D23R Cybersecurity Blog

Flipper Equation Walkthrough - OliCyber-IT Hard Challenge | AES CBC Bit Flipping Attack

Walkthrough for the Flipper Equation challenge from OliCyber-IT. A cryptography and web challenge featuring a Flask application with AES CBC encryption vulnerable to bit flipping attacks. The application requires solving 1 billion equations to obtain the flag, but by manipulating the session token through XOR operations on CBC ciphertext blocks, the points value can be forged to bypass the requirement.

Baby Walkthrough - HTB Easy | LDAP Anonymous Bind & SeBackupPrivilege Abuse

Complete walkthrough of Baby from Hack The Box. An easy Windows Active Directory machine featuring LDAP anonymous bind enumeration that reveals an initial password in Teresa Bell's description field. Extended LDAP queries discover a hidden user, Caroline Robinson, with STATUS_PASSWORD_MUST_CHANGE. After a password reset via smbpasswd, WinRM access grants a shell as a member of the Backup Operators group. SeBackupPrivilege exploitation using SeBackupPrivilegeCmdLets copies the root flag from Administrator's desktop.

Job Walkthrough - HTB Medium | Malicious ODT Document & IIS Privilege Escalation

Complete walkthrough of Job from Hack The Box. A medium Windows machine featuring an SMTP open relay server and LibreOffice document exploitation. A malicious ODT file captures NetNTLMv2 hashes via Responder, but the hash is uncrackable. Leveraging the open relay, a second malicious ODT with an embedded PowerShell payload grants shell access as jack.black. The developers group has Full Control over the IIS wwwroot, enabling Antak webshell deployment. As IIS APPPOOL\defaultapppool with SeImpersonatePrivilege, GodPotato impersonates SYSTEM to read the root flag.

CodePartTwo Walkthrough - HTB Easy | js2py Sandbox Escape & npbackup-cli Privilege Escalation

Complete walkthrough of CodePartTwo from Hack The Box. An easy Linux machine featuring a Python web application with js2py 0.74, vulnerable to the CVE-2024-28397 sandbox escape. Code execution reveals a SQLite database containing MD5 password hashes. After cracking credentials and gaining SSH access as marco, sudo privileges on npbackup-cli 3.0.1 are exploited through a malicious configuration file to back up and dump the root flag.

Breach Walkthrough - HTB Medium | NTLM Relay via SMB & Silver Ticket Attack

Complete walkthrough of Breach from Hack The Box. A medium Windows machine featuring a Domain Controller with an exposed SMB share. A malicious .url file triggers NTLM authentication via Responder, capturing Julia Wong's hash. After cracking credentials, Kerberoasting reveals svc_mssql service account credentials. A Silver Ticket attack grants Administrator access to MSSQL, where xp_cmdshell is enabled for code execution. GodPotato privilege escalation from the C:\Windows\Tasks bypass directory achieves SYSTEM access.

Retro Walkthrough - HTB Easy | Pre-Windows 2000 Computer Account & AD CS ESC1

Complete walkthrough of Retro from Hack The Box. An easy Windows machine featuring Active Directory Certificate Services (AD CS) exploitation. Anonymous SMB access reveals hints about a trainee account with weak credentials. RID brute-forcing identifies the trainee user, whose password is simply 'trainee'. Enumeration reveals a Pre-Windows 2000 computer account (BANKING$) with a default password pattern. Using this computer account, an ESC1 vulnerability in the RetroClients certificate template is exploited to request a certificate with an arbitrary SAN, allowing authentication as Administrator and domain compromise.