HTB Starting Point — Synced
Anonymous rsync on port 873 delivers flag.txt with zero credentials; the real lesson is scanning beyond the top-1000 TCP ports.
HTB Starting Point — Base
PHP strcmp() fed an array instead of a string returns 0 and bypasses login. A file manager upload gives shell. sudo find reads root.txt …
HTB Starting Point — Preignition
Directory fuzzing surfaces a hidden admin.php that default credentials unlock; demonstrates why wordlist-based discovery precedes credential …
HTB Starting Point — Explosion
RDP and WinRM both accept a blank Administrator password — attack surface is two services wide when credential assumptions fail at the front …
HTB Starting Point — Markup
XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into …
HTB Starting Point — Mongod
MongoDB 3.6.8 without bind authentication exposes a sensitive_information database; the real lesson is why auth-on-by-default matters.
HTB Starting Point — Redeemer
Unauthenticated Redis on port 6379 leaks a flag key directly; includes a bonus RCE path via rogue-server module load for the curious.
HTB Starting Point — Fawn
Anonymous FTP on vsftpd 3.0.3 — the misconfiguration is intentional, the lesson is recognising anonymous bind and scripting retrieval.
HTB Starting Point — Vaccine
Anonymous FTP yields a ZIP cracked with john. The PHP login is SQL-injectable. pg_dump in a sudo rule lets vi escape to root — classic sudo …