Machines&Challenges on z3r0s

Hardware - Espresso

Fri, 05 Jun 2026 00:00:00 +0000

Hack The Box Challenge Writeup: Espresso Link to heading

Challenge Link to heading

Name: Espresso

Scenario:

Someone leaked the new Espresso firmware, can you try to figure out what it does?

The challenge provides an ESP32 firmware image. The firmware checks whether it is running on expected hardware by comparing the ESP32 factory MAC address against zero bytes. If the check fails, it prints anti-clone messages. If the check passes, it generates the flag by XOR decoding a 31 byte table stored in the firmware data segment.

HTB - DevHub

Sat, 30 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The Logo Link to heading

The machine logo shows a caged beast with red glowing eyes trapped behind bars. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Caged beast behind bars: A system designed to restrict access, block unsafe operations, or confine environments (sandboxing / containerization).
Red glowing eyes: A powerful or potentially dangerous interface that is supposed to be fully locked down, but might have vulnerabilities in its containment.
Caged element: An environment escape (sandbox escape) or a container escape scenario.

The Name Link to heading

"DevHub" combined with the logo points toward:

A centralized developer platform or gateway (like GitLab, JupyterHub, or a custom tool manager) that coordinates multiple services.
An environment where developers deploy models, notebooks, or scripts, pointing directly to development-centric protocols like Model Context Protocol (MCP) or Jupyter.

The Instant Hypothesis Link to heading

Combining name and logo before even running nmap:

"This is a developer platform (DevHub) managing internal development or model tools. The caged beast suggests containerization, sandboxing, or restricted environments that we must escape. The primary attack vector will likely involve exploiting development utilities or container/sandbox escape vulnerabilities."

This hypothesis is confirmed within minutes of enumeration, revealing an exposed Model Context Protocol (MCP) debugger and Jupyter notebook.

HTB - Reactor

Sun, 24 May 2026 00:00:00 +0000

Difficulty: Easy | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The Logo Link to heading

The machine logo shows a nuclear reactor facility - cooling towers with radiation symbols (☢), smoke/steam rising, set inside a green circle. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Nuclear reactor theme → the web app will be a reactor monitoring dashboard, ICS/SCADA-style interface with sensor readings, logs, and personnel panels
Green color scheme → "nominal / online" status indicators - a live running service dashboard
Radiation symbols → nuclear operations terminology ahead: coolant flow, pressure, neutron flux, core temperature - all realistic dashboard labels that give no obvious attack surface

The Name Link to heading

"Reactor" combined with the logo points toward two things at once:

React/Next.js - "Reactor" is almost certainly a pun on React, the JavaScript framework. HTB machine names frequently reference the intended technology this way. This immediately narrows the attack surface to a Node.js web application.
Nuclear monitoring theme - the app will look like a static read-only dashboard with no login, no forms, no visible input - pushing the attacker toward framework-level vulnerabilities rather than application logic.

The Instant Hypothesis Link to heading

Combining name + logo before even running nmap:

"This is a Next.js app themed as a nuclear reactor dashboard. The name 'Reactor' punning on React strongly suggests a Next.js vulnerability is the intended path. The dashboard will look static but the attack vector will be server-side - likely Server Actions, API routes, or RSC deserialization."

This hypothesis was confirmed within minutes:

Port 3000 → X-Powered-By: Next.js in response headers
No login page, no visible forms → the framework itself is the attack surface, not the application logic
Next.js Server Actions prototype pollution (CVE-2025-55182) → exact match

This is why reading the logo matters. A good HTB player can often narrow the entire attack path to 1-2 CVEs before the nmap scan finishes.

HTB - SmartHire

Mon, 18 May 2026 00:37:12 +0300

SmartHire HTB Write-up Link to heading

Executive Summary Link to heading

SmartHire was compromised in two stages:

Initial access / user shell The SmartHire web application relied on an external MLflow instance to load a model by name during resume prediction. Because the MLflow registry was exposed and protected only by weak credentials (admin:password), it was possible to register a malicious pyfunc model under the exact name expected by the application. When the application later loaded that model during a prediction request, it deserialized attacker-controlled pickle content and executed a reverse shell as svcweb.

HTB - Browsed

Sun, 10 May 2026 23:19:05 +0300

After get the target ip lets scan with nmap

We have port 80 lets check it

sudo nano /etc/hosts

ip browsed.htb

lets go to check Samples Page

http://browsed.htb/samples.html

lets Download any file, I'll download second file

**After download the file we got zip file lets unzip it

It Looks interesting

lets Check upload page

We can Upload Chrome Extension (.zip)

Pwn - cyKer

Sun, 10 May 2026 22:54:00 +0300

cyKer — Kernel Exploitation Writeup Link to heading

Category: Pwn / Kernel Flag: CyCTF{3c03ee481e3c39c175d1a8baed7f9bbe}

Overview Link to heading

We are given a QEMU-based kernel challenge containing:

bzImage — Linux 5.4.0 kernel
initramfs.cpio.gz — root filesystem with a vulnerable kernel module hackme.ko
run.sh — QEMU launch script with all mitigations disabled:
```
nokaslr nosmep nosmap mitigations=off
```

The VM boots, loads hackme.ko, then drops us into a shell as uid 1000. The flag at /flag is owned by root with chmod 600.

Crypto - aliens

Sun, 10 May 2026 00:00:00 +0000

Crypto Aliens Write-up Link to heading

Challenge Summary Link to heading

We are given a remote service and a local copy of the challenge logic in server.py.

The service asks for a message, applies a custom padding routine, appends a similarly padded flag, and then encrypts the result with AES-ECB.

At first glance this looks annoying rather than breakable, because:

Crypto - BabyEncryption

Sun, 10 May 2026 00:00:00 +0000

Baby encryption Link to heading

You are after an organised crime group which is responsible for the illegal weapon market in your country. As a secret agent, you have infiltrated the group enough to be included in meetings with clients. During the last negotiation, you found one of the confidential messages for the customer. It contains crucial information about the delivery. Do you think you can decrypt it?

Crypto - raining primes

Sun, 10 May 2026 00:00:00 +0000

Raining Primes Write-up Link to heading

Summary Link to heading

The service mixes three ideas:

Prime generation of the form p = a*r + b
A homomorphic-looking key update routine
RSA encryption of an AES-encrypted flag

The design breaks because the same hidden 640-bit prime r is reused everywhere:

every prime returned by option 1
both RSA primes
the update_key() routine

Once r is recovered, the rest of the scheme collapses:

Crypto - the last dance

Sun, 10 May 2026 00:00:00 +0000

To be accepted into the upper class of the Berford Empire, you had to attend the annual Cha-Cha Ball at the High Court. Little did you know that among the many aristocrats invited, you would find a burned enemy spy. Your goal quickly became to capture him, which you succeeded in doing after putting something in his drink. Many hours passed in your agency's interrogation room, and you eventually learned important information about the enemy agency's secret communications. Can you use what you learned to decrypt the rest of the messages?

Crypto - twisted entanglement

Sun, 10 May 2026 00:00:00 +0000

Twisted Entanglement Write-Up Link to heading

Target Link to heading

Host: 154.57.164.77:30486
Flag: HTB{Ek3rT_W4s_s000_b0R1nG_1N_1991_4nD_1_h4t3_Pr0b4b1l1Ty_s0_I_Us3_4_ECC_S33d!}

Vulnerabilities Link to heading

The challenge has two independent weaknesses that chain together cleanly.

1. Invalid-curve scalar multiplication Link to heading

Menu option 1 accepts an arbitrary user point and computes:

public_key = multiply(private_key, point, E)

There is no validation that the input point lies on the original secp256k1 curve. The code only uses a and p inside the EC formulas, so any point on any curve of the form:

Hardware - defusal

Sun, 10 May 2026 00:00:00 +0000

Hardware Defusal Writeup Link to heading

Files Link to heading

Ignoring file.zip as requested, the challenge files are:

Defusal
circuit.png
C4-BOMB.mp4

1. Triage Link to heading

Defusal is an AVR firmware ELF:

ELF 32-bit LSB executable, Atmel AVR 8-bit, statically linked, with debug_info, not stripped

That makes this mostly a firmware reverse-engineering problem.

2. Key Firmware Findings Link to heading

Useful strings inside the binary:

Hardware - line

Sun, 10 May 2026 00:00:00 +0000

Hardware Line Link to heading

Target: 154.57.164.83:31804

Summary Link to heading

The service on 31804/tcp speaks LPD. The queue name lp is accepted, and the implementation is vulnerable to command execution via Shellshock in user-controlled LPD control-file fields.

The working primitive is:

() { :;}; <command>

That payload can be injected into the control-file fields and filenames during a standard LPD Receive a printer job request.

Hardware - mission pinpossible

Sun, 10 May 2026 00:00:00 +0000

Mission Pinpossible Writeup Link to heading

Files Link to heading

op_pinpossible.logicdata
security_keypad.jpeg

Goal Link to heading

Recover the password shown on the keypad LCD from the intercepted monitor traffic.

1. Identify the bus Link to heading

The photo shows a standard 16x2 HD44780 LCD connected through a common I2C backpack based on a PCF8574.

Hardware - ProjectPower

Sun, 10 May 2026 00:00:00 +0000

Project Power Writeup Link to heading

Summary Link to heading

The challenge exposes a remote interface to an embedded device performing AES-128 encryption. The interface lets us:

send a chosen 16-byte plaintext and receive a corresponding power trace
submit a candidate AES key and receive the flag if the key is correct

This is a standard side-channel setup. A simple Correlation Power Analysis (CPA) attack against the first AES round is enough to recover the key.

Hardware - rflag

Sun, 10 May 2026 00:00:00 +0000

hardware_rflag Writeup Link to heading

Flag Link to heading

HTB{RF_H4ck1n6_1s_c00l!!!}

Approach Link to heading

The archive only contains one useful file: signal.cf32, a raw complex64 IQ capture.

I loaded the samples with NumPy and inspected the amplitude envelope:

The capture has 476160 complex samples.
Thresholding the magnitude shows runs quantized almost perfectly at ~899 samples and ~1798 samples.
The first part of the signal is a preamble, followed by data encoded as alternating 01 / 10 unit pairs.

That pattern is consistent with Manchester-style encoding.

Hardware - Secret Treasures

Sun, 10 May 2026 00:00:00 +0000

Hardware Secret Treasures Link to heading

Flag Link to heading

HTB{m3M0ry_5cR4Mbl1Ng_4nd_1CG_423_n07_3n0u9h7!$#}

Files Link to heading

embedded_software: ARM ELF, not stripped
flash_memory_dump.bin: 16 MiB flash contents
input_channel_trace.sal: Saleae capture of the passcode line

1. Reverse the firmware Link to heading

The firmware is an ARM binary with useful symbols:

main
random_generator
get_UniqieID
get_secret
W25Q128_init

Important observations from main:

Hardware - signals

Sun, 10 May 2026 00:00:00 +0000

Hardware Signals Writeup Link to heading

The WAV file is an SSTV transmission, not packet radio.

The giveaway is the VIS/header pattern at the start of the audio:

1900 Hz leader
1200 Hz break
1900 Hz leader
VIS bits around 1100/1300 Hz

Decoding the VIS bits gives decimal 95, which corresponds to PD120. That also matches the total duration of the file: about 126 s, which is the expected PD120 transmission time used in ISS SSTV events.

Hardware - wander

Sun, 10 May 2026 00:00:00 +0000

Hardware Challenge: Wander Link to heading

Target Link to heading

154.57.164.83:31454

Summary Link to heading

The exposed service is a Flask/Werkzeug web app that forwards user-supplied PJL commands to the printer backend.
The /jobs page exposes a form with the placeholder @PJL INFO ID, which is enough to identify the intended attack surface: raw Printer Job Language.

Herald

Sun, 10 May 2026 00:00:00 +0000

Nmap Scan

[12ms][127][~/herald]$ nmap -sCV 10.0.12.3
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-13 17:45 -0400
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.95% done; ETC: 17:46 (0:00:00 remaining)
Nmap scan report for herald.htb (10.0.12.3)
Host is up (0.00091s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-13 21:45:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: herald.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
| 10.0.12.3:1433: 
| Version: 
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2026-04-13T21:46:08+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-13T21:42:38
|_Not valid after: 2056-04-13T21:42:38
| ms-sql-ntlm-info: 
| 10.0.12.3:1433: 
| Target_Name: HERALD
| NetBIOS_Domain_Name: HERALD
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: herald.htb
| DNS_Computer_Name: DC01.herald.htb
| DNS_Tree_Name: herald.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: herald.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
MAC Address: 08:00:27:0F:D0:78 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
| 3.1.1: 
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 3s, median: 1s
| smb2-time: 
| date: 2026-04-13T21:45:35
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:0f:d0:78 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.04 seconds

add in etc/hosts

HTB - Helix

Sun, 10 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux | Date: 2026-05-10

Summary Link to heading

Helix presents a realistic industrial operations scenario built around Apache NiFi, OPC UA, and a custom maintenance console. The attack chain is:

Vhost fuzzing → flow.helix.htb (Apache NiFi 1.21.0, unauthenticated)
NiFi RCE via ExecuteScript processor → shell as nifi
SSH private key for operator found in NiFi support bundles
Privilege escalation via OPC UA node manipulation to open a timed maintenance window → root shell

misc,CyCTF-Luxor - sonnet-jail

Sun, 10 May 2026 00:00:00 +0000

Sonnet Jail - Writeup Link to heading

Challenge Link to heading

Name: Sonnet Jail
Category: Misc / PyJail
Description: "I told Sonnet create me a creative pyjail even you can't solve, does it make the job?"
Goal: Read ./flag.txt

Reconnaissance Link to heading

Connecting to the service presents a Python REPL with several restrictions:

>>> print(1+1)
2
>>> print(open("flag.txt").read())
[blocked] no dots
>>> print(open("flag" + chr(46) + "txt"))
[blocked] 'open' is blocked

Blocked keywords Link to heading

Keyword	Message
`.` (dot character)	`no dots`
`open`	`'open' is blocked`
`eval`	`'eval' is blocked`
`exec`	`'exec' is blocked`
`dir`	`'dir' is blocked`
`getattr`	`'getattr' is blocked`
`hasattr` / `setattr` / `delattr`	blocked
`__builtins__`	blocked
`__import__`	blocked
`globals`	blocked
`breakpoint`	blocked
`compile`	blocked
`input`	blocked
`__subclasses__`	`blocked string`
`__init__`	`blocked string`
`flag`	`blocked string`

Allowed builtins Link to heading

print, type, chr, isinstance, vars, list, map, filter, zip, object, bytes, int, str, range, enumerate, len, tuple, set, dict, frozenset, hex, oct, ord, bin, abs, round, sorted, reversed, min, max, sum, any, all, bool, float, complex, super, staticmethod, classmethod, property, slice, memoryview, bytearray

pwn - bil

Sun, 10 May 2026 00:00:00 +0000

bil - PWN Writeup Link to heading

Challenge Info Link to heading

Name: bil
Category: PWN
Remote: 0.cloud.chals.io:18850

Files Provided Link to heading

app - ELF 64-bit binary
libc.so.6 - GLIBC 2.36
ld-linux-x86-64.so.2 - dynamic linker
flag - placeholder flag

Binary Analysis Link to heading

Checksec Link to heading

Protection	Status
RELRO	Full RELRO
Stack Canary	No
NX	Enabled
PIE	Disabled

Key Functions Link to heading

vuln() @ 0x4011c6

Quantum - flagportation

Sun, 10 May 2026 00:00:00 +0000

HTB Write-up: Flagportation Link to heading

Link - https://app.hackthebox.com/challenges/Flagportation

Category: Quantum Difficulty: Very Easy

Summary Link to heading

The server implements a simplified quantum teleportation protocol: it encodes bit pairs (00, 01, 10, 11) into a 3-qubit state, measures the first two qubits and prints the measurement results and the basis (Z or X) used to encode the original bits. Your job is to send instructions (which gates to apply to the third qubit) and choose the measurement basis for the third qubit. From the returned measurement you can reconstruct the original two-bit pair.

Quantum - global hyperlink zone

Sun, 10 May 2026 00:00:00 +0000

HTB Write-up: Global Hyperlink Zone Link to heading

Link - https://app.hackthebox.com/challenges/Global%2520Hyperlink%2520Zone

Category: Quantum Difficulty: Very Easy

Summary Link to heading

The challenge provides a Python script for a server that expects a specific sequence of quantum gates. The goal is to build a quantum circuit that satisfies a set of conditions defined in a validation function within the script. The solution involves creating a specific entangled state across five qubits.

Quantum - noisy vault

Sun, 10 May 2026 00:00:00 +0000

Noisy Vault Writeup Link to heading

Summary Link to heading

The challenge description mentions a 13-qubit system and a 9-bit key, but the actual service uses:

64 data qubits
16 ancilla qubits
a single oracle query
4096 noisy measurement shots

The goal is to recover the hidden 64-bit secret_key and submit it in one unlock attempt.

Root Cause Link to heading

The service prepares the secret as a computational basis state by applying X on each data qubit whose key bit is 1.

Quantum - phase madness

Sun, 10 May 2026 00:00:00 +0000

Title: Phase Madness

Category: Quantum

Difficulty: Easy

Link: https://app.hackthebox.com/challenges/Phase%20Madness

Brief Description Link to heading

The description says "Qubitrix stores data unlike any other. At its core, every secret is locked in a silent quantum spiral, inaccessible to classical developers. The engineers swore it was flawless, yet something in its design hums and breathes. To them, it's madness. To us, clarity."

So, essentially, we are given the server code in Python, server.py.

Quantum - qlotto

Sun, 10 May 2026 00:00:00 +0000

Name - QLotto

Category - Quantum

Difficulty - Easy

Link - https://app.hackthebox.com/challenges/qlotto

Summary Link to heading

The challenge description sets the scene: "They call it QLotto â€” a dazzling new quantum lottery table provided by Qubitrix... If you can predict their draws, you can beat the system." We are provided with a server.py file. The core task is to bypass a restrictive input check on the quantum circuit indices and then manipulate the quantum state to create a predictable correlation between the "house card" and our draws. By using negative indexing and specific quantum gates, we can rig the lottery.

Quantum - untrusted node

Sun, 10 May 2026 00:00:00 +0000

Name - Untrusted Node

Category - Quantum

Difficulty - Medium

Link - https://app.hackthebox.com/challenges/Untrusted%2520Node

Summary Link to heading

The challenge presents a Quantum Key Distribution (QKD) simulation. The "Transmitter" (Alice) sends qubits to a "Receiver" (Bob), but there is a redundancy flaw: for every bit of the key, Alice sends a "chunk" of identical qubits. We act as the compromised "Trusted Node" in the middle. By measuring the first two qubits of each chunk in different bases and letting the rest pass to Bob, we can recover the key without alerting the protocol during the reconciliation phase.

Reverse Engineering - Coffee Invocation

Sun, 10 May 2026 00:00:00 +0000

Coffee Invocation Writeup Link to heading

Flag Link to heading

HTB{1_c4nt_c4ptur3_fl4g5_unt17_1v3_h4d_a1l_my_0xCAFEBABE}

Overview Link to heading

coffee_invocation is a PIE ELF that embeds two Java class files and drives them through JNI.

The native code:

creates a JVM
hooks java/lang/Shutdown.halt0
rewrites cached boxed values such as Byte, Short, Character, Boolean
runs Verify1
runs Verify2
if both wrappers return 0, prints the supplied password as HTB{<password>}

So the solve is to recover the exact 52-character password accepted by both verifiers.

Reverse Engineering - Cyberpsychosis

Sun, 10 May 2026 00:00:00 +0000

HackTheBox - Cyberpsychosis (Reverse Engineering) Link to heading

Challenge Description Link to heading

Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?

Difficulty: Medium
Category: Reverse Engineering
Files: diamorphine.ko, LICENSE.txt
Target: TCP service hosting a QEMU VM

Analysis Link to heading

Identifying the Rootkit Link to heading

The challenge provides diamorphine.ko, a Linux kernel module (LKM). Diamorphine is a well-known open-source Linux rootkit. Basic identification:

Reverse Engineering - Maze

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: Maze Link to heading

Challenge Overview Link to heading

Category: Reverse Engineering
Difficulty: Medium
Flag: HTB{w0W_Y0u_C0uld_E5c4p3_Th1s_M4Z33!!}

We are given a Windows executable (maze.exe), an encrypted zip (enc_maze.zip), and an image (maze.png). The goal is to navigate through multiple layers of obfuscation to find the flag.

Solution Link to heading

Step 1: Identify and Unpack PyInstaller Link to heading

$ file maze.exe
maze.exe: PE32+ executable for MS Windows, x86-64
$ strings maze.exe | grep PyInstaller
PyInstaller: pyi_win32_utils_to_utf8 failed.

The binary is a PyInstaller-packed Python 3.8 application. We extract it using pyinstxtractor:

Reverse Engineering - rauth

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: rauth Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: "My implementation of authentication mechanisms in C turned out to be failures. But my implementation in Rust is unbreakable. Can you retrieve my password?"
Flag: HTB{I_Kn0w_h0w_t0_5al54}

Analysis Link to heading

The binary is a 64-bit ELF Rust executable, dynamically linked, with debug info and not stripped.

Reverse Engineering - Regas Town

Sun, 10 May 2026 00:00:00 +0000

Rega's Town - HTB Reverse Engineering Challenge Writeup Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: Welcome to Rega Town, a quaint little place where everyone communicates through the magic of patterns and rules!

Analysis Link to heading

The challenge provides a 64-bit ELF binary written in Rust. Running it prompts for a "secret passphrase" and validates it against a series of regex patterns.

Reverse Engineering - VirtuallyMad

Sun, 10 May 2026 00:00:00 +0000

VirtuallyMad - HTB Reverse Engineering Challenge Link to heading

Flag Link to heading

HTB{0210010002100100031100010112110004130000}

Overview Link to heading

The challenge provides a stripped ELF binary (virtually.mad) that implements a custom virtual machine. The user must supply a hex-encoded "code" string that, when executed by the VM, produces a specific register state.

VM Architecture Link to heading

Registers & State Link to heading

The VM allocates a 0x38-byte structure:

Reverse Engineering - vvm

Sun, 10 May 2026 00:00:00 +0000

rev_vvm Writeup Link to heading

Flag Link to heading

HTB{v1rTu4L_p4sSw0rD_t3ChN0loGy}

Summary Link to heading

The binary is a stripped PIE ELF that implements a small VM. The visible flow is:

Print the banner.
Build a dispatch table for VM opcodes by XOR-decoding multiple handler stubs from .data.
Execute a dword-based bytecode program stored in .data at 0x5540.

Running the binary directly is not useful because one VM opcode calls ptrace and exits under tracing/debugged environments. The solve is easier statically by reconstructing the VM handlers and emulating the bytecode.

Web - NextBlog

Sun, 10 May 2026 00:00:00 +0000

NextBlog - CTF Writeup Link to heading

Challenge Info Link to heading

Name: NextBlog
URL: https://cyctf-luxor-cbaff7649acb-nextblog-0-0.chals.io
Category: Web
Flag: CyCTF{F7oXj5sHY4xfvfrIo2x2pkbr4eIVEW3DoYSQe1WHsx_iffn39-InchEsJKhkGtnfg8VA60x6WfCvKRQjmHzftiAxx1TvnXF8FA}

Overview Link to heading

A Next.js 16 blog application with a hidden flag server running on localhost:3001. The goal is to exploit a Server-Side Request Forgery (SSRF) vulnerability in a server action to reach the internal flag server.

WEB - Resizer

Sun, 10 May 2026 00:00:00 +0000

Resizer Writeup Link to heading

Challenge Link to heading

Name: Resizer
Category: Web
Target: http://154.57.164.66:30462

TL;DR Link to heading

The core bug is an arbitrary file write through path traversal in the upload filename:

filename = file.filename
filepath = os.path.join(app.config['UPLOAD_FOLDER'], filename)
file.save(filepath)

Because filename is never sanitized with secure_filename() and os.path.join() does not stop ../, we can write files outside uploads/.

HTB - WingData

Fri, 08 May 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux
CVEs	CVE-2025-47812 · CVE-2025-4517 · CVE-2025-4138

Summary Link to heading

WingData is an Easy Linux machine. A company website redirects to an FTP client portal running Wing FTP Server v7.4.3, which is vulnerable to an unauthenticated RCE (CVE-2025-47812). Post-exploitation enumeration reveals a salted SHA-256 hash for user wacky stored in Wing FTP config files. After cracking the hash with hashcat and gaining SSH access, a misconfigured sudo rule allows execution of a Python backup restoration script as root. The script is vulnerable to CVE-2025-4517, a tarfile PATH_MAX bypass that allows arbitrary file write - used to overwrite /etc/sudoers and gain root.

HTB - VariaType

Tue, 05 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-66034 · CVE-2024-25082 · CVE-2025-47273

Summary Link to heading

VariaType is a Linux medium box centered around a typography company's web infrastructure. The attack chain involves three distinct CVEs:

CVE-2025-66034 - fonttools DesignSpace output path traversal → PHP webshell (www-data)
CVE-2024-25082 - FontForge archive filename command injection → SSH as steve (user)
CVE-2025-47273 - setuptools PackageIndex path traversal → SSH as root

Attack Chain Overview Link to heading

#	Stage	Technique	CVE/Tool
1	Recon	Nmap + vhost fuzzing + `.git` dump	-
2	Foothold	DesignSpace filename path traversal	CVE-2025-66034
3	User (steve)	FontForge archive filename cmd injection	CVE-2024-25082
4	Root	setuptools PackageIndex path traversal	CVE-2025-47273

01 - Reconnaissance Link to heading

rustscan -a <TARGET_IP> --ulimit 5000 -b 1500 -- -sV -sC

Port 22 OpenSSH 9.2p1
Port 80 nginx/1.22.1

Virtual Host Discovery Link to heading

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
 -u http://<TARGET_IP> -H "Host: FUZZ.variatype.htb" -fs <default_size>
# → portal.variatype.htb

Git Repository Leak Link to heading

curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master

Dumping the repository reveals hardcoded credentials in commit history:

HTB - Pterodactyl

Sun, 03 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-49132 · CVE-2025-6018 · CVE-2025-6019

Summary Link to heading

Pterodactyl is a Linux machine that chains three critical vulnerabilities for full system compromise. The Pterodactyl Panel (a Laravel-based game server management platform) is hosted on a discovered subdomain. PHP PEAR is enabled with writable config paths, vulnerable to CVE-2025-49132 - unauthenticated RCE. Database credentials extracted from Laravel's .env file reveal a secondary user. Privilege escalation leverages CVE-2025-6018 (PAM environment variable injection) chained with CVE-2025-6019 (UDisks2 XFS filesystem privilege escalation) to achieve root.

HTB - Pirate

Sun, 26 Apr 2026 00:00:00 +0000

Field	Value
Difficulty	Hard
OS	Windows (Active Directory)
Domain	PIRATE.HTB

Summary Link to heading

Pirate is a Hard-rated multi-host Windows Active Directory machine simulating a realistic corporate environment with three domain-joined machines. The attack chains six distinct AD primitives with no CVEs required - every step exploits misconfigurations:

Pre-Windows 2000 Compatible Access (MS01$ machine account auth) → gMSA password extraction via LDAP → Pass-the-Hash over WinRM on DC01 → L3 network pivot via Ligolo-ng to the internal 192.168.100.0/24 subnet → NTLM relay to LDAPS with RBCD to gain WEB01 Administrator → user flag → SPN injection with Constrained Delegation abuse to impersonate Domain Admin on DC01 → root flag.

HTB - PingPong

Sun, 19 Apr 2026 00:00:00 +0000

Difficulty: Insane
OS: Windows
Points: 50
Release: 2026-04-27
Starting Creds: c.roberts / AssumedBreach123

Attack Chain Link to heading

c.roberts (PING.HTB)
 → ESC13 (TemporaryWinRM) → PKINIT TGT + TempWinRMAccess SID → WinRM on DC1
 → Ligolo-ng tunnel → DC2 reachable (192.168.2.2)
 → WriteDACL on gMSA Managers (PONG) → GenericAll → scope flip (Global→Universal→DomainLocal)
 → Add cross-forest FSP → ReadGMSAPassword → Pong_gMSA$ NTLM/AES
 → JEA endpoint on DC1 (restricted) → PSReadLine history → c.carlssen / A()DUJ!@414
 → WinRM on DC2 → user.txt
 → c.carlssen GenericWrite on svc_sql → RBCD (Pong_gMSA$ → svc_sql)
 → S4U2Proxy impersonate c.adam → MSSQL xp_cmdshell → local admin on DC2
 → c.carlssen → Domain Admins (PONG) → DCSync → R.Martinelli
 → R.Martinelli ∈ CA Managers (PING) → ESC4 on SmartcardAuthentication → ESC1
 → cert for Administrator@ping.htb → PKINIT → root.txt on DC1

Recon Link to heading

Classic Windows DC port profile: 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389

HTB - Silentium

Tue, 14 Apr 2026 00:00:00 +0000

1. Port Scan Link to heading

nmap -sV -A -T4 10.129.30.114 -o port_scan

Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-14 15:20 -0400
Nmap scan report for 10.129.30.114
Host is up (0.088s latency).
Not shown: 998 closed tcp ports (reset)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://silentium.htb/

OS details: Linux 5.0 - 5.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH (22) and HTTP (80) are exposed. Add silentium.htb to /etc/hosts.

HTB - Logging

Sun, 12 Apr 2026 00:00:00 +0000

Overview Link to heading

Field	Value
OS	Windows Server 2019
Difficulty	Hard
IP	10.129.X.X
Domain	logging.htb
DC	dc01.logging.htb

Attack Chain: Anonymous SMB → Credentials in Logs → Shadow Credentials (gMSA) → WinRM → DLL Hijack → Domain User Shell → ESC17 (ADCS + WSUS MitM) → SYSTEM

1. Reconnaissance Link to heading

Port Scan Link to heading

rustscan -a 10.129.X.X --ulimit 5000 -- -sV

Key open ports:

HTB - Kobold

Sun, 05 Apr 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu)
CVE	CVE-2026-23744
Tags	`docker` `gshadow` `lfi` `mcp` `mcpjam` `pastebin` `path-traversal` `rce`

Summary Link to heading

Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. Initial access requires exploiting CVE-2026-23744 - an unauthenticated RCE in MCPJam Inspector - by sending a crafted JSON payload to /api/mcp/connect to execute arbitrary commands. Privilege escalation abuses a discrepancy between /etc/gshadow and the running session, allowing the sg command to switch into the docker group and mount the host filesystem inside a container.

HTB - Interpreter

Sun, 29 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Debian 12)
CVEs	CVE-2023-43208 · CVE-2023-37679

Summary Link to heading

Interpreter is a Medium-difficulty Linux machine centred around Mirth Connect 4.4.0, a widely-deployed open-source healthcare integration engine. The attack chain exploits CVE-2023-43208 - an unauthenticated pre-auth RCE via XStream deserialization - to gain an initial shell as the service user. Database credentials extracted from Mirth's config file lead to a PBKDF2-hashed password in the internal MySQL/PostgreSQL database. After cracking the hash offline with hashcat, SSH access is gained as user sedric. A locally-bound Python Flask service (notif.py) running as root exposes an eval() sink vulnerable to SSTI, which is abused to plant a SUID bash binary and achieve full root compromise.

HTB - Garfield

Sun, 22 Mar 2026 00:00:00 +0000

Difficulty: Hard | Platform: Windows Active Directory | Category: Seasonal
Tags: active-directory smb kerberos rbcd rodc golden-ticket keylist mimikatz rubeus

Machine Info Link to heading

Field	Details
Machine Name	Garfield
IP Address	10.129.27.196 (initial) / 10.129.23.120 (reset)
OS	Windows Server 2019 (Domain Controller)
Domain	garfield.htb (GARFIELD.HTB)
Difficulty	Hard
Starting Creds	`j.arbuckle / Th1sD4mnC4t!@1978`

1. Executive Summary Link to heading

Garfield is a Hard-rated Windows Active Directory machine on Hack The Box's seasonal lineup. It simulates a real-world corporate AD environment with multiple chained vulnerabilities spanning SMB misconfigurations, AD ACL abuse, logon script hijacking, RBCD (Resource-Based Constrained Delegation) attacks, Read-Only Domain Controller (RODC) compromise, and a KeyList attack to retrieve the main DC's Administrator hash - ultimately achieving full domain compromise.

HTB - Facts

Sun, 15 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux
Techniques	Mass Assignment · MinIO · ssh2john · facter GTFOBin

Summary Link to heading

Facts is an Easy Linux machine running a Ruby on Rails CMS. The intended foothold is a Mass Assignment vulnerability in the password change endpoint - by appending &password[role]=admin to the intercepted request, a low-privilege user escalates to admin without touching the LFI path. As admin, MinIO S3 credentials are exposed in the General Site filesystem settings. Using the mc client, an SSH private key is pulled from the internal MinIO bucket. The key passphrase is cracked offline with ssh2john + john (rockyou.txt → dragonballz). SSH access lands as trivia, who can run /usr/bin/facter as root via sudo. A malicious Ruby script planted in /tmp/piv and loaded via --custom-dir gives a root shell.

HTB - DevArea

Sun, 08 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Ubuntu 24.04)
Season	10

Summary Link to heading

DevArea is a Medium Linux machine. An anonymous FTP share exposes a Java SOAP service JAR. Decompiling it reveals Apache CXF with XOP/MTOM processing, vulnerable to CVE-2022-46364 - allowing Local File Inclusion via <xop:Include href="file:///..."/> elements. Using this LFI, plaintext HoverFly credentials are extracted from a systemd service file. HoverFly's middleware API then provides unauthenticated RCE. Privilege escalation abuses a world-writable /bin/bash combined with a passwordless sudo rule.

HTB - CCTV

Sun, 01 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu 24.04)
CVE	CVE-2024-51482

Summary Link to heading

CCTV is an Easy Linux machine running ZoneMinder, a CCTV management web application. The attack chain involves exploiting a boolean-based SQL injection vulnerability (CVE-2024-51482) to enumerate the database and dump credentials, then pivoting through an internal Motion/MotionEye camera stack via command injection in the picture_filename parameter to gain a root shell.