// Writeups

HTB & CTF Walkthroughs

Technical breakdowns of HTB machines and CTF challenges. Active machine writeups are locked until retirement.

5 published · 5 locked
Hard · Linux

Nimbus: HackTheBox Writeup (Linux, Hard)

SSRF through a dual-layer filter bypass leaks EC2 metadata IAM credentials, a PyYAML unsafe-loader RCE via SQS delivers a worker shell inside Docker, and a privileged LocalStack CodeBuild job writes to the overlay upperdir to hijack modprobe and pop root on the host.

2026-06-24 · 🔒 Locked
Medium · Windows

Checkpoint: HackTheBox Writeup (Windows, Medium)

Windows Server 2025 Domain Controller chaining an AD ACL misconfiguration to restore a deleted account, credential reuse to land a malicious VS Code extension, a dMSA BadSuccessor attack to recover a service account hash, and Volatility memory forensics from a VM snapshot to reach Administrator.

2026-06-15 · 🔒 Locked
Medium · Linux · 2 CVEs

DevArea: HackTheBox Writeup (Linux, Medium)

Anonymous FTP drops an Apache CXF JAR: WSDL analysis reveals a SOAP endpoint vulnerable to SSRF/LFI via MTOM (CVE-2022-46364). File read leaks Hoverfly credentials, and CVE-2025-54123 turns the dashboard into RCE.

2026-03-29 · 🔒 Locked
Easy · Linux · 2 CVEs

Kobold: HackTheBox Writeup (Linux, Easy)

Subdomain enumeration reveals MCPJam v1.4.2 vulnerable to unauthenticated RCE via CVE-2026-23744. A base64-encoded reverse shell bypasses filtering, and docker group access lets us mount the host filesystem to read root's flag.

2026-03-27 · 🔒 Locked
Medium · Linux

Browsed: HackTheBox Writeup (Linux, Medium)

A headless Chrome extension testing service enables browser-context SSRF to pivot into internal Gitea and Flask apps. Bash arithmetic expansion injection in a shell script delivers the reverse shell as larry.

2026-03-27 · Read →
Medium · Linux · 1 CVE

Interpreter: HackTheBox Writeup (Linux, Medium)

CVE-2023-43208 gives unauthenticated RCE on Mirth Connect 4.4.0 via Java deserialization. DB credentials lead to a PBKDF2 hash crack for SSH as sedric, then an SSTI in a Flask notif service running as root closes the chain.

2026-03-21 · 🔒 Locked
Medium · Linux · 2 CVEs

VariaType: HackTheBox Writeup (Linux, Medium)

An exposed .git directory leaks hardcoded credentials, two CVEs in font processing libraries chain together for RCE as www-data then steve, and a sudo misconfiguration in setuptools lets you write an SSH key directly to /root/.ssh/authorized_keys.

2026-03-16 · Read →
Easy · Windows

Eighteen: HackTheBox Writeup (Windows, Easy)

MSSQL impersonation pivots to a financial database where PBKDF2 hashes crack to domain credentials, then the BadSuccessor RBCD technique chains through Kerberos to a full DCSync: every NTLM hash in the domain dumped.

2026-03-16 · Read →
Medium · Linux

Mr. Robot CTF: TryHackMe Writeup (Linux, Medium)

TryHackMe Mr. Robot CTF: three flags hidden across a WordPress machine. Covers robots.txt disclosure, WordPress brute-force with a custom wordlist, reverse shell via theme editor, MD5 hash cracking, and root via SUID nmap interactive mode.

2025-11-10 · Read →
Easy · Linux · 2 CVEs

Soulmate: HackTheBox Writeup (Linux, Easy)

CrushFTP authentication bypass via S3 header spoofing gives admin access, a webshell lands a shell as www-data, and hardcoded Erlang SSH credentials pivot to ben: then CVE-2025-32433 takes it to root.

2025-09-09 · Read →