In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.

I have just owned machine NanoCorp from Hack The Box

I have just owned machine NanoCorp from Hack The Box

RustyKey HTB walkthrough: Timeroasting to crack computer passwords, ForceChangePassword abuse, CLSID hijacking via registry, and RBCD for domain compromise.

Introduction: In the competitive world of cybersecurity, theoretical knowledge is insufficient; practical, hands-on experience is the true differentiator. Platforms like HackTheBox (HTB) provide a controlled, gamified environment where aspiring security professionals can legally test their skills against real-world vulnerabilities. Achieving a 1000-reputation milestone, as highlighted in a recent social media post, signifies a critical transition from novice to a competent practitioner capable of identifying and exploiting security flaws.

Getting Familiar with MongoDB

Rsync is a Pretty Important Tool

Introduction: The traditional method of learning penetration testing through HackTheBox writeups is being transformed by artificial intelligence. Cybersecurity professionals are now using AI tutors to deeply understand exploitation techniques without being handed the solution, creating a more effective learning experience that builds genuine expertise rather than dependency on walkthroughs. Learning Objectives: Master prompt engineering techniques for creating effective AI hacking tutors…

I have just owned machine Giveback from Hack The Box

Generative AI has many applications. An amazing one is to give it a writeup to a challenge you're trying to solve but stuck on and getting it to coach you th...

Dump has a website that collects packets on a specific port. It can also handle PCAP uploads and download all the current PCAP files in a zip archive. I’ll abuse wildcard injection in the zip command with some carefully crafted filenames to get RCE and a shell. I’ll pivot to the next user with a password from the database. I’ll then abuse how www-data can run sudo to run tcpdump to get root.

I have just owned machine Giveback from Hack The Box

Introduction: The HackTheBox machine "Voleur" represents a sophisticated assumed-breach Active Directory scenario that tests multiple advanced attack vectors. This complex engagement demonstrates how attackers can chain together vulnerabilities in password management, DPAPI exploitation, and Kerberos attacks to compromise entire Windows domains. Learning Objectives: Master techniques for recovering deleted user accounts and associated credentials Understand DPAPI exploitation for credential extraction from registry hives…

Introduction: The compromise of an Active Directory domain remains a primary objective for cyber adversaries, and the HackTheBox "Voleur" machine provides a masterclass in chaining together common misconfigurations to achieve full domain dominance. This attack path, from initial access to Domain Admin, leverages vulnerabilities in Kerberos, user permissions, and the Data Protection API (DPAPI) to demonstrate a realistic enterprise network intrusion.

I have just owned challenge Phase Madness from Hack The Box

Voleur is an active directory box that starts with assume breach credentials. I’ll find an Excel notebook with credentials and get a shell. I’ll find a deleted user and switch to a service account to recover it. That user can access an SMB share with a user’s home directory backup, where I’ll find DPAPI encrypted credentials. I’ll recover those, getting access to an SSH key that provides access to a WSL instance. There I’ll find registry hive backups where I can dump the administrator hash.

HTB Store walkthrough: exploiting XOR encryption for arbitrary file read, SFTP tunneling to Node.js debugger, and Chrome webdriver RCE for root access.