A curated collection of automated exploits for Hack The Box (HTB) machines relevant to the Offensive Security Web Expert (OSWE) certification.
This repo helps streamline exploitation of HTB boxes by automating common OSWE-style attack paths — including LFI, RCE, SQLi, auth bypass, deserialization, and more.
Each exploit is organized per machine with:
- Auto-exploit script
- Brief usage instructions
- Notes (if any) on payload behavior or bypass techniques

| ID | Box Name | Tags | Completed |
|---|---|---|---|
| Difficulty: Easy | | | |
| 1 | Alert | xss, file-disclosure | ✅ |
| 2 | Vault | | ❌ |
| 3 | Popcorn | | ❌ |
| 4 | Celestial | | ❌ |
| 5 | Blocky | | ❌ |
| Difficulty: Medium | | | |
| 6 | Mango | | ❌ |
| 7 | Schooled | | ❌ |
| 8 | Sink | | ❌ |
| 9 | Monitors | | ❌ |
| 10 | Magic | | ❌ |
| 11 | Zipper | | ❌ |
| 12 | Unattended | | ❌ |
| 13 | Help | | ❌ |
| Difficulty: Hard | | | |
| 14 | Falafel | | ❌ |
| 15 | Fulcrum | | ❌ |
| 16 | Unobtainium | | ❌ |
| 17 | Crossfit | | ❌ |
| 18 | Crossfit2 | | ❌ |
| 19 | Stacked | | ❌ |
| 20 | Fingerprint | | ❌ |
| 21 | Cereal | | ❌ |
| 22 | JSON | | ❌ |

For educational and authorized penetration testing only. Use responsibly.
PRs for other HTB boxes or improved automation are welcome!