2026-01-27 / AES-CTR then OTP
Use the missing-value leak caused by a biased OTP (no 0x00) to recover the reused CTR keystream and XOR it with the flag to reveal it.
2026-01-12 / Linux
An uploaded Chrome extension executed by a host-level admin bot enabled localhost SSRF into a vulnerable Flask app, leading to Bash arithmetic injection for a user shell and then root via Python __pycache__ bytecode poisoning.
2026-01-08 / Windows (No Root)
Abused server-side ZIP extraction to leak and crack an NTLMv2 hash, then leveraged a BloodHound-identified GenericAll ACL path to reset a service account password and authenticate via Kerberos WinRM to obtain user.txt. -- failed to obtain root privilege.
2026-01-03 / Windows (No Root)
MSSQL access with default creds allowed impersonation to extract application database credentials, pivot through AD enumeration and WinRM access, and obtain user.txt. -- failed to obtain root privilege.
2025-12-28 / Linux
Bypassing Next.js middleware led to LFI, leaked hardcoded auth credentials, an SSH pivot, and a root compromise via Terraform provider hijacking.
2025-12-16 / Linux
A root-executed needrestart trusted a user-controlled PYTHONPATH, allowing a malicious native Python module to be loaded as root and yielding instant full privilege escalation.
2025-12-11 / Linux
A leaked session cookie cascaded into LFI, web RCE, and—through weak credentials and a flawed root cron tool—full root compromise.
2025-12-10 / Windows
Misconfigured environment files and weak application logic enabled a chained attack from initial web access to full Windows host compromise through Cacti RCE and Docker API abuse.
2025-12-08
React2Shell turns React Flight’s unsafe deserialization into a clean exploit chain—prototype poisoning → Function constructor → child_process.execSync—allowing full server-side RCE from a single crafted Flight payload.
2025-12-07
By exploiting RSA’s multiplicative homomorphism and the tiny structured key space, a meet-in-the-middle attack reconstructs the AES key without breaking RSA, allowing full decryption of the FLAG.
2025-12-04 / Linux
Notes covering IKE enumeration, PSK hash cracking, and sudo CVE-based root escalation.
2025-12-02 / Linux
Pentest walkthrough including enumeration, PCAP analysis, credential extraction, and cap_setuid priv-esc.