// SYSTEM_INFO — READ BEFORE PROCEEDING
Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 73
Hack The Box — Cat (Linux)
Stored XSS steals admin session, SQLite injection writes web shell, credential reuse and log leakage pivot to axel, then Gitea XSS-driven repo theft reveals root credentials.
Hack The Box — BigBang (Linux)
BuddyForms insecure deserialization and filter-chain tricks leak WordPress secrets, CNEXT exploitation gives container RCE, credential reuse and Grafana DB cracking lead to developer, and command injection in the satellite API yields root.
Hack The Box — Backfire (Linux)
Exposed Havoc config leaks operator creds, SSRF-to-RCE lands shell as ilya, HardHatC2 auth bypass gives command execution as sergej, and sudo iptables abuse writes root authorized_keys.
Hack The Box — EscapeTwo (Windows)
Starting with provided low-priv credentials, SMB and MSSQL enumeration yields credential reuse, WriteOwner over a CA account enables AD object abuse, and ESC4 template abuse leads to Administrator certificate authentication.
Hack The Box — Heal (Linux)
LFI in resume download exposes internal Rails artifacts and credentials, admin access to LimeSurvey enables plugin-based RCE, and internal Consul exploitation through chisel pivot yields root.
Hack The Box — UnderPass (Linux)
SNMP enumeration exposes a daloRADIUS deployment, default/operator credentials lead to svcMosh, and mosh-server sudo rights are abused to get root.
Hack The Box — LinkVortex (Linux)
Ghost admin credential leak through exposed Git repository, arbitrary file read in Ghost 5.58.0, SSH access as bob, and root via sudo environment variable injection in clean_symlink.sh.
Hack The Box — Vintage (Windows)
Complex AD chain using machine account abuse, gMSA password extraction, group membership abuse, AS-REP roasting, DPAPI credential decryption, constrained delegation abuse, and DCSync to domain compromise.
Hack The Box — Alert (Linux)
Contact form SSRF/XSS chain to exfiltrate internal messages and LFI data, credential recovery from .htpasswd, SSH as albert, and root command execution through writable website-monitor config.
Hack The Box — BlockBlock (Linux)
Admin JWT theft via reported XSS, Ethereum JSON-RPC data extraction for credentials, local escalation from keira to paul through forge misuse, and root via pacman hook abuse.
Hack The Box — Administrator (Windows)
AD privilege chain from Olivia through delegated password resets, Password Safe credential recovery from FTP backup, targeted kerberoasting of ethan, and DCSync to administrator hash for final access.
Hack The Box — Certified (Windows)
AD attack chain from initial domain creds, WriteOwner/WriteMembers abuse, shadow credentials, certificate abuse (ESC9), and final Administrator hash authentication.