
CyberCamp 2018 Online – 11. La orden del Temple (Cryptography)
We build a dictionary from the suspect's password pattern, run a dictionary attack against the symmetric PGP encryption, and decrypt the Templar cipher to recover the FLAG.

Write-up of Fighter (HackTheBox): medium-level Windows machine that exploits time-based SQLi to extract credentials, gets RCE via xp_cmdshell + msbuild NPS payload, and escalates to SYSTEM with Capcom.sys (CVE-2019-7253) + bypass of checks.

Write-up of Celestial (HackTheBox). Low-level Linux machine that exploits an insecure cookie deserialisation in Node.js (CVE-2017-16137) to obtain RCE, then escalates to root by abusing a cron job that executes an editable script.

Rabbit write-up (HackTheBox): Windows machine that exploits time-based SQLi in Complain Management System for RCE via xp_cmdshell + msbuild NPS payload, and escalates to SYSTEM by abusing WAMP64 running as SYSTEM.

Quaoar write-up (VulnHub): a simple machine for getting started in pentesting. We exploit WordPress with default credentials and upload a webshell for RCE, then escalate to root with DirtyCow.

Aragog write-up (HackTheBox): initial scan, XXE exploitation to read SSH keys, user access, WordPress modification to steal admin credentials and escalate to root. Intermediate level with a focus on XXE and creative post-exploitation.

Nightmare write-up (HackTheBox): high-level Linux machine that exploits SQLi to extract credentials, obtains RCE via a modified 32-bit SFTP exploit, and escalates to root with Decoder binary reversing + disk group abuse with debugfs.

Olympus write-up (HackTheBox): medium-level Linux machine that exploits Xdebug RCE to obtain an initial shell, cracks a WPA2 handshake for SSH credentials, uses port knocking to access port 2222, and escalates to root by mounting the host filesystem from a Docker container.

Write-up of Nibbles (HackTheBox): simple Linux machine that exploits Nibbleblog 4.0.3 with leaked credentials and RCE via plugin upload, and escalates to root by abusing sudo in the monitor.sh script.

Poison write-up (HackTheBox): simple FreeBSD machine that exploits LFI in browse.php to poison Apache logs and obtain RCE, extracts credentials from pwdbackup.txt, and escalates to root via VNC with a leaked password.

Falafel write-up (HackTheBox): high-level Linux machine that exploits SQL injection + PHP type juggling to bypass login, uploads a webshell via wget + path truncation, and escalates to root via debugfs in the disk group to read /root.

Chatterbox write-up (HackTheBox): easy Windows machine that exploits a buffer overflow in AChat (CVE-2015-8295) to gain RCE, then escalates to SYSTEM by abusing the WinLogon registry and psexec.