Hack The Box Writeups


Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.


Below you will find my personal writeups of the various boxes that can be found on hackthebox.eu, ranked by difficulty.

Personal Cherrytree Pentesting Notes

Ech0

Hack The Box - Easy Boxes

Template Page

  1. ✅ - Lame
  2. ✅ - Legacy
  3. ✅ - Devel
  4. ✅ - Beep
  5. ✅ - Optimum
  6. ✅ - Arctic
  7. ✅ - Grandpa
  8. ✅ - Granny
  9. ✅ - Bank
  10. ✅ - Blocky
  11. ✅ - Blue
  12. ✅ - Mirai
  13. ✅ - Shocker
  14. ✅ - Sense
  15. ✅ - Bashed
  16. ✅ - Nibbles
  17. ✅ - Valentine
  18. ✅ - Sunday
  19. ✅ - Bounty
  20. ✅ - Jerry
  21. ✅ - Active
  22. ✅ - Access
  23. ✅ - Frolic
  24. ✅ - Curling
  25. ✅ - Irked
  26. ✅ - Teacher
  27. ✅ - Help
  28. ✅ - FriendZone
  29. ✅ - Netmon
  30. ✅ - CasaDePapel
  31. ✅ - Bastion
  32. ✅ - SwagShop
  33. ✅ - Writeup
  34. ✅ - Haystack
  35. ✅ - Safe
  36. ✅ - Heist
  37. ✅ - Networked
  38. ✅ - Forest
  39. ✅ - Postman
  40. ✅ - Traverxec
  41. ✅ - OpenAdmin
  42. ✅ - Nest
  43. ✅ - Traceback
  44. ✅ - Remote
  45. ✅ - Servmon
  46. ✅ - Admirer
  47. ✅ - Blunder
  48. ✅ - Tabby
  49. ✅ - Buff
  50. ✅ - Omni
  51. ✅ - Doctor
  52. ✅ - Academy
  53. ✅ - Laboratory
  54. ✅ - Luanne
  55. ✅ - Delivery
  56. ✅ - Toolbox
  57. ✅ - Sauna
  58. ✅ - ScriptKiddie
  • | CVE-2007-2447, vsftpd 2.3.4
  • | CVE-2008-4245, ms08_067_netapi
  • | Anonymous FTP, ms10_015_kitrap0d
  • | Elastix, Webmin, vtiger
  • | HttpFileServer 2.3, rejetto, 41020
  • | ColdFusion 8, JRun Web Server
  • | IIS 6.0, webdav
  • | IIS 6.0, webdav
  • | DNS, reverse php shell, root binary
  • | Wordpress, jar
  • | MS17-010, EternalBlue, Win7 SP1
  • | PiHole
  • | ShellShock, 34900
  • | FreeBSD, pfSense
  • | PHPBash, kernel 4.4, 44298
  • | NibbleBlog 4.0.3
  • | HeartBleed
  • | Solaris, SunOS, fingerd, unshadow, john
  • | IIS 7.5, transfer.aspx
  • | Tomcat, tomcat_mgr_login, mgr_upload
  • | SMB, Kerberoast, gpp encrypt
  • | ftp, telnet, pst, mbox, readpst, runas
  • | Brainfuck, nginx, ROP exploit
  • | Joomla , reverse php
  • | UnrealIRCd
  • | Moodle, MariaDB, hashes
  • | HelpdeskZ, reverse php, 44298
  • | smb, ssl certs, dns
  • | ftp, prtg network monitor
  • | ssl certs, cron
  • | smb, share mounting, vhd, mRemoteNG
  • | Magento, lfi, reverse php
  • | CMS made Simple, 46635 , reverse py
  • | Elasticsearch, json, kibana
  • | ROP, ghidra, gef, keepass hashes
  • | Cisco pass, smb, sysinternals
  • | Reverse php gif, cmd execution
  • | BloodHound AD Navigation, Exchange Windows
  • | Redis 4.0.x, Webmin 1.910, RCE
  • | nostromo 1.9.6, journalctl
  • | OpenNetAdmin, nano shell
  • | Visual Basic, SMB, telnet
  • | Web-Shells, SSH Motd script
  • | Umbraco v7.12 ,TeamViewer v7
  • | xc.exe, nsclient++, ftp, winpeas
  • | Adminer, MySQL, Python library Hijacking
  • | Bludit 3.9.2, SHA1, sudo 1.8.25p1
  • | Tomcat, LFI, lxc container
  • | Gym Management RCE, Buffer Overflow
  • | Windows IOT, SirepRAT.py, Import-CliXml
  • | XML SSTI splunkd RCE
  • | PHP Laravel token deserialization, composer
  • | Gitlab CE 12.8.1 gitlab-rails, SUID bit
  • | NetBSD lua code injection, doas, netpgp
  • | OSTicket, Mattermost, hashcat custom list
  • | SQL Injection reverse shell, boot2docker
  • | LDAP, kerberos, mimikatz, NTLM hash
  • | Msfvenom apk exploit, command injection

Ech0

Hack The Box - Medium Boxes

Template Page

  1. ✅ - Popcorn
  2. ✅ - Bastard
  3. ✅ - Tenten
  4. ✅ - Cronos
  5. ✅ - October
  6. ✅ - Lazy
  7. ✅ - Sneaky
  8. ✅ - Haircut
  9. ✅ - Europa
  10. ✅ - Nineveh
  11. ✅ - Apocalyst
  12. ✅ - SolidState
  13. ✅ - Node
  14. ✅ - Enterprise
  15. ✅ - Jeeves
  16. ✅ - Inception
  17. ✅ - FluxCapacitor
  18. ✅ - Chatterbox
  19. ✅ - Aragog
  20. ✅ - Bart
  21. ✅ - Stratosphere
  22. ✅ - Celestial
  23. ✅ - Silo
  24. ✅ - Poison
  25. ✅ - Canape
  26. ✅ - Olympus
  27. ✅ - TartarSauce
  28. ✅ - DevOops
  29. ✅ - Hawk
  30. ✅ - Waldo
  31. ✅ - SecNotes
  32. ✅ - Giddy
  33. ✅ - Ypuffy
  34. ✅ - Carrier
  35. ✅ - Vault
  36. ✅ - Redcross
  37. ✅ - Lightweight
  38. ✅ - Chaos
  39. ✅ - Querier
  40. ✅ - Arkham
  41. ✅ - Unattended
  42. ✅ - Luke
  43. ✅ - Jarvis
  44. ✅ - Craft
  45. ✅ - Bitlab
  46. ✅ - Wall
  47. 🟠 - Json
  48. 🟠 - AI
  49. ❌ - Sniper
  50. ❌ - Mango
  51. ❌ - Obscurity
  52. ❌ - Monteverde
  53. ❌ - Book
  54. ❌ - Cascade
  55. ❌ - Magic
  56. ❌ - Cache
  57. ❌ - Fuse
  58. ❌ - SneakyMailer
  59. ❌ - OpenKeyS
  60. ❌ - Worker
  61. ❌ - Passage
  62. ❌ - Jewel
  63. ❌ - Bucket
  64. ❌ - Time
  65. ❌ - Ready
  • | Torrent Hoster
  • | Drupal 7
  • | Wordpress
  • | php lavarel, sql injection
  • | OctoberCMS
  • | cookie authentification padding abuse
  • | udp snmp ipv6
  • | php rce, GNU screen 4.50
  • | europacorp v0.2b, sqlmap, RCE
  • | phpLiteAdmin v1.9, hydra port knocking
  • | wordpress, wordlists
  • | james smtpd, james pop3d
  • | myplace nodejs api, mongodb, binexp
  • | php sql inj, joomla, wp, binexp
  • | askjeeves, kdbx, rdesktop
  • | dompdf, webdav, pivot
  • | Fuzzing
  • | AChat, Win7
  • | xml-content XXE, wordpress
  • | server monitor, simple chat User-Agent
  • | OGNL RCE, mysql, python lib hijacking
  • | Node.js concatenating deserialization
  • | Oracle DB RCE
  • | FreeBSD, php LFI
  • | cPickle, couchDB, pip
  • | xdebug 2.5.5, airgeddon, knock, docker
  • | Wordpress, gwolle-gb, tar
  • | XXE, github repository enumeration
  • | aes-256-cbc, ssh tunnel, H2 database
  • | Evasive LFI, Container, cap_dac_read_search
  • | XSRF, SQLi, nc.exe, smb, IIS,
  • | SQLi, xp_dirtree, Ubiquiti UniFi-Video
  • | FreeBSD, ldap, smb, putty, ssh certificates
  • | Lyghtspeed, Quagga v0.99, BGP routes MITM
  • | SOCKS5 Port Forwarding, double pivoting, gpg
  • | SQLi, PHPSESSID, cmd injection, psql, sudo gid
  • | LDAP, getcap, tcpdump, binary capabilities
  • | WebMin, roundcube, ajax.php, LaTeX, firefox
  • | smb, excel macros, mssql, xp_dirtree, winRM
  • | smb, LUKS, javax.ViewState, powershell privesc
  • | 2nd order blind SQL injection, luks initrd.img
  • | Boostrap4, JWT, Ajenti, FreeBSD amd64
  • | SQL Injection, python privesc, systemctl SUID
  • | Gogs, REST api, docker, mysql sqlAlchemy
  • | Gitlab, hardcoded creds in js, sudo git pull
  • | Centreon, uncompyle, linpeas, GNU Screen 4.5.0
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |
  • |

Ech0

Hack The Box - Insane Boxes

Template Page...

Ech0

The Concept

The Goal is to capture both the User and the Root flags by gaining unauthorized access to the machines on HTB's private network, in order to get the flags, one has to employ various sets of pentesting skills, from finding out common vulnerabilities in the easier boxes, to crafting custom-exploitation for the harder boxes.