D23R Cybersecurity Blog

baby nginxatsu Walkthrough - HTB Easy Challenge | Nginx Misconfiguration

Walkthrough of Baby NginxAtsu from Hack The Box. An easy web challenge featuring nginx configuration file generation functionality with a directory listing vulnerability on /storage. A database backup file (tar.gz) accessible through autoindex reveals a SQLite database containing admin credentials. The MD5 password hash, cracked via hashcat with the rockyou wordlist, enables admin account access and flag retrieval.

Down Walkthrough - HTB Medium | SSRF Multiple URL Bypass & Password Manager Bruteforce

Complete walkthrough of Down from Hack The Box. An easy Linux machine featuring an SSRF vulnerability that exploits curl's multiple URL feature to bypass the file:// scheme filter and leak the index.php source code. Parameter discovery reveals expertmode=tcp, with netcat command injection through the port parameter by bypassing the intval() validation. A password manager vault file (pswm) in the user home directory, cracked with the rockyou wordlist, reveals SSH credentials enabling sudo access to root.

Rabbit Walkthrough - HTB Insane | Time-Based SQLi & OpenOffice Macro Exploitation

Complete walkthrough of Rabbit from Hack The Box. An insane Windows machine featuring time-based SQL injection in a complaint management system, requiring extensive sqlmap enumeration to extract credentials from the secret database. Microsoft Exchange OWA access enables a phishing attack with a malicious OpenOffice ODT macro using living off the land techniques (certutil/bitsadmin) to bypass Windows Defender and PowerShell constrained mode. Privilege escalation exploits the writable C:\wamp64\www directory with BUILTIN\Users permissions for webshell upload. Box stability issues with frequent crashes required 30+ resets during completion.

Ransom Walkthrough - HTB Medium | Laravel Type Juggling & ZipCrypto Plaintext Attack

Complete walkthrough of Ransom from Hack The Box. A medium Linux machine featuring a Laravel web application vulnerable to a type juggling attack through JSON in a GET request body, bypassing authentication without credentials. An encrypted ZIP file containing the home directory requires a ZipCrypto plaintext attack using the bkcrack tool with known .bash_logout content to extract SSH keys. Web root enumeration of the Laravel AuthController reveals a hardcoded password enabling root SSH access. LinPEAS false positives were intentionally patched by the box creator.

Calamity Walkthrough - HTB Hard | Audio Steganography & Binary Exploitation

Complete walkthrough of Calamity from Hack The Box. A hard Linux machine featuring PHP code injection through admin.php with password in HTML comments, enabling webshell upload for initial access. Audio steganography using Audacity invert effect on WAV files reveals user password. Privilege escalation exploits SUID binary with complex 3-stage buffer overflow: leaking hey.secret, accessing debug function, and executing shellcode after mprotect disables NX protection. One of HTB's most difficult binary exploitation challenges.

WifineticTwo Walkthrough - HTB Medium | OpenPLC CVE-2021-31630 & WPS Exploitation

Complete walkthrough of WifineticTwo from Hack The Box. A medium Linux machine featuring an OpenPLC webserver with default credentials vulnerable to CVE-2021-31630 authenticated RCE. Initial root access in a container provides only the user flag, requiring pivoting through WiFi enumeration. WPS exploitation with the oneshot.py script obtains wireless credentials, enabling dhclient IP acquisition and SSH access to the OpenWrt access point for the root flag.

Expressway Walkthrough - HTB Easy | IKE Aggressive Mode PSK Crack & Sudo Privilege Escalation

Complete walkthrough of Expressway from Hack The Box. An easy Linux machine featuring IKE/IPsec enumeration. TCP scanning reveals only SSH on port 22, but UDP enumeration uncovers TFTP and IKE services. A TFTP file leak exposes a Cisco router config revealing a user named ike. IKE aggressive mode is enabled, allowing PSK hash capture and offline cracking with hashcat. Credentials are used to authenticate via SSH and get the user flag. Privilege escalation is achieved by exploiting CVE-2025-32463, a sudo vulnerability, to gain a root shell.

Snapped Walkthrough - HTB Hard | Nginx UI CVE-2026-27944 & Snapd CVE-2026-3888

Complete walkthrough of Snapped from Hack The Box. A hard Linux machine featuring Nginx UI vulnerable to CVE-2026-27944, allowing unauthenticated backup download and decryption. Extracted database contains bcrypt hashes, with the admin password enabling SSH access as jonathan through credential reuse. Privilege escalation exploits CVE-2026-3888 in snapd, requiring precise timing across three terminals to perform a race condition attack on snap-confine, ultimately achieving root access through dynamic linker hijacking inside AppArmor sandbox.