Skip to main content
~/rootea $ whoami

> _ rootea.es

Curated directory of writeups across HackTheBox, PortSwigger Web Security Academy and TryHackMe. Bilingual ES/EN. Validated links.
1454
indexed challenges
1953
validated writeups
1444
skill resources

Why this site exists

HackTheBox has hundreds of retired machines, PortSwigger Web Security Academy publishes 260+ web exploitation labs, and TryHackMe ships nearly a thousand public rooms. The documentation is scattered across blogs, YouTube channels, GitHub repos and ephemeral Medium posts. This site does not clone any of it: it is a directory pointing to the writeups of the original authors across the three platforms. But there’s more: training platforms (HackTheBox, TryHackMe, PortSwigger, OffSec) produce operators. They don’t produce professional auditors. In 2025 we added sections covering professional methodology, tactical glossary with 100+ entries, report template, and advanced specialization (AD CS, Cloud, LLM, Red Team, Bug Bounty). See Level Up and Advanced.
whitelist
Curated authors per platform. HackTheBox: S4vitar, El Pingüino de Mario, 0xdf, IppSec. PortSwigger: official docs, Rana Khalil, z3nsh3ll. TryHackMe: official docs, JohnHammond, stuffy24. Zero SEO filler.
validate
Every URL gets a HEAD before publishing. If the server returns 404 or doesn’t answer, out.
lang
When a Spanish writeup exists, it appears first. English fallback via 0xdf and IppSec.
retired-only
No active HackTheBox machine appears here. We respect each platform’s TOS.

How to navigate

  • Top tabs — HackTheBox, PortSwigger, TryHackMe and Skills.
  • Master table per platform — HackTheBox, PortSwigger, TryHackMe. Single view with charts and visual filters.
  • HackTheBox is also grouped by OS (Linux, Windows, Other) and difficulty (Easy, Medium, Hard, Insane). PortSwigger by topic and level (Apprentice, Practitioner, Expert). TryHackMe by tags and difficulty.
  • SearchCmd+K (or Ctrl+ K). Indexes names, labs, rooms and skills.

What you’ll find on each page

  • HackTheBox — operating system, difficulty, IP, retirement date, and skills/techniques (kerberoasting, RCE, LFI, SQLi…).
  • PortSwigger — topic (XSS, SQLi, JWT, Race Conditions…), level Apprentice/Practitioner/Expert and CWE mapping.
  • TryHackMe — tags, difficulty, and the room author.
  • Table of validated writeups, sorted by language and author.

Tactical glossary — 100+ entries

The tactical glossary covers 100+ pentest terms with a fixed format: 🎯 Trench · 🔗 Kill chain · 📡 Defensive footprint · ⚠️ False friend · 🛡️ Remediation. Indexed by block: Active Directory (Kerberos, Pass-the-Hash, Kerberoasting, AS-REP, RBCD, DCSync, Golden/Silver/Diamond Ticket, NoPac, ZeroLogon, PetitPotam, PrintNightmare, Shadow Credentials, LAPS), Web (LFI, SQLi, IDOR, SSRF, XXE, SSTI, Prototype Pollution, JWT, Race Conditions, HTTP Smuggling, CORS, OAuth, GraphQL), Linux privesc (SUID, sudo, capabilities, kernel exploits, Docker socket), Cloud (IMDS, Pacu, Entra ID device code, Managed Identity, ConfusedFunction), Container/K8s, Red Team (AMSI, ETW, BYOVD, Cobalt/Sliver/Mythic), Phishing (Evilginx2, BiTB, consent phishing), and Frameworks (CVSS, EPSS, KEV, NIS2, DORA).

Level Up

Solving machines doesn’t make you a professional pentester. It makes you an operator. These resources cover the 80% of real work platforms don’t teach: methodology, reporting, corporate language and defensive footprint.

Tactical glossary

Operational dictionary: trench, kill chain, defensive footprint, false friend, remediation. No Wikipedia copies.

Professional methodology

PTES phases, SMB/AD/Web decision trees, the stopwatch rule, exploit chaining, MITRE ATT&CK.

Learning resources

Hierarchy PortSwigger → TryHackMe → TCM PEH → OWASP. Order matters.

Report template

The 4 pages that pay the consultant: executive, technical, escalation, remediation. With copy-paste blocks.

Professional web recon

How to enumerate without firing the WAF: passive, fingerprint, type confusion, JA3 and Client Hints.

OSCP Roadmap

30 curated machines in 4 blocks. With professional checklist per machine and OSCP+ 2024 changes.

Advanced specialization

When OSCP no longer scares you and the base methodology is automatic muscle, this is what comes next. Five specialization fronts that separate the pentester from a senior consultant in 2026.

AD CS · Certipy ESC1-ESC16

Full catalog of Active Directory Certificate Services abuse with certipy-ad commands. Dominant vector in 2024-2026 incidents.

Cloud Pentest

AWS · Azure · GCP. Top 10 exploitable vectors, IAM privesc, Entra ID device code, tooling (Pacu, CloudFox, ROADtools, AzureHound).

LLM Security

OWASP Top 10 LLM 2025, prompt injection, RAG poisoning, EchoLeak, EU AI Act. Category with +540% growth in HackerOne 2025.

Modern Red Team

EDR landscape, AMSI/ETW evasion, C2 frameworks (Mythic, Sliver, Havoc), top LOLBAS and Sigma/MITRE defensive mapping.

Bug Bounty + CVE

12-month roadmap, top 10 paid vulns 2025, ProjectDiscovery recon, first CVE in open-source and report disqualifiers.

What you won’t find

  • Flags or hashes. Period.
  • Spoilers written by the hub team: we are an aggregator, not a blog.
  • Active machines, labs or rooms that would breach a platform’s TOS. If you search and don’t find it, it’s probably still scoring points or still behind a paywall.

Frequently asked questions

Which platforms does rootea.es index? Three: HackTheBox (retired machines), PortSwigger Web Security Academy (public web exploitation labs) and TryHackMe (public rooms). Each has its own catalog, filters and curated author set. What is a retired machine on HackTheBox? A HackTheBox machine is considered “retired” once it stops granting ranking points. From that moment on, the terms of service allow publishing writeups openly. This hub only indexes retired HackTheBox machines; PortSwigger labs and TryHackMe public rooms can be indexed without that restriction. Where does the catalog come from? HackTheBox is built from htbmachines.github.io (run by S4vitar’s team), a local seed of classic machines, and the official HTB API when a token is provided. PortSwigger is synced with their official lab listing. TryHackMe pulls from their public catalog of free rooms. Who maintains the linked writeups? The writeups are produced by their respective authors. For HackTheBox: S4vitar, El Pingüino de Mario, 0xdf and IppSec. For PortSwigger: the official documentation, Rana Khalil and z3nsh3ll. For TryHackMe: the official documentation, JohnHammond and stuffy24. This hub only indexes the links; it does not host or modify the original content. How is link validity verified? Every URL gets a HEAD request before being published. Links returning 4xx or 5xx are silently discarded. Validation runs weekly via a GitHub Action across all three platforms. Can I suggest a new author or resource? Yes. The skills glossary lives at data/skills_glossary.json and the author whitelist at scripts/config.py. Open a Pull Request at github.com/FFuson/HTB_Writeups.