
// SYSTEM_INFO — READ BEFORE PROCEEDING

Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.

You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.

Feel free to explore, learn, and hack responsibly.

WRITEUPS: 71

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Nocturnal (Linux)

Insecure file access in view.php leaks internal document credentials, admin backup functionality exposes source and DB hashes, then ISPConfig CVE-2023-46818 leads to root.

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Outbound (Linux)

Roundcube RCE (CVE-2025-49113) gives container access, decrypted IMAP credentials lead to SSH as jacob, and log-file symlink abuse in below (CVE-2025-27591) enables root by modifying /etc/passwd.

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Planning (Linux)

Grafana CVE-2024-9264 exploitation for container foothold, credential recovery from Grafana and cron artifacts, and root compromise via exposed cron management interface.

MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Previous (Linux)

Next.js middleware authorization bypass and path traversal lead to credential disclosure, then Terraform provider override abuse yields root via malicious plugin execution.

MACHINE LINUX
DIFFICULTY: MEDIUM

Hack The Box — Soulmate (Linux)

CrushFTP authentication bypass gives admin panel control, uploaded PHP web shell yields www-data, local credential discovery gives ben, and Erlang SSH CVE-2025-32433 leads to root.

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — Titanic (Linux)

LFI in ticket download leaks Gitea data, password recovery gives SSH as developer, and ImageMagick delegate injection in a root-run script yields root shell.

MACHINE LINUX
DIFFICULTY: EASY

Hack The Box — UnderPass (Linux)

SNMP enumeration exposes a daloRADIUS deployment, default/operator credentials lead to svcMosh, and mosh-server sudo rights are abused to get root.

MACHINE LINUX
DIFFICULTY: INSANE

Hack The Box — WhiteRabbit (Linux)

Uptime Kuma and exposed workflow intelligence lead to signed webhook SQLi, credential extraction from restic artifacts, SSH pivots through bob and morpheus, and deterministic password generation abuse to root via neo.

MACHINE WINDOWS
DIFFICULTY: MEDIUM

Hack The Box — Administrator (Windows)

AD privilege chain from Olivia through delegated password resets, Password Safe credential recovery from FTP backup, targeted kerberoasting of ethan, and DCSync to administrator hash for final access.

MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — Certificate (Windows)

Bypass file-upload filtering with a concatenated ZIP polyglot to gain PHP RCE, extract webapp credentials and crack domain user hashes, then abuse ADCS ESC3 to impersonate DC01$ and compromise Administrator.

MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — DarkCorp (Windows)

Roundcube XSS and dashboard SQL injection expose internal secrets, PostgreSQL command execution provides container foothold and AD pivoting, relay and AD CS abuse compromise WEB-01, and GPO abuse from delegated admin rights leads to domain administrator access.

MACHINE WINDOWS
DIFFICULTY: HARD

Hack The Box — EscapeTwo (Windows)

Starting with provided low-priv credentials, SMB and MSSQL enumeration yields credential reuse, WriteOwner over a CA account enables AD object abuse, and ESC4 template abuse leads to Administrator certificate authentication.
