The most comprehensive collection of Hack The Box writeups, walkthroughs, and cheatsheets on GitHub. 500+ machines, 400+ challenges, ProLabs, Sherlocks (DFIR), CTF events, penetration testing methodology, and OSCP/CPTS certification prep - all in one place.

Why this repo? Unlike scattered blog posts and single-author collections, this is a structured, searchable index of the entire HTB ecosystem - machines from 2017 to 2026, every CTF event, every challenge category, every ProLab - cross-referenced by technique, difficulty, OS, and certification relevance. Whether you're preparing for OSCP, CPTS, CRTO, or just sharpening your skills, start here.
Browse the site for the best experience - interactive tools, search, and dark theme.
| Tool | Type | Description |
|---|---|---|
| Machine Finder | Search & Filter | Find machines by difficulty, OS, technique, CVE, or certification. Table and card views with real-time filtering. |
| Knowledge Graph | Visual Explorer | Interactive D3.js force-directed graph mapping 70+ machines to 40+ techniques and 5 certifications. |
| Attack Paths | Flowcharts | Mermaid diagrams showing complete attack chains for 25+ machines - from recon to root. |
| Skill Trees | Progression Maps | Visual learning paths for AD attacks, web exploitation, Linux/Windows privesc, and cert preparation. |
| Section | Description | Count |
|---|---|---|
| Machines | Boot2root walkthroughs (Easy to Insane) | 300+ |
| Challenges | CTF-style challenges across 12 categories | 400+ |
| ProLabs | Enterprise-grade lab walkthroughs with network topology diagrams | 6 |
| Sherlocks | DFIR & Blue Team investigations | 70+ |
| CTF Events | Official HTB CTF competition writeups | 14 events |
| Endgames | Multi-machine scenario walkthroughs | 5 |
| Fortresses | Multi-flag single-host challenges | 6 |
| Resources | Tools, cheatsheets, cert prep, methodology | 10 guides |
Writeups for retired HTB machines organized by difficulty. Each writeup includes enumeration, exploitation, and privilege escalation steps with full command output.
| Machine | OS | Difficulty | Key Techniques | Date |
|---|---|---|---|---|
| DarkZero | Windows | Hard | Cross-Forest Trust, AD Abuse | Apr 2026 |
| Snapped | Linux | Hard | Nginx UI RCE, Static Site Exploitation | Mar 2026 |
| Browsed | Linux | Medium | Browser Extension Exploitation, Headless Chrome | Mar 2026 |
| Previous | Linux | Medium | NextJS Exploitation, Framework Abuse | Jan 2026 |
| Retire | Windows | Hard | Active Directory, Kerberos Abuse | Jan 2026 |
| Fries | Linux | Hard | Web Exploitation, Custom Exploitation | Nov 2025 |
| NanoCorp | Linux | Hard | Custom Protocol, Binary Analysis | Nov 2025 |
| Hercules | Linux | Insane | Multi-Stage Exploitation | Oct 2025 |
| Signed | Windows | Medium | Code Signing Bypass, Certificate Abuse | Oct 2025 |
| University | Windows | Insane | Multi-Vector Attack, Complex Chain | Aug 2025 |
| Dog | Linux | Easy | Backdrop CMS, Web Exploitation | Jul 2025 |
| Mirage | Windows | Hard | Active Directory, ADCS | Jul 2025 |
| Voleur | Windows | Medium | Data Exfiltration, Custom Exploitation | Jul 2025 |
| RustyKey | Windows | Hard | Rust Binary Exploitation | Jun 2025 |
| TombWatcher | Windows | Medium | Custom Service Exploitation | Jun 2025 |
| Haze | Windows | Hard | Splunk Enterprise Exploitation | Jun 2025 |
| Certificate | Windows | Hard | ADCS, Certificate Template Abuse | May 2025 |
| Vintage | Windows | Hard | Pure Active Directory, Kerberoasting | Apr 2025 |
Active Directory - Kerberoasting, AS-REP Roasting, ADCS, DCSync, Pass-the-Hash, BloodHound
| Machine | Difficulty | Specific AD Technique |
|---|---|---|
| DarkZero | Hard | Cross-Forest Trust Abuse |
| Vintage | Hard | Kerberoasting, Pure AD |
| Certificate | Hard | ADCS Certificate Template Abuse |
| Mirage | Hard | ADCS, Shadow Credentials |
| Haze | Hard | Splunk + AD Integration |
| Retire | Hard | Kerberos Delegation Abuse |
Web Exploitation - SQLi, XSS, SSRF, SSTI, LFI/RFI, Deserialization
| Machine | Difficulty | Specific Web Technique |
|---|---|---|
| Dog | Easy | Backdrop CMS RCE |
| Browsed | Medium | Browser Extension RCE |
| Previous | Medium | NextJS Framework Exploitation |
| Snapped | Hard | Nginx UI Admin Panel RCE |
| Fries | Hard | Custom Web App Exploitation |
Binary Exploitation - Buffer Overflow, ROP, Heap Exploitation, Format Strings
| Machine | Difficulty | Specific Technique |
|---|---|---|
| RustyKey | Hard | Rust Binary Exploitation |
| NanoCorp | Hard | Custom Protocol Exploitation |
Cloud & Infrastructure - AWS, Azure, GCP, Docker, Kubernetes
| Machine | Difficulty | Specific Technique |
|---|---|---|
| Hercules | Insane | Container Escape, Cloud Metadata |
CTF-style challenges organized by category. Each writeup includes the challenge description, approach, solution, and lessons learned.
| Category | Path | Count | Key Skills |
|---|---|---|---|
| Web | challenges/web/ | 75+ | XSS, SQLi, SSTI, SSRF, Deserialization, JWT, GraphQL |
| Crypto | challenges/crypto/ | 93+ | RSA, AES, ECC, Padding Oracle, PRNG, Lattice Attacks |
| Forensics | challenges/forensics/ | 33+ | Memory Analysis, Disk Forensics, Network PCAP, Malware |
| Reversing | challenges/reversing/ | 44+ | x86/x64, .NET, Python, Angr, Anti-Debug, VM |
| Pwn | challenges/pwn/ | 61+ | Stack/Heap Overflow, ROP, SROP, Kernel, tcache |
| Mobile | challenges/mobile/ | 10+ | Android APK, Frida, Smali, Certificate Pinning |
| Hardware | challenges/hardware/ | 11+ | UART, SPI, Firmware, VHDL, RF Analysis |
| OSINT | challenges/osint/ | 12+ | Geolocation, Social Media, DNS, Metadata |
| Misc | challenges/misc/ | 35+ | Scripting, Logic, Encoding, Pickle, Pyjail |
| Stego | challenges/stego/ | 12+ | Image, Audio, LSB, Steghide, ImageMagick |
| Blockchain | challenges/blockchain/ | 10+ | Solidity, Smart Contracts, ERC-721, ECDSA |
| AI/ML | challenges/ai-ml/ | 5+ | Adversarial ML, Prompt Injection, LLM Bypass |
Enterprise-grade lab environments simulating real corporate networks. These writeups cover multi-machine attack paths, lateral movement, and domain dominance.
| Lab | Difficulty | Machines | Focus |
|---|---|---|---|
| Dante | Beginner | 14 | Network Pentesting Fundamentals |
| Offshore | Intermediate | 21 | Active Directory, Multi-Domain |
| RastaLabs | Intermediate | 15 | Red Team Simulation, Phishing |
| Zephyr | Intermediate | 17 | ADCS, DPAPI, Constrained Delegation |
| Cybernetics | Advanced | 20+ | Advanced AD, Cross-Forest Attacks |
| APTLabs | Advanced | 20+ | APT Simulation, Multi-Vector |
DFIR (Digital Forensics & Incident Response) investigation labs. Blue team scenarios where you investigate security incidents and answer forensic questions.
| Name | Difficulty | Focus Area | Writeup |
|---|---|---|---|
| Meerkat | Easy | Suricata IDS, Credential Stuffing, CVE-2022-25237 | 0xdf |
| Brutus | Easy | SSH Brute Force, auth.log Analysis | 0xdf |
| Noted | Easy | Notepad++ Artifacts, Data Extortion | 0xdf |
| Knock Knock | Easy | PCAP, FTP, Port Knocking, GonnaCry Ransomware | 0xdf |
| Bumblebee | Easy | phpBB SQLite, Access Log Analysis | 0xdf |
| Crown Jewel-1 | Medium | NTDS.dit Dump, Volume Shadow Copy Service | CyberWired |
| Noxious | Medium | LLMNR Poisoning, Rogue Device Detection | 0xdf |
| Subatomic | Medium | Electron Malware, Discord Hijacking | 0xdf |
| Nubilum-1 | Medium | AWS CloudTrail, PoshC2, Cloud Forensics | 0xdf |
| MisCloud | Medium | GCP Breach, Gitea Vulnerability | CyberEthical |
| OpTinselTrace (1-5) | Hard | Full APT Campaign Investigation (Christmas 2023) | GitHub |
| APTNightmare | Hard | Advanced Persistent Threat Investigation | GitHub |
See the full Sherlocks index for 70+ Sherlocks with writeup links.
Writeups from official Hack The Box competitive CTF events.
Multi-machine, multi-stage scenarios that simulate real penetration testing engagements. See endgames/README.md for detailed walkthroughs.
Multi-flag single-host challenges created by partner companies. Like machines on steroids. See fortresses/README.md for detailed walkthroughs.
| Fortress | Creator | Flags | Focus |
|---|---|---|---|
| Jet | Jet | 11 | Multi-service exploitation |
| Akerva | Akerva | 8 | WordPress, SNMP, web chains |
| Context | Context/Accenture | 7 | Web + infrastructure |
| Synacktiv | Synacktiv | Multiple | Symfony, AppSec, infrastructure |
| AWS | Amazon Web Services | Multiple | Cloud security, IAM, Lambda, S3 |
| Faraday | Faraday | 7 | General offensive security |
Enumeration & Reconnaissance
| Tool | Purpose | Link |
|---|---|---|
| Nmap | Port scanning & service detection | nmap.org |
| RustScan | Fast port scanner | GitHub |
| Gobuster | Directory/DNS/vhost brute-forcing | GitHub |
| Feroxbuster | Recursive content discovery | GitHub |
| ffuf | Fast web fuzzer | GitHub |
| enum4linux-ng | SMB/Samba enumeration | GitHub |
Web Exploitation
| Tool | Purpose | Link |
|---|---|---|
| Burp Suite | Web proxy & scanner | portswigger.net |
| SQLMap | SQL injection automation | GitHub |
| Nuclei | Template-based vuln scanner | GitHub |
| Caido | Modern web proxy | caido.io |
| PayloadsAllTheThings | Payload repository | GitHub |
Active Directory
| Tool | Purpose | Link |
|---|---|---|
| BloodHound | AD relationship mapping | GitHub |
| Impacket | Network protocol toolkit | GitHub |
| Rubeus | Kerberos abuse | GitHub |
| Certipy | ADCS exploitation | GitHub |
| NetExec (nxc) | Network execution toolkit | GitHub |
| Ligolo-ng | Tunneling/pivoting | GitHub |
Privilege Escalation
Forensics & DFIR
Reverse Engineering
Binary Exploitation
| Tool | Purpose | Link |
|---|---|---|
| pwntools | CTF exploit framework | GitHub |
| ROPgadget | ROP chain builder | GitHub |
| GEF | GDB enhanced features | GitHub |
| one_gadget | libc one-shot gadget | GitHub |
| checksec | Binary security checks | GitHub |
Map your HTB journey to professional certifications.
OSCP (Offensive Security Certified Professional)
Recommended HTB Machines for OSCP Prep:
| Machine | Difficulty | Key Skills |
|---|---|---|
| Lame | Easy | Samba RCE, Basic Exploitation |
| Legacy | Easy | MS08-067, Windows Exploitation |
| Blue | Easy | EternalBlue (MS17-010) |
| Optimum | Easy | HFS RCE, Windows Privesc |
| Shocker | Easy | Shellshock, Linux Basics |
| Nibbles | Easy | CMS Exploitation, File Upload |
| Bashed | Easy | PHP Webshell, Cron Abuse |
| Arctic | Easy | ColdFusion, Windows Exploitation |
| Grandpa | Easy | IIS WebDAV, Token Impersonation |
| Bastard | Medium | Drupal RCE, Windows Privesc |
| Cronos | Medium | DNS Zone Transfer, SQL Injection |
| SolidState | Medium | Apache James RCE, Cron Privesc |
| Node | Medium | API Exploitation, Kernel Exploit |
| Valentine | Easy | Heartbleed, tmux Hijack |
| Poison | Medium | LFI, VNC Tunneling |
| Sunday | Easy | Finger Enumeration, Shadow File |
| DevOops | Medium | XXE, Git Secrets |
| Jeeves | Medium | Jenkins RCE, KeePass Cracking |
| Conceal | Hard | IPSec VPN, SNMP, JuicyPotato |
CPTS (Certified Penetration Testing Specialist)
Recommended HTB Machines for CPTS Prep:
| Machine | Difficulty | Key Skills |
|---|---|---|
| Active | Easy | AD Basics, GPP Abuse, Kerberoasting |
| Forest | Easy | AS-REP Roasting, DCSync |
| Sauna | Easy | AS-REP Roasting, WinRM |
| Monteverde | Medium | Azure AD, Password Spraying |
| Resolute | Medium | DNS Admin DLL Injection |
| Cascade | Medium | LDAP Enumeration, .NET Reversing |
| Blackfield | Hard | AS-REP, Backup Operators Privesc |
| Vintage | Hard | Pure AD Exploitation |
| Certificate | Hard | ADCS Exploitation |
| Support | Easy | LDAP, .NET Binary Analysis |
CRTO (Certified Red Team Operator)
Focus on ProLabs: RastaLabs and Zephyr are directly aligned with CRTO material.
| Machine/Lab | Type | Key Skills |
|---|---|---|
| RastaLabs | ProLab | Phishing, C2, Lateral Movement |
| Zephyr | ProLab | ADCS, DPAPI, Constrained Delegation |
| Offshore | ProLab | Multi-Domain AD |
| Reel | Hard | Phishing, AppLocker Bypass |
| Mantis | Hard | AD, Kerberos, MS14-068 |
```
htb-writeups/
|-- machines/
|   |-- easy/           # Easy difficulty machines
|   |-- medium/         # Medium difficulty machines
|   |-- hard/           # Hard difficulty machines
|   |-- insane/         # Insane difficulty machines
|-- challenges/
|   |-- web/            # Web exploitation challenges
|   |-- crypto/         # Cryptography challenges
|   |-- forensics/      # Digital forensics challenges
|   |-- reversing/      # Reverse engineering challenges
|   |-- pwn/            # Binary exploitation challenges
|   |-- mobile/         # Mobile security challenges
|   |-- hardware/       # Hardware hacking challenges
|   |-- osint/          # OSINT challenges
|   |-- misc/           # Miscellaneous challenges
|   |-- stego/          # Steganography challenges
|   |-- blockchain/     # Blockchain/smart contract challenges
|   |-- ai-ml/          # AI/ML security challenges
|-- prolabs/
|   |-- dante/          # Dante ProLab walkthrough
|   |-- offshore/       # Offshore ProLab walkthrough
|   |-- rastalabs/      # RastaLabs ProLab walkthrough
|   |-- zephyr/         # Zephyr ProLab walkthrough
|   |-- cybernetics/    # Cybernetics ProLab walkthrough
|   |-- aptlabs/        # APTLabs ProLab walkthrough
|-- sherlocks/
|   |-- easy/           # Easy DFIR investigations
|   |-- medium/         # Medium DFIR investigations
|   |-- hard/           # Hard DFIR investigations
|-- ctf-events/         # Official HTB CTF writeups
|-- endgames/           # Multi-machine scenarios
|-- fortresses/         # Fortress challenges
|-- resources/
|   |-- cheatsheets/    # Quick reference guides
|   |-- tools/          # Tool guides and configs
|   |-- methodology/    # Approach guides and templates
|   |-- cert-prep/      # Certification preparation guides
|-- templates/          # Writeup templates
```
- Start with Easy machines - they teach fundamentals
- Follow the Machine Approach Guide for a systematic method
- Use the OSCP Prep list if you're studying for certs
- Try the machine yourself FIRST, then check the writeup
- Focus on Medium/Hard machines by technique (AD, Web, etc.)
- Work through a ProLab (start with Dante)
- Attempt Sherlock challenges for blue team skills
- Participate in CTF events using past writeups as training
- Target Insane machines and Hard challenges
- Complete Cybernetics or APTLabs ProLabs
- Write and contribute your own writeups
- Develop custom tools and methodologies
We welcome contributions! See CONTRIBUTING.md for detailed guidelines.
Quick start:
- Fork the repository
- Use the appropriate template for your writeup
- Place it in the correct category folder
- Submit a Pull Request
Writeup Requirements:
- Only retired machines/challenges (no active content)
- Include all steps: enumeration, exploitation, privilege escalation
- Add screenshots or command output for key steps
- Use the provided templates for consistency
- No spoilers for active content
These writeups are for educational purposes only. All content covers retired machines and challenges that are no longer active on the Hack The Box platform. Sharing solutions for active machines violates HTB's Terms of Service.
Always practice ethical hacking. Only test systems you have explicit authorization to test.
Machine writeups in this repo link to multiple independent authors for diverse perspectives. Here are the primary sources:
This project is licensed under the MIT License - see LICENSE for details.
If this helped you pop a box or pass a cert, drop a star - it helps others find it too.