A collection of my personal writeups for retired HackTheBox machines. Each writeup documents the full attack path — from initial reconnaissance through privilege escalation — with detailed explanations of the vulnerabilities exploited and the methodology used.
I'm an aspiring penetration tester actively working through HackTheBox machines to sharpen my offensive security skills. These writeups serve as both personal reference notes and a resource for others in the community learning the same concepts.
Every week a new machine is released as part of HackTheBox Season 11. I solve each machine and publish the writeup here after it has been officially retired.
My general approach follows a structured penetration testing methodology:
- Reconnaissance — Port scanning, service enumeration, version detection
- Vulnerability Research — Identifying CVEs and weaknesses based on discovered services
- Exploitation — Gaining initial foothold
- Post-Exploitation — Enumeration for privilege escalation vectors
- Privilege Escalation — Escalating to root
- Documentation — Writing up the full chain with commands and explanations
All writeups are published only after the machine has been officially retired by HackTheBox.
| Machine | OS | Difficulty | Tags |
|---|---|---|---|
| Connected | Linux | Easy | SQLi FreePBX CVE-2025-57819 incron modprobe |
| Reactor | Linux | Easy | Next.js RSC CVE-2025-55182 Node.js Inspector SSH Tunneling |
| DevHub | Linux | Medium | MCP CVE-2026-23744 Jupyter SSH Pivoting Hardcoded API Key |
- Nmap
- Burp Suite
- Netcat
- Hashcat
- SQLite3
- Python (custom exploit scripts)
- SSH tunneling
- Chrome DevTools (Node.js Inspector)
These writeups are intended purely for educational purposes. All machines are retired HackTheBox machines. I do not condone unauthorized access to systems. Always practice ethical hacking in legal environments.
- GitHub: https://github.com/Revenge8
- Discord: revenge_984