Hack The Box Writeups - The Ultimate HTB Resource
The most comprehensive collection of Hack The Box writeups, walkthroughs, and cheatsheets on GitHub. 500+ machines, 400+ challenges, ProLabs, Sherlocks (DFIR), CTF events, penetration testing methodology, and OSCP/CPTS certification prep - all in one place.
Why this repo? Unlike scattered blog posts and single-author collections, this is a structured, searchable index of the entire HTB ecosystem - machines from 2017 to 2026, every CTF event, every challenge category, every ProLab - cross-referenced by technique, difficulty, OS, and certification relevance. Whether you're preparing for OSCP, CPTS, CRTO, or just sharpening your skills, start here.
Browse the site for the best experience - interactive tools, search, and dark theme.
| Tool | Description |
|---|---|
| Machine Finder (Search & Filter) | Find machines by difficulty, OS, technique, CVE, or certification. Table and card views with real-time filtering. |
| Knowledge Graph (Visual Explorer) | Interactive D3.js force-directed graph mapping 70+ machines to 40+ techniques and 5 certifications. |
| Attack Paths (Flowcharts) | Mermaid diagrams showing complete attack chains for 25+ machines - from recon to root. |
| Skill Trees (Progression Maps) | Visual learning paths for AD attacks, web exploitation, Linux/Windows privesc, and cert preparation. |
| Section | Description | Count |
|---|---|---|
| Machines | Boot2root walkthroughs (Easy to Insane) | 300+ |
| Challenges | CTF-style challenges across 12 categories | 400+ |
| ProLabs | Enterprise-grade lab walkthroughs with network topology diagrams | 6 |
| Sherlocks | DFIR & Blue Team investigations | 70+ |
| CTF Events | Official HTB CTF competition writeups | 14 events |
| Endgames | Multi-machine scenario walkthroughs | 5 |
| Fortresses | Multi-flag single-host challenges | 6 |
| Resources | Tools, cheatsheets, cert prep, methodology | 10 guides |
Writeups for retired HTB machines organized by difficulty. Each writeup includes enumeration, exploitation, and privilege escalation steps with full command output.
Recently Retired (2025-2026)
| Machine | OS | Difficulty | Key Techniques | Date |
|---|---|---|---|---|
| DarkZero | Windows | Hard | Cross-Forest Trust, AD Abuse | Apr 2026 |
| Snapped | Linux | Hard | Nginx UI RCE, Static Site Exploitation | Mar 2026 |
| Browsed | Linux | Medium | Browser Extension Exploitation, Headless Chrome | Mar 2026 |
| Previous | Linux | Medium | NextJS Exploitation, Framework Abuse | Jan 2026 |
| Retire | Windows | Hard | Active Directory, Kerberos Abuse | Jan 2026 |
| Fries | Linux | Hard | Web Exploitation, Custom Exploitation | Nov 2025 |
| NanoCorp | Linux | Hard | Custom Protocol, Binary Analysis | Nov 2025 |
| Hercules | Linux | Insane | Multi-Stage Exploitation | Oct 2025 |
| Signed | Windows | Medium | Code Signing Bypass, Certificate Abuse | Oct 2025 |
| University | Windows | Insane | Multi-Vector Attack, Complex Chain | Aug 2025 |
| Dog | Linux | Easy | Backdrop CMS, Web Exploitation | Jul 2025 |
| Mirage | Windows | Hard | Active Directory, ADCS | Jul 2025 |
| Voleur | Windows | Medium | Data Exfiltration, Custom Exploitation | Jul 2025 |
| RustyKey | Windows | Hard | Rust Binary Exploitation | Jun 2025 |
| TombWatcher | Windows | Medium | Custom Service Exploitation | Jun 2025 |
| Haze | Windows | Hard | Splunk Enterprise Exploitation | Jun 2025 |
| Certificate | Windows | Hard | ADCS, Certificate Template Abuse | May 2025 |
| Vintage | Windows | Hard | Pure Active Directory, Kerberoasting | Apr 2025 |
Active Directory - Kerberoasting, AS-REP Roasting, ADCS, DCSync, Pass-the-Hash, BloodHound
| Machine | Difficulty | Specific AD Technique |
|---|---|---|
| DarkZero | Hard | Cross-Forest Trust Abuse |
| Vintage | Hard | Kerberoasting, Pure AD |
| Certificate | Hard | ADCS Certificate Template Abuse |
| Mirage | Hard | ADCS, Shadow Credentials |
| Haze | Hard | Splunk + AD Integration |
| Retire | Hard | Kerberos Delegation Abuse |
Web Exploitation - SQLi, XSS, SSRF, SSTI, LFI/RFI, Deserialization
| Machine | Difficulty | Specific Web Technique |
|---|---|---|
| Dog | Easy | Backdrop CMS RCE |
| Browsed | Medium | Browser Extension RCE |
| Previous | Medium | NextJS Framework Exploitation |
| Snapped | Hard | Nginx UI Admin Panel RCE |
| Fries | Hard | Custom Web App Exploitation |
Binary Exploitation - Buffer Overflow, ROP, Heap Exploitation, Format Strings
| Machine | Difficulty | Specific Technique |
|---|---|---|
| RustyKey | Hard | Rust Binary Exploitation |
| NanoCorp | Hard | Custom Protocol Exploitation |
Cloud & Infrastructure - AWS, Azure, GCP, Docker, Kubernetes
| Machine | Difficulty | Specific Technique |
|---|---|---|
| Hercules | Insane | Container Escape, Cloud Metadata |
CTF-style challenges organized by category. Each writeup includes the challenge description, approach, solution, and lessons learned.
| Category | Path | Count | Key Skills |
|---|---|---|---|
| Web | challenges/web/ | 75+ | XSS, SQLi, SSTI, SSRF, Deserialization, JWT, GraphQL |
| Crypto | challenges/crypto/ | 93+ | RSA, AES, ECC, Padding Oracle, PRNG, Lattice Attacks |
| Forensics | challenges/forensics/ | 33+ | Memory Analysis, Disk Forensics, Network PCAP, Malware |
| Reversing | challenges/reversing/ | 44+ | x86/x64, .NET, Python, Angr, Anti-Debug, VM |
| Pwn | challenges/pwn/ | 61+ | Stack/Heap Overflow, ROP, SROP, Kernel, tcache |
| Mobile | challenges/mobile/ | 10+ | Android APK, Frida, Smali, Certificate Pinning |
| Hardware | challenges/hardware/ | 11+ | UART, SPI, Firmware, VHDL, RF Analysis |
| OSINT | challenges/osint/ | 12+ | Geolocation, Social Media, DNS, Metadata |
| Misc | challenges/misc/ | 35+ | Scripting, Logic, Encoding, Pickle, Pyjail |
| Stego | challenges/stego/ | 12+ | Image, Audio, LSB, Steghide, ImageMagick |
| Blockchain | challenges/blockchain/ | 10+ | Solidity, Smart Contracts, ERC-721, ECDSA |
| AI/ML | challenges/ai-ml/ | 5+ | Adversarial ML, Prompt Injection, LLM Bypass |
Enterprise-grade lab environments simulating real corporate networks. These writeups cover multi-machine attack paths, lateral movement, and domain dominance.
| Lab | Difficulty | Machines | Focus |
|---|---|---|---|
| Dante | Beginner | 14 | Network Pentesting Fundamentals |
| Offshore | Intermediate | 21 | Active Directory, Multi-Domain |
| RastaLabs | Intermediate | 15 | Red Team Simulation, Phishing |
| Zephyr | Intermediate | 17 | ADCS, DPAPI, Constrained Delegation |
| Cybernetics | Advanced | 20+ | Advanced AD, Cross-Forest Attacks |
| APTLabs | Advanced | 20+ | APT Simulation, Multi-Vector |
DFIR (Digital Forensics & Incident Response) investigation labs. Blue team scenarios where you investigate security incidents and answer forensic questions.
| Name | Difficulty | Focus Area | Writeup |
|---|---|---|---|
| Meerkat | Easy | Suricata IDS, Credential Stuffing, CVE-2022-25237 | 0xdf |
| Brutus | Easy | SSH Brute Force, auth.log Analysis | 0xdf |
| Noted | Easy | Notepad++ Artifacts, Data Extortion | 0xdf |
| Knock Knock | Easy | PCAP, FTP, Port Knocking, GonnaCry Ransomware | 0xdf |
| Bumblebee | Easy | phpBB SQLite, Access Log Analysis | 0xdf |
| Crown Jewel-1 | Medium | NTDS.dit Dump, Volume Shadow Copy Service | CyberWired |
| Noxious | Medium | LLMNR Poisoning, Rogue Device Detection | 0xdf |
| Subatomic | Medium | Electron Malware, Discord Hijacking | 0xdf |
| Nubilum-1 | Medium | AWS CloudTrail, PoshC2, Cloud Forensics | 0xdf |
| MisCloud | Medium | GCP Breach, Gitea Vulnerability | CyberEthical |
| OpTinselTrace (1-5) | Hard | Full APT Campaign Investigation (Christmas 2023) | GitHub |
| APTNightmare | Hard | Advanced Persistent Threat Investigation | GitHub |
See the full Sherlocks index for 70+ Sherlocks with writeup links.
Writeups from official Hack The Box competitive CTF events.
Multi-machine, multi-stage scenarios that simulate real penetration testing engagements. See endgames/README.md for detailed walkthroughs.
Multi-flag single-host challenges created by partner companies. Like machines on steroids. See fortresses/README.md for detailed walkthroughs.
| Fortress | Creator | Flags | Focus |
|---|---|---|---|
| Jet | Jet | 11 | Multi-service exploitation |
| Akerva | Akerva | 8 | WordPress, SNMP, web chains |
| Context | Context/Accenture | 7 | Web + infrastructure |
| Synacktiv | Synacktiv | Multiple | Symfony, AppSec, infrastructure |
| AWS | Amazon Web Services | Multiple | Cloud security, IAM, Lambda, S3 |
| Faraday | Faraday | 7 | General offensive security |
Enumeration & Reconnaissance
| Tool | Purpose | Link |
|---|---|---|
| Nmap | Port scanning & service detection | nmap.org |
| RustScan | Fast port scanner | GitHub |
| Gobuster | Directory/DNS/vhost brute-forcing | GitHub |
| Feroxbuster | Recursive content discovery | GitHub |
| ffuf | Fast web fuzzer | GitHub |
| enum4linux-ng | SMB/Samba enumeration | GitHub |
Web Exploitation
| Tool | Purpose | Link |
|---|---|---|
| Burp Suite | Web proxy & scanner | portswigger.net |
| SQLMap | SQL injection automation | GitHub |
| Nuclei | Template-based vuln scanner | GitHub |
| Caido | Modern web proxy | caido.io |
| PayloadsAllTheThings | Payload repository | GitHub |
Active Directory
| Tool | Purpose | Link |
|---|---|---|
| BloodHound | AD relationship mapping | GitHub |
| Impacket | Network protocol toolkit | GitHub |
| Rubeus | Kerberos abuse | GitHub |
| Certipy | ADCS exploitation | GitHub |
| NetExec (nxc) | Network execution toolkit | GitHub |
| Ligolo-ng | Tunneling/pivoting | GitHub |
Privilege Escalation
Forensics & DFIR
| Tool | Purpose | Link |
|---|---|---|
| Volatility 3 | Memory forensics | GitHub |
| Autopsy | Disk forensics | autopsy.com |
| Wireshark | Network capture analysis | wireshark.org |
| CyberChef | Data transformation | GitHub |
| Chainsaw | Windows event log analysis | GitHub |
Reverse Engineering
Binary Exploitation
| Tool | Purpose | Link |
|---|---|---|
| pwntools | CTF exploit framework | GitHub |
| ROPgadget | ROP chain builder | GitHub |
| GEF | GDB enhanced features | GitHub |
| one_gadget | libc one-shot gadget | GitHub |
| checksec | Binary security checks | GitHub |
Map your HTB journey to professional certifications.
OSCP (Offensive Security Certified Professional)
Recommended HTB Machines for OSCP Prep:
| Machine | Difficulty | Key Skills |
|---|---|---|
| Lame | Easy | Samba RCE, Basic Exploitation |
| Legacy | Easy | MS08-067, Windows Exploitation |
| Blue | Easy | EternalBlue (MS17-010) |
| Optimum | Easy | HFS RCE, Windows Privesc |
| Shocker | Easy | Shellshock, Linux Basics |
| Nibbles | Easy | CMS Exploitation, File Upload |
| Bashed | Easy | PHP Webshell, Cron Abuse |
| Arctic | Easy | ColdFusion, Windows Exploitation |
| Grandpa | Easy | IIS WebDAV, Token Impersonation |
| Bastard | Medium | Drupal RCE, Windows Privesc |
| Cronos | Medium | DNS Zone Transfer, SQL Injection |
| SolidState | Medium | Apache James RCE, Cron Privesc |
| Node | Medium | API Exploitation, Kernel Exploit |
| Valentine | Easy | Heartbleed, tmux Hijack |
| Poison | Medium | LFI, VNC Tunneling |
| Sunday | Easy | Finger Enumeration, Shadow File |
| DevOops | Medium | XXE, Git Secrets |
| Jeeves | Medium | Jenkins RCE, KeePass Cracking |
| Conceal | Hard | IPSec VPN, SNMP, JuicyPotato |
CPTS (Certified Penetration Testing Specialist)
Recommended HTB Machines for CPTS Prep:
| Machine | Difficulty | Key Skills |
|---|---|---|
| Active | Easy | AD Basics, GPP Abuse, Kerberoasting |
| Forest | Easy | AS-REP Roasting, DCSync |
| Sauna | Easy | AS-REP Roasting, WinRM |
| Monteverde | Medium | Azure AD, Password Spraying |
| Resolute | Medium | DNS Admin DLL Injection |
| Cascade | Medium | LDAP Enumeration, .NET Reversing |
| Blackfield | Hard | AS-REP, Backup Operators Privesc |
| Vintage | Hard | Pure AD Exploitation |
| Certificate | Hard | ADCS Exploitation |
| Support | Easy | LDAP, .NET Binary Analysis |
CRTO (Certified Red Team Operator)
Focus on ProLabs: RastaLabs and Zephyr are directly aligned with CRTO material.
| Machine/Lab | Type | Key Skills |
|---|---|---|
| RastaLabs | ProLab | Phishing, C2, Lateral Movement |
| Zephyr | ProLab | ADCS, DPAPI, Constrained Delegation |
| Offshore | ProLab | Multi-Domain AD |
| Reel | Hard | Phishing, AppLocker Bypass |
| Mantis | Hard | AD, Kerberos, MS14-068 |
htb-writeups/
|-- machines/
| |-- easy/ # Easy difficulty machines
| |-- medium/ # Medium difficulty machines
| |-- hard/ # Hard difficulty machines
| |-- insane/ # Insane difficulty machines
|-- challenges/
| |-- web/ # Web exploitation challenges
| |-- crypto/ # Cryptography challenges
| |-- forensics/ # Digital forensics challenges
| |-- reversing/ # Reverse engineering challenges
| |-- pwn/ # Binary exploitation challenges
| |-- mobile/ # Mobile security challenges
| |-- hardware/ # Hardware hacking challenges
| |-- osint/ # OSINT challenges
| |-- misc/ # Miscellaneous challenges
| |-- stego/ # Steganography challenges
| |-- blockchain/ # Blockchain/smart contract challenges
| |-- ai-ml/ # AI/ML security challenges
|-- prolabs/
| |-- dante/ # Dante ProLab walkthrough
| |-- offshore/ # Offshore ProLab walkthrough
| |-- rastalabs/ # RastaLabs ProLab walkthrough
| |-- zephyr/ # Zephyr ProLab walkthrough
| |-- cybernetics/ # Cybernetics ProLab walkthrough
| |-- aptlabs/ # APTLabs ProLab walkthrough
|-- sherlocks/
| |-- easy/ # Easy DFIR investigations
| |-- medium/ # Medium DFIR investigations
| |-- hard/ # Hard DFIR investigations
|-- ctf-events/ # Official HTB CTF writeups
|-- endgames/ # Multi-machine scenarios
|-- fortresses/ # Fortress challenges
|-- resources/
| |-- cheatsheets/ # Quick reference guides
| |-- tools/ # Tool guides and configs
| |-- methodology/ # Approach guides and templates
| |-- cert-prep/ # Certification preparation guides
|-- templates/ # Writeup templates
How to Use This Repository
Start with Easy machines - they teach fundamentals
Follow the Machine Approach Guide for a systematic method
Use the OSCP Prep list if you're studying for certs
Try the machine yourself FIRST, then check the writeup
Focus on Medium/Hard machines by technique (AD, Web, etc.)
Work through a ProLab (start with Dante)
Attempt Sherlock challenges for blue team skills
Participate in CTF events using past writeups as training
Target Insane machines and Hard challenges
Complete Cybernetics or APTLabs ProLabs
Write and contribute your own writeups
Develop custom tools and methodologies
We welcome contributions! See CONTRIBUTING.md for detailed guidelines.
Quick start:
Fork the repository
Use the appropriate template for your writeup
Place it in the correct category folder
Submit a Pull Request
Writeup Requirements:
Only retired machines/challenges (no active content)
Include all steps: enumeration, exploitation, privilege escalation
Add screenshots or command output for key steps
Use the provided templates for consistency
No spoilers for active content
These writeups are for educational purposes only. All content covers retired machines and challenges that are no longer active on the Hack The Box platform. Sharing solutions for active machines violates HTB's Terms of Service.
Always practice ethical hacking. Only test systems you have explicit authorization to test.
Machine writeups in this repo link to multiple independent authors for diverse perspectives. Here are the primary sources:
This project is licensed under the MIT License - see LICENSE for details.
If this helped you pop a box or pass a cert, drop a star - it helps others find it too.