4g3nt47

Zipping - HackTheBox

Zipping is a nice medium Linux box on HackTheBox. It starts with exploiting a discrepancy in how gz (CLI) and ZipArchive (PHP) work to fool the web app into extracting a ZIP file containing a PHP ...

Topology - HackTheBox

Topology is an easy Linux machine on HackTheBox. It starts with exploiting a custom LaTeX parser to get LFI and leak creds to get a foothold on the box. Root involves exploiting gnuplot. Info ...

Sau - HackTheBox

Sau is probably the shortest box ever released on HackTheBox. Foothold involves exploiting Request Baskets to access a hidden instance of Maltrail, which is vulnerable to RCE. Privesc is through th...

Sandworm - HackTheBox

Sandworm is a nice medium Linux box on HackTheBox. It starts with exploiting an SSTI vulnerability in a custom web app that does some PGP operations using user input. Once inside, you’ll need to br...

Pilgrimage - HackTheBox

Pilgrimage is an easy Linux machine on HackTheBox. It starts with exploiting a CVE in ImageMagick to leak a local SQLite database. Privesc to root is through a binwalk exploit. Info ...

Keeper - HackTheBox

Keeper is an easy Linux machine on HackTheBox. It starts with exploiting an administrative feature on a Best Practical RT instance that was using default creds to add a custom event handler that runs ...

Jupiter - HackTheBox

Jupiter is a very nice medium Linux box on HackTheBox. It starts with exploiting an instance of Grafana that’s making an API call containing full SQL queries, which are executed without validation....

Gofer - HackTheBox

Gofer is a very nice, hard box on HackTheBox. It starts with a verb tampering attack on a custom proxy to bypass access control, then a phishing attack on a local user using a LibreOffice macro. Priv...

PC - HackTheBox

PC is an easy Linux machine on HackTheBox. It starts with exploiting an SQL injection vulnerability on an open RPC service to dump a user password. Once inside, you will have access to a local inst...

Format - HackTheBox

Format is a nice medium Linux machine on HackTheBox. It features a custom web application for creating blogs that is vulnerable to arbitrary read and write, which is easy to detect as the full appl...