// SYSTEM_INFO — READ BEFORE PROCEEDING
Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 87
Hack The Box — Previous (Linux)
Next.js middleware authorization bypass and path traversal lead to credential disclosure, then Terraform provider override abuse yields root via malicious plugin execution.
Hack The Box — WhiteRabbit (Linux)
Uptime Kuma and exposed workflow intelligence lead to signed webhook SQLi, credential extraction from restic artifacts, SSH pivots through bob and morpheus, and deterministic password generation abuse to root via neo.
Hack The Box — Editor (Linux)
XWiki exploitation via CVE-2025-24893 grants initial access, credential reuse gives SSH as oliver, then Netdata ndsudo abuse (CVE-2024-32019) leads to root.
Hack The Box — Era (Linux)
IDOR-based file harvesting exposes backups and credentials, admin account takeover enables PHP ssh2 wrapper RCE, then signed ELF replacement in AV monitor cron path gives root.
Hack The Box — Mirage (Windows)
NFS report leakage enables NATS credential theft via DNS spoofing, AD compromise chains through Kerberoasting and delegated rights abuse, ending in ESC10 + RBCD to dump Administrator hash and full domain takeover.
Hack The Box — Outbound (Linux)
Roundcube RCE (CVE-2025-49113) gives container access, decrypted IMAP credentials lead to SSH as jacob, and log-file symlink abuse in the below utility (CVE-2025-27591) enables root by modifying /etc/passwd.
Hack The Box — RustyKey (Windows)
Timeroast-based machine-account foothold, Helpdesk abuse and COM hijacking to pivot into delegation rights, then RBCD to impersonate backupadmin and reach Administrator.
Hack The Box — Voleur (Windows)
Kerberos-first Active Directory compromise from provided credentials, multi-user pivots with DPAPI credential extraction, Linux backup abuse, and final Administrator access.
Hack The Box — Artificial (Linux)
TensorFlow model upload RCE for initial foothold, SQLite credential extraction and cracking to SSH as gael, then Backrest hook command execution to root.
Hack The Box — DarkCorp (Windows)
Roundcube XSS and dashboard SQL injection expose internal secrets, PostgreSQL command execution provides container foothold and AD pivoting, relay and AD CS abuse compromise WEB-01, and GPO abuse from delegated admin rights leads to domain administrator access.
Hack The Box — TombWatcher (Windows)
Kerberoasting and delegated AD abuse to pivot across users, tombstone reanimation to recover cert_admin, then ESC15 certificate abuse to gain Domain Admin and root.
Hack The Box — Certificate (Windows)
Bypass file-upload filtering with concatenated ZIP polyglot to gain PHP RCE, extract webapp credentials and crack domain user hashes, then abuse AD CS ESC3 to impersonate DC01$ and compromise Administrator.