HackTheBox Season 10 Writeups

Feel free to reach out on LinkedIn or any of my socials in case you need help with the challenge. The full writeup will be released after the box is retired.

HackTheBox Season 10 PingPong writeup: cross-forest Active Directory compromise from a low-privileged user to Domain Admin via ADCS ESC4, gMSA credential reading, RBCD, SeImpersonatePrivilege/GodPotato, DCSync, and JEA constrained-language bypass.

HackTheBox Season 10 Logging writeup: unauthenticated AD enumeration, shadow-credential abuse to reset msa_health for the initial foothold, DLL hijacking on UpdateMonitor for lateral movement, and ADCS ESC1 + WSUS abuse for Domain Admin.

HackTheBox Season 10 Silentium writeup: unauthorized account takeover into FlowiseAI RCE (CVE-2025-59528), reused/insecure password storage in Gogs (CVE-2025-58434), and arbitrary write via symlinks and HTTP PUT (CVE-2025-64111).

HackTheBox Season 10 Garfield writeup: initial access via a batch script, lateral movement through ForceChangePassword, Ligolo pivot to a Read-Only Domain Controller, and full domain compromise through RODC KeyList abuse.

HackTheBox Season 10 DevArea writeup: leak credentials through an Apache CXF SSRF + file wrapper, replay them into Hoverfly to gain RCE, and escalate to root via a world-writable bash binary triggered by the syswatch script.

HackTheBox Season 10 Kobold writeup: initial foothold through MCPJam RCE (CVE-2026-23744), LFI-to-RCE in PrivateBin (CVE-2025-64714) to harvest stored credentials, and root via the Arcane container orchestration platform.

HackTheBox Season 10 VariaType writeup: LFI-to-RCE for initial access through fonttools, lateral movement through a writable cron job, and privilege escalation via a vulnerable FontForge/setuptools-driven binary.

HackTheBox Season 10 CCTV writeup: ZoneMinder authenticated SQLi to leak credentials for the initial foothold, then escalate to root via MotionEye command injection running as a superuser.

HackTheBox Season 10 Pirate writeup: assumed-breach Active Directory chain through Pre2k machine accounts, gMSA password reads, NTLM relay, authentication coercion, SPN jacking, and constrained delegation.

HackTheBox Season 10 Interpreter writeup: foothold through Mirth Connect unauthenticated RCE (CVE-2023-43208 / CVE-2023-37679), lateral movement by cracking a user hash from the database, and XXE-driven privilege escalation.

HackTheBox Season 10 WingData writeup: WingFTP unauthenticated RCE for the foothold, password cracking against a database hash for lateral movement, and root via tarslip with soft/hard links and filter bypass.

HackTheBox Season 10 Pterodactyl writeup: unauthenticated RCE on a SUSE host via PHP PearCMD, lateral movement through PAM misconfiguration, and root via the udisks2/libblockdev race-condition chain (CVE-2025-6018 / CVE-2025-6019).

HackTheBox Season 10 Facts writeup: mass assignment (CWE-915) on a Chameleon CMS endpoint to elevate to admin, SSH-key exfiltration from a misconfigured S3 bucket, and root via a SUID misconfiguration.
