This repository is made to upload some custom interesting scripts in different programming languages that are useful to exploit certain vulnerabilities in Hack The Box retired machines/challenges.
Detailed write-ups are posted on my personal blog: https://7rocky.github.io/en/htb and https://7rocky.github.io/en/ctf/htb-challenges.
For every machine/challenge, there is a README.md file that explains how the script is built, giving some reasons why and doing some troubleshooting if necessary.
The aim of this repository is to provide useful scripts that can be adapted to other circumstances and show how some techniques can be performed using a certain programming language.
Hope it is useful! 😄
| Machine | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Altered | bf_pin.rb | Ruby | Brute Force attack on a 4-digit PIN |
| Antique | decode.py | Python | Decoding a password from SNMP |
| Awkward | readFile.js | Node.js | Read files from the server sending a malicious JWT payload |
| Backdoor | dpt.py pwn_gdbserver.py |
Python Python |
Read files using Diretory Path Traversal Obtain a reverse shell via GNU gdbserver |
| Bizness | ofbiz_exploit.sh | Bash | Authentication bypass. Automate the process to exploit a deserialization attack in Java |
| BountyHunter | xxe.sh | Bash | Read files using an XXE attack |
| Forge | ssrf.py | Python | Automate a SSRF explotation through an URL |
| GoodGames | autopwn.py | Python | Compromise the machine from scratch to root |
| Hancliffe | decrypt.sh encrypt1.c encrypt2.c exploit.py |
Bash C C Python |
Decrypt password using brute force ROT47 cipher Atbash cipher Stack-based Buffer Overflow exploit using Socket Reuse |
| Health | ssrf.py crack.go |
Python Go |
Perform a SSRF attack using a redirection with Flask Crack Gogs hash |
| Horizontall | rce_strapi.py | Python | Chain two exploits for Strapi to obtain a reverse shell |
| Intelligence | reqPdf.go | Go | Fuzz for PDF files with a guessable filename |
| Intentions | get_file.c | C | Extract file with MD5 hash oracle |
| Monitors | deserialization.sh | Bash | Automate the process to exploit a deserialization attack in Java |
| NodeBlog | nosqli.sh xxe.py unserialize_rce.js |
Bash Python Node.js |
Extract password using RegEx in a NoSQL injection Read files using an XXE attack Obtain a reverse shell exploiting an insecure deserialization vulnerability |
| OverGraph | get_admin_token.py extract_id_rsa.py bf_token.py exploit_rce.py exploit_write.py |
Python Python Python Python Python |
Obtain adminToken chaining CSRF through Open Redirect and AngularJS XSS to access localStorageRead id_rsa exploiting ffmpeg SSRFBrute force attack to obtain a valid token Binary exploit to obtain RCE as rootBinary exploit to obtain write permissions as root |
| Pikaboo | autopwn.py | Python | Compromise the machine from scratch to root |
| Precious | autopwn.rb | Ruby | Compromise the machine from scratch to root |
| Previse | foothold.go | Go | Register a new account and obtain a reverse shell exploiting a command injection |
| RainyDay | extract_file.py extract_pepper.py crack.py |
Python Python Python |
Extract file byte by byte using RegEx Abuse bcrypt limitations to extract secret pepper using emojiCrack bcrypt hash with secret pepper |
| Retired | first_exploit.py second_exploit.py third_exploit.py |
Python Python Python |
Buffer Overflow. PIE and ASLR bypass. NX bypass (ROP). ret2libc with custom command. Brute force Buffer Overflow. PIE and ASLR bypass. NX bypass (ROP). ret2libc with custom command. Write-what-where primitive Buffer Overflow. PIE and ASLR bypass. NX bypass ( mprotect + shellcode) |
| Rope | fmtstr_exploit.py root_exploit.py |
Python Python |
Format String exploitation Buffer Overflow. PIE and Canary bypass (brute force). NX bypass (ROP). ASLR bypass (leaks). ret2libc through socket |
| Scanned | exploit.sh crack.go |
Bash Go |
Read files and list directories by uploading a custom binary that escapes from a sandbox environment Crack Django salted MD5 hash |
| Shared | sqli.js | Node.js | Union-based SQLi exploitation inside a cookie |
| Soccer | websocket_sqli.py | Python | Dump database contents using a Boolean-based SQLi from a WebSocket server |
| Spider | ssti.py xxe.sh |
Python Bash |
Performing an SSTI on Jinja2 Read files as root using an XXE attack |
| Static | get_vpn.rb xdebug_shell.py exploit.py |
Ruby Python Python |
Downloading a VPN handling a TOTP and a Gzip file patch Obtain a reverse shell for xdebug in a PHP server Binary exploitation using a Format Strings vulnerability |
| Stocker | nosqli_regex.py | Python | Extract fields from a NoSQL database using NoSQLi and RegEx |
| Timing | upload.py | Python | Manage to upload a PHP web shell and provide the URL to access it |
| Unicode | dpt-jwks.py | Python | Interactive prompt to read files from the server via Directory Path Traversal and serve a JWKS to interact with the website as admin |
| Union | UnionSQLi.java | Java | Interactive prompt to make SQL queries using a Union-based SQLi |
| UpDown | php_execute.py | Python | Execute PHP code abusing a file upload |
| Writer | sqli.py foothold.py |
Python Python |
Dump database contents and read files using a Boolean-based SQLi Obtain a reverse shell using a command injection via file upload |
| Crypto | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| 400curves | solve.py | Python / SageMath | ECC. Invalid Curve Attack |
| AbraCryptabra | solve.py | Python / SageMath | Truncated LCG. AES. Knapsack. LLL lattice reduction |
| AESWCM | solve.py | Python | Custom encryption using AES and XOR |
| AHS512 | solve.py | Python | Custom hash function. Bit operations |
| Android-in-the-Middle | solve.py | Python | Diffie-Hellman. MITM |
| baby quick maffs | solve.py | Python | Related messages attack. Modular arithmetic |
| Bank-er-smith | solve.py | Python / SageMath | RSA. Known bits. Coppersmith method |
| BBGun06 | solve.py | Python | RSA. Forge signature. Regular Expression bypass |
| BFD56 | solve.c | C | CBC Bifid cipher |
| Biased Heritage | solve.py | Python / SageMath | Schnorr signature. Hidden Number Problem. LLL lattice reduction |
| Blessed | solve.py | Python / SageMath | BLS12-381. BLS signatures. Rogue key attack. Zero-knowledge proof. EC-LCG. LLL lattice reduction |
| Colliding Heritage | solve.py | Python | Schnorr signature. MD5 collision |
| Composition | solve.py | Python / SageMath | Close primes. RSA and ECC. Finding curve parameters. Elliptic curve over composite modulus |
| Converging Visions | solve.py | Python / SageMath | ECC. Binary search. Finding curve parameters. Smart's attack. PRNG |
| CryptoConundrum | solve.py | Python | AES cipher. Frequency analysis. Depth-first search |
| Down the Rabinhole | solve.py | Python | GCD. Modular arithmetic. Padding |
| Elliptic Labyrinth | solve.py | Python / SageMath | ECC. Finding curve parameters |
| Fibopadcci | solve.py | Python | Padding Oracle Attack. Custom cipher and padding |
| Find Marher's Secret | solve.py | Python | RC4. FMS attack |
| Hash the Filesystem | solve.py | Python | AES CTR. Inverse function of the Python built-in hash function |
| Homomurphy's Law | solve.py | Python | Homomorphic encryption. XOR cipher. AES cipher. Brute force |
| How The Columns Have Turned | solve.py | Python | Reverse encryption algorithm |
| I know Mag1k | solve.py | Python | DES. Padding Oracle Attack. |
| Infinite Descent | solve.py | Python | RSA. Close primes. PRNG |
| Infinite Knapsack | solve_bf.py solve_lll.py |
Python Python / SageMath |
Knapsack. Brute force. Unshuffling Knapsack. LLL lattice reduction. Unshuffling |
| Interception | solve.py | Python / SageMath | RSA. GCD. Coppersmith method. Euler's Theorem |
| Jenny From The Block | solve.py | Python | Block cipher. SHA256 |
| Living with Elegance | solve.go | Go | Learning With Errors. Probabilistic oracle |
| LunaCrypt | solve.py | Python | Reverse encryption algorithm based on binary operations |
| MSS | solve.py | Python | Mignotte Secret Sharing. Modular arithmetic. Chinese Remainder Theorem |
| Not that random | solve.go | Go | HMAC. Hash functions |
| One Step Closer | solve.sage | SageMath | RSA. Franklin-Reiter related-message attack |
| Optimus Prime | solve.py | Python | RSA. Greatest Common Divisor |
| Oracle Leaks | solve.go | Go | RSA. Manger's attack |
| Partial Tenacity | solve.py | Python | RSA. Partially-known private information. Modular arithmetic |
| Quadratic Points | solve.py | Python / SageMath | Integer linear relations. LLL lattice reduction. ECDLP. CRT |
| RLotto | solve.py | Python | PRNG. Time-based seed |
| Roulette | solve.py | Python / SageMath | PRNG. Custom Mersenne Twister. System of equations with binary variables |
| signup | solve.py | Python | DSA. Nonce reuse. Modular arithmetic |
| Space Pirates | solve.py | Python | Shamir Secret Sharing. PRNG seed |
| SPG | solve.py | Python | Boolean oracle |
| The Three-Eyed Oracle | solve.py | Python | AES ECB oracle |
| Tsayaki | solve.py | Python | TEA. Equivalent keys. CBC mode |
| TurboCipher | solve.py | Python | Recurrence relation. Telescoping series. LCG |
| TwoForOne | solve.py | Python | RSA. Common modulus attack |
| Waiting List | solve.py | Python / SageMath | ECDSA. Nonces with known bits. Hidden Number Problem. LLL lattice reduction |
| Zombie Rolled | solve.py | Python / SageMath | Fractions. Diophantine equation solution with elliptic curve. RSA signature. LLL lattice reduction. Groebner basis |
| Forensics | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Deadly Arthropod | solve.py | Python | USB HID key strokes parser |
| Halloween Invitation | solve.py | Python | Microsoft Office VBA macros deobfuscation |
| Hardware | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| HM74 | solve.py | Python | Noisy channel. Hamming codes. Statistically find correct message blocks |
| VHDLock | solve.py | Python | Print possible inputs for XOR encryption |
| Misc | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Branching Tactics | solve.go | Go | Path-finding. Breadth-first Search |
| Emdee five for life | solve.py solve.sh |
Python Bash |
Compute and send MD5 hash of a string as quickly as possible |
| Eternal Loop | solve.go | Go | Uncompress ZIP archives indefinitely |
| ExploitedStream | solve.js | Node.js | Brute force package name to decrypt AES |
| Fentastic Moves | solve.py | Python | Chess. FEN string. Stockfish |
| Insane Bolt | solve.py | Python | Depth First Search (DFS) |
| M0rsarchive | solve.py | Python | Morse code. Computer vision. ZIP files. Automation |
| Path of Survival | solve.py | Python | Path-finding. Breadth-first Search. Dijkstra's algorithm |
| Type Exception | solve.py | Python | Python jail. Oracle |
| OSINT | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Monstrosity | analyze.py | Python | Use Twitter's API to extract coordinates from tweets and plot them with matplotlib |
| Pwn | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Antidote | solve.py | Python | ARM 32-bit. Buffer Overflow. Ret2csu. ret2libc |
| Auth-or-out | solve.py | Python | Integer Overflow. Heap Overflow. ret2libc |
| Bat Computer | solve.py | Python | Buffer Overflow. Shellcode |
| Blacksmith | solve.py | Python | seccomp rules. open-read-write shellcode |
| Bon-nie-appetit | solve.py | Python | Heap exploitation. Off-by-one. Overlapping chunks. Tcache poisoning |
| Control Room | solve.py | Python | OOB write. GOT overwrite |
| CRSid | solve.py | Python | Heap exploitation. Safe-linking. Out-of-bounds write. Tcache poisoning. Exit handlers |
| Dragon Army | solve.py | Python | Heap exploitation. Fast Bin dup. Messing with main_arena |
| Dream Diary: Chapter 1 | solve.py | Python | Heap exploitation. Off-by-one. Fast Bin attack. Unsafe Unlink |
| Dream Diary: Chapter 2 | solve.py | Python | Heap exploitation. Null byte poisoning. Overlapping chunks |
| Dream Diary: Chapter 3 | solve.py | Python | Heap exploitation. Null byte poisoning. Overlapping chunks. Tcache poisoning. ROP chain. seccomp rules |
| echoland | dump.py solve.py |
Python | Dump binary instructions using a Format String vulnerability Blind Format String. Buffer Overflow. ret2libc |
| Entity | solve.py | Python | Union structure. Type confusion |
| FileStorage | solve.py | Python | Buffer Overflow. Format String vulnerability. FILE structure attack. GOT overwrite |
| Finale | solve.py | Python | open-read-write ROP chain |
| Fleet Management | solve.py | Python | seccomp rules. Custom shellcode |
| Format | solve.py | Python | Format String exploitation |
| Great Old Talisman | solve.py | Python | OOB write. Partial GOT overwrite |
| Hellhound | solve.py | Python | Heap exploitation. House of Spirit |
| HTB Console | solve.py | Python | Buffer Overflow. ret2libc |
| knote | solve.c | C | Kernel exploitation. Heap exploitation. Double free. seq_operations. ret2user |
| Leet Test | solve.py | Python | Format String exploitation |
| Math Door | solve.py | Python | Heap exploitation. Heap feng shui. Tcache poisoning. FILE structure attack |
| Maze of Mist | solve.py | Python | 32-bit binary. Buffer Overflow. vDSO ROP. sys_execve |
| Nightmare | solve.py | Python | Format String exploitation. GOT overwrite |
| No Return | solve.py | Python | JOP. sys_rt_sigreturn and sys_execve |
| Nowhere to go | dump.py solve.py |
Python | Buffer Overflow. Dump vDSO Buffer Overflow. vDSO ROP. sys_execve. seccomp rules |
| Old Bridge | solve.py | Python | Buffer Overflow. Brute force. Stack Pivot. ret2libc |
| Optimistic | solve.py | Python | Buffer Overflow. Integer Overflow. Alphanumeric shellcode |
| Oxidized ROP | solve.py | Python | Rust binary. Unicode characters. Local variable modificacion |
| PwnShop | solve.py | Python | Buffer Overflow. PIE and ASLR bypass. Special ROP chain. ret2libc |
| Regularity | solve.go | Go | Buffer Overflow. ret2reg. Shellcode |
| Robot Factory | solve.py | Python | Buffer Overflow. Threads. Canary bypass. ret2libc |
| Sacred Scrolls: Revenge | solve.py | Python | Buffer Overflow. ret2libc |
| Shooting star | solve.py solve_pwntools.py |
Python | Buffer Overflow. ASLR bypass. ret2libc |
| Space | solve.py | Python | 32-bit binary. Buffer Overflow. Custom shellcode |
| Space pirate: Going Deeper | solve.py | Python | Buffer Overflow. One byte overflow |
| Space pirate: Retribution | solve.py | Python | Buffer Overflow. ret2libc. Bypass PIE and ASLR |
| Spellbook | solve.py | Python | Heap exploitation. Use After Free. Fast Bin attack |
| Spooky Time | solve.py | Python | Format String exploitation. GOT overwrite |
| Trick or Deal | solve.py | Python | Heap exploitation. Use After Free |
| Vault-breaker | solve.py | Python | Bug abuse. XOR cipher |
| Void | solve.py | Python | Buffer Overflow. ret2dlresolve |
| Zombiedote | solve.py | Python | Heap exploitation. OOB read and write. Integer Overflow. Floating-point numbers. TLS-storage dtor_list |
| Zombienator | solve.py | Python | Heap exploitation. Buffer Overflow. Floating-point numbers. Canary bypass. ret2libc. Oracle |
| Reversing | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| Headache | solve.py | Python | Bypass sys_ptrace. Automate flag extraction from GDB |
| Potion Master | solve.py | Python | z3 solution to a set of conditions |
| Rebuilding | solve.py | Python | Automate flag extraction from GDB |
| The Vault | solve.py | Python | Automate flag extraction from GDB |
| Up a Stream | Solve.java | Java | Reverse encryption algorithm using functional programming with Java streams |
| Web | Scripts / Programs | Language | Purpose |
|---|---|---|---|
| 0xBOverchunked | solve.go | Go | Transfer-Encoding chunked. Boolean-based SQLi. Automate flag extraction |
| AbuseHumanDB | solve.py | Python | XSS. SOP bypass |
| baby ninja jinja | ssti.py | Python | SSTI. RCE. Limited interactive shell session |
| BatchCraft Potions | solve.py | Python | GraphQL batching attack. Send XSS and DOM Clobbering payload |
| E.Tree | solve.go | Go | XPATH injection. Automate flag extraction |
| emoji voting | solve.js | Node.js | Boolean-based SQLi in ORDER. Automate flag extraction |
| ExpressionalRebel | redos.go | Go | SSRF. ReDoS. Find the flag back and forth |
| wafwaf | solve.js | Node.js | PHP. Time-based SQL injection. WAF bypass |
| Wild Goose Hunt | solve.go | Go | MongoDB. NoSQLi. Automate flag extraction |