// SYSTEM_INFO — READ BEFORE PROCEEDING
Welcome to m4rthacks — a personal archive of CTF writeups, hacking notes, tools, and tips & tricks.
You'll find detailed walkthroughs of Capture The Flag challenges across categories like web exploitation, binary exploitation, cryptography, reverse engineering, forensics, and OSINT. Each writeup breaks down the thought process, the tools used, and the steps taken to get the flag.
Feel free to explore, learn, and hack responsibly.
WRITEUPS: 71
Hack The Box — Fluffy (Windows)
Initial domain foothold from provided credentials, credential capture via CVE-2025-24071 lure, Shadow Credentials on service accounts, and final ADCS abuse to authenticate as Administrator.
Hack The Box — Haze (Windows)
A Splunk path traversal leaks secrets and LDAP bind credentials, enabling AD pivoting through reused passwords and gMSA abuse, then shadow credentials and Splunk admin RCE lead to SYSTEM and Administrator compromise.
Hack The Box — Mirage (Windows)
NFS report leakage enables NATS credential theft via DNS spoofing, AD compromise chains through Kerberoasting and delegated rights abuse, ending in ESC10 + RBCD to dump Administrator hash and full domain takeover.
Hack The Box — Puppy (Windows)
AD graph abuse from provided credentials to access DEV share and KeePass secrets, multi-user password control pivots, and DPAPI credential decryption to reach steph.cooper_adm and root.
Hack The Box — RustyKey (Windows)
Timeroast-based machine-account foothold, Helpdesk abuse and COM hijacking to pivot into delegation rights, then RBCD to impersonate backupadmin and reach Administrator.
Hack The Box — Scepter (Windows)
NFS certificate discovery and ADCS abuse chain from d.baker to h.brown, ACL and altSecurityIdentities mapping to compromise p.adams, then DCSync to Administrator.
Hack The Box — Signed (Windows)
MSSQL pivot from low-priv credentials, NTLM hash capture/cracking, Kerberos ticket forging for SQL privilege escalation, and NTLM reflection to WinRMS SYSTEM.
Hack The Box — TheFrizz (Windows)
Gibbon v25.0.00 unauthenticated RCE gives web access, database hash cracking leads to domain credentials, Kerberos SSH access exposes recoverable artifacts, and GPO abuse grants local admin rights for full compromise.
Hack The Box — TombWatcher (Windows)
Kerberoasting and delegated AD abuse to pivot across users, tombstone reanimation to recover cert_admin, then ESC15 certificate abuse to gain Domain Admin and root.
Hack The Box — Vintage (Windows)
Complex AD chain using machine account abuse, gMSA password extraction, group membership abuse, AS-REP roasting, DPAPI credential decryption, constrained delegation abuse, and DCSync to domain compromise.
Hack The Box — Voleur (Windows)
Kerberos-first Active Directory compromise from provided credentials, multi-user pivots with DPAPI credential extraction, Linux backup abuse, and final Administrator access.