Machine-to-Technique Index


#Active Directory Machines

| Machine | Difficulty | Key Techniques |
|---|---|---|
| Active | Easy | SMB Enumeration, GPP (Group Policy Preferences) Exploitation, Kerberoasting |
| Blackfield | Hard | Anonymous SMB Enumeration, AS-REP Roasting, LSASS Credential Dumping, Backup Operators Group Abuse |
| Cascade | Medium | LDAP Anonymous Enumeration, TightVNC Password Decryption, .NET Decompilation, AD Recycle Bin |
| Cicada | Easy | Active Directory Enumeration, Password Spraying, SeBackupPrivilege Abuse, Pass-the-Hash |
| Escape | Medium | SMB Guest Access, MSSQL Authentication Relay, Hash Cracking, ESC1 Attack (ADCS) |
| Flight | Hard | LFI, NTLM Hash Capture, Password Spraying, NTLM Theft via File Shares, DCSync Attack |
| Fluffy | Easy | BloodHound Enumeration, Certipy Enumeration, ACL/DACL Abuse, ESC16 (CVE-2025-24071) |
| Forest | Easy | AS-REP Roasting, BloodHound Enumeration, Account Operators Group Abuse, DCSync |
| Monteverde | Medium | Password Spraying, Azure AD Connect Password Extraction, sqlcmd Usage |
| Return | Easy | Network Printer Abuse (LDAP Credential Capture), Server Operators Group Abuse |
| Sauna | Easy | AS-REP Roasting, Auto-Logon Credential Discovery, DCSync Attack |
| TheFrizz | Medium | CVE-2023-45878 (Arbitrary File Write), Password Cracking, GPO Exploitation, Kerberos SSH Authentication |
| Timelapse | Easy | Public SMB Share, PFX Certificate Extraction & Cracking, LAPS Privilege Escalation |

#Linux Machines

| Machine | Difficulty | Key Techniques |
|---|---|---|
| BoardLight | Easy | Web Enumeration, Dolibarr Exploitation (CVE-2023-30253), SUID Exploitation (CVE-2022-37706) |
| Broker | Easy | Apache ActiveMQ Unauthenticated RCE, Nginx Sudo Configuration Exploitation |
| Builder | Medium | CVE-2024-23897 (Jenkins Arbitrary File Read), Jenkins Cryptography, SSH Key Decryption |
| Busqueda | Easy | Command Injection, Git Configuration Enumeration, Docker Enumeration, Relative Path RCE |
| Cerberus | Hard | Icinga Web Pre-Auth RCE, Firejail SUID Breakout (CVE-2022-31214), sssd Cached Credential Cracking, ADSelfService Plus (CVE-2022-47966), Network Pivoting |
| Cereal | Hard | .NET Deserialization, XSS Exploitation, SSRF, SeImpersonatePrivilege Abuse |
| Clicker | Medium | NFS Share Enumeration, SQL Injection, SUID Binary Path Traversal, XXE via Intercepted cURL, Sudo Environment Variable Abuse |
| CozyHosting | Easy | Spring Boot Actuator Enumeration, Command Injection, SSH Abuse via Misconfiguration |
| Dog | Easy | Exposed .git Repository, BackdropCMS RCE via File Upload, Sudo Binary Exploitation |
| Editorial | Easy | Server-Side Request Forgery (SSRF), Git Repository Enumeration, CVE-2022-24439 Sudo Exploitation |
| Help | Easy | GraphQL Enumeration, Blind SQL Injection, Unauthenticated Arbitrary File Upload, Kernel Exploitation |
| Intentions | Hard | Second-Order SQL Injection, Hash-Based Authentication Bypass, Imagick Arbitrary Object Instantiation, CAP_DAC_READ_SEARCH Capability Abuse |
| Keeper | Easy | Default Credentials, KeePass Database Exploitation, SSH Key Retrieval |
| LinkVortex | Easy | Exposed .git Directory, CVE-2023-40028 (Ghost CMS Arbitrary File Read via Symlinks), TOCTOU Race Condition (Symlink) |
| Magic | Easy | SQL Injection Login Bypass, PHP File Upload Whitelist Bypass, Path Hijacking, SUID Abuse |
| Markup | Easy | XML External Entity (XXE) Injection, Weak Credentials on Web Login |
| Mentor | Medium | SNMP Community String Enumeration, Blind Remote Code Execution, PostgreSQL RCE via Default Credentials, Docker Pivoting & Tunneling, Sudo Exploitation |
| Monitored | Medium | SNMP Enumeration, Nagios API Exploitation, SQL Injection (CVE-2023-40931), Sudo Bash Script Abuse |
| Networked | Easy | File Upload Bypass, Command Injection, Crontab Exploitation, Sudo Exploitation via Network Script |
| Pandora | Easy | SNMP Enumeration, Port Forwarding, SQL Injection, SUID Binary PATH Variable Injection |
| Quick | Hard | HTTP/3 Protocol, ESI (Edge Side Includes) Injection, Symlink Exploitation, Plaintext Credential Reuse |
| Sau | Easy | SSRF via CVE-2023-27163 (Request Baskets), Command Injection, Sudo Exploitation |
| Soccer | Easy | Default Credentials, Tiny File Manager RCE (CVE-2021-45010), Blind SQL Injection via WebSockets, doas SUID Exploitation |
| Titanic | Easy | Virtual Host Fuzzing, Gitea Repository Enumeration, Arbitrary File Read, CVE-2024-41817 (ImageMagick RCE) |
| UpDown | Medium | Exposed .git Directory, HTTP Header Modification, PHP LFI with phar:// Wrapper, SUID Python Script Injection, easy_install Sudo Exploitation |
| Usage | Easy | SQL Injection, Laravel Admin Panel Exploitation, File Upload Filter Bypass, Binary Analysis, 7zip Symlink Abuse |

#Windows Machines

| Machine | Difficulty | Key Techniques |
|---|---|---|
| Absolute | Insane | AS-REP Roasting, LDAP Enumeration, Shadow Credential Attack, KrbRelay, ACL Abuse |
| Access | Easy | Access Database (.mdb) Enumeration, Outlook PST File Extraction, DPAPI Credential Extraction |
| Administrator | Medium | BloodHound Enumeration, ACL/DACL Abuse (GenericAll, GenericWrite), Targeted Kerberoasting, DCSync Attack |
| Aero | Medium | CVE-2023-38146 (ThemeBleed / Windows Themes), CVE-2023-28252 (CLFS Driver Exploitation), PoC Modification |
| APT | Insane | RPC Interface Enumeration, IPv6 Firewall Bypass, Remote Registry Access, NTLMv1 Exploitation |
| Atom | Medium | Electron Builder Signature Validation Exploit, Redis Credential Extraction, PortableKanban Password Decryption |
| Authority | Medium | Ansible Vault Cracking, AD CS Enumeration & Exploitation, Pass-the-Cert Attack |
| Certified | Medium | BloodHound Enumeration, Certipy Enumeration, ACL/DACL Abuse (WriteOwner, GenericWrite), Shadow Credential Attack, ESC9 |
| EscapeTwo | Easy | BloodHound Enumeration, File Header Magic Bytes Manipulation, Password Spraying, MSSQL Access, ADCS Misconfiguration Abuse |
| Intelligence | Medium | PDF Metadata Enumeration, Password Spraying, ADIDNS Abuse, ReadGMSAPassword Abuse, Constrained Delegation Abuse |
| Jeeves | Medium | Jenkins Groovy Script Exploitation, Windows Defender Bypass, Pass-the-Hash, Alternate Data Streams (ADS) Enumeration |
| Mailing | Easy | Path Traversal, hMailServer Password Hash Cracking, CVE-2024-21413 (MonikerLink NTLM Capture), CVE-2023-2255 (LibreOffice Macro Execution) |
| Manager | Medium | RID Cycling, Password Spraying, MSSQL xp_dirtree File Enumeration, ESC7 Exploitation (ADCS) |
| Multimaster | Insane | SQL Injection, VS Code Debug Functionality Exploitation, DLL Reverse Engineering, GenericWrite Abuse, Server Operators Group Abuse |
| Outdated | Medium | CVE-2022-30190 (Follina), Shadow Credential Attack, Golden Ticket Attack, WSUS Exploitation |
| Rebound | Insane | RID Cycling, AS-REP Roasting, Pre-Authentication Kerberoasting, ACL Abuse, Descendant Object Takeover (DOT), Shadow Credential Attack, Cross-Session NTLM Relay, gMSA Password Read, Resource-Based Constrained Delegation (RBCD), DCSync |
| ServMon | Easy | NVMS-1000 LFI, SSH Password Spraying, NSClient++ Exploitation, SSH Tunneling |
| StreamIO | Medium | Subdomain Enumeration, SQL Injection, LFI via PHP Wrappers, Remote File Inclusion (RFI), Browser Saved Credential Retrieval, LAPS Password Retrieval via LDAP |
| Support | Easy | SMB Anonymous Access, .NET Decompilation, LDAP Querying, Resource-Based Constrained Delegation (RBCD) |
| Vintage | Hard | Pre-Created Computer Account Exploitation, NTLM-Disabled Enumeration, gMSA Password Retrieval, Kerberoasting, Credential Manager Extraction, RBCD |

#Technique Cross-Reference

#Active Directory Attacks

| Technique | Machines |
|---|---|
| AS-REP Roasting | Forest, Sauna, Blackfield, Rebound, Absolute |
| Kerberoasting | Active, Rebound, Administrator, Vintage, TombWatcher |
| Targeted Kerberoasting | Administrator, Rebound, Vintage, TombWatcher |
| DCSync Attack | Forest, Sauna, Flight, Administrator, Rebound |
| Password Spraying | Cicada, Monteverde, Flight, Intelligence, Manager, EscapeTwo, Administrator, ServMon |
| Pass-the-Hash | Cicada, Jeeves |
| Pass-the-Cert | Authority |
| Golden Ticket | Outdated |
| Kerberos Delegation (Constrained) | Intelligence |
| Kerberos Delegation (RBCD) | Rebound, Support, Vintage, Outdated |
| S4U2Self / S4U2Proxy | Rebound |
| ACL/DACL Abuse | Fluffy, Absolute, Administrator, Certified, Rebound, Multimaster, EscapeTwo |
| GenericAll / GenericWrite Abuse | Administrator, Certified, Multimaster |
| ForceChangePassword | Administrator, TombWatcher |
| WriteOwner Abuse | Certified, EscapeTwo |
| Shadow Credential Attack | Absolute, Rebound, Outdated, TombWatcher, Certified |
| Descendant Object Takeover (DOT) | Rebound |
| Account Operators Group Abuse | Forest |
| Backup Operators Group Abuse | Blackfield |
| Server Operators Group Abuse | Return, Multimaster |
| SeBackupPrivilege Abuse | Cicada |
| LAPS Password Retrieval | Timelapse, StreamIO |
| ReadGMSAPassword / gMSA Abuse | Intelligence, Rebound, Vintage, TombWatcher |
| GPO Exploitation | TheFrizz |
| AD Recycle Bin | Cascade, TombWatcher |
| ADIDNS Abuse | Intelligence |
| Pre-Created Computer Account | Vintage |
| KrbRelay | Absolute |

#Active Directory Certificate Services (ADCS) Attacks

| Technique | Machines |
|---|---|
| ESC1 (Enrollee Supplies Subject) | Escape |
| ESC7 (CA Manager) | Manager |
| ESC9 (No Security Extension) | Certified |
| ESC15 (Application Policy Mismatch) | TombWatcher |
| ESC16 | Fluffy |
| AD CS Enumeration (Certipy) | Fluffy, Certified, Manager, Authority |
| AD CS Misconfiguration Exploitation | EscapeTwo, Authority |

#Enumeration & Discovery

| Technique | Machines |
|---|---|
| SMB Anonymous/Guest Access | Blackfield, Support, Timelapse, Escape, Active |
| LDAP Anonymous Enumeration | Cascade, Forest, Absolute |
| LDAP Querying | Support |
| SNMP Enumeration | Mentor, Monitored, Pandora |
| RID Cycling / User Enumeration | Manager, Rebound |
| RPC Enumeration | APT |
| Web Enumeration | BoardLight, Editorial, Help, Keeper, Quick, CozyHosting, Sau, Soccer, Magic |
| BloodHound Enumeration | Forest, Fluffy, Administrator, Certified, EscapeTwo, TombWatcher |
| Subdomain Enumeration | StreamIO, Titanic |
| Virtual Host Fuzzing | Titanic, Flight |
| Exposed .git Directory | Dog, LinkVortex, UpDown, Editorial, Busqueda |
| DNS Enumeration | Intelligence |
| Port Forwarding / Tunneling | Pandora, ServMon, Cerberus, Mentor |
| Network Pivoting | Cerberus, Mentor |
| HTTP/3 Protocol | Quick |
| GraphQL Enumeration | Help |

#Credential Attacks

| Technique | Machines |
|---|---|
| Hash Cracking (general) | Escape, TheFrizz, Mailing, Atom, StreamIO |
| AS-REP Hash Cracking | Forest, Sauna, Blackfield, Rebound, Absolute |
| Kerberoast Hash Cracking | Active, Rebound, Administrator, Vintage, TombWatcher |
| LSASS Credential Dumping | Blackfield |
| DPAPI Credential Extraction | Access |
| Browser Saved Credential Retrieval | StreamIO |
| Credential Manager Extraction | Vintage |
| Auto-Logon Credential Discovery | Sauna |
| KeePass Database Exploitation | Keeper |
| Ansible Vault Cracking | Authority |
| Azure AD Connect Password Extraction | Monteverde |
| Default Credentials | Keeper, Quick, Soccer |
| Plaintext Credential Reuse / Storage | Magic, Quick, Cicada, Usage, Busqueda |
| Password Cracking (ZIP/PFX) | Timelapse |
| GPP (Group Policy Preferences) Exploitation | Active |
| NTLM Hash Capture / Theft | Flight, Mailing |
| NTLMv1 Exploitation | APT |
| Cross-Session NTLM Relay | Rebound |

#Web Application Attacks

| Technique | Machines |
|---|---|
| SQL Injection (Basic / Login Bypass) | Magic, Help, Clicker, Networked, Usage |
| SQL Injection (Blind) | Soccer, Help |
| SQL Injection (Second-Order) | Intentions |
| SQL Injection (with xp_dirtree) | Manager |
| Command Injection | Busqueda, CozyHosting, Sau, Networked |
| Server-Side Request Forgery (SSRF) | Cereal, Editorial, Sau |
| XML External Entity (XXE) Injection | Markup, Clicker |
| XSS Exploitation | Cereal |
| .NET Deserialization | Cereal |
| ESI (Edge Side Includes) Injection | Quick |
| Local File Inclusion (LFI) | Flight, ServMon, StreamIO |
| PHP Wrapper Exploitation (phar://) | UpDown |
| Remote File Inclusion (RFI) | StreamIO |
| File Upload Bypass | Networked, Magic, Help, Usage |
| Path Traversal | Mailing |
| Arbitrary File Read | Titanic, LinkVortex, Builder |
| HTTP Header Modification | UpDown |
| WebSocket SQL Injection | Soccer |
| SSRF via CVE-2023-27163 (Request Baskets) | Sau |

#CVE / Known Vulnerability Exploitation

| Technique | Machines |
|---|---|
| CVE-2023-30253 (Dolibarr) | BoardLight |
| CVE-2022-37706 (Enlightenment SUID) | BoardLight |
| CVE-2024-23897 (Jenkins Arbitrary File Read) | Builder |
| CVE-2022-31214 (Firejail Breakout) | Cerberus |
| CVE-2022-47966 (ADSelfService Plus) | Cerberus |
| CVE-2023-45878 (Gibbon CMS File Write) | TheFrizz |
| CVE-2023-40028 (Ghost CMS Arbitrary File Read) | LinkVortex |
| CVE-2023-40931 (Nagios SQL Injection) | Monitored |
| CVE-2023-27163 (Request Baskets SSRF) | Sau |
| CVE-2021-45010 (Tiny File Manager RCE) | Soccer |
| CVE-2022-24439 (GitPython Sudo) | Editorial |
| CVE-2024-41817 (ImageMagick RCE) | Titanic |
| CVE-2023-38146 (ThemeBleed / Windows Themes) | Aero |
| CVE-2023-28252 (CLFS Driver) | Aero |
| CVE-2022-30190 (Follina) | Outdated |
| CVE-2024-21413 (MonikerLink) | Mailing |
| CVE-2023-2255 (LibreOffice Macro) | Mailing |
| CVE-2025-24071 | Fluffy |

#Linux Privilege Escalation

| Technique | Machines |
|---|---|
| SUID Binary Exploitation | BoardLight, Cerberus, Clicker, Magic, Pandora, UpDown, Usage, Soccer |
| Sudo Exploitation / Misconfiguration | Broker, CozyHosting, Mentor, Monitored, Sau, UpDown, Dog, Clicker, Networked, Editorial |
| Sudo Environment Variable Abuse | Clicker |
| Sudo Binary Path Hijacking | Magic |
| PATH Variable Injection | Pandora |
| Cron / Scheduled Task Abuse | Networked, Titanic |
| Kernel Exploitation | Help |
| CAP_DAC_READ_SEARCH Capability Abuse | Intentions |
| Docker Container Escape / Enumeration | Cerberus, Mentor, Titanic, Busqueda |
| SSH Key Theft / Misconfiguration | CozyHosting, Keeper, Builder, Monitored, Clicker |
| Symlink / Race Condition (TOCTOU) | LinkVortex, Quick, Usage |
| 7zip Symlink Abuse | Usage |
| doas Exploitation | Soccer |
| easy_install Sudo Exploitation | UpDown |
| Imagick Object Instantiation | Intentions |
| Git Repository Analysis | Dog, Editorial, UpDown, Busqueda |

#Windows Privilege Escalation

| Technique | Machines |
|---|---|
| SeImpersonatePrivilege Abuse | Cereal |
| SeBackupPrivilege Abuse | Cicada |
| Server Operators Group Abuse | Return, Multimaster |
| Backup Operators Group Abuse | Blackfield |
| Account Operators Group Abuse | Forest |
| VS Code Exploitation / Debug Abuse | Multimaster |
| Jenkins Exploitation (Windows) | Jeeves |
| NSClient++ Exploitation | ServMon |
| NVMS-1000 LFI | ServMon |
| WSUS Exploitation | Outdated |
| GPO Creation / Exploitation | TheFrizz |
| LAPS Password Retrieval | Timelapse, StreamIO |
| Alternate Data Streams (ADS) | Jeeves |
| Windows Defender Bypass | Jeeves |
| Electron Builder Exploit | Atom |
| KrbRelay | Absolute |
| NTLMv1 Exploitation | APT |
| IPv6 Techniques | APT |
| Remote Registry | APT |

#Lateral Movement & Pivoting

| Technique | Machines |
|---|---|
| WinRM Lateral Movement | Timelapse, Sauna, Blackfield, Monteverde, Escape, EscapeTwo, Certified, Administrator |
| SSH Lateral Movement | ServMon, TheFrizz, Cerberus |
| RDP Lateral Movement | Absolute |
| Pass-the-Hash | Cicada, Jeeves |
| Pass-the-Cert | Authority |
| Credential Reuse / Password Spraying | Monteverde, Flight, Manager, EscapeTwo, Administrator, Intelligence |
| SQL Command Line (sqlcmd) Abuse | Monteverde, StreamIO |
| MSSQL xp_dirtree | Manager |
| Network Pivoting / Tunneling | Cerberus, Mentor |
| Cross-Session Relay | Rebound |

#Code Analysis & Reverse Engineering

| Technique | Machines |
|---|---|
| .NET Decompilation / Analysis | Cascade, Support, Cereal |
| DLL Reverse Engineering | Multimaster |
| Binary / Executable Analysis | Absolute, Support, Usage |
| Source Code Review | Busqueda, Clicker, StreamIO, UpDown |
| Git History Analysis | Dog, Editorial, UpDown, Busqueda |
| PowerShell History Analysis | Timelapse |
| PDF Metadata Analysis | Intelligence, Absolute |
| Browser Database Decoding | StreamIO |
| Magic Bytes / File Header Manipulation | EscapeTwo |

#Service-Specific Exploitation

| Technique | Machines |
|---|---|
| Apache ActiveMQ RCE | Broker |
| Jenkins Exploitation | Builder, Jeeves |
| Nagios Exploitation | Monitored |
| Dolibarr Exploitation | BoardLight |
| Spring Boot Actuator | CozyHosting |
| BackdropCMS Exploitation | Dog |
| Ghost CMS Exploitation | LinkVortex |
| Gibbon CMS Exploitation | TheFrizz |
| Icinga Web Exploitation | Cerberus |
| ADSelfService Plus | Cerberus |
| Laravel Module Abuse | Usage |
| Tiny File Manager Exploitation | Soccer |
| KeePass Exploitation | Keeper |
| NSClient++ Exploitation | ServMon |
| hMailServer Exploitation | Mailing |
| Redis | Atom |
| Gitea | Titanic, Busqueda |
| GraphQL | Help |
| Request Baskets | Sau |
| Maltrail | Sau |
| Pandora FMS | Pandora |
| PortableKanban | Atom |
| PostgreSQL RCE | Mentor |
| Network Printer Abuse | Return |

#Difficulty Summary

| Difficulty | AD Machines | Linux Machines | Windows Machines |
|---|---|---|---|
| Easy | Active, Cicada, Fluffy, Forest, Return, Sauna, Timelapse | BoardLight, Broker, CozyHosting, Dog, Editorial, Help, Keeper, LinkVortex, Magic, Markup, Networked, Pandora, Sau, Soccer, Titanic, Usage | Access, EscapeTwo, Jeeves, Mailing, ServMon, Support |
| Medium | Cascade, Escape, Monteverde, TheFrizz | Builder, Busqueda, Clicker, Mentor, Monitored, UpDown | Administrator, Aero, Atom, Authority, Certified, Intelligence, Manager, Outdated, StreamIO |
| Hard | Blackfield, Flight | Cerberus, Cereal, Intentions, Quick | Blackfield, Vintage |
| Insane | -- | -- | Absolute, APT, Multimaster, Rebound |

Auto-generated from HTB machine walkthroughs. Each entry extracted from the Synopsis and Skills Learned sections.