> m4rt@CTF_ARCHIVE:~$

// SYSTEM_INFO — READ BEFORE PROCEEDING

Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.

You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.

Feel free to explore, learn, and hack responsibly.

WRITEUPS: 87

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — WingData (Linux)

CVE-2025-47812 in Wing FTP Server v7.4.3 allows to get a reverse shell as wingftp. Some user data are contained in XML files and we can crack the password of user wacky and login via SSH. User wacky can run a Python script with sudo privileges. The script uses the tar package and `tar.extractall()`. CVE-2025-4517 allows to modify existing files, so we can modify /etc/passwd to add a root user.

Hack The Box [READ MORE →]
MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — NanoCorp (Windows)

A File Explorer vulnerability (CVE-2025-24071) allows to steal the credentials of a user. That user can change the password of another user which has shell access on the machine. Finally we can exploit a vulnerability in Checkmk (CVE-2024-0670) to get a reverse shell as nt authority/system.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — VariaType (Linux)

Fonttools file write via CVE-2025-66034 exposes portal credentials, FontForge archive handling yields RCE as steve, and a setuptools path traversal in a sudo-allowed validator script leads to root.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Facts (Linux)

A CMS role escalation exposes S3 credentials, a protected SSH key gets cracked, and a sudo-allowed Facter invocation leads to root.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Interpreter (Linux)

A vulnerable bash routine runner turns a path-controlled argument into RCE, leading to a reverse shell and full root compromise.

Hack The Box [READ MORE →]
MACHINE WINDOWS
DIFFICULTY: EASY

Hack The Box - MonitorsFour (Windows)

Type juggling bypasses API token checks, exposed credentials and Cacti username enumeration lead to authenticated RCE, and a Docker Desktop API exposure provides a host filesystem escape to the Windows root flag.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Pterodactyl (Linux)

Pterodactyl Panel LFI to config read, PEAR argument injection to RCE, MySQL hash cracking for SSH, and chained udisksd escalation via PAM CVE to root.

Hack The Box [READ MORE →]
CHALLENGE PWN
DIFFICULTY: EASY

Hack The Box — Bad Grades (pwn)

Exploit a double-based buffer overflow to bypass a stack canary by taking advantage of scanf reading '-' without storing it, then build a ROP chain to get a shell using the provided libc.

Hack The Box [READ MORE →]
CHALLENGE PWN
DIFFICULTY: MEDIUM

Hack The Box — Pixel Audio (pwn)

Format string vulnerability exploitation to overwrite two stack variables with desired values by identifying their stack offsets and using the %n format specifier.

Hack The Box [READ MORE →]
MACHINE WINDOWS
DIFFICULTY: MEDIUM

Hack The Box — Overwatch (Windows)

SMB share recon and .NET decompilation reveal MSSQL credentials, a linked server spoof with DNS + Responder leaks new creds, WinRM access exposes an internal SOAP service, and a KillProcess command injection yields SYSTEM.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: INSANE

Hack The Box — Sorcery (Linux)

Cypher injection in a Next.js shop leaks credentials, XSS + WebAuthn abuse yields an admin token, Kafka RCE via debug leads to a container foothold, and a multi-stage LDAP/FreeIPA path ends in root.

Hack The Box [READ MORE →]
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — AirTouch (Linux)

SNMP leaks initial credentials, pivot through PSK Wi-Fi and router web upload RCE, certificate theft enables WPA2-Enterprise evil twin credential capture, and chained lateral movement reaches final root access.

Hack The Box [READ MORE →]