Richie Havoc
Security Researcher | Student | Pentester | CTF Player 🎉
Latest Posts
HTB Connected Complete Writeup - CVE-2025-57819 FreePBX Pre-Auth RCE, PHP Webshell, Incron Abuse & fwconsole-commands Hook PrivEsc
Connected is a HackTheBox Easy Linux machine (CentOS 7) running FreePBX 16.0.40.7 on ports 80 and 443. The attack chain starts with CVE-2025-57819, a critical pre-authentication vulnerability that chains a PHP namespace-based authentication bypass with SQL injection in the brand parameter of the /admin/ajax.php endpoint. The injected SQL plants a cron job that writes a PHP webshell to the web root within 60 seconds, landing a shell as the asterisk service account and revealing the user flag. Privilege escalation abuses incron, a filesystem event-driven cron daemon, which monitors /var/spool/asterisk/incron/ as root. The asterisk user can create files in that directory, and by crafting a filename that follows the module.hook.params convention and encoding a command as zlib+base64 to bypass shell metacharacter filtering, the sysadmin_manager script executes our payload as root via the api/fwconsole-commands hook, copying the root flag to the web root for retrieval.
HTB DevHub Complete Writeup - CVE-2026-23744 MCPJam RCE, JupyterLab WebSocket Code Execution & OPSMCP Admin Tool Abuse
DevHub is a HackTheBox Season 11 Medium Linux machine built around a developer tooling stack running entirely on localhost. The attack chain starts with CVE-2026-23744, an unauthenticated RCE in MCPJam Inspector <= 1.4.2 where crafted HTTP requests trigger MCP server installation and arbitrary command execution. From the initial shell, internal enumeration reveals a JupyterLab instance running as analyst with its auth token exposed in process arguments, exploitable via the Jupyter REST API and WebSocket kernel protocol without any browser interaction. Source code of the OPSMCP Flask API running as root contains a hardcoded API key and a hidden admin tool named ops._admin_dump. Calling this tool with the target ssh_keys argument returns root's OpenSSH private key, completing the chain from unauthenticated network access to full root.
HackTheBox Reactor Complete Writeup - CVE-2025-55182 Next.js RCE, SQLite Credential Dump, MD5 Cracking & Node.js Inspector PrivEsc
Reactor is a HackTheBox Medium Linux machine running a Next.js 15.0.3 web application on port 3000. The attack chain starts with CVE-2025-55182, a critical unauthenticated RCE in Next.js that allows arbitrary command execution via a crafted React Flight payload, landing a shell as the node user. Post-exploitation reveals a SQLite database containing MD5-hashed credentials for two users. Hashcat cracks the engineer hash against rockyou.txt in seconds. Direct SSH does not work, so lateral movement is achieved via su from the existing shell, recovering the user flag. Privilege escalation abuses a Node.js Inspector debug socket on localhost port 9229, using the node inspect client to execute system commands via child_process.execSync and read the root flag directly.
TJCTF 2026: Minerva's Stopwatch Cryptography Challenge and unfinished-file Forensics Challenge Writeup
A full walkthrough of two TJCTF 2026 challenges across the cryptography and forensics categories. The first challenge, Minerva's Stopwatch, involves exploiting a P-256 ECDSA timing side-channel to set up a Hidden Number Problem instance, then recovering the private key via LLL-based lattice reduction and CVP to decrypt a flag. The second challenge, unfinished-file, involves parsing a partial Chrome download in the crdownload format, locating embedded ZIP data, identifying an obfuscated file entry, and recovering the flag via single-byte XOR. Each writeup includes full solution scripts, beginner-friendly explanations of the underlying techniques, and key takeaways on the cryptographic and forensic weaknesses exploited.
SK-CERT CyberGame 2026: Cryptography Challenges Writeup
A full walkthrough of the SK-CERT CyberGame 2026 cryptography challenges, covering five distinct problems ranging from beginner to advanced. Topics include musical notation substitution ciphers, layered repeating-key XOR with PE reverse engineering, ZipCrypto known-plaintext attacks using bkcrack, an anomalous RSA challenge with an exponent approaching N^4 solved via lattice methods, and a quadratic twist elliptic curve DLP solved with Pohlig-Hellman over smooth-order subgroups. Each writeup includes full solution scripts, beginner-friendly explanations, and key takeaways on the underlying cryptographic weaknesses.
SK-CERT CyberGame 2026: Forensics Challenges Writeup
A complete walkthrough of the SK-CERT CyberGame 2026 forensics category, covering four distinct investigations. The Telemetry challenge decodes a flag geographically encoded in a MAVLink 2.0 drone flight path hidden among honeytoken decoys. The Volatile Incident series tackles a 4.4 GB Linux ELF memory dump - first with a fast strings triage to recover bash history flags, then with a full Volatility 3 setup using a custom dwarf2json symbol table to identify a root-level Python packet sniffer persisted via nohup. The final Windows disk forensics challenge reconstructs a social engineering attack through AD1 image analysis, Chrome and Edge browser history, Outlook OST email parsing, Windows Registry UserAssist, and a password recovered from a public Steam profile - culminating in decryption of an exfiltrated 7zAES-encrypted archive.