HACK THE BOX
Penetration Tester Writeups

Real Hack The Box lab walkthroughs — documenting reconnaissance, exploitation, privilege escalation, and key takeaways. Every writeup is hands-on, methodical, and written to show real offensive security thinking.

VIEW WRITEUPS ↓
WRITEUPS
Labscompleted
01
BEGINNER HTB ACADEMY GETTING STARTED PATH TRAVERSAL PRIVESC
HTB Academy — Getting Started
Full walkthrough covering Nmap full-port scanning, WordPress fingerprinting with WPScan, unauthenticated path traversal via EDB-39883 (Simple Backup Plugin 2.7.10), and privilege escalation through sudo misconfiguration and world-readable SSH private keys.
↓ PDF WRITEUP
May 28, 2026
02
EASY LINUX CMS EXPLOITATION FILE UPLOAD RCE PRIVESC METASPLOIT
HTB — Nibbles
Easy Linux box. Nmap recon revealed Apache on port 80. Page source inspection uncovered a hidden /nibbleblog/ directory running NibbleBlog 4.0.3. Exploited arbitrary file upload via the My Image plugin (default creds: admin:nibbles) to get a reverse shell. Privilege escalation via a NOPASSWD writable sudo script. Alternate method shown using Metasploit.
↓ PDF WRITEUP
May 28, 2026
03
BEGINNER HTB ACADEMY GETSIMPLE CMS CSRF BYPASS THEME EDITOR RCE GTFOBINS
HTB Academy — Knowledge Check (Getting Started Final)
Final challenge of the Getting Started module. GetSimple CMS 3.3.15 identified via whatweb and page source. Default credentials (admin:admin) gave full admin access. Exploited the theme editor to inject a PHP webshell, bypassing CSRF protection via automated nonce extraction. Privilege escalation via GTFOBins PHP technique — www-data could run PHP as ANY user with NOPASSWD.
↓ PDF WRITEUP
May 29, 2026
04
BEGINNER HTB ACADEMY NMAP NSE IDS/IPS EVASION NETWORK ENUMERATION
HTB Academy — Network Enumeration with Nmap
Full Nmap module walkthrough covering host discovery (ARP vs ICMP, TTL-based OS guessing), port scanning techniques (SYN vs Connect, UDP), service enumeration, NSE scripting, and output formats. Lab highlights: banner grabbing a non-standard port for a hidden flag, NSE vuln scan revealing a flag in robots.txt, DNS version query via CHAOS TXT, and source-port 53 firewall evasion with ncat to bypass strict IDS/IPS rules.
↓ PDF WRITEUP
May 30, 2026
4
Labs Completed
10
Flags Captured
4
Privesc Paths Found
12+
Tools Used
RESOURCES
ReferenceMaterials
📋
METHODOLOGY CHECKLIST WEB PENTESTING NMAP v2.0
Web Penetration Testing Methodology Checklist v2.0
Updated checklist built from HTB Academy Getting Started + Nmap modules. New in v2: host discovery, network scanning strategy, TCP/UDP scanning techniques, banner grabbing, NSE vulnerability scanning, and IDS/IPS evasion. 6 phases: Recon & Host Discovery, Port Scanning & Service ID, Web Enumeration, Exploit Discovery, Gaining Foothold, Privilege Escalation.
↓ PDF
Updated May 30, 2026
📋
METHODOLOGY CHECKLIST WEB PENTESTING v1.0
Web Penetration Testing Methodology Checklist v1.0
Original checklist from the Getting Started module — covering WordPress exploitation, NibbleBlog RCE, GetSimple CMS compromise, and Linux privilege escalation. Phases: Reconnaissance, Web Enumeration, Exploit Discovery, Gaining Foothold, Privilege Escalation.
↓ PDF
Compiled by Calm Ay