HackTheBox INSANE Difficulty Machines - Complete Reference
Exhaustive list of ALL known retired Insane-rated HTB machines with key techniques and writeup links.
Linux Insane Machines
| # | Machine | OS | Key Techniques | One-Line Summary | Writeup Links |
|---|---|---|---|---|---|
| 1 | Brainfuck | Linux | WordPress plugin exploit, Vigenère cipher, LXD privesc | Chain WP auth bypass with crypto analysis and container group abuse for root | 0xdf, Medium |
| 2 | Ariekei | Linux | Shellshock, ImageTragick, Docker pivoting | Exploit two famous CVEs through Docker container layers for multi-hop access | 0xdf, Medium |
| 3 | Jail | Linux | NFS, custom binary exploit, rvim escape | Escape multiple sandbox environments with buffer overflow and NFS share abuse | HTB |
| 4 | Nightmare | Linux | Second-order SQLi, exploit modification | Register SQLi-laden username then trigger on login for indirect injection | HackingArticles |
| 5 | CTF | Linux | LDAP injection, OTP bypass, token manipulation | Exploit LDAP-based auth with injection to bypass OTP and escalate | HTB |
| 6 | Mischief | Linux | SNMP enumeration, IPv6, command injection | Leverage SNMP to discover IPv6 address, then command injection to root | HTB |
| 7 | Fulcrum | Linux | Multi-pivot (Linux/Windows), PowerShell, XXE | Chain XXE through multiple network pivots across Linux and Windows hosts | HTB, dastinia |
| 8 | Rope | Linux | Format string, BOF, canary bypass, ret2libc | Binary exploitation gauntlet with format strings and return-oriented attacks | Medium |
| 9 | Bankrobber | Windows | XSS, CSRF, SQLi source leak, BOF | Chain XSS to steal admin cookies, SQLi to leak code, BOF for SYSTEM | 0xdf, snowscan |
| 10 | Zetta | Linux | FTP bounce IPv6 leak, rsync brute, PostgreSQL injection | FTP FXP leaks IPv6, rsync password brute on IPv6, syslog SQL injection to postgres | 0xdf |
| 11 | PlayerTwo | Linux | Twirp protobuf API, firmware analysis, heap exploit | Enumerate protobuf API, analyze firmware update mechanism, heap exploitation for root | 0xdf |
| 12 | RE | Windows | Malicious ODS macro, WinRAR CVE, UsoSvc privesc | Upload malicious ODS to SOC malware dropbox, exploit WinRAR zipslip and UsoSvc | Medium |
| 13 | Oouch | Linux | OAuth CSRF chain, SSRF, DBus exploitation, uWSGI RCE | Chain OAuth flaws with SSRF to steal sessions, pivot through Docker via DBus | 0xdf, hg8 |
| 14 | Unbalanced | Linux | Rsync, EncFS cracking, Squid proxy, XPath injection, Pi-hole RCE | Decrypt EncFS backup via rsync, chain XPath injection through Squid to Pi-hole RCE | 0xdf |
| 15 | Travel | Linux | Memcache SSRF poisoning, PHP deserialization, LDAP privesc | Poison memcache via gopher SSRF with serialized PHP payload, escalate through LDAP | snowscan, chr0x6eos |
| 16 | Dyplesher | Linux | Git repo creds, Minecraft plugin RCE, Wireshark sniffing | Discover creds in exposed Git, upload malicious Minecraft plugin, sniff traffic as wireshark group | zweilosec |
| 17 | Laser | Linux | Printer exploitation, gRPC/protobuf, Solr SSRF, pickle deser | Query network printer for encrypted PDF, interact with gRPC to exploit Solr via pickle | 0xdf |
| 18 | CrossFit | Linux | XSS to CORS to CSRF, FTP upload, command injection | Chain XSS through CORS to forge admin account on subdomain, upload webshell via FTP | 0xdf |
| 19 | Fatty | Linux | Java thick client reversing, deserialization, classpath injection | Reverse Java client-server app, exploit insecure deserialization via classpath manipulation | HTB |
| 20 | RopeTwo | Linux | V8 JavaScript engine exploit, heap, kernel module | Exploit patched V8 engine with OOB read/write, craft addrof/fakeobj primitives, kernel exploit | 0xdf |
| 21 | CrossFitTwo | BSD | Unbound DNS poisoning, WebSocket injection, YubiKey | Poison Unbound DNS, exploit WebSocket chat, abuse YubiKey OTP for privilege escalation | HTB |
| 22 | Stacked | Linux | XSS, LocalStack/AWS exploitation, Lambda RCE | Exploit XSS in web form to pivot to internal LocalStack, abuse Lambda for code execution | HTB |
| 23 | Unobtanium | Linux | Electron app reversing, prototype pollution, K8s lateral movement | Reverse Electron app, chain LFI + prototype pollution + command injection, pivot through Kubernetes | 0xdf |
| 24 | Sink | Linux | HTTP request smuggling, AWS Secrets Manager, KMS | Exploit HTTP desync to hijack admin session, enumerate AWS secrets and decrypt with KMS | threatninja |
| 25 | Proper | Windows | SQLi with HMAC bypass, TOCTOU race, Go binary analysis | Exploit SQL injection past HMAC validation, race condition file write, reverse Go binary | vulndev |
| 26 | Scanned | Linux | Chroot jail escape, setuid abuse, Linux capabilities | Upload binary to escape chroot sandbox, abuse setuid with LD_PRELOAD through jail boundary | 0xdf |
| 27 | Response | Linux | Advanced SSRF, Socket.io exploitation, LDAP | SSRF to internal chat app, extract source code, escalate through LDAP | HTB |
| 28 | Derailed | Linux | Ruby on Rails XSS (username overflow), open() pipe injection | Username buffer overflow triggers XSS, steal admin CSRF token, Ruby open() command injection | 0xdf, threatninja |
| 29 | Corporate | Linux | CSP bypass XSS, cookie theft, Bitwarden PIN brute, Gitea LDAP | Chain XSS past strict CSP to steal auth cookie, brute Bitwarden vault, enumerate Gitea via LDAP | HTB |
Windows Insane Machines
| # | Machine | OS | Key Techniques | One-Line Summary | Writeup Links |
|---|---|---|---|---|---|
| 30 | Minion | Windows | ICMP exfiltration, PowerShell, IIS | Advanced PowerShell exploitation through restrictive firewall with ICMP tunneling | HackingArticles |
| 31 | Fighter | Windows | SQLi blacklist bypass, post-exploitation enumeration | Bypass SQL injection blacklists, chain web and post-exploitation for domain compromise | HTB |
| 32 | Sizzle | Windows | SMB hash theft, ADCS cert abuse, Kerberoasting, DCSync | Steal NTLM hashes via writable SMB share, abuse certs for Kerberoast to DCSync | InfoSecWriteups |
| 33 | Ethereal | Windows | DNS exfiltration, malicious .lnk files, cert-based AppLocker bypass | Exfiltrate data over DNS, lateral movement via shortcut files, bypass AppLocker with certs | HTB |
| 34 | Multimaster | Windows | Unicode SQLi WAF bypass, .NET reversing, AD exploitation | Bypass WAF with Unicode-encoded SQL injection, reverse .NET for creds, chain AD attacks | 0xdf, zweilosec |
| 35 | Hathor | Windows | mojoPortal default creds, ASPX webshell, DLL hijacking 7zip | Upload ASPX webshell through mojoPortal, IIS impersonation, DLL hijack 7zip64.dll | 0xdf, heartburn |
| 36 | Sekhmet | Windows | NodeJS deserialization WAF bypass, ZipCrypto KPA, AppLocker bypass | Deserialize through WAF with Unicode, crack ZipCrypto, bypass AppLocker via InstallUtil.exe | 0xdf |
| 37 | Rebound | Windows | RID cycling, AS-REP/Kerberoast, RemotePotato0 relay, RBCD, gMSA | Chain AD attacks: RID cycling to Kerberoast to cross-session relay to gMSA password read | 0xdf, Medium |
| 38 | Anubis | Windows | ADCS writable certificate template, Windows PKI abuse | Exploit writable cert template in Windows PKI to escalate to Domain Admin | HTB |
| 39 | Absolute | Windows | Image metadata username enum, AD Kerberos-only attack chain | Extract usernames from image metadata, pure Kerberos exploitation in hardened AD environment | HTB |
| 40 | Mist | Windows | CMS path traversal, credential cracking, AD misconfigurations | Traverse CMS paths for backup with hashed creds, chain AD misconfigs to domain compromise | 4xura |
| 41 | Ghost | Windows | LDAP injection, Gitea arbitrary file read + RCE, Golden SAML | LDAP injection leaks Gitea creds, chain file read with RCE, craft Golden SAML for domain admin | 0xdf, Medium |
| 42 | Infiltrator | Windows | AS-REP roasting, Output Messenger exploitation, BitLocker + NTDS.dit | Roast user creds, infiltrate internal messenger app, decrypt BitLocker volume for NTDS.dit | HTB |
| 43 | University | Windows | xhtml2pdf RCE (CVE-2023-33733), cert forgery, CVE-2023-36025, unconstrained delegation | Chain PDF export RCE with cert forgery and archive exploit to unconstrained delegation attack | 0xdf, Medium |
| 44 | Hercules | Windows | LDAP injection (double URL-encoded), Kerberos-only DC, shadow credentials | Inject into LDAP via SSO form on NTLM-disabled DC, extract AD descriptions, shadow creds + RBCD | 1337sheets, cyb3rtr0n |
| 45 | DarkCorp | Windows | RoundCube XSS + IDOR (CVE-2024-42009), AD multi-host chain | Exploit RoundCube to phish developer emails, pivot through analytics dashboard to AD domain compromise | Medium, threatninja |
Note on difficulty corrections from user’s original list:
- TheNotebook = Medium (not Insane) - JWT key injection, Docker container escape
- Schooled = Medium (not Insane) - Moodle XSS + CVE chain
- BreadCrumbs = Hard (not Insane) - PHP session manipulation, JWT, SQLi
- Atom = Medium (not Insane) - Electron-Builder exploit
- CarpeDiem = Hard (not Insane) - VoIP, Docker container escape (CVE-2022-0492)
- Cerberus = Hard (not Insane) - Icinga pre-auth RCE, container to Windows pivot
- Zetta = Hard (officially, though Insane-level difficulty) - FTP IPv6, rsync, PostgreSQL injection
- DarkZero = Hard (not Insane) - MSSQL linked servers, cross-forest trust abuse
Total confirmed Insane machines: ~45+ (New Insane machines are released regularly; this list covers all known retired Insane machines through early 2026.)