Knowledge Centre / Machines

Machine walkthroughs separated by difficulty.

Each machine page is rendered from a local walkthrough and presented as a sanitized narrative: overview, evidence, reproduction notes, and the core operator lessons without raw flags or reusable secrets.

57 Machines
2 Very Easy
29 Easy
7 Medium
5 Hard
2 Insane

Reading model

How the machine notes are structured

1. Context

Start with the objective, difficulty, source workspace, and the safest sanitized summary.

2. Method

Follow the evidence trail and the technique decisions that mattered, without exposing raw secret material.

3. Lesson

End with reusable operator learning: what to notice next time and how to validate the same class of issue.

Very Easy

Very Easy Machines

2 writeups

Machines | 2025-11-15 | partial

Base

Public-source handoff exists in research.md. Live evidence has not been recorded yet in this support folder. 1. Enumerate services. 2. Enumerate web paths and confirm /login/ listing. 3. Recover login.php.swp and inspect PHP login

Machines | 2026-02-07 | complete

HTB Dancing - Full

Host is up, TTL=127 indicates Windows (default TTL 128, minus 1 hop) Quick scan (default scripts + version detection): Results: - 135/tcp - msrpc (Microsoft Windows


Easy

Easy Machines

29 writeups

Machines | 2025-11-12 | partial

Base

Directory listing leak -> .swp source code exposure -> PHP strcmp type juggling auth bypass -> File upload to webshell -> Credential reuse for SSH -> sudo find privesc 1. Directory listing + swap files = source code disclosure 2. PHP strcmp() with loose ==...

Machines | 2025-11-18 | partial

Bike

Only 2 ports. The HTTP service is Node.js with Express -- the box name "Bike" hints at template injection. Found a simple page with an email subscription form: Response reveals Handlebars: Response: We will contact you at: [object Object] -- input is rendered...

Machines | 2025-12-16 | partial

Crocodile

FTP Anonymous Access → Credential Lists → Web Admin Login → Flag 1. Anonymous FTP is a goldmine — Always check for anonymous access and download everything. 2. Positional pairing — When you find parallel user/password lists, pair them by line number. 3....

Machines | 2026-01-07 | complete

Facts

Facts is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-01-10 | partial

Funnel

Result: christine still has the default password and SSH access. Reveals PostgreSQL listening on <TARGET>:5432 (not externally accessible). This forwards local port 15432 through the SSH connection to the target's localhost:5432. Databases found: christine,...

Machines | 2026-02-12 | partial

HTB Three

1. Discovered web app "The Toppers" on port 80 with domain thetoppers.htb 2. Identified S3-compatible service at s3.thetoppers.htb (LocalStack) 3. Listed S3 bucket thetoppers.htb — found it's the web root (contains index.php) 4. Uploaded PHP webshell via AWS...

Machines | 2026-02-18 | partial

Ignition

Result: Only port 80 open, nginx 1.14.2, HTTP title shows redirect to http://ignition.htb/. The web server redirects all requests to ignition.htb. Added to /etc/hosts: Browsing to http://ignition.htb/ reveals a Magento 2 storefront. The standard Magento admin...

Machines | 2026-02-21 | complete

Included

Completed. 1. Run initial recon from the fresh Pwnbox and identify exposed services. 2. Load the matching HTB methodology memory based on the discovered surface. 3. Research the machine name and service pattern as requested, treating outside information as...

Machines | 2026-02-23 | complete

Markup

1. Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows 2. Web login with default creds admin:password 3. Authenticated order form submits XML -- vulnerable to XXE 4. XXE reads Daniel's SSH private

Machines | 2026-03-06 | complete

Markup

Ports 22 (SSH), 80 (HTTP), 443 (HTTPS) open. Apache 2.4.41 Win64, PHP 7.2.28, OpenSSH for Windows 8.1. The root page (/) serves a login form (POST to same page). Default credentials admin:password work — 302 redirect to home.php. The Order page...

Machines | 2026-03-09 | complete

Markup

1. Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows 2. Web login with default creds admin:password 3. Authenticated order form submits XML -- vulnerable to XXE 4. XXE reads Daniel's SSH private

Machines | 2026-03-11 | partial

Mongod

Verified Pwnbox SSH, VPN (<TARGET>), and target reachability: Result: Port 22 (SSH) open. Port 27017 not detected (not in top 1000). Result: Ports 22 (SSH) and 27017 (mongod) open. The nmap mongodb-databases script automatically enumerated all databases...

Machines | 2026-03-14 | complete

MonitorsFour

Status: in progress. Completion state: <secret redacted>. The target exposes HTTP on 80/tcp and WinRM on 5985/tcp. The HTTP app is a custom PHP application at monitorsfour.htb. Baseline enumeration found exposed .env configuration and a token-backed user API...

Machines | 2026-03-16 | partial

Oopsie

Results: Ports 22 (SSH OpenSSH 7.6p1) and 80 (Apache 2.4.29) open. Full port scan confirmed no additional ports. The main page is a "Welcome" page for MegaCorp Automotive. Inspecting the page source and checking known paths revealed a login panel at...

Machines | 2026-03-19 | partial

Pennyworth

Pennyworth is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-04-10 | complete

Reactor

Completion state: <secret redacted> - User flag: not captured - Root flag: not captured 1. Establish Pwnbox SSH execution context and create

Machines | 2026-04-12 | partial

Responder

Windows Easy box exploiting PHP file inclusion to trigger NTLM authentication to an attacker-controlled Responder instance, capturing the Administrator NTLMv2 hash, cracking it, and connecting via WinRM. Attack Chain: LFI/RFI (PHP page= param) -> Responder...

Machines | 2026-04-15 | partial

Sequel

Sequel is an Easy Starting Point machine on HackTheBox running Linux (Debian 10). The only exposed service is MariaDB 10.3.27 on port 3306, accessible as root with no password. The flag is stored in a database table. Result: Single open port -- 3306/tcp...

Machines | 2026-04-18 | complete

Silentium

1. Enumerate ports 22 and 80. 2. Add silentium.htb and staging.silentium.htb. 3. Confirm Flowise 3.0.5 on the staging vhost. 4. Use Flowise account reset/token leak and chatflow prediction RCE to enumerate the

Machines | 2026-04-21 | complete

Silentium

(To be completed) (To be completed) (To be completed) (To be

Machines | 2026-05-07 | partial

Tactics

Target blocks ICMP, so -Pn is required. Result: Ports 135 (MSRPC), 139 (NetBIOS), 445 (SMB) open. Windows Server 2019. Null session denied. Tried Administrator with blank password: <redacted> [+] Tactics\Administrator: (Pwn3d!) -- Full admin access with blank...

Machines | 2026-05-15 | complete

Unified

Completed. 1. Confirm UniFi version and Log4Shell injection point. 2. Use rogue JNDI for command execution. 3. Prefer blind exfiltration and local service access over reverse shell if egress stays

Machines | 2026-05-18 | complete

Unified - HTB Starting Point

The target machine is not currently reachable. It needs to be spawned from the HTB Starting Point interface. All tooling is prepared and ready on Pwnbox. - Shell arrives as unifi user - Get user

Machines | 2026-05-21 | partial

Vaccine - HTB Starting Point

FTP Anonymous -> backup.zip -> crack zip (741852963) -> web app creds (admin:qwerty789) -> SQLi on dashboard search -> RCE as postgres -> SSH key extraction -> sudo vi shell escape -> root 1. Credential chaining: Anonymous FTP -> ZIP password -> MD5 hash ->...

Machines | 2026-06-10 | partial

Walkthrough -- Explosion (<TARGET>)

Open ports: 135 (MSRPC), 139 (NetBIOS), 445 (SMB), 3389 (RDP) Additional ports: 5985 (WinRM), 47001 (WinRM alt), 49664-49671 (RPC high ports) - Guest access works but only reads IPC$ - No custom shares -- only ADMIN$, C$,

Machines | 2026-06-11 | partial

Walkthrough — <TARGET> (Easy / Starting Point)

Linux box running nginx 1.14.2 with a PHP admin login page at /admin.php. Default credentials admin:admin yield the flag immediately. No shell access or privilege escalation required -- this is a single-flag Starting Point machine. Result: Port 80/tcp open...

Machines | 2026-06-12 | partial

Walkthrough: Appointment (HTB Starting Point)

Target: <TARGET> | OS: Linux | Difficulty: Easy | Date: 2026-05-05 Result: Port 80 open (Apache 2.4.38, page title "Login"). Port 8254 filtered (irrelevant). Full port scan confirmed no additional services. Result: Simple login form with username and password...

Machines | 2026-06-14 | partial

WingData

WingData is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator


Medium

Medium Machines

7 writeups

Machines | 2025-12-19 | partial

DevArea - Full

DevArea is a Medium Linux HTB machine featuring a 4-phase attack chain: FTP reconnaissance, Apache CXF SSRF via MTOM (<secret redacted>), Hoverfly middleware RCE, and privilege escalation through a world-writable bash binary. Anonymous FTP login reveals a JAR...

Machines | 2026-01-15 | complete

Helix

Completion state: COMPLETE. The machine was completed against live target IP <TARGET>. Full evidence and loot are in: - <local workspace><TARGET>-Helix/ Successful

Machines | 2026-01-18 | complete

Helix

Completion state: COMPLETE. The live target matched the corrected operator-first route: flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console ->...

Machines | 2026-04-07 | complete

Pterodactyl -- HTB Medium Linux

Pterodactyl -- HTB Medium Linux is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-04-23 | complete

SmartHire

Status: COMPLETE. Raw flags and reusable secrets are stored only in <local workspace><TARGET>-SmartHire/loot/. 1. Recon found only SSH and HTTP. HTTP redirected to smarthire.htb; vhost fuzzing discovered models.smarthire.htb. 2. models.smarthire.htb exposed...

Machines | 2026-05-23 | partial

VariaType

VariaType is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-06-05 | partial

VariaType

VariaType is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator


Hard

Hard Machines

5 writeups

Machines | 2026-01-12 | complete

Garfield Walkthrough - HTB Hard

Garfield Walkthrough - HTB Hard is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-02-10 | complete

HTB Fries — Complete Walkthrough (Hard/Windows)

The provided <email redacted> / D4LE11maan!! credentials worked on pgAdmin (form-encoded POST to /authenticate/login). pgAdmin 9.1.0 is vulnerable to Python eval() injection in the query tool download endpoint. Exploitation flow: 1. Login → get CSRF

Machines | 2026-03-24 | complete

Pirate

Phase A is complete per user-provided handoff. Raw Phase A command artifacts are not yet synced into this local folder, so notes currently distinguish the values as a handoff state. 1. Enumerate DC01 and confirm pirate.htb. 2. Validate starting credential...

Machines | 2026-06-07 | complete

VariaType Walkthrough — <TARGET>

The target is fully compromised from the refreshed Pwnbox at <TARGET>. Raw flags are stored only under loot/. 1. Confirmed 22/tcp SSH and 80/tcp HTTP. The HTTP service redirects to variatype.htb. 2. Added variatype.htb and portal.variatype.htb to Pwnbox hosts...


Insane

Insane Machines

2 writeups

Machines | 2025-12-06 | complete

Cobblestone

Cobblestone is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2025-12-24 | complete

Eloquia

Eloquia is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator


Documented

Documented Machines

12 writeups

Machines | 2025-11-21 | partial

Checkpoint

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

Machines | 2025-11-23 | needs source review

Checkpoint

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

Machines | 2025-12-09 | complete

Connected

The live respawn at <TARGET> still exposed FreePBX <TARGET> on connected.htb, so the previously validated endpoint branch remained the fastest initial access path. I revalidated the exact endpoint route family, reused the <secret redacted> chain to regain...

Machines | 2025-12-11 | complete

Connected

<secret redacted> reached. The live chain was: 1. Enumerate the validated FreePBX <TARGET> admin surface at /admin/. 2. Prove that same-origin browser headers remove the generic AJAX referrer

Machines | 2025-12-14 | complete

Connected

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

Machines | 2025-12-21 | partial

DevHub

Completion state: COMPLETE. DevHub exposed a static nginx site on port 80 and MCPJam Inspector v1.4.2 on port 6274. The MCPJam Inspector /api/mcp/connect endpoint accepted unauthenticated stdio MCP server configs, allowing command execution as mcp-dev. Local...

Machines | 2026-01-21 | complete

Hercules

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets. Target: Hercules IP: <TARGET>...

Machines | 2026-01-23 | complete

Hercules

Hercules is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Machines | 2026-02-15 | partial

HTB: Synced

A standard nmap scan reveals a single open port: The machine name "Synced" is a direct hint toward rsync. With only one port open, the attack surface is clear. Output: One module named public is available with anonymous (no authentication)

Machines | 2026-03-21 | partial

PingPong

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

Machines | 2026-05-10 | complete

TwoMillion

TwoMillion exposed a web app on 2million.htb. The invite workflow allowed account creation, the authenticated API exposed admin and VPN routes, and the admin settings endpoint accepted a JSON request that promoted the current user. The admin VPN generation...

Machines | 2026-05-12 | complete

TwoMillion

TwoMillion is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
