CTF Writeups

HackTheBox and lab walkthroughs with practical exploitation steps.

Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.

Levram

·185 words·1 min

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 …

Hub

·275 words·2 mins

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 …

Extplorer

·178 words·1 min

Easy PHP shell, then privesc via a password exposed in config and disk permissions.

Crane

·118 words·1 min

Web behavior was the main signal here, so I traced each response change before exploitation.

Codo

·100 words·1 min

Default creds on web portal -> file upload -> exposed creds.

Cockpit

·334 words·2 mins

This writeup covers the full attack path for Cockpit, including enumeration, exploitation, and privilege escalation.

Clue

·543 words·3 mins

This writeup covers the full attack path for Clue, including enumeration, exploitation, and privilege escalation.

Boolean

·451 words·3 mins

Bypassed account confirmation + LFI, access with SSH and privesc with SSH.

BlackGate

·238 words·2 mins

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 37:21:14:3e:23:e5:13:40:20:05:f9:79:e0:82:0b:09 (RSA) | 256 …

Astronaut

·523 words·3 mins

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA) | 256 …

Twiggy

·261 words·2 mins

Found an exposed API endpoint, which was using an outdated Salt version that had an RCE vuln associated with it.

Pelican

·550 words·3 mins

Initial access via the UI and then privesc with sudo -l process dump.

Exfiltrated

·224 words·2 mins

Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 …

Facts

·814 words·4 mins

└─$ nmap -sCV -A --min-rate=20000 facts.htb Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-10 06:52 EDT Nmap scan report for facts.htb (10.129.4.247) Host is up (0.10s latency). Not shown: …

WingData

·725 words·4 mins

Host is up (0.11s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 …

Pirate

·1017 words·5 mins

As is common in real-life pentests, you will start the Pirate box with credentials for the following account: pentest / p3nt3st2025!&

StreamIO

·872 words·5 mins

This writeup covers the full attack path for StreamIO, including enumeration, exploitation, and privilege escalation.