HTB Retired — Interpreter
Walkthrough of Interpreter — bypassing XStream deserialization hardening in Mirth Connect 4.4.0, then escaping a character-filtered …
32 HTB writeups — AI-pair-pentested, honest log
HTB writeups
AI-pair-pentested, honest log
Real exploits — Starting Point to Release Arena. Every AI mistake documented: what Claude got wrong, what I fixed by hand.
Starting Point Tier 0–2HTB Retired — WingData
Walkthrough of WingData — Wing FTP Server 7.4.3 unauthenticated RCE via Lua session injection, SHA-256 password hash cracking, then Python …
HTB Retired — Silentium
Walkthrough of Silentium — Flowise unauthenticated account takeover via CVE-2025-58434, RCE confirmation via JavaScript injection, then Gogs …
HTB Starting Point — Oopsie
IDOR in a cookie flips guest to super-admin, a SUID binary with system() calls cat via $PATH — two rookie mistakes that cascade to root.
HTB Starting Point — Tactics
Administrator with an empty password on a Windows box — SMB signing disabled, psexec drops SYSTEM in 15 minutes flat. The most honest …
HTB Starting Point — Ignition
Virtual host discovery finds the Magento admin panel on a non-default hostname; qwerty123 completes the chain — two recon steps, one flag.
HTB Starting Point — Funnel
Anonymous FTP leaks credentials; SSH login reveals a PostgreSQL container reachable via local port forwarding — the flag is a database row.
HTB Starting Point — Responder
PHP LFI forces the server to issue a NetNTLMv2 request to a rogue Responder listener; the captured hash cracks to Administrator in seconds.
HTB Starting Point — Kobold
SVG with embedded JavaScript uploads to a ticketing system. When the admin previews the attachment, XSS fires in their browser and …