Richie Havoc
Security Researcher | Student | Pentester | CTF Player 🎉
Latest Posts
HTB Checkpoint Complete Writeup - AD Recycle Bin Abuse, Malicious VSIX Supply Chain, BadSuccessor dMSA PrivEsc & NTDS.dit Extraction from VM Backup
Checkpoint is a HackTheBox Medium Windows machine running Windows Server 2025 as a Domain Controller. The attack chain starts with low-privilege credentials for alex.turner, who has WRITE access on the AD Recycle Bin container and CREATE_CHILD on the Employees OU. Restoring the deleted user mark.davies and enabling AS-REP roasting recovers reused credentials, granting WRITE on the DevDrop SMB share. A malicious VS Code extension dropped to that share is auto-installed by a scheduled task running as ryan.brooks, yielding the user flag. Privilege escalation uses ryan.brooks's CreateChild permission on the dMSA-holder OU to perform the BadSuccessor attack against svc_deploy, extracting its NT hash from the KERB-DMSA-KEY-PACKAGE Kerberos structure. svc_deploy is in BackupAccess, which grants READ on a VMBackups share containing a VHDX disk image. Mounting the image and extracting NTDS.dit with the SYSTEM hive produces the Administrator NT hash, completing a Pass-the-Hash takeover of the domain.
HTB Connected Complete Writeup - CVE-2025-57819 FreePBX Pre-Auth RCE, PHP Webshell, Incron Abuse & fwconsole-commands Hook PrivEsc
Connected is a HackTheBox Easy Linux machine (CentOS 7) running FreePBX 16.0.40.7 on ports 80 and 443. The attack chain starts with CVE-2025-57819, a critical pre-authentication vulnerability that chains a PHP namespace-based authentication bypass with SQL injection in the brand parameter of the /admin/ajax.php endpoint. The injected SQL plants a cron job that writes a PHP webshell to the web root within 60 seconds, landing a shell as the asterisk service account and revealing the user flag. Privilege escalation abuses incron, a filesystem event-driven cron daemon, which monitors /var/spool/asterisk/incron/ as root. The asterisk user can write filenames to that directory, and by crafting a filename following the module.hook.params convention and encoding a command as zlib+base64 to bypass shell metacharacter filtering, the sysadmin_manager script executes our payload as root via the api/fwconsole-commands hook, copying the root flag to the web root for retrieval.
HTB DevHub Complete Writeup - CVE-2026-23744 MCPJam RCE, JupyterLab WebSocket Code Execution & OPSMCP Admin Tool Abuse
DevHub is a HackTheBox Season 11 Medium Linux machine built around a developer tooling stack running entirely on localhost. The attack chain starts with CVE-2026-23744, an unauthenticated RCE in MCPJam Inspector <= 1.4.2 where crafted HTTP requests trigger MCP server installation and arbitrary command execution. From the initial shell, internal enumeration reveals a JupyterLab instance running as analyst with its auth token exposed in process arguments, exploitable via the Jupyter REST API and WebSocket kernel protocol without any browser interaction. Source code of the OPSMCP Flask API running as root contains a hardcoded API key and a hidden admin tool named ops._admin_dump. Calling this tool with the target ssh_keys argument returns root's OpenSSH private key, completing the chain from unauthenticated network access to full root.
HackTheBox Reactor Complete Writeup - CVE-2025-55182 Next.js RCE, SQLite Credential Dump, MD5 Cracking & Node.js Inspector PrivEsc
Reactor is a HackTheBox Medium Linux machine running a Next.js 15.0.3 web application on port 3000. The attack chain starts with CVE-2025-55182, a critical unauthenticated RCE in Next.js that allows arbitrary command execution via a crafted React Flight payload, landing a shell as the node user. Post-exploitation reveals a SQLite database containing MD5-hashed credentials for two users. Hashcat cracks the engineer hash against rockyou.txt in seconds. Direct SSH does not work, so lateral movement is achieved via su from the existing shell, recovering the user flag. Privilege escalation abuses a Node.js Inspector debug socket on localhost port 9229, using the node inspect client to execute system commands via child_process.execSync and read the root flag directly.
TJCTF 2026: Minerva's Stopwatch Cryptography Challenge and unfinished-file Forensics Challenge Writeup
A full walkthrough of two TJCTF 2026 challenges across the cryptography and forensics categories. The first challenge, Minerva's Stopwatch, involves exploiting a P-256 ECDSA timing side-channel to set up a Hidden Number Problem instance, then recovering the private key via LLL-based lattice reduction and CVP to decrypt a flag. The second challenge, unfinished-file, involves parsing a partial Chrome download in the crdownload format, locating embedded ZIP data, identifying an obfuscated file entry, and recovering the flag via single-byte XOR. Each writeup includes full solution scripts, beginner-friendly explanations of the underlying techniques, and key takeaways on the cryptographic and forensic weaknesses exploited.
SK-CERT CyberGame 2026: Cryptography Challenges Writeup
A full walkthrough of the SK-CERT CyberGame 2026 cryptography challenges, covering five distinct problems ranging from beginner to advanced. Topics include musical notation substitution ciphers, layered repeating-key XOR with PE reverse engineering, ZipCrypto known-plaintext attacks using bkcrack, an anomalous RSA challenge with an exponent approaching N^4 solved via lattice methods, and a quadratic twist elliptic curve DLP solved with Pohlig-Hellman over smooth-order subgroups. Each writeup includes full solution scripts, beginner-friendly explanations, and key takeaways on the underlying cryptographic weaknesses.