Sorcery
Summary Sorcery is an Insane-rated Linux machine built around a full open-source stack: a Rust/Rocket backend, a Next.js frontend, Neo4j, Kafka, a custom DNS service, FTP, MailHog, Gitea, and a he...
Summary The challenge provides a web application for ordering food (Pizza, Ice Cream, Spaghetti). We are given the source code and a running instance. The goal is to find a vulnerability to read t...

Summary CarnaVown is a collection of diverse challenges ranging from web exploitation and binary pwn to mobile reversing and ransomware decryption. This post details the solutions for the followin...
Summary Era is a web-focused HackTheBox Linux machine with a neat privilege escalation twist on a custom “AV” monitoring binary. The attack chain starts on a web application that uses security que...
Summary Mirage is a HackTheBox Active Directory machine that demonstrates a sophisticated multi-stage attack chain involving NFS share enumeration, DNS dynamic update vulnerabilities, NATS service...
Summary Broken is a HackingClub machine that demonstrates a complex multi-stage attack chain involving subdomain enumeration, JWT exploitation via JKU parameter manipulation, file read vulnerabili...
Summary NorthBridge is a HacksmarterLabs Active Directory machine that demonstrates a sophisticated attack chain involving ACL abuse, Resource-Based Constrained Delegation (RBCD), S4U2Self/S4U2Pro...
Summary RustyKey is a Hard-rated HackTheBox Active Directory machine that demonstrates a sophisticated attack chain involving Timeroasting, ACL abuse, registry hijacking, and Resource-Based Constr...
Summary Squirrel is a HackingClub Active Directory machine that demonstrates a comprehensive attack chain involving null authentication, ASREPRoasting, Kerberoasting, ACL abuse, and Shadow Credent...
Summary Welcome is a HacksmarterLabs Active Directory machine that demonstrates a comprehensive attack chain involving password-protected PDF extraction, password spraying, ACL abuse, and Active D...