HTB
QMM — HTB Challenge
Quantum-themed heap UAF via entanglement, FILE structure hijack on stdout for libc/stack leaks, tcache poisoning, and ROP.
retleave·Apr 21, 2026·9 min
HTB
Under the Web — HTB Challenge
Web+binary hybrid: path traversal leaks ASLR bases, EXIF metadata in PNG overwrites PHP extension GOT for RCE.
Apr 21, 20268m
HTB
Runic — HTB Challenge
Null-byte name collision heap overflow with tcache safe-linking bypass, environ leak, and stack ROP chain.
Apr 21, 20268m
HTB
Magic Scrolls — HTB Challenge
Heap overflow via OOB magic number write leading to arbitrary read, environ stack leak, tcache poisoning, and ROP.
Apr 21, 20268m
HTB
Last Resort — HTB Challenge
Fuzzing-based challenge exploiting an integer comparison overflow in a sorting algorithm's comparator function.
Apr 21, 20267m
HTB
Kryptor2 — HTB Challenge
Linux kernel module exploitation via SHA-384 hash overflow, IPC msg_msg spray, arbitrary kernel read, and ROP to root.
Apr 21, 20269m
HTB
Heapify — HTB Challenge
Priority queue heap overflow with binary search pointer leak, tcache poisoning, and ld.so resolver hijack for RCE.
Apr 21, 20268m
HTB
Blinded — HTB Challenge
Blind heap exploitation with single-byte write primitive targeting ld.so dso_find_for_object for code execution under Full RELRO and PIE.
Apr 21, 20269m
HTB
Offlinea — HTB Challenge
Chaining PHP/Flask parameter pollution, Python format string injection for SECRET_KEY leak, JWT forgery, and SSRF to extract the flag.
Apr 21, 20269m
HTB
Secure Notes — HTB Challenge
Mongoose prototype pollution via MongoDB $rename operator, exploiting Node.js _peername.address internal gadget to bypass localhost IP check.
Apr 21, 20267m
HTB
Noisy Vault — HTB Challenge
[Easy] Quantum challenge: recovering a 64-bit secret key through noisy measurements using majority voting across 4096 shots.
Apr 21, 20268m
HTB
The Needle — HTB Challenge
[Very Easy] Firmware analysis: binwalk extraction of squashfs, finding hardcoded telnet credentials in init scripts to access the device.
Apr 21, 20266m
HTB
CubeMadness1 — HTB Challenge
[Very Easy] GamePwn challenge: extracting the flag from Unity IL2CPP game assets using UnityPy to dump textures from the splash screen.
Apr 21, 20266m
HTB
Baby Time Capsule — HTB Challenge
[Easy] Classic Hastad broadcast attack against RSA with e=5. Collect 5 ciphertexts, apply CRT, and take the integer 5th root.
Apr 21, 20266m
HTB
Low Logic — HTB Challenge
[Easy] Hardware challenge: reverse-engineering an RTL circuit from a schematic to determine the logic function (IN0 AND IN1) OR (IN2 AND IN3).
Apr 21, 20265m
HTB
Quantum Flagportation — HTB Challenge
[Easy] Solving the quantum teleportation protocol challenge: applying X/Z corrections based on Bell measurements to recover the flag bit by bit.
Apr 21, 20267m
HTB
Cobblestone — HTB Box Writeup
[Insane] Full writeup of HackTheBox Cobblestone box: SQLi to webshell, rbash escape, and Cobbler CVE-2024-47533 Cheetah template injection for root.
Apr 21, 20267m