## https://sploitus.com/exploit?id=D76A21BF-6752-5EA7-9A28-57E690095E03
# HackTheBox: Writeups, Tooling & Exploitation Pipelines
A working archive of my HackTheBox machines and challenges: full recon
output, custom exploit scripts, privilege-escalation notes, cred matrices
and writeups. Everything is here **except the flags**, which are redacted
by policy (see below).
> Built and operated under an authorized red-team / CTF context. The
> material is published for educational and portfolio purposes.
---
## ⚠️ Read this first: flags & HackTheBox Terms of Service
- **No flags.** Every `flags/` directory is git-ignored, and the flag
values that were embedded in `state.json`, writeups and cred matrices
have been replaced in-tree with the token `REDACTED_FLAG`. The git
history was started fresh so no flag ever lived in a prior commit.
- **MD5/NTLM hashes you see are NOT flags.** Hashes in `nmap/*.xml`
(`` service fingerprints) and in cred matrices are
legitimate recon/credential artifacts and were intentionally kept.
- **Active machines.** Some boxes here belong to **Season 11**
(DevHub, Reactor) and may still be active. Publishing writeups for an
active machine can violate HTB's Terms of Service. Consume accordingly.
- **Third-party tools are not re-hosted.** Public exploit repos used
during these engagements are referenced by URL in each machine's
`EXPLOITS.md`, never vendored here.
---
## Machines
| Machine | OS | Difficulty | Owned | Primary vector |
|---|---|---|---|---|
| [Barrier](machines/Barrier) | Linux | Medium | user + root | CVE-2024-45409 SAML signature bypass → Guacamole credential chain |
| [Bruno](machines/Bruno) | Windows (DC) | Medium | user | AD: AS-REP roast + Kerberos relay (KrbRelay); root WIP |
| [Fries](machines/Fries) | Windows | Hard | assumed-breach | AD siege, external vectors documented (paused) |
| [Gavel](machines/Gavel) | Linux | Medium | user + root | `runkit` PHP code injection → sandbox escape *(retired)* |
| [Giveback](machines/Giveback) | Linux | Medium | user + root | WordPress GiveWP CVE-2024-5932 object injection → k8s SA chain *(retired)* |
| [Helix](machines/Helix) | Linux | Medium | user | Apache NiFi RCE (ExecuteProcess + provenance API) |
| [Logging](machines/Logging) | Windows | Medium | in progress | WSUS abuse (pywsus) |
| [SmartHire](machines/SmartHire) | Linux | - | user + root | CVE-2024-37054 MLflow RCE (`models.smarthire.htb`) |
| [DevHub](seasons/season11/DevHub) | Linux | Medium | user + root | CVE-2026-23744 → OPSMCP privesc *(Season 11)* |
| [Reactor](seasons/season11/Reactor) | Linux | Easy | user + root | Next.js CVE-2026-44578 / CVE-2025-55182 *(Season 11)* |
## Challenges
None published yet; see [`challenges/`](challenges) for the layout this
repo will use as challenge writeups land.

---
## Repository layout
```
HackTheBox/
├── machines/              # standalone & lab machines
│   └── /
│       ├── nmap/          # port/service scans (xml/gnmap/nmap)
│       ├── recon/         # ffuf, crawling, enumeration output
│       ├── loot/          # state.json, cred matrices, recon json (flags redacted)
│       ├── exploits/      # MY scripts; third parties referenced in EXPLOITS.md
│       ├── notes/         # writeups & privesc notes
│       └── webs/          # captured pages / web enumeration
├── seasons/
│   └── season11/          # season machines (DevHub, Reactor)
└── challenges/            # category writeups (placeholder for now)
```
## What is *not* in this repo
- `flags/` directories and every flag value (HTB ToS).
- SSH **private** keys (foothold keys); public `.pub` keys are kept.
- Third-party exploit clones (`krbrelayx`, `KrbRelay`, `pywsus`,
`CVE-2024-45409`, `CVE-2026-44578`, `CVE-2025-55182`, GiveWP PoC);
each machine's `EXPLOITS.md` has the upstream URL to reconstruct them.
- Machine-sourced material that is not mine: Gavel's leaked web-app
source tree, Fries' internal git repo (its remote URL leaked creds).
- Python `.venv/`, caches, heavy media (`*.mp4`, `*.pcap`).
## License / use
Educational and portfolio use. The exploit code targets the specific
HackTheBox machines named above; do not point it at systems you are not
explicitly authorized to test.