CTF Writeups
HackTheBox and lab walkthroughs with practical exploitation steps.
Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.
Heist
PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-04 18:55:23Z) 135/tcp open msrpc …
Access
Uploaded .htaccess to bypass the filter and got RCE, then privesc by Kerberoasting and the SeManageVolume privilege.
Medjed
nmap -p- 192.168.167.127 -Pn -sCV -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-03 09:32 EDT Warning: 192.168.167.127 giving up on port because retransmission cap hit (10). Nmap scan …
Slorp
Initial Access with RFI and privesc with scheduled task.
Shenzi
Initial access through WordPress and privesc with AlwaysInstallElevated.
Nickel
Exposed API endpoint gave weak creds, privesc with web hosted taking arguments.
Hepet
Initial access with email macro and privesc with PowerUp.
DVR4
PORT STATE SERVICE VERSION 22/tcp open ssh Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use) | ssh-hostkey: | 3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA) |_ 384 …
Resourced
└─$ nmap -p- 192.168.139.175 -Pn -sCV -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-30 08:50 EDT Nmap scan report for 192.168.139.175 Host is up (0.081s latency). Not shown: 65515 …
Kevin
Web behavior was the main signal here, so I traced each response change before exploitation.
Jacko
This writeup covers the full attack path for Jacko, including enumeration, exploitation, and privilege escalation.
Internal
msfconsole search cve:CVE-2009-3103 use exploit/windows/smb/ms09_050_smb2_negotiate_func_index set RHOSTS set LHOST run
Hutch
Initial access through creds leaked with the --users LDAP flag, then foothold with a WebDAV cmdshell, privesc with exposed admin creds in LAPS.
Craft
Initial access with macro doc, privesc with lateral movement for better privs.
Authby
21/tcp open ftp zFTPServer 6.0 build 2011-10-17 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | total 9680 | ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe | …
Algernon
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 04-29-20 10:31PM …
vmdak
Initial access through an RCE exploit, then privesc through exposed creds and an exposed Jenkins interface on a local port.
Snookums
21/tcp open ftp vsftpd 3.0.2 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT | ftp-syst: | STAT: | FTP server status: | Connected to …