// SYSTEM_INFO — READ BEFORE PROCEEDING

Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.

You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.

Feel free to explore, learn, and hack responsibly.

WRITEUPS: 79

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Code (Linux)

Python code execution filter bypass leads to app shell, SQLite user hash cracking gives martin access, and path sanitization bypass in backy.sh reveals root data and SSH key.

Hack The Box
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Cypher (Linux)

Neo4j Cypher injection leads to auth bypass and data exfiltration, a vulnerable custom APOC function gives command injection, and privileged BBOT module loading yields root.

Hack The Box
MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — Scepter (Windows)

NFS certificate discovery and ADCS abuse chain from d.baker to h.brown, ACL and altSecurityIdentities mapping to compromise p.adams, then DCSync to Administrator.

Hack The Box
MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Dog (Linux)

Exposed Backdrop CMS source reveals credentials, module upload abuse gives web RCE, and sudo access to `bee` allows direct PHP command execution to root.

Hack The Box
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Cat (Linux)

Stored XSS steals admin session, SQLite injection writes web shell, credential reuse and log leakage pivot to axel, then Gitea XSS-driven repo theft reveals root credentials.

Hack The Box
MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — Haze (Windows)

A Splunk path traversal leaks secrets and LDAP bind credentials, enabling AD pivoting through reused passwords and gMSA abuse, then shadow credentials and Splunk admin RCE lead to SYSTEM and Administrator compromise.

Hack The Box
MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Titanic (Linux)

LFI in ticket download leaks Gitea data, password recovery gives SSH as developer, and ImageMagick delegate injection in a root-run script yields root shell.

Hack The Box
MACHINE WINDOWS
DIFFICULTY: INSANE

Hack The Box - Infiltrator (Windows)

AS-REP roasting and AD ACL abuse chain to m.harris access, lateral move to Output Messenger infrastructure, and extraction of Administrator flag via internal MySQL load_file.

Hack The Box
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Backfire (Linux)

Exposed Havoc config leaks operator creds, SSRF-to-RCE lands shell as ilya, HardHatC2 auth bypass gives command execution as sergej, and sudo iptables abuse writes root authorized_keys.

Hack The Box
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Checker (Linux)

TeamPass credential disclosure and BookStack blind SSRF/LFR expose SSH MFA secret, then a vulnerable root sudo binary is reversed and exploited through shared-memory tampering to command injection and root shell.

Hack The Box
MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — EscapeTwo (Windows)

Starting with provided low-priv credentials, SMB and MSSQL enumeration yields credential reuse, WriteOwner over a CA account enables AD object abuse, and ESC4 template abuse leads to Administrator certificate authentication.

Hack The Box
MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Heal (Linux)

LFI in resume download exposes internal Rails artifacts and credentials, admin access to LimeSurvey enables plugin-based RCE, and internal Consul exploitation through chisel pivot yields root.

Hack The Box