~/bokkapig_
hack the box machine writeups

ls -la ./machines (15)

DevArea avatar
DevArea [Linux]
Medium 2026-03-28
FTPXXESOAPMTOMApache CXFHoverflyMiddleware RCESUIDWorld-Writable BinarySystemd Timer
▲ pwned // not yet retired
Kobold avatar
Kobold [Linux]
Easy 2026-03-21
MCPDockerPrivateBinPHP-injectionpassword-reuseArcane
▲ pwned // not yet retired
VariaType avatar
VariaType [Linux]
Medium 2026-03-14
fonttoolsCVE-2025-66034path-traversalPHP-injectionLFIgit-exposureFontForgecommand-injectionsetuptoolsarbitrary-file-writecron
▲ pwned // not yet retired
CCTV avatar
CCTV [Linux]
Easy 2026-03-07
ZoneMinderDefault CredentialsDockermotionEyeCredential SniffingRCE
▲ pwned // not yet retired
Interpreter avatar
Interpreter [Linux]
Medium 2026-02-21
XStream DeserializationMirth ConnectCVE-2023-43208HL7/MLLPPython eval() Injection
▲ pwned // not yet retired
WingData avatar
WingData [Linux]
Easy 2026-02-14
Wing FTP ServerCVE-2025-47812Lua injectionpassword crackinghashcattarfile filter bypassCVE-2025-4517PATH_MAXsudo
▲ pwned // not yet retired
Pterodactyl avatar
Pterodactyl [Linux]
Medium 2026-02-07
CVE-2025-49132LFIpearcmdRCECVE-2025-6018CVE-2025-6019PAM bypassXFSudisks2polkitPterodactyl PanelopenSUSE
▲ pwned // not yet retired
Facts avatar
Facts [Linux]
Easy 2026-01-31
CamaleonCMSCVE-2024-46987LFIMinIOSSH Key CrackingFacter Sudo Abuse
▲ pwned // not yet retired
Overwatch avatar
Overwatch [Windows]
Medium 2026-01-24
Active DirectoryMSSQLWCFCommand InjectionDNS PoisoningLinked Server.NET Reversing
▲ pwned // not yet retired
AirTouch avatar
AirTouch [Linux]
Medium 2026-01-17
WiFiSNMPWPA-EnterprisePEAPMSCHAPv2Dockerfile-uploadcookie-manipulationhostapd-wpeevil-twin
▲ pwned // not yet retired
Browsed avatar
Browsed [Linux]
Medium 2026-01-10
Malicious Chrome MV3 extension uploaded to server-side browser achieved RCE via bash arithmetic evaluation in a Flask/bash backend, then escalated to root via .pyc injection into a world-writable __pycache__ directory of a sudo-allowed Python script.
Chrome extensionbash arithmetic evaluationPython pyc injectionsudo abuseGiteaFlask
● pwned
MonitorsFour avatar
MonitorsFour [Windows]
Easy 2025-12-06
IDORCactiSQLiRCEDockerDocker Desktop EscapeCVE-2024-54146CVE-2025-24367CVE-2025-9074
▲ pwned // not yet retired
Expressway avatar
Expressway [Linux]
Unknown 2025-11-20
IKEv1 Aggressive Mode PSK hash capture and offline brute-force reveals SSH credentials; custom sudo 1.9.17 binary is exploited via CVE-2025-32463 NSS library injection to achieve root.
ikeikev1aggressive-modepskipsecsudoCVE-2025-32463nss-injectionprivilege-escalation
● pwned
Baby avatar
Baby [Windows]
Easy 2025-11-18
LDAP anonymous bind leaks an initial password in a user description; the target user (Caroline.Robinson) has STATUS_PASSWORD_MUST_CHANGE set, allowing password reset via SAMR; Backup Operators group membership enables direct flag read via FILE_OPEN_FOR_BACKUP_INTENT over SMB.
active-directoryldappassword-must-changebackup-operatorssebackupprivilegewindows-server-2022
● pwned
Eighteen avatar
Eighteen [Windows]
Easy 2025-11-15
MSSQLSQL ImpersonationPBKDF2dMSABadSuccessorActive DirectoryWinRM
▲ pwned // not yet retired