# hectortoral.com

> A minimal portfolio, component registry, and blog to showcase my work as a Design Engineer.

- [About](https://hectortoral.com/about.md): A quick intro to me, my tech stack, and how to connect.
- [Experience](https://hectortoral.com/experience.md): Highlights from my career and key roles I've taken on.
- [Projects](https://hectortoral.com/projects.md): Selected projects that show my skills and creativity.
- [Awards](https://hectortoral.com/awards.md): My key awards and honors.
- [Certifications](https://hectortoral.com/certifications.md): Certifications and credentials I've earned.

## Blog

- [Logging - Walkthrough](https://hectortoral.com/blog/logging.mdx): TODO
- [Silentium - Walkthrough](https://hectortoral.com/blog/silentium.mdx): Silentium is an easy-difficulty Linux machine centered around web API exploitation and container credential leakage. The foothold is achieved by abusing an information disclosure vulnerability in a Flowise AI platform's password reset flow: the forgot-password endpoint returns the user's tempToken in plaintext, enabling a password reset and subsequent RCE via a known Flowise exploit. Once inside a Docker container as root, environment variables expose SSH credentials for the host user. Privilege escalation exploits CVE-2025-8110, a Git symlink RCE in a Gogs instance running as root on localhost, granting a root shell on the host.
- [Attacking Wi-Fi Protected Setup (WPS)](https://hectortoral.com/blog/attacking-wi-fi-protected-setup-wps.mdx)
- [Wi-Fi Password Cracking Techniques](https://hectortoral.com/blog/wi-fi-password-cracking-techniques.mdx)
- [Wi-Fi Penetration Testing Basics](https://hectortoral.com/blog/wi-fi-penetration-testing-basics.mdx)
- [Wired Equivalent Privacy (WEP) Attacks](https://hectortoral.com/blog/wired-equivalent-privacy-wep-attacks.mdx)
- [Breaking into Syntex Dynamics](https://hectortoral.com/blog/ejpt.mdx): A full penetration test walkthrough against the Syntex Dynamics practice lab - six DMZ hosts, a dual-homed pivot, and an internal network. The structure closely mirrors what you will encounter in the eJPT certification.
- [Garfield - Walkthrough](https://hectortoral.com/blog/garfield.mdx): TODO
- [DevArea - Walkthrough](https://hectortoral.com/blog/dev-area.mdx): DevArea is a medium-difficulty Linux machine featuring an Apache CXF SOAP service vulnerable to XOP Include arbitrary file read (CVE-2022-46364), which leaks admin credentials from a systemd unit file. These credentials are used to abuse the Hoverfly admin API middleware execution feature to obtain a reverse shell. Post-exploitation reveals a custom monitoring script runnable as root via sudo, whose shebang-based interpreter resolution is exploited by overwriting a world-writable /bin/bash with a malicious script that creates a SUID root shell.
- [Kobold - Walkthrough](https://hectortoral.com/blog/kobold.mdx): Kobold is a Linux machine that features a vulnerable MCP Inspector instance (CVE-2026-23744) allowing unauthenticated RCE, leading to an initial shell. Post-exploitation reveals a PrivateBin instance vulnerable to path traversal (CVE-2024-46613), which is chained with a PHP code injection to leak database credentials and pivot to a higher-privileged user.
- [VariaType - Walkthrough](https://hectortoral.com/blog/varia-type.mdx): VariaType is a medium-difficulty Linux machine centred around a font design portal. An exposed .git repository leaks hard-coded credentials that grant access to the portal. The portal is then exploited via a malicious DesignSpace file that injects a PHP webshell (GHSA-768j-98cg-p3fv), yielding a shell as www-data. Lateral movement to the steve user is achieved by abusing a cron-driven FontForge pipeline through filename injection inside a crafted ZIP archive. Finally, a sudo-permitted Python script that calls setuptools' PackageIndex.download() is abused to plant an SSH public key in root's authorized keys via URL path traversal.
- [CCTV - Walkthrough](https://hectortoral.com/blog/cctv.mdx): CCTV is an easy-difficulty Linux machine featuring a ZoneMinder surveillance web application vulnerable to time-based blind SQL injection. The vulnerability is exploited to extract database credentials and gain SSH access as the mark user. Post-exploitation reveals a locally running motionEye instance whose admin credentials are recovered from configuration files. The CVE-2025-60787 remote code execution vulnerability in motionEye is then exploited via SSH tunnelling to gain a root shell.
- [Secure Services with Nginx Proxy Manager](https://hectortoral.com/blog/nginx-proxy-homelab.mdx): Set up Nginx Proxy Manager as a reverse proxy to route traffic, enable HTTPS, and manage multiple services easily.
- [Secure Services with Traefik Proxy](https://hectortoral.com/blog/traefik-proxy-homelab.mdx): Set up Traefik as a reverse proxy to route traffic, enable HTTPS, and manage multiple services easily.
- [How to Install Docker on Ubuntu – Step-by-Step Guide](https://hectortoral.com/blog/docker-install-guide.mdx): Discover how to set up Docker on Raspberry Pi and start deploying apps in containers quickly.
- [Build Your Own Raspberry Pi Homelab](https://hectortoral.com/blog/raspberrypi-homelab.mdx): Learn what a homelab is, why Raspberry Pi is perfect for it, and how to set up the OS for future projects.
- [Editorial - Walkthrough](https://hectortoral.com/blog/editorial.mdx): Editorial is an easy difficulty Linux machine that features a publishing web application vulnerable to Server-Side Request Forgery (SSRF). This vulnerability is leveraged to gain access to an internal running API, which is then leveraged to obtain credentials that lead to SSH access to the machine. Enumerating the system further reveals a Git repository that is leveraged to reveal credentials for a new user. The root user can be obtained by exploiting CVE-2022-24439 and the sudo configuration.
- [Blurry - Walkthrough](https://hectortoral.com/blog/blurry.mdx): Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API, all of which contain vulnerabilities (CVE-2024-24590 - CVE-2024-24595) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with sudo is discovered. The program loads arbitrary PyTorch models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, fickling is used to scan the dataset for insecure pickle files prior to loading the model. Malicious code can be injected into a model, using runpy to bypass the fickling checks.
- [Forest - Walkthrough](https://hectortoral.com/blog/forest.mdx): Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.
- [Board Light - Walkthrough](https://hectortoral.com/blog/board-light.mdx): BoardLight is an easy difficulty Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253. This vulnerability is leveraged to gain access as www-data. After enumerating and dumping the web configuration file contents, plaintext credentials lead to SSH access to the machine. Enumerating the system, a SUID binary related to enlightenment is identified which is vulnerable to privilege escalation via CVE-2022-37706 and can be abused to leverage a root shell.
- [Mailing - Walkthrough](https://hectortoral.com/blog/mailing.mdx): Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.
- [Solar Lab - Walkthrough](https://hectortoral.com/blog/solar-lab.mdx): SolarLab is a medium Windows machine that starts with a webpage featuring a business site. Moreover, an SMB share is accessible using a guest session that holds files with sensitive information for users on the remote machine. An attacker can extract valid credentials from this file and log in to a page allowing employees to fill out forms for company purposes. These forms are turned into PDFs using the ReportLab library, which is vulnerable to CVE-2023-33733. After some exploit development/modification, the attacker can get code execution as the user blake on the remote machine. Further enumeration of the remote machine reveals that Openfire is installed and running locally. By using a SOCKS tunnel, the attacker can access the Administrator Console for Openfire. It turns out that the installed version is vulnerable to CVE-2023-32315, which allows the attacker to bypass the authentication screen, upload a malicious plugin, and get code execution as the openfire user. The openfire user can read the logs from when the server was installed and extract all the necessary information to crack the Administrator's password, and it turns out that this password is re-used for the local Administrator account.
- [Runner - Walkthrough](https://hectortoral.com/blog/runner.mdx): Runner is a medium difficulty Linux box that contains a vulnerability CVE-2023-42793 in TeamCity. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a TeamCity docker container and compressing the HSQLDB database files, we can extract credentials for the user matthew and find an SSH key for john. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the /etc/hosts file, we discover a running Portainer instance. Using matthew's credentials, we access the subdomain externally. While authenticated, we find that we can create images, but our privileges are limited. After checking the version of runc on the host, we exploit a vulnerability CVE-2024-21626 through the image build function of Portainer, which allows us to create a SUID bash file on the host.
- [Surveillance - Walkthrough](https://hectortoral.com/blog/surveillance.mdx): Surveillance is a medium-difficulty Linux machine that showcases a vulnerability CVE-2023-41892 in Craft CMS, which abuses PHP object injection to inject PHP content into the Craft CMS web log files to gain Remote Code Execution (RCE). The privilege escalation abuses ZoneMinder with an authenticated remote code injection in the HostController.php API endpoint to gain a shell as the zoneminder user. As this user, a sudo entry is abused by adding a configuration environment variable LD_PRELOAD via the admin panel and loading the malicious library file through zmdc.dl on the target, compromising the system.
- [Monitored - Walkthrough](https://hectortoral.com/blog/monitored.mdx): Monitored is a medium-difficulty Linux machine that features a Nagios instance. Credentials for the service are obtained via the SNMP protocol, which reveals a username and password combination provided as command-line parameters. Using the Nagios API, an authentication token for a disabled account is obtained, which leads to access to the application's dashboard. From there, a SQL injection CVE-2023-40931 is abused to obtain an administrator API key, with which a new admin account is created and used to run arbitrary commands on the instance, leading to a reverse shell. Finally, sudo access to a bash script is abused to read the root user's SSH key and authenticate as root.
- [Wifinetic Two - Walkthrough](https://hectortoral.com/blog/wifinetic-two.mdx): WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of CVE-2021-31630. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running OpenWRT and gain a root shell via its web interface.
- [Headless - Walkthrough](https://hectortoral.com/blog/headless.mdx): Headless is an easy-difficulty Linux machine that features a Python Werkzeug server hosting a website. The website has a customer support form, which is found to be vulnerable to blind Cross-Site Scripting (XSS) via the User-Agent header. This vulnerability is leveraged to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to command injection, leading to a reverse shell on the box. Enumerating the user's mail reveals a script that does not use absolute paths, which is leveraged to get a shell as root.
- [Analytics - Walkthrough](https://hectortoral.com/blog/analytics.mdx): Analytics is an easy difficulty Linux machine with exposed HTTP and SSH services. Enumeration of the website reveals a Metabase instance, which is vulnerable to Pre-Authentication Remote Code Execution CVE-2023-38646, which is leveraged to gain a foothold inside a Docker container. Enumerating the Docker container we see that the environment variables set contain credentials that can be used to SSH into the host. Post-exploitation enumeration reveals that the kernel version that is running on the host is vulnerable to GameOverlay, which is leveraged to obtain root privileges.
- [Perfection - Walkthrough](https://hectortoral.com/blog/perfection.mdx): Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the sudo group. Further enumeration uncovers a database with password hashes, and the user's mail reveals a possible password format. Using a mask attack on the hash, the user's password is obtained, which is leveraged to gain root access.
- [Bizness - Walkthrough](https://hectortoral.com/blog/bizness.mdx): Bizness is an easy Linux machine showcasing an Apache OFBiz pre-authentication, remote code execution (RCE) foothold, classified as CVE-2023-49070. The exploit is leveraged to obtain a shell on the box, where enumeration of the OFBiz configuration reveals a hashed password in the service's Derby database. Through research and a little code review, the hash is transformed into a more common format that can be cracked by industry-standard tools. The obtained password is used to log into the box as the root user.
- [Builder - Walkthrough](https://hectortoral.com/blog/builder.mdx): Builder is a medium-difficulty Linux machine that features a Jenkins instance. The Jenkins instance is found to be vulnerable to the CVE-2024-23897 vulnerability that allows unauthenticated users to read arbitrary files on the Jenkins controller file system. An attacker is able to extract the username and password hash of the Jenkins user jennifer. Using the credentials to log in to the remote Jenkins instance, an encrypted SSH key is exploited to obtain root access on the host machine.
- [Cozy Hosting - Walkthrough](https://hectortoral.com/blog/cozy-hosting.mdx): CozyHosting is an easy-difficulty Linux machine that features a Spring Boot application. The application has the Actuator endpoint enabled. Enumerating the endpoint leads to the discovery of a user's session cookie, leading to authenticated access to the main dashboard. The application is vulnerable to command injection, which is leveraged to gain a reverse shell on the remote machine. Enumerating the application's JAR file, hardcoded credentials are discovered and used to log into the local database. The database contains a hashed password, which once cracked is used to log into the machine as the user josh. The user is allowed to run ssh as root, which is leveraged to fully escalate privileges.
- [Two Million - Walkthrough](https://hectortoral.com/blog/two-million.mdx): TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on HackTheBox. The box features an old version of the HackTheBox platform that includes the old hackable invite code. After hacking the invite code, an account can be created on the platform. The account can be used to enumerate various API endpoints, one of which can be used to elevate the user to an Administrator. With administrative access, the user can perform a command injection in the admin VPN generation endpoint, thus gaining a system shell. An .env file is found to contain database credentials and, owing to password re-use, the attackers can log in as user admin on the box. The system kernel is found to be outdated and CVE-2023-0386 can be used to gain a root shell.
- [Codify - Walkthrough](https://hectortoral.com/blog/codify.mdx): Codify is an easy Linux machine that features a web application that allows users to test Node.js code. The application uses a vulnerable vm2 library, which is leveraged to gain remote code execution. Enumerating the target reveals a SQLite database containing a hash which, once cracked, yields SSH access to the box. Finally, a vulnerable Bash script can be run with elevated privileges to reveal the root user's password, leading to privileged access to the machine.
- [Active Directory Enumeration & Attacks - Tools](https://hectortoral.com/blog/active-directory-enumeration-attacks-tools.mdx)
- [Active Directory Enumeration & Attacks](https://hectortoral.com/blog/active-directory-enumeration-attacks.mdx)
- [Introduction To Active Directory](https://hectortoral.com/blog/introduction-to-active-directory.mdx)
- [Windows Attacks And Defense](https://hectortoral.com/blog/windows-attacks-and-defense.mdx)
- [Intro to Network Traffic Analysis](https://hectortoral.com/blog/intro-to-network-traffic-analysis.mdx)
- [Security Monitoring & SIEM Fundamentals](https://hectortoral.com/blog/security-monitoring-siem-fundamentals.mdx)
- [Attacking Common Applications](https://hectortoral.com/blog/attacking-common-applications.mdx)
- [Attacking Common Services](https://hectortoral.com/blog/attacking-common-services.mdx)
- [Cracking Passwords With Hashcat](https://hectortoral.com/blog/cracking-passwords-with-hashcat.mdx)
- [Linux Exploitation](https://hectortoral.com/blog/linux-exploitation.mdx)
- [Login Brute Forcing](https://hectortoral.com/blog/login-brute-forcing.mdx)
- [Password Attacks](https://hectortoral.com/blog/password-attacks.mdx)
- [Pivot & Internal Network Access](https://hectortoral.com/blog/pivot-internal-network.mdx)
- [Shells & Payloads](https://hectortoral.com/blog/shells-and-payloads.mdx)
- [Shells & Payloads](https://hectortoral.com/blog/shells-payloads.mdx)
- [Using the Metasploit Framework](https://hectortoral.com/blog/using-the-metasploit-framework.mdx)
- [Windows Exploitation](https://hectortoral.com/blog/windows-exploitation.mdx)
- [Getting Started](https://hectortoral.com/blog/getting-started.mdx)
- [Introduction To Windows Command Line](https://hectortoral.com/blog/introduction-to-windows-command-line.mdx)
- [Linux Fundamentals](https://hectortoral.com/blog/linux-fundamentals.mdx)
- [Pentest In A Nutshell](https://hectortoral.com/blog/pentest-in-a-nutshell.mdx)
- [Web Requests](https://hectortoral.com/blog/web-requests.mdx)
- [Windows Fundamentals](https://hectortoral.com/blog/windows-fundamentals.mdx)
- [Credential Dumping](https://hectortoral.com/blog/credential-dumping.mdx)
- [File Transfers](https://hectortoral.com/blog/file-transfers.mdx)
- [Linux Post-Exploitation](https://hectortoral.com/blog/linux-post-exploitation.mdx)
- [Linux Privilege Escalation](https://hectortoral.com/blog/linux-privilege-escalation.mdx)
- [Pivoting, Tunneling & Port Forwarding](https://hectortoral.com/blog/pivoting-tunneling-port-forwarding.mdx)
- [Windows Post-Exploitation](https://hectortoral.com/blog/windows-post-exploitation.mdx)
- [Windows Privilege Escalation](https://hectortoral.com/blog/windows-privilege-escalation.mdx)
- [Footprinting](https://hectortoral.com/blog/footprinting.mdx)
- [Information Gathering - Web Edition](https://hectortoral.com/blog/information-gathering-web-edition.mdx)
- [Network Discovery](https://hectortoral.com/blog/network-discovery.mdx)
- [Network Enumeration With Nmap](https://hectortoral.com/blog/network-enumeration-with-nmap.mdx)
- [Passive Information Gathering](https://hectortoral.com/blog/passive-information-gathering.mdx)
- [Service Enumeration](https://hectortoral.com/blog/service-enumeration.mdx)
- [Web Enumeration](https://hectortoral.com/blog/web-enumeration.mdx)
- [Attacking GraphQL](https://hectortoral.com/blog/attacking-graphql.mdx)
- [Attacking Web Applications with FFUF](https://hectortoral.com/blog/attacking-web-applications-with-ffuf.mdx)
- [Broken Authentication](https://hectortoral.com/blog/broken-authentication.mdx)
- [Command Injections](https://hectortoral.com/blog/command-injections.mdx)
- [Cross-Site Scripting (XSS)](https://hectortoral.com/blog/cross-site-scripting-xss.mdx)
- [Drupal Attacks](https://hectortoral.com/blog/drupal-attacks.mdx)
- [File Inclusion](https://hectortoral.com/blog/file-inclusion.mdx)
- [File Upload Attacks](https://hectortoral.com/blog/file-upload-attacks.mdx)
- [Hacking WordPress](https://hectortoral.com/blog/hacking-wordpress.mdx)
- [JavaScript Deobfuscation](https://hectortoral.com/blog/javascript-deobfuscation.mdx)
- [Server Side Attacks](https://hectortoral.com/blog/server-side-attacks.mdx)
- [SQL Injection Fundamentals](https://hectortoral.com/blog/sql-injection-fundamentals.mdx)
- [SQLMap Essentials](https://hectortoral.com/blog/sqlmap-essentials.mdx)
- [Using Web Proxies](https://hectortoral.com/blog/using-web-proxies.mdx)
- [Web Attacks](https://hectortoral.com/blog/web-attacks.mdx)
- [Web Fuzzing](https://hectortoral.com/blog/web-fuzzing.mdx)
- [WordPress Attacks](https://hectortoral.com/blog/wordpress-attacks.mdx)
