The Starting Point series covers Hack The Box’s free Tier 0–2 machines with explicit methodology, dead-end documentation, and an AI-assist log on every writeup. Use it as a calibration baseline for higher-difficulty writeups in this blog.
Every box in this series gets full coverage: every command, every failed approach, every lesson extracted — including exactly where Claude helped and where it didn’t.
HTB STARTING POINT · Tier 0
RDP and WinRM both accept a blank Administrator password — attack surface is two services wide when credential assumptions fail at the front door.…
HTB STARTING POINT · Tier 2
XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into the watched directory.…
HTB STARTING POINT · Tier 0
MongoDB 3.6.8 without bind authentication exposes a sensitive_information database; the real lesson is why auth-on-by-default matters.…
HTB STARTING POINT · Tier 0
Unauthenticated Redis on port 6379 leaks a flag key directly; includes a bonus RCE path via rogue-server module load for the curious.…
HTB STARTING POINT · Tier 0
Anonymous FTP on vsftpd 3.0.3 — the misconfiguration is intentional, the lesson is recognising anonymous bind and scripting retrieval.…
HTB STARTING POINT · Tier 2
Anonymous FTP yields a ZIP cracked with john. The PHP login is SQL-injectable. pg_dump in a sudo rule lets vi escape to root — classic sudo abuse.…
HTB STARTING POINT · Tier 0
SMB null session on Windows delivers a flag from an exposed WorkShares share; the takeaway is unauthenticated SMB enumeration without Metasploit.…
HTB STARTING POINT · Tier 2
Log4Shell in UniFi Network Application 6.4.54 — JNDI in the remember field hands over shell as root. MongoDB's default no-auth exposes admin password hash, cracked in seconds.…
HTB STARTING POINT · Tier 2
Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.…
