~/rootea $ whoami
> _ rootea.es
Curated directory of writeups across HackTheBox, PortSwigger Web
Security Academy and TryHackMe. Bilingual ES/EN. Validated links.
1454
indexed challenges
1953
validated writeups
1444
skill resources
Why this site exists
HackTheBox has hundreds of retired machines, PortSwigger Web Security Academy publishes 260+ web exploitation labs, and TryHackMe ships nearly a thousand public rooms. The documentation is scattered across blogs, YouTube channels, GitHub repos and ephemeral Medium posts. This site does not clone any of it: it is a directory pointing to the writeups of the original authors across the three platforms. But there’s more: training platforms (HackTheBox, TryHackMe, PortSwigger, OffSec) produce operators. They don’t produce professional auditors. In 2025 we added sections covering professional methodology, tactical glossary with 100+ entries, report template, and advanced specialization (AD CS, Cloud, LLM, Red Team, Bug Bounty). See Level Up and Advanced.whitelist
Curated authors per platform. HackTheBox: S4vitar,
El Pingüino de Mario, 0xdf, IppSec. PortSwigger:
official docs, Rana Khalil, z3nsh3ll. TryHackMe:
official docs, JohnHammond, stuffy24. Zero SEO filler.
validate
Every URL gets a
HEAD before publishing. If the
server returns 404 or doesn’t answer, out.lang
When a Spanish writeup exists, it appears first. English
fallback via 0xdf and IppSec.
retired-only
No active HackTheBox machine appears here. We respect each
platform’s TOS.
How to navigate
- Top tabs — HackTheBox, PortSwigger, TryHackMe and Skills.
- Master table per platform — HackTheBox, PortSwigger, TryHackMe. Single view with charts and visual filters.
- HackTheBox is also grouped by OS (Linux, Windows, Other) and difficulty (Easy, Medium, Hard, Insane). PortSwigger by topic and level (Apprentice, Practitioner, Expert). TryHackMe by tags and difficulty.
- Search — Cmd+K (or Ctrl+ K). Indexes names, labs, rooms and skills.
What you’ll find on each page
- HackTheBox — operating system, difficulty, IP, retirement date, and skills/techniques (kerberoasting, RCE, LFI, SQLi…).
- PortSwigger — topic (XSS, SQLi, JWT, Race Conditions…), level Apprentice/Practitioner/Expert and CWE mapping.
- TryHackMe — tags, difficulty, and the room author.
- Table of validated writeups, sorted by language and author.
Tactical glossary — 100+ entries
The tactical glossary covers 100+ pentest terms with a fixed format: 🎯 Trench · 🔗 Kill chain · 📡 Defensive footprint · ⚠️ False friend · 🛡️ Remediation. Indexed by block: Active Directory (Kerberos, Pass-the-Hash, Kerberoasting, AS-REP, RBCD, DCSync, Golden/Silver/Diamond Ticket, NoPac, ZeroLogon, PetitPotam, PrintNightmare, Shadow Credentials, LAPS), Web (LFI, SQLi, IDOR, SSRF, XXE, SSTI, Prototype Pollution, JWT, Race Conditions, HTTP Smuggling, CORS, OAuth, GraphQL), Linux privesc (SUID, sudo, capabilities, kernel exploits, Docker socket), Cloud (IMDS, Pacu, Entra ID device code, Managed Identity, ConfusedFunction), Container/K8s, Red Team (AMSI, ETW, BYOVD, Cobalt/Sliver/Mythic), Phishing (Evilginx2, BiTB, consent phishing), and Frameworks (CVSS, EPSS, KEV, NIS2, DORA).Level Up
Solving machines doesn’t make you a professional pentester. It makes you an operator. These resources cover the 80% of real work platforms don’t teach: methodology, reporting, corporate language and defensive footprint.Tactical glossary
Operational dictionary: trench, kill chain, defensive
footprint, false friend, remediation. No Wikipedia copies.
Professional methodology
PTES phases, SMB/AD/Web decision trees, the stopwatch rule,
exploit chaining, MITRE ATT&CK.
Learning resources
Hierarchy PortSwigger → TryHackMe → TCM PEH → OWASP. Order
matters.
Report template
The 4 pages that pay the consultant: executive, technical,
escalation, remediation. With copy-paste blocks.
Professional web recon
How to enumerate without firing the WAF: passive, fingerprint,
type confusion, JA3 and Client Hints.
OSCP Roadmap
30 curated machines in 4 blocks. With professional checklist
per machine and OSCP+ 2024 changes.
Advanced specialization
When OSCP no longer scares you and the base methodology is automatic muscle, this is what comes next. Five specialization fronts that separate the pentester from a senior consultant in 2026.AD CS · Certipy ESC1-ESC16
Full catalog of Active Directory Certificate Services abuse
with certipy-ad commands. Dominant vector in 2024-2026
incidents.
Cloud Pentest
AWS · Azure · GCP. Top 10 exploitable vectors, IAM privesc,
Entra ID device code, tooling (Pacu, CloudFox, ROADtools,
AzureHound).
LLM Security
OWASP Top 10 LLM 2025, prompt injection, RAG poisoning,
EchoLeak, EU AI Act. Category with +540% growth in HackerOne
2025.
Modern Red Team
EDR landscape, AMSI/ETW evasion, C2 frameworks (Mythic,
Sliver, Havoc), top LOLBAS and Sigma/MITRE defensive mapping.
Bug Bounty + CVE
12-month roadmap, top 10 paid vulns 2025, ProjectDiscovery
recon, first CVE in open-source and report disqualifiers.
What you won’t find
- Flags or hashes. Period.
- Spoilers written by the hub team: we are an aggregator, not a blog.
- Active machines, labs or rooms that would breach a platform’s TOS. If you search and don’t find it, it’s probably still scoring points or still behind a paywall.
Frequently asked questions
Which platforms does rootea.es index? Three: HackTheBox (retired machines), PortSwigger Web Security Academy (public web exploitation labs) and TryHackMe (public rooms). Each has its own catalog, filters and curated author set. What is a retired machine on HackTheBox? A HackTheBox machine is considered “retired” once it stops granting ranking points. From that moment on, the terms of service allow publishing writeups openly. This hub only indexes retired HackTheBox machines; PortSwigger labs and TryHackMe public rooms can be indexed without that restriction. Where does the catalog come from? HackTheBox is built from htbmachines.github.io (run by S4vitar’s team), a local seed of classic machines, and the official HTB API when a token is provided. PortSwigger is synced with their official lab listing. TryHackMe pulls from their public catalog of free rooms. Who maintains the linked writeups? The writeups are produced by their respective authors. For HackTheBox: S4vitar, El Pingüino de Mario, 0xdf and IppSec. For PortSwigger: the official documentation, Rana Khalil and z3nsh3ll. For TryHackMe: the official documentation, JohnHammond and stuffy24. This hub only indexes the links; it does not host or modify the original content. How is link validity verified? Every URL gets aHEAD request before being published. Links
returning 4xx or 5xx are silently discarded. Validation runs weekly
via a GitHub Action across all three platforms.
Can I suggest a new author or resource?
Yes. The skills glossary lives at data/skills_glossary.json and
the author whitelist at scripts/config.py. Open a Pull Request at
github.com/FFuson/HTB_Writeups.