
Ultimate HTB CPTS Guide
This blog details my full CPTS preparation path, note-taking workflow, exam experience, and top tips for success — offering practical insights for anyone planning to take on the CPTS challenge.

Busqueda is an easy Linux machine involving command injection in a Python module for initial access. Privilege escalation is achieved by abusing a root-executable system checkup script with a relative path vulnerability, discovered via Gitea creds and repo analysis.

Blurry is a medium-difficulty Linux machine exploiting recent ClearML CVEs (CVE-2024-24590 to CVE-2024-24595) for RCE via its web, API, and file services. Privilege escalation involves crafting a malicious PyTorch model to bypass insecure deserialization checks using runpy.

Freelancer is a hard Windows machine emphasizing real-world pentesting with IDOR, auth bypass, SQL impersonation, and RCE via SQL features. It culminates in advanced AD attacks using the Recycle Bin and Backup Operators group, plus memory forensics and AV evasion.

BoardLight is an easy Linux machine exploiting Dolibarr CVE-2023-30253 to gain www-data, then SSH access via plaintext creds. Privilege escalation is achieved through a vulnerable SUID Enlightenment binary (CVE-2022-37706) for root access.

Editorial is an easy Linux machine using an SSRF vulnerability to access an internal API and retrieve SSH credentials. Further Git enumeration reveals more creds, with root access gained via CVE-2022-24439 and misconfigured sudo permissions.

MagicGardens is an insane Linux box starting with SSRF and XSS in a QR code to access the Django admin panel and gain SSH. Lateral movement involves reversing a traffic analyzer, with root achieved by exploiting insecure deserialization in Docker and escaping via a custom kernel module.

SolarLab is a medium Windows machine leveraging guest SMB access to extract creds, then exploiting ReportLab CVE-2023-33733 for RCE as blake. Local Openfire is then exploited via CVE-2023-32315 for code execution, with log analysis revealing reused Administrator credentials for full access.

Intuition is a hard Linux machine that starts with a CSRF attack and Python urllib CVE-2023-24329 to access server files and source code. Foothold leads to FTP access via LFI, with root gained by reversing a custom binary and exploiting Ansible CVE-2023-5115 for path traversal.

Mailing is an easy Windows machine using path traversal to access hMailServer configs and crack the admin email password. Access to user maya is gained via CVE-2024-21413 to capture and crack NTLM, with root obtained by exploiting LibreOffice CVE-2023-2255.