This machine was retired yesterday, so I decided to publish my writeup the day after. CodePartTwo is an easy machine, which runs a Flask web app vulnerable to RCE due to an outdated and vulnerable library it uses. Once exploited we can dump and crack the registered users' passwords hashes (MD5). That gives us a SSH access, along with the User Flag. Retrieving the Root Flag exploits a weakness in a backup utility the user has root access over (via sudo). ...
This was a real tough one, and I eventually got the System Flag in a very roundabout way. I really suspect there had to be easier ways to get that flag, but I could not figure out how to get around the walls I encountered left and right. Anyway, let’s get to it. Starting this machine, we already have basic credentials: As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw! — Machine Information ...
This is my second writeup, after my first one covering the Conversor machine (machine not yet retired, therefore writeup not yet published). I fell into a few rabbit holes trying to pwn this one, I’m sad to say. We’ll get to that part as well, but first: enum. mairon $ nmap -Pn -n -v --open --top 5000 10.129.7.105 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 21:12 +0100 Initiating Connect Scan at 21:12 Scanning 10.129.7.105 [5000 ports] Discovered open port 80/tcp on 10.129.7.105 Discovered open port 22/tcp on 10.129.7.105 Completed Connect Scan at 21:12, 1.28s elapsed (5000 total ports) Nmap scan report for 10.129.7.105 Host is up (0.017s latency). Not shown: 4998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds ...
I haven’t been pentesting for over 5 years now due to moving to new positions / roles. But lately I decided to dust off some of my dormant pentesting skills. Over the past few days I’ve completed the HTB Starting Point machines after work. All but the VIP (paid) ones. I’m rusty, but most basic skills came back pretty quickly. After each machine I quickly regained courage to keep at it and try harder. I even managed to find my old OSCP notes and snippets, rich with one-liners for popping reverse shells, start listeners, upgrading / stabilising shells, etc., etc. ...