// Security Research & HTB Writeups
FIELD NOTES
Technical writeups from HackTheBox machines, bug bounty research, and security engineering. No fluff — just methodology, findings, and lessons.
22
Writeups
2
Platforms
PRO HACKER
HTB Rank
FILTER:
May 15 2026 EASY LINUX
Reset
Abuse of password reset token predictability and file write to gain foothold, service exploitation for root
Password ResetToken AbuseLinux
May 12 2026 EASY LINUX
Expressway
IKEv1 aggressive mode PSK cracking via ike-scan then sudo CVE-2025-32463 for root
CVE-2025-32463
VPNIKEsudo
May 08 2026 EASY LINUX
Editor
XWiki SSTI via CVE-2025-24893 for foothold, ndsudo PATH hijack for privilege escalation
CVE-2025-24893
SSTIXWikiPATH Hijack
May 04 2026 EASY LINUX
Dog
Backdrop CMS unauthenticated code exec via bee eval module, git credential leak for root
CMSRCEGit
Apr 30 2026 EASY LINUX
LinkVortex
Ghost CMS arbitrary file read via CVE-2023-40028, symlink TOCTOU race for credential access
CVE-2023-40028
Ghost CMSTOCTOULFI
Apr 26 2026 EASY LINUX
BoardLight
Dolibarr ERP CVE-2023-30253 PHP injection for foothold, Enlightenment SUID binary for root
CVE-2023-30253
CVESUIDPHP Injection
Apr 06 2026 EASY LINUX
Broker
Apache ActiveMQ CVE-2023-46604 ClassInfo deserialization RCE, sudo nginx GTFO for root
CVE-2023-46604
ActiveMQDeserializationRCE
Apr 02 2026 EASY LINUX
CozyHosting
Spring Boot Actuator exposes active sessions, command injection via SSH username field, postgres credential dump
Spring BootRCECommand Injection
Mar 29 2026 EASY LINUX
TwoMillion
Invite code generation via JS reverse engineering, API v1 admin endpoint abuse, OverlayFS CVE for root
API AbuseJS ReversingKernel CVE
Mar 25 2026 EASY LINUX
Sau
Request Baskets SSRF via CVE-2023-27163 to reach internal Maltrail service with unauthenticated RCE
CVE-2023-27163
SSRFSSRF ChainRCE
Mar 21 2026 EASY LINUX
Keeper
Default credentials on Request Tracker, KeePass memory dump CVE-2023-32784 leaks master password
CVE-2023-32784
Default CredsKeePassMemory Dump
Mar 17 2026 EASY LINUX
Busqueda
Searchor CLI eval() command injection via crafted search query, sudo script git config hijack for root
Command Injectioneval()sudo
Mar 13 2026 EASY LINUX
Soccer
Tiny File Manager default creds for webshell upload, WebSocket-based blind SQLi, doas privesc
SQLiWebSocketFile Upload
Mar 09 2026 EASY LINUX
Cap
IDOR on PCAP download endpoint leaks FTP plaintext credentials, Python cap_setuid privilege escalation
IDORPCAPLinux Capabilities
Mar 05 2026 EASY LINUX
Help
HelpDeskZ unauthenticated file upload via timestamp bypass, Linux kernel dirty cow variant for root
File UploadKernel ExploitHelpDeskZ
Mar 01 2026 EASY LINUX
Bashed
phpbash webshell left exposed on dev server, sudo scriptmanager abuse and cron-based privesc
WebshellsudoCron
Feb 24 2026 EASY LINUX
Shocker
Shellshock CGI bash vulnerability via User-Agent header, sudo perl GTFO for root
ShellshockCGIsudo
Feb 20 2026 EASY LINUX
Lame
Samba CVE-2007-2447 username map script command injection gives direct root shell — classic entry box
CVE-2007-2447
SambaCVERCE
Apr 14 2026 EASY WINDOWS
Support
LDAP credentials hardcoded in .NET binary, Resource-Based Constrained Delegation (RBCD) for Domain Admin
Active DirectoryRBCD.NET Reversing
Apr 10 2026 EASY WINDOWS
Mailing
hMailServer open relay for phishing, Outlook MonikerLink CVE-2024-21413 for NTLM capture and relay
CVE-2024-21413
Mail ServerNTLM RelayOutlook
Apr 18 2026 HARD LINUX
Intentions
API mass assignment to escalate user role, ImageMagick MSL file write RCE, GitHub Actions token abuse for root
Mass AssignmentImageMagickCI/CD Abuse
Apr 22 2026 MEDIUM LINUX
Monitored
SNMP community string leaks service account credentials, Nagios XI authenticated SQLi, npcd binary hijack
SNMPSQLiService Hijack