
HTB Writeup: Editor
XWiki SolrSearchMacros unauth RCE → reverse shell (xwiki) → DB creds in hibernate.cfg.xml → SSH as oliver via reused password → Netdata ndsudo PATH hijack (CVE-2024-32019) → root.

Roundcube Webmail post-auth RCE (CVE-2025-49113) → decrypt stored mailbox credentials → pivot to SSH as jacob → privilege escalation to root via Below (CVE-2025-27591).

NFS → DNS hijack of NATS → steal Dev creds → NATS auth logs → Kerberoast → WinRM as IT admin → AutoLogon creds → ACL abuse → gMSA → ADCS ESC7-style UPN abuse → RBCD on DC → DCSync → Administrator.

SMB/LDAP enumeration → CVE-2025-24071 NTLMv2 capture → crack p.agila → abuse Service Account Managers → shadow credentials on winrm_svc → AD CS ESC16 on ca_svc → certificate auth as administrator.

LDAP enumeration → Office file password cracking → Kerberoast → recover deleted user → DPAPI masterkey extraction → extract credentials → SSH into DC (WSL) → sudo to root via svc_backup.

WriteSPN → targeted Kerberoast → gMSA read → password reset chain → owner/DACL abuse → soft-deleted ADCS operator → WebServer ESC15 → LDAPS pass-the-cert → EA.

Teampass SQLi → hash crack → BookStack LFR → recover reader TOTP → SSH → sudo script + SysV SHM race → root.

SMB → MSSQL coercion → hash crack → WinRM → AD CS ESC1 → Administrator.

Exposed .git → XSS → Webapp admin → SQLi → Creds reuse → Gitea XSS → root.

BackdropCMS + exposed .git → DB creds → CMS admin → module upload webshell → SSH via reused creds → sudo bee eval → root.