https://github.com/jon-brandy/hackthebox
My WriteUps for HackTheBox CTFs, Machines, and Sherlocks.
- Host: GitHub
- URL: https://github.com/jon-brandy/hackthebox
- Owner: jon-brandy
- License: agpl-3.0
- Created: 2022-12-14T09:10:24.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-06-27T17:17:35.000Z (3 days ago)
- Last Synced: 2025-06-27T18:23:07.304Z (3 days ago)
- Topics: binary-exploitation, ctf, forensics, hackthebox-writeups, htb-machine, htb-sherlocks, htb-writeups, pwn, reverse-engineering
- Language: Python
- Homepage:
- Size: 3.2 MB
- Stars: 123
- Watchers: 1
- Forks: 23
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
### NOTES: NO TIMELINE ACTIVITIES TABLE CREATION FOR EVERY CHALLS.

Sherlocks
| No. | Cases | Lessons Learned |
| :-- | ---------------------------------------------------------------------------------------------------------------------------------- | :-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
| 1. | [Meerkat](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Meerkat/README.md) | `Credential stuffing detection`, `Bonitasoft CVE exploitation`, `Packet filtering`, `Custom column value analysis` |
| 2. | [Bumblebee](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Bumblebee/README.md) | `SQLite3 file analysis`, `Epoch timestamp conversion`, `NGINX access.log parsing` |
| 3. | [Lockpick](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Lockpick/README.md) | `Static malware analysis with Ghidra`, `Reverse engineering C-based malware`, `Python scripting for reversing encryption logic`, `JSON parsing automation` |
| 4. | [Constellation](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Constellation/README.md) | `Discord URL forensic analysis`, `URL unfurling techniques` |
| 5. | [OpTinselTrace-4](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/OpTinselTrace-4/README.md) | `Threat hunting and attacker IP identification`, `Port scanning detection`, `Printer hacking network forensics` |
| 6. | [Litter](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Litter/README.md) | `PCAP network traffic analysis`, `DNS tunneling identification` |
| 7. | [Logjammer](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Logjammer/README.md) | `Windows Event Log analysis using Event Viewer` |
| 8. | [Heartbreaker-Continuum](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Heartbreaker-Continuum/README.md) | `PEStudio and Ghidra for code size identification`, `VirusTotal for file metadata`, `Hex editor for obfuscated strings offsets`, `MITRE ATT&CK technique identification` |
| 9. | [Hyperfiletable](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Hyperfiletable/README.md) | `Parsing raw MFT data with analyzeMFT`, `Using MFTExplorer for ZoneID and file size analysis` |
| 10. | [Subatomic](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Subatomic/README.md) | `File type identification with Detect It Easy (DIE)`, `Unpacking Nullsoft Installer`, `Malware GUID identification`, `Debugging obfuscated JS in VSCode`, `Code review of Trojan Discord module` |
| 11. | [Tracer](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Tracer/README.md) | `Windows Event Log analysis`, `Prefetch file parsing with PECmd`, `$MFT analysis using MFTECmd`, `USN Journal ($J) analysis`, `Sysmon log investigation` |
| 12. | [Loggy](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Loggy/README.md) | `Using Ghidra, ANY.RUN, DIE for malware language identification`, `PEStudio and API Monitor for malicious function calls`, `FTP domain tracking`, `IDA graph analysis for disk writes` |
| 13. | [RogueOne](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/RogueOne/README.md) | `Memory forensics with volatility3`, `Detection of process spoofing` |
| 14. | [Recollection](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Recollection/README.md) | `Memory forensics with volatility3`, `Detection of alias IEX usage`, `Browser history dumping`, `Malicious filename identification` |
| 15. | [Brutus](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Brutus/README.md) | `Reviewing UNIX auth.log`, `Hunting suspect IP addresses`, `WTMP log analysis` |
| 16. | [Campfire-1](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Campfire-1/README.md) | `DC security logs analysis via EventViewer`, `Kerberoasting attack analysis`, `Prefetch file conversion and timeline exploration with PECmd and Timeline Explorer`, `Identifying common Kerberoasting tools` |
| 17. | [SmartyPants](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/SmartyPants/README.md) | `Windows RDP event log analysis`, `Event log explorer usage`, `Smart screen debug log review` |
| 18. | [Unit42](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Unit42/README.md) | `Sysmon EventID definitions`, `Sysmon log analysis`, `UltraVNC infection investigation` |
| 19. | [BFT](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/BFT/README.md) | `Parsing raw MFT files with MFT Explorer and MFTECmd`, `Malicious file download hunting` |
| 20. | [Jingle Bell](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Jingle%20Bell/README.md) | `Forensic analysis of Slack application SQLite database` |
| 21. | [TickTock](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/TickTock/README.md) | `TeamViewer log analysis for C2 agent and attacker sessions`, `Prefetch log review`, `Sysmon log review for network connections`, `Windows Defender and PowerShell log inspection`, `Drive mounting and C2 hash identification`, `Raw MFT parsing and timeline exploration`, `Timestamp event extraction with Get-WinEvent` |
| 22. | [Jugglin](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Jugglin/README.md) | `Forensic analysis of APMX64 files`, `API Monitor for function call interception`, `PowerShell module identification for data exfiltration` |
| 23. | [Ore](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Ore/README.md) | `Reviewing Grafana and catscale artifacts`, `XMRIG process analysis`, `Hunting threat actor IPs via UNIX logs`, `Shodan threat intelligence use`, `Cronjob timing analysis with crontab.guru` |
| 24. | [Ultimatum](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Ultimatum/README.md) | `Catscale data acquisition review`, `Ultimate-member plugin CVE identification`, `Backdoor user and persistence activity detection` |
| 25. | [Pikaptcha](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Pikaptcha/README.md) | `Registry hive analysis with Registry Explorer`, `Malicious PowerShell downloader analysis`, `Threat actor C2 server hunting`, `Reverse shell session timing`, `Phishing JS function identification`, `Lumma Stealer malware investigation` |
| 26. | [Operation Blackout 2025: Phantom Check](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/Operation%20Blackout%202025:%20Phantom%20Check/README.md)| `Hayabusa`, `Event viewer`, `Identification of virtualization detection activity`, `Timeline explorer`, `Identification of current machine temperature value`, `WMI class abused to retrieve model and manufacturer information` |
| 27. | [APTNightmare](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Sherlocks/APTNightmare/README.md) | `Packet capture analysis with Wireshark`, `Nmap open port identification with Tshark`, `DNS zone transfer detection`, `Compromised subdomain and credential discovery`, `Memory analysis of web server with Volatility and Ubuntu profile`, `MITRE ATT&CK technique correlation`, `Debian package inspection with dpkg`, `Windows registry hive parsing with Regripper`, `Program execution artifact analysis`, `.lnk file examination`, `Registry hive cleaning`, `Disk image review with FTK Imager`, `Email phishing forensic analysis`, `Prefetch file analysis`, `Raw $MFT parsing`, `PowerShell and event log export`, `Timeline review`, `Encoded PowerShell command decoding`, `VirusTotal IOC identification`, `Cobalt Strike beacon analysis`, `Persistence task detection` |
Binary Exploitation (PWN)
| No. | Challenges | Lessons Learned |
| :-- | ------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------: |
| 1. | [racecar](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/racecar) | `Exploiting format string vulnerabilities to leak stack values` |
| 2. | [You know 0xDiablos](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/You%20know%200xDiablos) | `Buffer overflow exploitation`, `Return-to-win techniques` |
| 3. | [Jeeves](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Jeeves) | `Local variable modification techniques` |
| 4. | [Space pirate: Entrypoint](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Space%20pirate%3A%20Entrypoint) | `Format string bugs`, `Local variable modification` |
| 5. | [Reg](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Reg) | `Buffer overflow`, `Redirecting program execution` |
| 6. | [Space pirate: Going Deeper](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Space%20pirate%3A%20Going%20Deeper) | `Buffer overflow`, `Redirecting program execution` |
| 7. | [Bat Computer](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Bat%20Computer) | `Buffer overflow`, `Return-to-shellcode techniques` |
| 8. | [Blacksmith](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Blacksmith) | `Buffer overflow`, `Return-to-libc attacks` |
| 9. | [Shooting star](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Shooting%20star) | `Buffer overflow`, `Return-to-libc attacks` |
| 10. | [HTB Console](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/HTB%20Console) | `Buffer overflow`, `Return-to-libc`, `Using .DATA section to write "/bin/sh\x00" strings` |
| 11. | [Optimistic](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Optimistic) | `Buffer overflow`, `Integer overflow`, `Return-to-shellcode with alphanumeric payloads` |
| 12. | [Restaurant](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Restaurant) | `Buffer overflow`, `Return-to-libc`, `Bypassing MOVAPS protection` |
| 13. | [Entity](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Entity) | `Union structure manipulation`, `Type confusion vulnerabilities` |
| 14. | [Getting Started](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Getting%20Started) | `Buffer overflow basics` |
| 15. | [Questionnaire](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Pwn/Questionnaire) | `Binary exploitation concepts and questions` |
| 16. | [Nightmare](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Pwn/Nightmare/README.md) | `Format string bug exploitation`, `Global Offset Table (GOT) overwrite` |
| 17. | [Void](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Pwn/Void/README.md) | `Buffer overflow`, `Return-to-dl-resolve technique` |
| 18. | [Fleet Management](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Pwn/Fleet%20Management/README.md) | `Bypassing seccomp sandbox`, `Crafting custom shellcode` |
| 19. | [Vault-breaker](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Vault-breaker/README.md) | `Abusing misconfigurations`, `XOR cipher decoding` |
| 20. | [Spooky Time](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Spooky%20Time/README.md) | `Format string bug exploitation`, `GOT overwrite` |
| 21. | [Space pirate: Retribution](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Space%20pirate%3A%20Retribution/README.md) | `Buffer overflow`, `Return-to-libc`, `Bypassing PIE and ASLR` |
| 22. | [Space](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Space/README.md) | `Buffer overflow`, `Small offset after EIP`, `Custom shellcode crafting` |
| 23. | [Leet Test](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Leet%20Test/README.md) | `Format string bug`, `Overwriting local and global variables` |
| 24. | [Trick or Deal](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Trick%20or%20Deal/README.md) | `Heap exploitation`, `Use-After-Free (UAF)` |
| 25. | [PwnShop](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/PwnShop/README.md) | `Buffer overflow`, `Return-to-libc`, `Bypassing PIE and ASLR`, `Stack pivoting` |
| 26. | [Finale](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Finale/README.md) | `Open-Read-Write (ORW) ROP chain exploitation` |
| 27. | [Hellhound](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Hellhound/README.md) | `Heap exploitation`, `House of Spirit technique (glibc 2.23)` |
| 28. | [Sacred Scrolls: Revenge](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Sacred%20Scrolls%3A%20Revenge/README.md) | `Buffer overflow`, `Return-to-libc`, `Base64 encoded payload`, `Bypassing MOVAPS (stack alignment)` |
| 29. | [Sick ROP](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Sick%20ROP/README.md) | `Sigreturn Oriented Programming (SROP)` |
| 30. | [What does the f say?](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/What%20does%20the%20f%20say%3F/README.md) | `Format string bug`, `Bypassing PIE, Canary, and ASLR`, `Return-to-libc`, `Bypassing MOVAPS protection` |
| 31. | [Bon-nie-appetit](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Bon-nie-appetit/README.md) | `Heap exploitation`, `main_arena address leak`, `Off-by-one (OOB) exploit`, `Tcache poisoning` |
| 32. | [Great Old Talisman](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Great%20Old%20Talisman/README.md) | `Buffer overflow`, `GOT overwrite` |
| 33. | [Spellbook](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Spellbook/README.md) | `Heap exploitation`, `Leaking main_arena address`, `Fastbin dup attack`, `Overwriting __malloc_hook with one_gadget` |
| 34. | [Oxidized ROP](https://github.com/jon-brandy/hackthebox/tree/main/Categories/Pwn/Oxidized%20ROP) | `Rust buffer overflow`, `Local variable overwrite using Unicode characters` |
| 35. | [Regularity](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Regularity/README.md) | `Buffer overflow`, `Return to register` |
| 36. | [Writing on the Wall](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Writing%20on%20the%20Wall/README.md) | `Out-of-bounds write`, `read() vulnerability`, `Local variable overwrite` |
| 37. | [Execute](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Execute/README.md) | `Direct code execution bug`, `Return to shellcode`, `Crafting custom shellcode to bypass bad bytes`, `XOR encoding /bin/sh strings` |
| 38. | [Rocket Blaster XXX](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Rocket%20Blaster%20XXX/README.md) | `Buffer overflow`, `Return-to-win with 3 parameters` |
| 39. | [Sound of Silence](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Sound%20of%20Silence/README.md) | `Return address manipulation with gets()`, `Passing system() as argument`, `Using GDB to trace parent process` |
| 40. | [r0bob1rd](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/r0bob1rd/README.md) | `Libc leak via array index clobbering`, `Format string bug to overwrite GOT entry for __stack_chk_fail()`, `OOB bug triggering __stack_chk_fail() call` |
| 41. | [Assemblers Avenge](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Assemblers%20Avenge/README.md) | `Return to shellcode`, `Crafting custom shellcode`, `Using printed /bin/sh strings` |
| 42. | [No Gadgets](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/No%20Gadgets/README.md) | `Bypassing strlen() checks`, `Exploiting GLIBC 2.35 gadgets limitation`, `GOT overwrite using controlled RBP`, `Forging fake RBP with PLT stub` |
| 43. | [Kernel Adventures: Part 1](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Pwn/Kernel%20Adventures%3A%20Part%201/README.md) | `Exploiting race condition vulnerabilities`, `Password hash cracking`, `Double fetch exploitation` |
Machines
| No. | Machine Name | Lessons Learned |
| :-: | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| 1 | [Blue](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Blue/README.md) | `Metasploit`, `smbclient`, `EternalBlue`, `Meterpreter` |
| 2 | [Jerry](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Jerry/README.md) | `Tomcat exploitation`, `Msfvenom reverse shell`, `Metasploit usage` |
| 3 | [Lame](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Lame/README.md) | `FTP`, `CVE exploitation`, `Backdoor`, `SMB`, `Remote Code Execution (RCE)` |
| 4 | [Netmon](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Netmon/README.md) | `FTP enumeration`, `Searchsploit usage` |
| 5 | [Photobomb](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Photobomb/README.md) | `Command injection`, `Pwncat usage`, `PATH hijacking` |
| 6 | [Precious](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Precious/README.md) | `Setting up simple Python server`, `PDFKit CVE exploitation`, `Pwncat`, `Ruby exploit`, `YAML exploit` |
| 7 | [Shoppy](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Shoppy/README.md) | `Gobuster usage`, `NoSQL injection`, `MongoDB exploitation`, `Password hash cracking`, `Ffuf usage`, `Docker privesc via GTFOBins` |
| 8 | [Cap](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Cap/README.md) | `Exploiting Python 3.8 cap_setuid`, `Wireshark usage`, `IDOR vulnerability` |
| 9 | [Busqueda](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Busqueda/README.md) | `Server-side template injection (SSTI)`, `Remote code execution (RCE)`, `Gitea exploitation` |
| 10 | [Knife](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Knife/README.md) | `PHP CVE exploitation`, `Knife binary GTFOBins` |
| 11 | [Bashed](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Bashed/README.md) | `Gobuster usage`, `Webshell deployment`, `Cronjob exploitation` |
| 12 | [Shocker](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Shocker/README.md) | `Gobuster usage`, `Shellshock attack`, `Perl binary exploitation` |
| 13 | [Beep](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Beep/README.md) | `Dirbuster usage`, `Elastix webserver exploitation`, `FreePBX service exploitation` |
| 14 | [Blocky](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Blocky/README.md) | `Dirbuster usage`, `JADX-GUI for reverse engineering` |
| 15 | [Bank](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Bank/README.md) | `Gobuster usage`, `Identifying failed hash or encryption methods`, `Msfvenom reverse shell` |
| 16 | [Nibbles](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Nibbles/README.md) | `Gobuster usage`, `Nibble blog exploit`, `Techmint Linux monitoring script exploit` |
| 17 | [SteamCloud](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/SteamCloud/README.md) | `Kubernetes exploitation`, `Pod forging` |
| 18 | [Keeper](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Keeper/README.md) | `WinDbg usage`, `KeePass key dumper (Keydumper)`, `PuTTY key generation and usage (PuttyGen)` |
| 19 | [Optimum](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Optimum/README.md) | `Rejetto HTTP File Server exploit`, `Metasploit usage` |
| 20 | [Legacy](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Legacy/README.md) | `SMB CVE exploitation`, `Metasploit usage` |
| 21 | [Granny](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Granny/README.md) | `Microsoft IIS 6.0 exploit`, `Metasploit usage` |
| 22 | [Grandpa](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Grandpa/README.md) | `Microsoft IIS 6.0 exploit`, `Metasploit usage` |
| 23 | [Devel](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Devel/README.md) | `ASPX reverse shell`, `Microsoft IIS 7.5 exploit`, `Metasploit usage` |
| 24 | [Horizontall](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Horizontall/README.md) | `Generating SSH keygen`, `Port forwarding`, `Laravel 8.4.2 exploit` |
| 25 | [Validation](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Validation/README.md) | `SQL injection (SQLi)`, `PHP reverse shell` |
| 26 | [Nunchucks](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Nunchucks/README.md) | `Gobuster usage`, `Nunjucks template engine exploit`, `Perl binary exploitation`, `AppArmor Perl bugs` |
| 27 | [Late](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Late/README.md) | `Flask SSTI`, `SSH keygen`, `LinPEAS usage`, `Pspy64` |
| 28 | [BountyHunter](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/BountyHunter/README.md) | `Dirbuster usage`, `XXE exploitation`, `Abusing Python script misconfiguration` |
| 29 | [Mirai](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Mirai/README.md) | `Raspberry Pi server setup`, `Linux file recovery with dcfldd`, `Volume mounting` |
| 30 | [Armageddon](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Armageddon/README.md) | `Drupal 7 service exploit`, `Dirty Sock exploit` |
| 31 | [Paper](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Paper/README.md) | `WordPress exploitation`, `Password reuse`, `LinPEAS usage`, `Sudo exploit` |
| 32 | [MonitorsTwo](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/MonitorsTwo/README.md) | `Cacti login page exploit`, `Hash cracking with John the Ripper`, `Listing SUID binaries`, `capsh GTFOBins` |
| 33 | [Inject](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Inject/README.md) | `Directory traversal`, `Searchsploit usage`, `Spring Framework exploit`, `Pspy64`, `YAML forging` |
| 34 | [Sau](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Sau/README.md) | `Request Baskets v1.2.1 exploit`, `SSRF`, `Maltrail v0.53 exploit` |
| 35 | [Pilgrimage](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Pilgrimage/README.md) | `ImageMagick LFI`, `Git dumper usage`, `Binwalk CVE RCE` |
| 36 | [CozyHosting](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/CozyHosting/README.md) | `Dirsearch usage`, `Base64 encoded bash reverse shell`, `JD-GUI`, `PostgreSQL`, `Hash cracking with John and Hashcat`, `sudo GTFOBins` |
| 37 | [Topology](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Topology/README.md) | `LaTeX injection`, `Ffuf usage`, `Hash cracking with John`, `Pspy64`, `Forging PLT files to exploit Gnuplot binary cronjobs` |
| 38 | [Explore](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Explore/README.md) | `ADB`, `Metasploit usage`, `ES File Explorer exploit`, `oHostKeyAlgorithms`, `Port forwarding` |
| 39 | [Previse](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Previse/README.md) | `Dirbuster usage`, `Command injection`, `Hash cracking with John`, `Forging bash gzip`, `PATH hijacking` |
| 40 | [Broker](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Broker/README.md) | `Apache ActiveMQ exploitation`, `Remote code execution (RCE)` |
| 41 | [Delivery](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Delivery/README.md) | `Email impersonation`, `Hash cracking using Best64 and John the Ripper` |
| 42 | [Codify](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Codify/README.md) | `Virtual Machine 2 (VM2) exploitation`, `Hash identification`, `Hash cracking with John`, `Python bruteforce script creation` |
| 43 | [Analytics](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Analytics/README.md) | `Metabase login page exploit`, `Metasploit usage`, `LinPEAS usage`, `Local privilege escalation on Ubuntu 22.10 / 22.04` |
| 44 | [Soccer](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Soccer/README.md) | `Dirsearch usage`, `H3K Tiny File Manager exploitation`, `WebSocket exploitation`, `SQLmap for blind SQLi`, `Privilege escalation using SUID doas`, `Forging dstat using Python` |
| 45 | [Timelapse](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Timelapse/README.md) | `Enumerating public SMB shares with smbclient`, `Cracking Personal Information Exchange (PFX) files`, `OpenSSL`, `pfx2john`, `evil-winrm`, `Active Directory enumeration` |
| 46 | [Devvortex](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Devvortex/README.md) | `Ffuf usage`, `Dirsearch usage`, `Joomla v4.2 CMS exploitation`, `Password hash cracking with John`, `apport-cli binary exploitation` |
| 47 | [Return](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Return/README.md) | `SMB service enumeration with smbclient and enum4linux`, `Abusing printer's network`, `evil-winrm`, `Group membership enumeration for svc-printer account`, `Msfvenom`, `Active Directory security group abuse`, `Metasploit usage` |
| 48 | [Irked](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Irked/README.md) | `Unreal Engine 3.2.8.1 exploitation`, `Metasploit usage`, `LinPEAS usage` |
| 49 | [Perfection](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Perfection/README.md) | `WEBrick 1.7.0 exploitation`, `ERB and Ruby RCE`, `LinPEAS usage`, `Time-based password hash cracking with John` |
| 50 | [Headless](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Headless/README.md) | `XSS`, `Cookie stealing`, `Command injection`, `Remote code execution (RCE)`, `Abusing syscheck misconfiguration for root` |
| 51 | [Wifinetic](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/Wifinetic/README.md) | `FTP anonymous login`, `WiFi network interface enumeration`, `WiFi network configuration dumping`, `WPS PIN brute forcing using Reaver` |
| 52 | [OpenAdmin](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/OpenAdmin/README.md) | `Dirsearch usage`, `OpenNetAdmin v18.1.1 exploit`, `Bash reverse shell`, `Abusing Apache2 internal misconfiguration`, `Password cracking with John`, `Port forwarding`, `Webshell deployment`, `SSH private key cracking`, `Privilege escalation in nano by resetting stdin/stdout/stderr` |
| 53 | [TraceBack](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Machines/TraceBack/README.md) | `Gobuster usage`, `SSH key generation`, `Forging Lua scripts`, `SSH MOTD manipulation` |
GamePwn
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[CubeMadness1](https://github.com/jon-brandy/hackthebox/blob/main/Categories/GamePwn/CubeMadness1/README.md)|||
Web
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Templated](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Templated/README.md)|[LoveTok](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/LoveTok/README.md)|[Phonebook](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Phonebook/README.md)|
|2. |[Spookifier](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Spookifier/README.md)|[looking glass](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/looking%20glass/README.md)|[sanitize](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/sanitize/README.md)|
|3. |[baby auth](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20auth/README.md)|[baby BoneChewerCon](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20BoneChewerCon/README.md)|[Full Stack Conf](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Full%20Stack%20Conf/README.md)|
|4. |[baby interdimensional internet](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20interdimensional%20internet/README.md)|[Juggling facts](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Juggling%20facts/README.md)|[baby nginxatsu](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20nginxatsu/README.md)|
|5. |[baby todo or not todo](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20todo%20or%20not%20todo/README.md)|[baby WAFfles order](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/baby%20WAFfles%20order/README.md)|[BlinkerFluids](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/BlinkerFluids/README.md)|
|6. |[Orbital](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Orbital/README.md)|[Trapped Source](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Web/Trapped%20Source/README.md)|[Passman](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Web/Passman/README.md)|
|7. |[SpookTastic](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Web/SpookTastic/README.md)|[CandyVault](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Web/CandyVault/README.md)|[HauntMart](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Web/HauntMart/README.md)|
Forensics
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Illumination](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Illumination/README.md)|[MarketDump](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/MarketDump/README.md)|[Wrong Spooky Season](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Wrong%20Spooky%20Season/README.md)|
|2. |[Marshal in the Middle](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Marshal%20in%20the%20Middle/README.md)|[Chase](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Chase/README.md)|[Event Horizon](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Event%20Horizon/README.md)|
|3. |[Insider](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Insider/README.md)|[Export](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Export/README.md)|[Persistence](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Persistence/README.md)|
|4. |[No Place To Hide](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/No%20Place%20To%20Hide/README.md)|[Lure](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Lure/README.md)|[Logger](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Logger/README.md)|
|5. |[Halloween Invitation](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Halloween%20Invitation/README.md)|[Peel Back The Layers](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Peel%20Back%20The%20Layers/README.md)|[Reminiscent](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Reminiscent/README.md)|
|6. |[Intergalactic Recovery](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Intergalactic%20Recovery/README.md)|[Downgrade](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Downgrade/README.md)|[Automation](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Automation/README.md)|
|7. |[Perseverance](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Perseverance/README.md)|[Deadly Arthropod](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Deadly%20Arthropod/README.md)|[Keep Tryin'](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Keep%20Tryin'/README.md)|
|8. |[Strike Back](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Strike%20Back/README.md)|[Diagnostic](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Diagnostic/README.md)|[Fake News](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Fake%20News/README.md)|
|9. |[POOF](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/POOF/README.md)|[Alien Cradle](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Alien%20Cradle/README.md)|[Extraterrestrial Persistence](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Extraterrestrial%20Persistence/README.md)|
|10. |[Artifact Of Dangerous Sighting](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Artifact%20Of%20Dangerous%20Sighting/README.md)|[oBfsC4t10n2](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/oBfsC4t10n2/README.md)|[Packet Cyclone](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Forensics/Packet%20Cyclone/README.md)|
|11. |[Scripts and Formulas](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Forensics/Scripts%20and%20Formulas/README.md)|||
Cryptography
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[BabyEncryption](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/BabyEncryption/README.md)|[xorxorxor](https://github.com/jon-brandy/hackthebox/tree/main/Categories/Cryptography/xorxorxor)|[Android in the Middle](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Android-in-the-Middle/README.md)|
|2. |[Weak RSA](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Weak%20RSA/README.md)|[Classic, yet complicated!](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Classic%2C%20yet%20complicated!/README.md)|[Brainy's Cipher](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Brainy's%20Cipher/README.md)|
|3. |[Gonna-Lift-Em-All](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Gonna-Lift-Em-All/README.md)|[Ancient Encodings](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Cryptography/Ancient%20Encodings/README.md)|[Nuclear Sale](https://github.com/Bread-Yolk/hackthebox/blob/main/Categories/Cryptography/Nuclear%20Sale/README.md)|
Reversing
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Impossible Password](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Impossible%20Password/README.md)|[Bypass](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Bypass/README.md)|[Behind the Scenes](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Behind%20the%20Scenes/README.md)|
|2. |[WIDE](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/WIDE/README.md)|[Baby RE](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Baby%20RE/README.md)|[You Cant C Me](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/You%20Cant%20C%20Me/README.md)|
|3. |[Find The Easy Pass](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Find%20The%20Easy%20Pass/README.md)|[Baby Crypt](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Baby%20Crypt/README.md)|[Ransom](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Ransom/README.md)|
|4. |[Anti Flag](https://github.com/Bread-Yolk/hackthebox/tree/main/Categories/Reversing/Anti%20Flag)|[Ouija](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Ouija/README.md)|[Tear Or Dear](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Tear%20Or%20Dear/README.md)|
|5. |[Rebuilding](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Rebuilding/README.md)|[Teleport](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Teleport/README.md)|[Hunting License](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Hunting%20License/README.md)|
|6. |[Shattered Tablet](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Reversing/Shattered%20Tablet/README.md)|||
OSINT
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Easy Phish](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/Easy%20Phish/README.md)|[Infiltration](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/Infiltration/README.md)|[Money Flowz](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/Money%20Flowz/README.md)|
|2. |[Missing in Action](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/Missing%20in%20Action/README.md)|[ID Exposed](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/ID%20Exposed/README.md)|[0ld is g0ld](https://github.com/jon-brandy/hackthebox/blob/main/Categories/OSINT/0ld%20is%20g0ld/README.md)|
Mobile
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Cat](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/Cat/README.md)|[Don't Overreact](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/Don't%20Overreact/README.md)|[APKey](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/APKey/README.md)|
|2. |[Pinned](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/Pinned/pinned.md)|[APKrypt](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/APKrypt/README.md)|[Manager](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/Manager/README.md)|
|3. |[Anchored](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Mobile/Anchored/README.md)|||
Hardware
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Debugging Interface](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Hardware/Debugging%20Interface/README.md)|[Gawk](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Hardware/Gawk/README.md)|[Photon Lockdown](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Hardware/Photon%20Lockdown/README.md)|
Misc
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Canvas](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Canvas/README.md)|[fs0ciety](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/fs0ciety/README.md)|[Milkshake](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Milkshake/README.md)|
|2. |[Hackerman](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Hackerman/README.md)|[Da Vinci](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Da%20Vinci/README.md)|[Art](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Art/README.md)|
|3. |[misDIRection](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/misDIRection/README.md)|[Emdee five for life](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Emdee%20five%20for%20life/README.md)|[The secret of a Queen](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/The%20secret%20of%20%20a%20Queen/README.md)|
|4. |[Eternal Loop](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Misc/Eternal%20Loop/README.md)|||
Blockchain
|No.|Column 1|Column 2|Column 3|
|:-:|:-------:|:-------:|:-------:|
|1. |[Survival of the Fittest](https://github.com/jon-brandy/hackthebox/blob/main/Categories/Blockchain/Survival%20of%20the%20Fittest/README.md)|||