This Hack-The-Box Editor write-up details exploiting an unauthenticated XWiki RCE (CVE-2025-24893) to gain an xwiki shell. Plaintext credentials found in config files allow pivoting to the oliver user, while final root access is achieved by abusing Netdata’s SUID ndsudo binary (CVE-2024-32019) through PATH hijacking.
HTB Era exposes FTP and HTTP. VHOST enumeration reveals file.era.htb with a vulnerable file manager. An IDOR leaks a full backup, SQLite DB, and OpenSSL keys. Cracked creds and an unsafe admin-only PHP wrapper enable RCE. Abusing security questions grants admin, and a signed cron-executed binary leads to root access.
Write-up of the HTB OutBound machine: exploit Roundcube 1.6.10 (CVE-2025-49112) for RCE and gain www-data in Docker. Priv-esc via password reuse, DB creds, and decrypting stored data to access Jacob and SSH. Final root via abusing sudo-allowed below by symlinking its log to /etc/group to add user to sudo.
An assumed-breach AD box using Kerberos. Timeroast cracked IT-COMPUTER3 computer account, added to Helpdesk, removed groups from Protected Objects to reset BB.MORGAN and EE.REED passwords. Gained WinRM and RunasCs shells, abused writable 7-Zip registry DLL paths to escalate to MM.TURNER, then performed RBCD to impersonate DC and get Admin.
Voleur is a medium Windows box simulating an assumed-breach with low-priv user creds. Crack an encrypted Excel to get creds, use WinRM via password-spraying and DACL abuse, restore an AD user from Recycle Bin, decrypt DPAPI to extract an SSH key for WSL, access mounted `C:\` as root to dump NTDS backups and parse NTDS to obtain a Domain Administrator shell.
Writeup for HTB’s Artificial machine, covering enumeration, exploiting a TensorFlow deserialization flaw for initial RCE, cracking weak MD5 hashes to pivot to user gael, abusing Backrest backups via bcrypt credential cracking and port forwarding, then restoring snapshots to retrieve root’s SSH key for full compromise.
A full writeup of the HTB TombWatcher machine, covering a multi-stage AD privilege-escalation path. Starting from user access, it chains WriteSPN abuse, GMSA password extraction, shadow credentials, OU control, tombstone restoration, and finally an ESC15 ADCS exploit to forge an Administrator certificate and gain system compromise.