CTF Writeups

HackTheBox and lab walkthroughs with practical exploitation steps.

Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.

Sea

·305 words·2 mins

PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.45.159 | Logged in as ftp | TYPE: ASCII | No session …

Payday

·462 words·3 mins

Easy RCE and privesc with same user, same pass, and sudo all.

Ochima

·228 words·2 mins

Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-26 09:53 EDT Nmap scan report for 192.168.143.32 Host is up (0.083s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE VERSION …

CVE-2023-6019

·220 words·2 mins

Man, this was literally the title and 1 click; how is it intermediate?

Jordak

·3369 words·16 mins

Simple RCE with public exploit and then privesc with env variable sudo perm.

BitLocker

·282 words·2 mins

Exposed creds, updated MySQL DB pass to work with authenticated RCE, and then privesc with creds in a process and then sudo perms over .py.

SPX

·279 words·2 mins

RCE through SPX version and key leaked in phpinfo, privesc with sudo perms over make.

Plum

·130 words·1 min

22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA) …

Workaholic

·327 words·2 mins

Initial access with WordPress plugin SQLi and then privesc with SUID that needed compiling a library with a plugin.

PyLoader

·170 words·1 min

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 …

Flu

·404 words·2 mins

Nmap was my starting point here, and the service/version clues below shaped the next checks.

RubyDome

·246 words·2 mins

nmap 192.168.243.22 -sCV -Pn -p- -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 10:01 EDT Nmap scan report for 192.168.243.22 Host is up (0.079s latency). Not shown: 65533 closed …

Scrutiny

·135 words·1 min

Nmap was my starting point here, and the service/version clues below shaped the next checks.

Press

·198 words·1 min

Initial access with default creds and magic byte file upload bypass, privesc with gtfobins.

pc

·267 words·2 mins

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA) | 256 …

LaVita

·99 words·1 min

This writeup covers the full attack path for LaVita, including enumeration, exploitation, and privilege escalation.

Fired

·175 words·1 min

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 …

law

·117 words·1 min

Web behavior was the main signal here, so I traced each response change before exploitation.