🎯 HTB CPTS Write-ups

Walkthroughs for the Hack The Box machines on the CPTS track. Each write-up runs the full chain from enumeration to the root flag, and ends with a condensed attack chain, a commands cheat sheet, and a diagnostic map.

Machines

• 🐑 Fluffy — NTLM capture (CVE-2025-24071) → ACL abuse → shadow credentials → ADCS ESC16
• 🧑‍💼 Jeeves — Jenkins RCE → KeePass loot → Pass-the-Hash → Alternate Data Streams
• 🎭 Trick — DNS zone transfer → SQLi FILE read → SSH → Fail2Ban hijack
• 📮 Postman — unauthenticated Redis → SSH key recovery → su pivot → OverlayFS LPE
• POV — IIS file read → ASP.NET ViewState RCE → WinRM pivot → SeDebugPrivilege
• TombWatcher — AD object-control chain → deleted-object recovery → ADCS ESC15
• Media — Responder NetNTLMv2 capture → PHP webshell → SeTcbPrivilege PoC
• VulnCicada — NFS leak → Kerberos relay (ADCS ESC8) → DCSync
• StreamIO — MSSQL SQLi → PHP include RCE → Firefox creds → LAPS