme-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbforensicsSp00ky Theme: isolate the relevant artifact, decode the evidence, and extract the flag.https://x3ric.com/blog/posts/HackTheBox-VHDLock-Challenge/https://x3ric.com/blog/posts/HackTheBox-VHDLock-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalVHDLock: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-The-Last-Frontier-Challenge/https://x3ric.com/blog/posts/HackTheBox-The-Last-Frontier-Challenge/Tue, 10 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalThe Last Frontier: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-El-Mundo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Mundo-Challenge/Mon, 09 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxEl Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-El-Pipo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Pipo-Challenge/Mon, 09 Dec 2024 09:20:00 +0800challengehtbpwnboflinuxEl Pipo: calculate the overflow offset, redirect control flow, and land a reliable flag read.https://x3ric.com/blog/posts/HackTheBox-RsaCtfTool-Challenge/https://x3ric.com/blog/posts/HackTheBox-RsaCtfTool-Challenge/Mon, 09 Dec 2024 09:20:00 +0800challengehtbcryptoaeshashRsaCtfTool: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-LinkVortex/https://x3ric.com/blog/posts/HackTheBox-LinkVortex/Sun, 08 Dec 2024 09:20:00 +0800machinehtblinuxdockercve-2023-40028LinkVortex: use CVE-2023-40028 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bizness/https://x3ric.com/blog/posts/HackTheBox-Bizness/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2023-49070cve-2023-51467Bizness: use CVE-2023-49070 and CVE-2023-51467 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Inject/https://x3ric.com/blog/posts/HackTheBox-Inject/Thu, 05 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorycve-2022-22963Inject: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Unrested/https://x3ric.com/blog/posts/HackTheBox-Unrested/Thu, 05 Dec 2024 09:20:00 +0800machinehtblinuxcve-2024-36467cve-2024-42327Unrested: use CVE-2024-36467 and CVE-2024-42327 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Vintage/https://x3ric.com/blog/posts/HackTheBox-Vintage/Wed, 04 Dec 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapVintage: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Kernel-Adventures-2-Challenge/https://x3ric.com/blog/posts/HackTheBox-Kernel-Adventures-2-Challenge/Tue, 03 Dec 2024 09:20:00 +0800challengehtbpwnshellcodelinuxKernel Adventures 2: build the shellcode path, control execution, and read the flag.https://x3ric.com/blog/posts/HackTheBox-ScreenCrack-Challenge/https://x3ric.com/blog/posts/HackTheBox-ScreenCrack-Challenge/Tue, 03 Dec 2024 09:20:00 +0800challengehtbwebssrfrcephpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Touch-Challenge/https://x3ric.com/blog/posts/HackTheBox-Touch-Challenge/Tue, 03 Dec 2024 09:20:00 +0800challengehtbmiscEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Bag-Secured-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bag-Secured-Challenge/Sun, 01 Dec 2024 09:20:00 +0800challengehtbmiscBag Secured: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Intrusion-Challenge/https://x3ric.com/blog/posts/HackTheBox-Intrusion-Challenge/Sun, 01 Dec 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalIntrusion: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-MultiDigilingual-Challenge/https://x3ric.com/blog/posts/HackTheBox-MultiDigilingual-Challenge/Sun, 01 Dec 2024 09:20:00 +0800challengehtbmiscMultiDigilingual: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Addition-Challenge/https://x3ric.com/blog/posts/HackTheBox-Addition-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscAddition: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-C.O.P-Challenge/https://x3ric.com/blog/posts/HackTheBox-C.O.P-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebsql-injectiondeserializationrceC.O.P: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-CandyVault-Challenge/https://x3ric.com/blog/posts/HackTheBox-CandyVault-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbcryptoCandyVault: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Cursed-Stale-Policy-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cursed-Stale-Policy-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebwebsocketCursed Stale Policy: abuse websocket to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-DLLAMA-Challenge/https://x3ric.com/blog/posts/HackTheBox-DLLAMA-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebdeserializationDLLAMA: abuse unsafe deserialization to cross the trust boundary and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Execute-Challenge/https://x3ric.com/blog/posts/HackTheBox-Execute-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbpwnbofshellcodelinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Fishy-HTTP-Challenge/https://x3ric.com/blog/posts/HackTheBox-Fishy-HTTP-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbforensicspcapEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Gunship-Challenge/https://x3ric.com/blog/posts/HackTheBox-Gunship-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebGunship: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Jscalc-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jscalc-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalJscalc: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Juggling-facts-Challenge/https://x3ric.com/blog/posts/HackTheBox-Juggling-facts-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebJuggling facts: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-KORP-Terminal-Challenge/https://x3ric.com/blog/posts/HackTheBox-KORP-Terminal-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebsql-injectionKORP Terminal: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-MinMax-Challenge/https://x3ric.com/blog/posts/HackTheBox-MinMax-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscMinMax: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-misDIRection-Challenge/https://x3ric.com/blog/posts/HackTheBox-misDIRection-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscmisDIRection: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Neonify-Challenge/https://x3ric.com/blog/posts/HackTheBox-Neonify-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebNeonify: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Nothing-Without-A-Cost-Challenge/https://x3ric.com/blog/posts/HackTheBox-Nothing-Without-A-Cost-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscNothing Without A Cost: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Oddly-Even-Challenge/https://x3ric.com/blog/posts/HackTheBox-Oddly-Even-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscOddly Even: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Optimus-Prime-Challenge/https://x3ric.com/blog/posts/HackTheBox-Optimus-Prime-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbcryptoOptimus Prime: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-PetPet-Rcbee-Challenge/https://x3ric.com/blog/posts/HackTheBox-PetPet-Rcbee-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebfile-uploadPetPet Rcbee: abuse file-upload to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Phonebook-Challenge/https://x3ric.com/blog/posts/HackTheBox-Phonebook-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebPhonebook: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Prying-Eyes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Prying-Eyes-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalfile-uploadPrying Eyes: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Replacement-Challenge/https://x3ric.com/blog/posts/HackTheBox-Replacement-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscReplacement: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-Reversal-Challenge/https://x3ric.com/blog/posts/HackTheBox-Reversal-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbmiscReversal: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.https://x3ric.com/blog/posts/HackTheBox-SpookTastic-Challenge/https://x3ric.com/blog/posts/HackTheBox-SpookTastic-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebxssSpookTastic: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/HackTheBox-TimeKORP-Challenge/https://x3ric.com/blog/posts/HackTheBox-TimeKORP-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalTimeKORP: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Toxic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Toxic-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebdeserializationrcephpToxic: abuse unsafe deserialization to cross the trust boundary and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Trapped-Source-Challenge/https://x3ric.com/blog/posts/HackTheBox-Trapped-Source-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebTrapped Source: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Weather-App-Challenge/https://x3ric.com/blog/posts/HackTheBox-Weather-App-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebssrfWeather App: use SSRF to reach the hidden service or file path and pull the flag.https://x3ric.com/blog/posts/HackTheBox-Alert/https://x3ric.com/blog/posts/HackTheBox-Alert/Sun, 24 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Ancient-Encodings-Challenge/https://x3ric.com/blog/posts/HackTheBox-Ancient-Encodings-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbcryptoAncient Encodings: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Dontt-Panic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Dontt-Panic-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbrevghidralinuxDont't Panic: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-El-Teteo-Challenge/https://x3ric.com/blog/posts/HackTheBox-El-Teteo-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnshellcodelinuxEl Teteo: build the shellcode path, control execution, and read the flag.https://x3ric.com/blog/posts/HackTheBox-FF-Jump-Street-Challenge/https://x3ric.com/blog/posts/HackTheBox-FF-Jump-Street-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalFF Jump Street: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Flippin-Bank-Challenge/https://x3ric.com/blog/posts/HackTheBox-Flippin-Bank-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbcryptoaesprngFlippin Bank: reconstruct the generator state, derive the AES material, and decrypt the final ciphertext.https://x3ric.com/blog/posts/HackTheBox-Gonna-Lift-Em-All-Challenge/https://x3ric.com/blog/posts/HackTheBox-Gonna-Lift-Em-All-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbcryptoprngGonna Lift Em All: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Hacky-Bird-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hacky-Bird-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbgamepwnmemoryHacky Bird: inspect the game logic, control the relevant state, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Mathematricks-Challenge/https://x3ric.com/blog/posts/HackTheBox-Mathematricks-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxMathematricks: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Que-Onda-Challenge/https://x3ric.com/blog/posts/HackTheBox-Que-Onda-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxQue Onda: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-Regularity-Challenge/https://x3ric.com/blog/posts/HackTheBox-Regularity-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxRegularity: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-SpellBrewery-Challenge/https://x3ric.com/blog/posts/HackTheBox-SpellBrewery-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbpwnlinuxSpellBrewery: build the exploit primitive, stabilize the payload, and use it to read the flag.https://x3ric.com/blog/posts/HackTheBox-yoU-ART-Challenge/https://x3ric.com/blog/posts/HackTheBox-yoU-ART-Challenge/Sat, 23 Nov 2024 09:20:00 +0800challengehtbhardwarefirmwaresignalyoU ART: decode the captured signal, map the bitstream, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-BlockBlock/https://x3ric.com/blog/posts/HackTheBox-BlockBlock/Tue, 19 Nov 2024 09:20:00 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Ghost/https://x3ric.com/blog/posts/HackTheBox-Ghost/Tue, 19 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapdockerEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Wayback-Challenge/https://x3ric.com/blog/posts/HackTheBox-Wayback-Challenge/Mon, 18 Nov 2024 09:20:00 +0800challengehtbrevlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Administrator/https://x3ric.com/blog/posts/HackTheBox-Administrator/Sun, 17 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapAdministrator: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Binary-Basis-Challenge/https://x3ric.com/blog/posts/HackTheBox-Binary-Basis-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoBinary Basis: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Brevi-Moduli-Challenge/https://x3ric.com/blog/posts/HackTheBox-Brevi-Moduli-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptorsalatticeBrevi Moduli: turn the RSA leak into a lattice recovery, rebuild the secret values, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Hybrid-Unifier-Challenge/https://x3ric.com/blog/posts/HackTheBox-Hybrid-Unifier-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoaeshashHybrid Unifier: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Inizialization-Challenge/https://x3ric.com/blog/posts/HackTheBox-Inizialization-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoaesxorInizialization: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Read-Before-You-Sign-Challenge/https://x3ric.com/blog/posts/HackTheBox-Read-Before-You-Sign-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoRead Before You Sign: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Sekur-Julius-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sekur-Julius-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoprngSekur Julius: reconstruct the PRNG state from the leak, replay it, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-SPG-Challenge/https://x3ric.com/blog/posts/HackTheBox-SPG-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoaesprnghashSPG: reconstruct the generator state, derive the AES material, and decrypt the final ciphertext.https://x3ric.com/blog/posts/HackTheBox-Sugar-Free-Candies-Challenge/https://x3ric.com/blog/posts/HackTheBox-Sugar-Free-Candies-Challenge/Sat, 16 Nov 2024 09:20:00 +0800challengehtbcryptoSugar Free Candies: model the crypto leak, recover the missing secret, and decrypt the flag.https://x3ric.com/blog/posts/HackTheBox-Certified/https://x3ric.com/blog/posts/HackTheBox-Certified/Thu, 07 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapCertified: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Feedback-Flux-Challenge/https://x3ric.com/blog/posts/HackTheBox-Feedback-Flux-Challenge/Sat, 02 Nov 2024 09:20:00 +0800challengehtbwebxssphpFeedback Flux: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Blazorized/https://x3ric.com/blog/posts/HackTheBox-Blazorized/Fri, 01 Nov 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberosldapBlazorized: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Epsilon/https://x3ric.com/blog/posts/HackTheBox-Epsilon/Fri, 01 Nov 2024 09:20:00 +0800machinehtblinuxEpsilon: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Secure-Singning-Challenge/https://x3ric.com/blog/posts/HackTheBox-Secure-Singning-Challenge/Fri, 01 Nov 2024 09:20:00 +0800challengehtbcryptoxorhashSecure Singning: derive the XOR key stream, invert the transform, and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Shattered-Tablet-Challenge/https://x3ric.com/blog/posts/HackTheBox-Shattered-Tablet-Challenge/Wed, 30 Oct 2024 09:20:00 +0800challengehtbrevghidralinuxShattered Tablet: trace the binary, isolate the validation routine, and invert it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Mist/https://x3ric.com/blog/posts/HackTheBox-Mist/Sat, 26 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapcve-2024-9405Mist: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Axlle/https://x3ric.com/blog/posts/HackTheBox-Axlle/Tue, 22 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberossmbldapAxlle: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Bypass-Challenge/https://x3ric.com/blog/posts/HackTheBox-Bypass-Challenge/Tue, 22 Oct 2024 01:20:00 +0800challengehtbrevdotnetEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Beep/https://x3ric.com/blog/posts/HackTheBox-Beep/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxcve-2012-4869Beep: use CVE-2012-4869 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MagicGardens/https://x3ric.com/blog/posts/HackTheBox-MagicGardens/Sun, 20 Oct 2024 09:20:00 +0800machinehtblinuxdockerMagicGardens: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Simple-Encryptor-Challenge/https://x3ric.com/blog/posts/HackTheBox-Simple-Encryptor-Challenge/Sun, 20 Oct 2024 01:20:00 +0800challengehtbrevelfxorlinuxEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Chemistry/https://x3ric.com/blog/posts/HackTheBox-Chemistry/Sat, 19 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-23334cve-2024-23346Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Compiled/https://x3ric.com/blog/posts/HackTheBox-Compiled/Fri, 18 Oct 2024 15:20:00 +0800machinehtbwindowslinuxactive-directorycve-2024-20656cve-2024-32002Compiled: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Union/https://x3ric.com/blog/posts/HackTheBox-Union/Wed, 16 Oct 2024 09:22:00 +0800machinehtblinuxUnion: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Jarmis/https://x3ric.com/blog/posts/HackTheBox-Jarmis/Wed, 16 Oct 2024 09:20:00 +0800machinehtbwindowslinuxcve-2021-38647Jarmis: use CVE-2021-38647 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Lantern/https://x3ric.com/blog/posts/HackTheBox-Lantern/Tue, 15 Oct 2024 09:20:00 +0800machinehtblinuxcve-2022-38580Lantern: use CVE-2022-38580 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/https://x3ric.com/blog/posts/HackTheBox-MonitorsThree/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-25641Enter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-Resource/https://x3ric.com/blog/posts/HackTheBox-Resource/Mon, 14 Oct 2024 09:20:00 +0800machinehtblinuxdockerResource: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Instant/https://x3ric.com/blog/posts/HackTheBox-Instant/Sat, 12 Oct 2024 12:10:50 +0800machinehtblinuxEnter the password to unlock this machine writeup.https://x3ric.com/blog/posts/HackTheBox-YPuffy/https://x3ric.com/blog/posts/HackTheBox-YPuffy/Sat, 12 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorysmbldapcve-2018-14665YPuffy: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/TryHackMe-Brains/https://x3ric.com/blog/posts/TryHackMe-Brains/Thu, 10 Oct 2024 09:20:00 +0800machinethmlinuxcve-2024-27198Brains: use CVE-2024-27198 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Help/https://x3ric.com/blog/posts/HackTheBox-Help/Wed, 09 Oct 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2017-16995cve-2017-5899cve-2021-22555Help: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-GoodGames/https://x3ric.com/blog/posts/HackTheBox-GoodGames/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxdockerGoodGames: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Valentine/https://x3ric.com/blog/posts/HackTheBox-Valentine/Sun, 06 Oct 2024 09:20:00 +0800machinehtblinuxcve-2014-0160cve-2016-5195Valentine: use CVE-2014-0160 and CVE-2016-5195 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Yummy/https://x3ric.com/blog/posts/HackTheBox-Yummy/Sun, 06 Oct 2024 00:15:50 +0800machinehtblinuxYummy: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/https://x3ric.com/blog/posts/HackTheBox-EvilCUPS/Thu, 03 Oct 2024 09:20:00 +0800machinehtblinuxcve-2024-47076cve-2024-47175cve-2024-47176cve-2024-47177EvilCUPS: use CVE-2024-47076 and CVE-2024-47175 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Flip-Challenge/https://x3ric.com/blog/posts/TryHackMe-Flip-Challenge/Thu, 03 Oct 2024 09:20:00 +0800challengethmcryptoaesxorFlip: abuse the AES misuse, derive the missing key material, and decrypt the flag.https://x3ric.com/blog/posts/TryHackMe-Prioritise/https://x3ric.com/blog/posts/TryHackMe-Prioritise/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPrioritise: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-Pyrat/https://x3ric.com/blog/posts/TryHackMe-Pyrat/Thu, 03 Oct 2024 09:20:00 +0800machinethmlinuxPyrat: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Cicada/https://x3ric.com/blog/posts/HackTheBox-Cicada/Wed, 02 Oct 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapCicada: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Gobox/https://x3ric.com/blog/posts/HackTheBox-Gobox/Mon, 30 Sep 2024 09:20:00 +0800machinehtblinuxGobox: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bashed/https://x3ric.com/blog/posts/HackTheBox-Bashed/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxBashed: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Shocker/https://x3ric.com/blog/posts/HackTheBox-Shocker/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2014-6271Shocker: use CVE-2014-6271 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-TwoMillion/https://x3ric.com/blog/posts/HackTheBox-TwoMillion/Fri, 27 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-0386TwoMillion: use CVE-2023-0386 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Soccer/https://x3ric.com/blog/posts/HackTheBox-Soccer/Wed, 25 Sep 2024 09:20:00 +0800machinehtbwindowslinuxactive-directorykerberoscve-2021-45010Soccer: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-GreenHorn/https://x3ric.com/blog/posts/HackTheBox-GreenHorn/Mon, 23 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-50564GreenHorn: use CVE-2023-50564 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-BoardLight/https://x3ric.com/blog/posts/HackTheBox-BoardLight/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2022-37706cve-2023-30253BoardLight: use CVE-2022-37706 and CVE-2023-30253 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Editorial/https://x3ric.com/blog/posts/HackTheBox-Editorial/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxEditorial: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-PermX/https://x3ric.com/blog/posts/HackTheBox-PermX/Sun, 22 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-4220PermX: use CVE-2023-4220 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Headless/https://x3ric.com/blog/posts/HackTheBox-Headless/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxHeadless: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Trickster/https://x3ric.com/blog/posts/HackTheBox-Trickster/Sat, 21 Sep 2024 09:20:00 +0800machinehtblinuxcve-2023-47268cve-2024-32651cve-2024-34716Trickster: use CVE-2023-47268 and CVE-2024-32651 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Sea/https://x3ric.com/blog/posts/HackTheBox-Sea/Mon, 16 Sep 2024 00:12:50 +0800machinehtblinuxcve-2023-41425Sea: use CVE-2023-41425 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Caption/https://x3ric.com/blog/posts/HackTheBox-Caption/Mon, 16 Sep 2024 00:10:50 +0800machinehtblinuxCaption: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Bastion/https://x3ric.com/blog/posts/HackTheBox-Bastion/Fri, 13 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorysmbBastion: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Curling/https://x3ric.com/blog/posts/HackTheBox-Curling/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxjoomlaCurling: abuse the Joomla exposure for a shell, then use local enumeration to reach root.https://x3ric.com/blog/posts/HackTheBox-Sightless/https://x3ric.com/blog/posts/HackTheBox-Sightless/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockercve-2022-0944cve-2024-34070Sightless: use CVE-2022-0944 and CVE-2024-34070 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Spooktroll/https://x3ric.com/blog/posts/HackTheBox-Spooktroll/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxdockerSpooktrol: turn the exposed service into a shell, pivot through the container boundary, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Writeup/https://x3ric.com/blog/posts/HackTheBox-Writeup/Fri, 13 Sep 2024 00:10:50 +0800machinehtblinuxcve-2022-41544Writeup: use CVE-2022-41544 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Active/https://x3ric.com/blog/posts/HackTheBox-Active/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxactive-directorykerberossmbldapActive: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Codify/https://x3ric.com/blog/posts/HackTheBox-Codify/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxkerberosCodify: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.https://x3ric.com/blog/posts/HackTheBox-Paper/https://x3ric.com/blog/posts/HackTheBox-Paper/Thu, 12 Sep 2024 00:10:50 +0800machinehtbwindowslinuxwordpresscve-2019-17671cve-2021-3560Paper: use CVE-2019-17671 and CVE-2021-3560 where it fits the service, gain a shell, and escalate to root.https://x3ric.com/blog/posts/HackTheBox-Perfection/https://x3ric.com/blog/posts/HackTheBox-Perfection/Thu, 12 Sep 2024 00:10:50 +0800machinehtblinuxPerfection: enumerate the services, turn the exposed weakness into a shell, and escalate to root.https://x3ric.com/blog/posts/TryHackMe-SQHell-Challenge/https://x3ric.com/blog/posts/TryHackMe-SQHell-Challenge/Fri, 16 Aug 2024 23:20:00 +0800challengethmwebsql-injectionSQHell: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/TryHackMe-DearQA-Challenge/https://x3ric.com/blog/posts/TryHackMe-DearQA-Challenge/Fri, 28 Jun 2024 01:20:00 +0800challengethmpwnbofformat-stringheapshellcodelinuxDearQA: shape the heap state, gain the needed write or leak, and pivot to flag access.https://x3ric.com/blog/posts/TryHackMe-Blog/https://x3ric.com/blog/posts/TryHackMe-Blog/Thu, 13 Jun 2024 03:20:00 +0800machinethmwindowslinuxwordpressBlog: abuse the WordPress foothold, stabilize the shell, and escalate through the local weakness.https://x3ric.com/blog/posts/HackTheBox-DevVortex/https://x3ric.com/blog/posts/HackTheBox-DevVortex/Tue, 16 Apr 2024 00:10:50 +0800machinehtblinuxjoomlacve-2023-23752DevVortex: use CVE-2023-23752 where it fits the service, gain a shell, and escalate to root.