// SYSTEM_INFO — READ BEFORE PROCEEDING
Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 79
Hack The Box — Signed (Windows)
MSSQL pivot from low-priv credentials, NTLM hash capture/cracking, Kerberos ticket forging for SQL privilege escalation, and NTLM reflection to WinRMS SYSTEM.
Hack The Box — CodeTwo (Linux)
js2py sandbox escape (CVE-2024-28397) gives initial shell, SQLite hash extraction yields SSH credentials, and npbackup-cli raw restic abuse discloses root data and SSH key.
Hack The Box — Imagery (Linux)
Stored XSS steals an admin session, path traversal exposes source and hashes, command injection grants web shell, and charcol abuse leads to root.
Hack The Box — HackNet (Linux)
Django SSTI leaks user credentials, SSH access is obtained as mikey, file-based Django cache poisoning leads to sandy, and cracked GPG backup secrets lead to root.
Hack The Box — Previous (Linux)
Next.js middleware authorization bypass and path traversal lead to credential disclosure, then Terraform provider override abuse yields root via malicious plugin execution.
Hack The Box — WhiteRabbit (Linux)
Uptime Kuma and exposed workflow intelligence lead to signed webhook SQLi, credential extraction from restic artifacts, SSH pivots through bob and morpheus, and deterministic password generation abuse to root via neo.
Hack The Box — Editor (Linux)
XWiki exploitation via CVE-2025-24893 grants initial access, credential reuse gives SSH as oliver, then Netdata ndsudo abuse (CVE-2024-32019) leads to root.
Hack The Box — Era (Linux)
IDOR-based file harvesting exposes backups and credentials, admin account takeover enables PHP ssh2 wrapper RCE, then signed ELF replacement in AV monitor cron path gives root.
Hack The Box — Mirage (Windows)
NFS report leakage enables NATS credential theft via DNS spoofing, AD compromise chains through Kerberoasting and delegated rights abuse, ending in ESC10 + RBCD to dump Administrator hash and full domain takeover.
Hack The Box — Outbound (Linux)
Roundcube RCE (CVE-2025-49113) gives container access, decrypted IMAP credentials lead to SSH as jacob, and log-file symlink abuse in the below monitoring tool (CVE-2025-27591) enables root by modifying /etc/passwd.
Hack The Box — RustyKey (Windows)
Timeroast-based machine-account foothold, Helpdesk abuse and COM hijacking to pivot into delegation rights, then RBCD to impersonate backupadmin and reach Administrator.
Hack The Box — Voleur (Windows)
Kerberos-first Active Directory compromise from provided credentials, multi-user pivots with DPAPI credential extraction, Linux backup abuse, and final Administrator access.