HTB-Machines on

Fluffy - HTB Machine

Sat, 20 Sep 2025 03:38:50 -0300

Summary (How?)

We started by enumerating the provided credentials for the user j.fleischman and identified an SMB share named IT. After downloading files from the share, we discovered a PDF detailing vulnerabilities, including CVE-2025-24071, which enabled me to craft a malicious .zip file to leak NTLM hashes via Windows Explorer’s automatic file parsing. Using this exploit, we captured the NTLM hash for the user p.agila and cracked its password.

With p.agila’s credentials, we found that the user had GenericAll permissions over the SERVICE ACCOUNTS group. This allowed us to add p.agila to the group and, subsequently, perform a Shadow Credentials attack to impersonate the WINRM_SVC account, successfully gaining access to the system as that user.

Cypher - HTB Machine

Thu, 10 Jul 2025 03:38:50 -0300

Cypher is a Hack The Box machine released on 01 Mar 2025

Summary (How?)

Cypher is a HTB machine running a web app that relies on a Neo4j graph database. A Cypher-injection flaw lets us bypass the login logic and enumerate data. Then, an exposed directory holds a JAR file whose decompiled code reveals a custom Neo4j procedure that executes shell commands without sanitisation (command injection); exploiting that procedure yields remote code execution and a reverse shell.

Artificial - HTB Machine

Tue, 24 Jun 2025 03:38:50 -0300

Artificial is a Hack The Box machine from season 8

Summary (How?)

Artificial is a machine with a web interface that allows to upload and execute TensorFlow .h5 model files. The initial foothold was obtained by embedding a reverse shell code inside a Lambda layer and exploiting the backend’s behavior which loads these models without sandboxing. From there, we accessed the Flask app’s source code, extracted database credentials, dumped the user table, cracked hashes using rockyou.txt, and obtained valid SSH credentials for user gael, leading to the user flag.

Nocturnal - HTB Machine

Sat, 21 Jun 2025 03:38:50 -0300

Nocturnal is a Hack The Box machine released on 12 Apr 2025

Summary (How?)

Nocturnal is a Hack The Box machine which serves a web application that allows file upload and download. The interesting/weird thing is that it utilizes a username parameter in the URL to retrieve and show files for an specific user. This is vulnerable to Insecure Direct Object Reference (IDOR) and also allowed us to enumerate users. Using ffuf we found user amanda and were able to read her files finding credentials.

Code - HTB Machine

Sat, 14 Jun 2025 03:38:50 -0300

Code is a Hack The Box machine released on 22 Mar 2025

Summary (How?)

We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).

To do so, we leverage object-oriented introspection to enumerate loaded Python subclasses and locate the index of the sys module. With access to sys.modules, we enumerate all loaded modules and identify one that exposes a call function—specifically, subprocess.call()—which enables us to execute system commands and obtain a reverse shell.

Dog - HTB Machine

Tue, 10 Jun 2025 03:38:50 -0300

Dog is a Hack The Box machine released on 08 Mar 2025

Summary (How?)

Started by identifying the CMS version and other services running on the target, including Backdrop CMS 1.27.1. Through endpoint enumeration and exploration of accessible files and directories, I discovered several opened directories, among them .git which can be downloaded using git-dumper to retrieve the source code of the applicaiton

In the source code I found credentials for the database and some usernames. A lot of password reuse after I managed to access the admin panel using a combination of them. Once there, leveraged an exploit (CVE-2022-43422) to achieve remote code execution (RCE). From there, I established a web shell, which had a trick since it was getting deleted after a minute, so I modified the paylod to get a reverse shell as the www-data user.

Planning - HTB Machine

Mon, 12 May 2025 03:38:50 -0300

Planning is a Hack The Box machine released on 10 May 2025

Summary (How?)

Planning is a box with a huge fuzzing to do in order to find a Grafana instance, which was vulnerable to CVE-2024-9264, a critical vulnerability allowing arbitrary command execution via unsanitized SQL input to the DuckDB CLI. Using a proof-of-concept exploit, I was able to read files and execute commands, confirming access to the Grafana container but not the host system. Further enumeration revealed valid credentials for the user enzo, which allowed SSH access to the host system.

Titanic - HTB Machine

Fri, 09 May 2025 03:38:50 -0300

Titanic is a Hack The Box machine released on 15 Feb 2025

Summary (How?)

Titanic is a web application with a Local File Inclusion (LFI) vulnerability, which allowed me to enumerate sensitive files, including the /etc/hosts file that revealed a secondary host dev.titanic.htb. This led to a Gitea instance where I found configuration files exposing the path to Gitea’s database. Using the LFI vulnerability, I downloaded the database, extracted password hashes for the developer user, and cracked them to gain SSH access to the machine as developer.