Writeups on crAIzy.dev

Writeups on crAIzy.dev https://craizy.dev/categories/writeups/ Recent content in Writeups on crAIzy.dev https://craizy.dev/img/htb-default.png crAIzy.dev https://craizy.dev/ Hugo en Tue, 28 Apr 2026 20:10:00 +0300 HTB Starting Point — Ignition https://craizy.dev/writeups/ignition/ Tue, 28 Apr 2026 20:10:00 +0300 crAIzy https://craizy.dev/writeups/ignition/ Walkthrough of Ignition — Magento 2.4-dev admin panel with default credentials qwerty123, demonstrating virtual host discovery and admin panel enumeration. HTB Starting Point — Funnel https://craizy.dev/writeups/funnel/ Tue, 28 Apr 2026 19:30:00 +0300 crAIzy https://craizy.dev/writeups/funnel/ Walkthrough of Funnel — anonymous FTP leaks default credentials, SSH pivot reveals a PostgreSQL Docker container accessible via port forwarding, and the flag is a database row. HTB Starting Point — Responder https://craizy.dev/writeups/responder/ Tue, 28 Apr 2026 16:34:00 +0300 crAIzy https://craizy.dev/writeups/responder/ Walkthrough of Responder — LFI in PHP triggers a UNC path that forces Windows to authenticate to Responder, capturing a NetNTLMv2 hash cracked to reveal the Administrator password. HTB Starting Point — Crocodile https://craizy.dev/writeups/crocodile/ Tue, 28 Apr 2026 15:43:00 +0300 crAIzy https://craizy.dev/writeups/crocodile/ Walkthrough of Crocodile — anonymous FTP exposes credential files that unlock a web admin panel on port 80, combining two services into one attack chain. HTB Starting Point — Sequel https://craizy.dev/writeups/sequel/ Tue, 28 Apr 2026 15:20:00 +0300 crAIzy https://craizy.dev/writeups/sequel/ Walkthrough of Sequel — MariaDB 10.3.27 exposed on port 3306 with root user having no password, flag stored as a table row in the htb database. HTB Starting Point — Appointment https://craizy.dev/writeups/appointment/ Tue, 28 Apr 2026 14:30:00 +0300 crAIzy https://craizy.dev/writeups/appointment/ Walkthrough of Appointment — SQL injection in a login form bypasses authentication and exposes the flag, with sqlmap extraction of the underlying database schema. HTB Starting Point — Bike https://craizy.dev/writeups/bike/ Tue, 28 Apr 2026 12:38:00 +0300 crAIzy https://craizy.dev/writeups/bike/ Walkthrough of Bike — Server-Side Template Injection in Handlebars (Node.js) escalates from a reflected error to RCE as root via process.mainModule.require. HTB Starting Point — Three https://craizy.dev/writeups/three/ Mon, 27 Apr 2026 22:00:00 +0300 crAIzy https://craizy.dev/writeups/three/ Walkthrough of Three — S3 subdomain discovery leads to an unauthenticated LocalStack bucket where uploading a PHP webshell achieves RCE as www-data. HTB Starting Point — Synced https://craizy.dev/writeups/synced/ Mon, 27 Apr 2026 19:44:00 +0300 crAIzy https://craizy.dev/writeups/synced/ Walkthrough of Synced — anonymous rsync share exposes flag.txt directly, demonstrating unauthenticated rsync enumeration on a non-standard port. HTB Starting Point — Preignition https://craizy.dev/writeups/preignition/ Mon, 27 Apr 2026 16:27:00 +0300 crAIzy https://craizy.dev/writeups/preignition/ Walkthrough of Preignition — directory fuzzing finds a hidden admin.php login page, default credentials admin:admin grant access and expose the flag. HTB Starting Point — Explosion https://craizy.dev/writeups/explosion/ Mon, 27 Apr 2026 16:00:00 +0300 crAIzy https://craizy.dev/writeups/explosion/ Walkthrough of Explosion — Windows Server 2019 with blank Administrator password on RDP and WinRM, demonstrating credential-guessing methodology. HTB Starting Point — Mongod https://craizy.dev/writeups/mongod/ Mon, 27 Apr 2026 14:30:00 +0300 crAIzy https://craizy.dev/writeups/mongod/ Walkthrough of Mongod — unauthenticated MongoDB 3.6.8 exposes a sensitive_information database containing the flag key, with extensive post-exploitation enumeration. HTB Starting Point — Redeemer https://craizy.dev/writeups/redeemer/ Mon, 27 Apr 2026 14:30:00 +0300 crAIzy https://craizy.dev/writeups/redeemer/ Walkthrough of Redeemer — unauthenticated Redis 5.0.7 exposes a flag key directly, with bonus RCE via a rogue-server module load. HTB Starting Point — Fawn https://craizy.dev/writeups/fawn/ Mon, 27 Apr 2026 14:14:00 +0300 crAIzy https://craizy.dev/writeups/fawn/ Walkthrough of Fawn — anonymous FTP read access exposes a flag file directly, demonstrating the classic anonymous-FTP misconfiguration. HTB Starting Point — Dancing https://craizy.dev/writeups/dancing/ Mon, 27 Apr 2026 13:58:00 +0300 crAIzy https://craizy.dev/writeups/dancing/ Walkthrough of Dancing — SMB null session on Windows exposes a WorkShares share with a flag file, demonstrating unauthenticated SMB enumeration. HTB Starting Point — Meow https://craizy.dev/writeups/meow/ Sun, 26 Apr 2026 15:04:00 +0300 crAIzy https://craizy.dev/writeups/meow/ Walkthrough of Meow — passwordless root over Telnet on HTB Starting Point Tier 0; the lesson is why netcat fails where telnetlib works.