// SYSTEM_INFO — READ BEFORE PROCEEDING
Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 79
Hack The Box — Pterodactyl (Linux)
Pterodactyl Panel LFI to config read, PEAR argument injection to RCE, MySQL hash cracking for SSH, and chained udisksd escalation via PAM CVE to root.
Hack The Box — Overwatch (Windows)
SMB share recon and .NET decompilation reveal MSSQL credentials, a linked server spoof with DNS + Responder leaks new creds, WinRM access exposes an internal SOAP service, and a KillProcess command injection yields SYSTEM.
Hack The Box — Sorcery (Linux)
Cypher injection in a Next.js shop leaks credentials, XSS + WebAuthn abuse yields an admin token, Kafka RCE via debug leads to a container foothold, and a multi-stage LDAP/FreeIPA path ends in root.
Hack The Box — AirTouch (Linux)
SNMP leaks initial credentials, pivot through PSK Wi-Fi and router web upload RCE, certificate theft enables WPA2-Enterprise evil twin credential capture, and chained lateral movement reaches final root access.
Hack The Box — Eighteen (Windows)
MSSQL impersonation and hash capture lead to web/admin and WinRM access, then BadSuccessor abuse with dMSA enables DCSync-style extraction of Administrator credentials.
Hack The Box — DarkZero (Windows)
Initial AD foothold with provided credentials, MSSQL linked-server pivot to darkzero.ext, AD CS abuse and local privilege escalation to SYSTEM on DC02, then cross-forest unconstrained delegation abuse to compromise DC01 and obtain root.
Hack The Box — Browsed (Linux)
Malicious Chrome extension recon reveals an internal Gitea host, argument injection in a local routine runner yields RCE as larry, and Python bytecode injection in a sudo-allowed extension tool leads to root.
Hack The Box — Gavel (Linux)
SQL injection in inventory.php to recover credentials, admin rule RCE, then privilege escalation via gavel-util and PHP config abuse to root.
Hack The Box — Expressway (Linux)
IKE/IPsec enumeration reveals a valid group ID and PSK, cracking gives SSH access as ike, and sudo CVE-2025-32463 leads to root.
Hack The Box — Guardian (Linux)
IDOR in student chats reveals Gitea credentials, XLSX sheet-name XSS steals a lecturer session, notice-link admin browsing enables PHP filter-chain RCE, then hash cracking and sudo abuse lead to root.
Hack The Box — GiveBack (Linux)
WordPress (GiveWP) RCE, pivot in a Kubernetes environment, secret extraction, SSH access as babywyrm, and root via runc CVE-2024-21626 through /opt/debug.
Hack The Box — Soulmate (Linux)
CrushFTP authentication bypass gives admin panel control, uploaded PHP web shell yields www-data, local credential discovery gives ben, and Erlang SSH CVE-2025-32433 leads to root.