cve

  • 24th December 2025

LinkVortex writeup

writeupshack-the-boxlinuxsubdomain-enumerationgitcve

LinkVortex is a Linux box that involves subdomain enumeration and source‑code disclosure via a .git directory. We will reuse hardcoded credentials, exploit a Ghost CMS arbitrary file read (CVE‑2023‑40028) to obtain SSH credentials, and escalate privileges through environment variable manipulation in a custom script.

Read more 
  • 21st December 2025

Titanic writeup

writeupshack-the-boxlinuxlfisubdomain-enumerationhash-crackingcve

Titanic is a Linux box that starts with a local file inclusion (LFI) vulnerability in a Flask web application. We will discover a subdomain, extract credentials from a Gitea instance, crack hashes, and escalate privileges via an ImageMagick configuration‑path vulnerability (GHSA‑8rxc‑922v‑phg8).

Read more 
  • 18th December 2025

TheFrizz writeup

writeupshack-the-boxrcehash-crackingkerberosactive-directorycve

TheFrizz is a hybrid box that combines web exploitation, database credential extraction, and Active Directory lateral movement. We will exploit a Gibbon CMS RCE (CVE‑2023‑45878), extract and crack hashes, use Kerberos authentication, and abuse Group Policy Objects (GPO) for privilege escalation.

Read more 
  • 16th December 2025

Fluffy writeup

writeupshack-the-boxwindowsactive-directorysmbresponderhash-crackingcve

Fluffy is a Windows Active Directory box that focuses on SMB share enumeration and NTLM hash capture. We will exploit CVE‑2025‑24071 via Responder, crack the obtained hash, then leverage shadow credentials and the ESC16 vulnerability to gain domain administrator access.

Read more