HackTheBox machine writeups by J0stif.
Full walkthroughs with methodology, commands, and techniques.
Writeups are published only after machine retirement per HTB policy.
Windows — Active Directory

| Machine | Difficulty | Techniques | User | Root |
|---|---|---|---|---|
| Eighteen | 🟢 Easy | CVE-2025-8110 (Gogs RCE), BadSuccessor, dMSA abuse | ✓ | ✓ |
| Blackfield | 🔴 Hard | AS-REP Roasting, ForceChangePassword, lsass dump, SeBackupPrivilege, NTDS.dit | ✓ | ✓ |
| TombWatcher | 🟡 Medium | Kerberoasting, gMSA, AddSelf, ForceChangePassword, WriteOwner, Deleted Object Restore, ESC15, Enrollment Agent | ✓ | ✓ |
| Cicada | 🟢 Easy | SMB guest, Password Spray, Backup Operators, SeBackupPrivilege, secretsdump | ✓ | ✓ |
| Sauna | 🟢 Easy | OSINT, Username Generation, AS-REP Roasting, AutoLogon creds, DCSync | ✓ | ✓ |
| EscapeTwo | 🟢 Easy | ADCS ESC4→ESC1, MSSQL | ✓ | ✓ |
| Support | 🟢 Easy | SMB, LDAP, Reverse Engineering, RBCD | ✓ | ✓ |
| Overwatch | 🟡 Medium | SMB, WCF/SOAP Injection, DNS Poisoning, AD | ✓ | ✓ |
| Escape | 🟡 Medium | MSSQL xp_dirtree, NTLM coercion, ERRORLOG cred leak, ADCS ESC1 | ✓ | ✓ |
| Machine | Difficulty | Techniques | User | Root |
|---|---|---|---|---|
| Unika | 🟢 Easy | LFI, NTLMv2, Hashcat | ✓ | ✓ |
| Timelapse | 🟢 Easy | SMB, PFX, LAPS | ✓ | ✓ |
| ServMon | 🟢 Easy | Anonymous FTP, CVE-2019-20085 (NVMS traversal), NSClient++ API abuse | ✓ | ✓ |
| Machine | Difficulty | Techniques | User | Root |
|---|---|---|---|---|
| Browsed | 🟡 Medium | Chrome Extension, Bash Arithmetic Injection, SSRF, pyc Hijack | ✓ | ✓ |
| Sea | 🟢 Easy | CVE-2023-41425 (WonderCMS XSS→RCE), bcrypt crack, command injection, SUID bash | ✓ | ✓ |
Coming soon (pending retirement)

| Machine | Difficulty | Techniques |
|---|---|---|
| Logging | 🟡 Medium | Shadow Credentials, ADCS ESC1, DLL Hijack, WSUS |
| Garfield | 🔴 Hard | WriteDacl, RBCD, KeyList (RODC), SYSVOL |
| Interpreter | 🟡 Medium | CVE-2023-43208, Deserialization, PBKDF2, eval() Injection |
| Technique | Machines |
|---|---|
| ADCS / ESC1 | EscapeTwo, Escape |
| ADCS / ESC4 | EscapeTwo |
| ADCS / ESC15 (CVE-2024-49019) | TombWatcher |
| Enrollment Agent abuse (ESC3) | TombWatcher |
| BadSuccessor / dMSA | Eighteen |
| CVE exploitation | Eighteen (CVE-2025-8110), TombWatcher (CVE-2024-49019), Sea (CVE-2023-41425), ServMon (CVE-2019-20085) |
| WonderCMS XSS → RCE | Sea |
| bcrypt cracking | Sea |
| Command injection (newline) | Sea |
| SUID bash | Sea |
| Internal service port forward | Sea |
| Gogs RCE | Eighteen |
| Kerberoasting | TombWatcher |
| AS-REP Roasting | TombWatcher, Sauna, Blackfield |
| ForceChangePassword | TombWatcher, Blackfield |
| lsass memory dump (pypykatz) | Blackfield |
| diskshadow + NTDS.dit extraction | Blackfield |
| Anonymous FTP credential leak | ServMon |
| Path traversal CVE | ServMon (CVE-2019-20085) |
| NSClient++ API abuse | ServMon |
| SSH port forwarding (privesc) | ServMon |
| DCSync (GetChangesAll) | Sauna |
| OSINT / username generation | Sauna |
| AutoLogon registry credentials | Sauna |
| gMSA password dump | TombWatcher |
| AddSelf ACE abuse | TombWatcher |
| WriteOwner | TombWatcher |
| Deleted object restore | TombWatcher |
| SMB enumeration | Support, Timelapse, Overwatch, Cicada |
| Password spray | Cicada |
| Backup Operators / SeBackupPrivilege | Cicada |
| secretsdump (offline hives) | Cicada |
| LDAP enumeration | Support |
| Reverse engineering (.NET) | Support |
| RBCD | Support |
| LAPS | Timelapse |
| PFX cracking | Timelapse |
| LFI | Unika |
| MSSQL xp_dirtree NTLM coercion | Escape |
| NTLM capture (Responder) | Unika, Overwatch, Escape |
| Password in log files | Escape |
| WCF / SOAP injection | Overwatch |
| DNS poisoning | Overwatch |
| Chrome extension abuse | Browsed |
| SSRF | Browsed |
| Bash arithmetic injection | Browsed |
| Python pyc hijack | Browsed |
Every writeup follows the same structure:
1. Enumeration — nmap, service fingerprinting, web/SMB recon
2. Foothold — initial access vector
3. User flag — lateral movement or privilege escalation to user
4. Root/System — privilege escalation to root/SYSTEM
5. Key takeaways — what the machine teaches
| Category | Tools |
|---|---|
| Recon | nmap, gobuster, feroxbuster, enum4linux-ng, smbclient |
| AD attacks | impacket, certipy, bloodyAD, pywhisker, PKINITtools |
| BloodHound | bloodhound-python, custom queries |
| Web | burpsuite, nuclei |
| Cracking | hashcat, john, zip2john, pfx2john |
| Post-exploit | evil-winrm, netexec, secretsdump |
J0stif — penetration tester, bug bounty hunter
PNPT · PWPA · CEH | OSCP (in progress) · HTB CPTS (in progress) · HTB CWES (in progress)
HTB Profile · Site & Writeups · Twitter/X