Write-up of the HTB OutBound machine: exploit Roundcube 1.6.10 (CVE-2025-49112) for RCE and gain www-data in Docker. Priv-esc via password reuse, DB creds, and decrypting stored data to access Jacob and SSH. Final root via abusing sudo-allowed below by symlinking its log to /etc/group to add user to sudo.

RustyKey is an assumed-breach AD box using Kerberos. Timeroast cracked IT-COMPUTER3 computer account, added to Helpdesk, removed groups from Protected Objects to reset BB.MORGAN and EE.REED passwords. Gained WinRM and RunasCs shells, abused writable 7-Zip registry DLL paths to escalate to MM.TURNER, then performed RBCD to impersonate DC and get Admin.

Voleur is a medium Windows box simulating an assumed-breach with low-priv user creds. Crack an encrypted Excel to get creds, use WinRM via password-spraying and DACL abuse, restore an AD user from Recycle Bin, decrypt DPAPI to extract an SSH key for WSL, access mounted `C:\` as root to dump NTDS backups and parse NTDS to obtain a Domain Administrator shell.

Writeup for HTB’s Artificial machine, covering enumeration, exploiting a TensorFlow deserialization flaw for initial RCE, cracking weak MD5 hashes to pivot to user gael, abusing Backrest backups via bcrypt credential cracking and port forwarding, then restoring snapshots to retrieve root’s SSH key for full compromise.

A full writeup of the HTB TombWatcher machine, covering a multi-stage AD privilege-escalation path. Starting from user access, it chains WriteSPN abuse, GMSA password extraction, shadow credentials, OU control, tombstone restoration, and finally an ESC15 ADCS exploit to forge an Administrator certificate and gain system compromise.

I passed the Hack The Box Certified Penetration Testing Specialist (CPTS) exam, a 10-day, VPN-based real-world pentest covering AD, web, pivoting, and privilege escalation. The lab was stable, realistic, and required a professional report. Prep with HTB Academy, retired machines, IppSec videos, and careful methodology made success possible.

Walkthrough of the HTB Puppy machine: starting with levi.james, the tester abuses HR’s GenericWrite to join DEVELOPERS, accesses a DEV SMB share, cracks a KeePass DB, and sprays creds to gain ant.edwards. Using SENIOR DEVS’ GenericAll, they activate adam.silver, find backups revealing steph.cooper creds, decrypt DPAPI data, and escalate to admin.