Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 71
Hack The Box — Sea (Linux)
Contact form browser callback abuse, WonderCMS XSS-to-RCE, credential recovery from config hash, SSH pivot, and command injection in an internal analysis feature to read root flag.
Hack The Box - Sightless (Linux)
SQLPad SSTI leads to container root shell, credential cracking yields michael access, browser automation credential theft for Froxlor admin, and command execution via PHP-FPM restart command to root.
Hack The Box - Trickster (Linux)
Initial foothold through PrestaShop CVE-2024-34716, credential extraction from database, pivot to james user, then container escape path via changedetection.io SSTI and reused root password.
Hack The Box — Yummy (Linux)
LFI in iCalendar export, JWT/RSA weakness for admin access, SQLi in admin dashboard, then Mercurial hook abuse and rsync sudo misconfiguration to retrieve root SSH key.
Hack The Box - Axlle (Windows)
Malicious Excel XLL delivery through internal mail yields foothold, phishing-style HTA/URL pivot gives domain user shell, BloodHound abuse of ForceChangePassword enables lateral movement, and StandaloneRunner writable path abuse escalates to Administrator.
Hack The Box — Blazorized (Windows)
JWT key recovery from client DLL, SQL injection to enable xp_cmdshell for foothold, AD abuse chain with WriteSPN and scripted logon path manipulation, then DCSync to Administrator.
Hack The Box — Certified (Windows)
AD attack chain from initial domain creds, WriteOwner/WriteMembers abuse, shadow credentials, certificate abuse (ESC9), and final Administrator hash authentication.
Hack The Box — Cicada (Windows)
Anonymous SMB share discovery, password reuse across domain users, credential pivot to emily.oscars, then Backup Operators abuse with SeBackupPrivilege to read Administrator flag.
Hack The Box — Compiled (Windows)
Abuse of insecure Git clone automation through submodule hook RCE for initial access, credential extraction from Gitea DB, WinRM access as emily, and local privilege escalation via CVE-2024-20656 to SYSTEM.
Hack The Box - Freelancer (Windows)
Web logic flaw leads to admin access, MSSQL xp_cmdshell gives shell, memory dump forensics leaks credentials, and RBCD path from lorra199 yields domain admin hash and final Administrator access.
Hack The Box — Ghost (Windows)
Multi-stage compromise from LDAP injection and Ghost API file read to a container escape path, AD trust key extraction, cross-realm golden ticket forging, and final domain admin access.
Hack The Box - Infiltrator (Windows)
AS-REP roasting and AD ACL abuse chain to m.harris access, lateral move to Output Messenger infrastructure, and extraction of Administrator flag via internal MySQL load_file.