> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# rootea.es — Writeups HackTheBox · PortSwigger · TryHackMe

> Bilingual ES/EN directory of verified writeups for HackTheBox, PortSwigger Web Security Academy and TryHackMe + professional learning system: 100+ tactical glossary entries, PTES methodology, report template, AD CS, Cloud Pentest, LLM Security, Modern Red Team, and Bug Bounty.

<div className="rootea-hero">
  <div className="rootea-hero-prompt">\~/rootea \$ whoami</div>

  <h1 className="rootea-hero-title">
    <span>> \_ </span><span className="accent">rootea.es</span><span className="rootea-hero-cursor" />
  </h1>

  <div className="rootea-hero-tagline">
    Curated directory of writeups across HackTheBox, PortSwigger Web
    Security Academy and TryHackMe. Bilingual ES/EN. Validated links.
  </div>

  <div className="rootea-hero-counters">
    <div className="rootea-counter">
      <div className="rootea-counter-num">1454</div>
      <div className="rootea-counter-label">indexed challenges</div>
    </div>

    <div className="rootea-counter">
      <div className="rootea-counter-num">1953</div>
      <div className="rootea-counter-label">validated writeups</div>
    </div>

    <div className="rootea-counter">
      <div className="rootea-counter-num">1444</div>
      <div className="rootea-counter-label">skill resources</div>
    </div>
  </div>

  <div className="rootea-hero-ctas">
    <a className="rootea-hero-cta rootea-hero-cta-primary" href="/en/htb/all">
      HackTheBox →
    </a>

    <a className="rootea-hero-cta rootea-hero-cta-secondary" href="/en/portswigger/all">
      PortSwigger →
    </a>

    <a className="rootea-hero-cta rootea-hero-cta-secondary" href="/en/tryhackme/all">
      TryHackMe →
    </a>

    <a className="rootea-hero-cta rootea-hero-cta-secondary" href="/en/skills/index">
      Cross-platform skills
    </a>
  </div>
</div>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"WebSite","name":"rootea.es · HTB Writeups Hub","alternateName":"rootea.es","url":"https://rootea.es","inLanguage":"en","description":"Curated directory of writeups for retired Hack The Box machines","potentialAction":{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://rootea.es/en/htb/all?q={search_term_string}"},"query-input":"required name=search_term_string"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","name":"Which platforms does rootea.es index?","acceptedAnswer":{"@type":"Answer","text":"Three: HackTheBox (retired machines), PortSwigger Web Security Academy (public web exploitation labs) and TryHackMe (public rooms). Each platform has its own catalog, filters and curated author set."}},{"@type":"Question","name":"What is a retired machine on HackTheBox?","acceptedAnswer":{"@type":"Answer","text":"A HackTheBox machine is considered retired once it stops granting ranking points. From that moment on, the terms of service allow publishing writeups openly. This hub only indexes retired HackTheBox machines; PortSwigger labs and TryHackMe public rooms can be indexed without that restriction."}},{"@type":"Question","name":"Where does the catalog come from?","acceptedAnswer":{"@type":"Answer","text":"HackTheBox is built from htbmachines.github.io, a local seed of classic machines, and the official HTB API when a token is provided. PortSwigger syncs with the official lab listing. TryHackMe pulls from the public catalog of free rooms."}},{"@type":"Question","name":"Who maintains the linked writeups?","acceptedAnswer":{"@type":"Answer","text":"The writeups are produced by their respective authors. HackTheBox: S4vitar, El Pingüino de Mario, 0xdf and IppSec. PortSwigger: official documentation, Rana Khalil and z3nsh3ll. TryHackMe: official documentation, JohnHammond and stuffy24. This hub only indexes the links; it does not host or modify the original content."}},{"@type":"Question","name":"How is link validity verified?","acceptedAnswer":{"@type":"Answer","text":"Every URL gets a HEAD request before being published. Links returning 4xx or 5xx are discarded. Validation runs weekly via a GitHub Action across all three platforms."}}]}`}
</script>

## Why this site exists

HackTheBox has hundreds of retired machines, PortSwigger Web Security
Academy publishes 260+ web exploitation labs, and TryHackMe ships
nearly a thousand public rooms. The documentation is scattered across
blogs, YouTube channels, GitHub repos and ephemeral Medium posts.
This site **does not clone** any of it: it is a directory pointing
to the writeups of the original authors across the three platforms.

**But there's more:** training platforms (HackTheBox, TryHackMe,
PortSwigger, OffSec) produce operators. **They don't produce
professional auditors.** In 2025 we added sections covering
**professional methodology**, **tactical glossary with 100+ entries**,
**report template**, and advanced specialization (AD CS, Cloud, LLM,
Red Team, Bug Bounty). See [Level Up](/en/methodology) and
[Advanced](/en/ad-cs).

<div className="rootea-cards">
  <div className="rootea-card">
    <div className="rootea-card-title">whitelist</div>

    <div className="rootea-card-body">
      Curated authors per platform. <strong>HackTheBox</strong>: S4vitar,
      El Pingüino de Mario, 0xdf, IppSec. <strong>PortSwigger</strong>:
      official docs, Rana Khalil, z3nsh3ll. <strong>TryHackMe</strong>:
      official docs, JohnHammond, stuffy24. Zero SEO filler.
    </div>
  </div>

  <div className="rootea-card">
    <div className="rootea-card-title">validate</div>

    <div className="rootea-card-body">
      Every URL gets a <code>HEAD</code> before publishing. If the
      server returns 404 or doesn't answer, out.
    </div>
  </div>

  <div className="rootea-card">
    <div className="rootea-card-title">lang</div>

    <div className="rootea-card-body">
      When a Spanish writeup exists, it appears first. English
      fallback via 0xdf and IppSec.
    </div>
  </div>

  <div className="rootea-card">
    <div className="rootea-card-title">retired-only</div>

    <div className="rootea-card-body">
      No active HackTheBox machine appears here. We respect each
      platform's TOS.
    </div>
  </div>
</div>

## How to navigate

* **Top tabs** — HackTheBox, PortSwigger, TryHackMe and Skills.
* **Master table** per platform — [HackTheBox](/en/htb/all),
  [PortSwigger](/en/portswigger/all), [TryHackMe](/en/tryhackme/all).
  Single view with charts and visual filters.
* **HackTheBox** is also grouped by OS (Linux, Windows, Other) and
  difficulty (Easy, Medium, Hard, Insane). PortSwigger by topic and
  level (Apprentice, Practitioner, Expert). TryHackMe by tags and
  difficulty.
* **Search** — <kbd>Cmd</kbd>+<kbd>K</kbd> (or <kbd>Ctrl</kbd>+
  <kbd>K</kbd>). Indexes names, labs, rooms and skills.

## What you'll find on each page

* **HackTheBox** — operating system, difficulty, IP, retirement date,
  and skills/techniques (kerberoasting, RCE, LFI, SQLi…).
* **PortSwigger** — topic (XSS, SQLi, JWT, Race Conditions…), level
  Apprentice/Practitioner/Expert and CWE mapping.
* **TryHackMe** — tags, difficulty, and the room author.
* Table of validated writeups, sorted by language and author.

## Tactical glossary — 100+ entries

The [tactical glossary](/en/glossary) covers 100+ pentest terms
with a fixed format: 🎯 Trench · 🔗 Kill chain · 📡 Defensive
footprint · ⚠️ False friend · 🛡️ Remediation. Indexed by block:
Active Directory (Kerberos, Pass-the-Hash, Kerberoasting, AS-REP,
RBCD, DCSync, Golden/Silver/Diamond Ticket, NoPac, ZeroLogon,
PetitPotam, PrintNightmare, Shadow Credentials, LAPS), Web
(LFI, SQLi, IDOR, SSRF, XXE, SSTI, Prototype Pollution, JWT,
Race Conditions, HTTP Smuggling, CORS, OAuth, GraphQL), Linux
privesc (SUID, sudo, capabilities, kernel exploits, Docker socket),
Cloud (IMDS, Pacu, Entra ID device code, Managed Identity,
ConfusedFunction), Container/K8s, Red Team (AMSI, ETW, BYOVD,
Cobalt/Sliver/Mythic), Phishing (Evilginx2, BiTB, consent
phishing), and Frameworks (CVSS, EPSS, KEV, NIS2, DORA).

## Level Up

Solving machines doesn't make you a professional pentester. It
makes you an operator. These resources cover the **80% of real
work** platforms don't teach: methodology, reporting, corporate
language and defensive footprint.

<CardGroup cols={2}>
  <Card title="Tactical glossary" icon="book-open" href="/en/glossary">
    Operational dictionary: trench, kill chain, defensive
    footprint, false friend, remediation. No Wikipedia copies.
  </Card>

  <Card title="Professional methodology" icon="compass" href="/en/methodology">
    PTES phases, SMB/AD/Web decision trees, the stopwatch rule,
    exploit chaining, MITRE ATT\&CK.
  </Card>

  <Card title="Learning resources" icon="graduation-cap" href="/en/resources">
    Hierarchy PortSwigger → TryHackMe → TCM PEH → OWASP. Order
    matters.
  </Card>

  <Card title="Report template" icon="file-lines" href="/en/report-template">
    The 4 pages that pay the consultant: executive, technical,
    escalation, remediation. With copy-paste blocks.
  </Card>

  <Card title="Professional web recon" icon="magnifying-glass" href="/en/web-recon">
    How to enumerate without firing the WAF: passive, fingerprint,
    type confusion, JA3 and Client Hints.
  </Card>

  <Card title="OSCP Roadmap" icon="route" href="/en/htb/oscp-roadmap">
    30 curated machines in 4 blocks. With professional checklist
    per machine and OSCP+ 2024 changes.
  </Card>
</CardGroup>

## Advanced specialization

When OSCP no longer scares you and the base methodology is
automatic muscle, this is what comes next. **Five specialization
fronts** that separate the pentester from a senior consultant in
2026\.

<CardGroup cols={2}>
  <Card title="AD CS · Certipy ESC1-ESC16" icon="key" href="/en/ad-cs">
    Full catalog of Active Directory Certificate Services abuse
    with certipy-ad commands. Dominant vector in 2024-2026
    incidents.
  </Card>

  <Card title="Cloud Pentest" icon="cloud" href="/en/cloud-pentest">
    AWS · Azure · GCP. Top 10 exploitable vectors, IAM privesc,
    Entra ID device code, tooling (Pacu, CloudFox, ROADtools,
    AzureHound).
  </Card>

  <Card title="LLM Security" icon="robot" href="/en/llm-security">
    OWASP Top 10 LLM 2025, prompt injection, RAG poisoning,
    EchoLeak, EU AI Act. Category with +540% growth in HackerOne
    2025\.
  </Card>

  <Card title="Modern Red Team" icon="ghost" href="/en/modern-red-team">
    EDR landscape, AMSI/ETW evasion, C2 frameworks (Mythic,
    Sliver, Havoc), top LOLBAS and Sigma/MITRE defensive mapping.
  </Card>

  <Card title="Bug Bounty + CVE" icon="dollar-sign" href="/en/bug-bounty">
    12-month roadmap, top 10 paid vulns 2025, ProjectDiscovery
    recon, first CVE in open-source and report disqualifiers.
  </Card>
</CardGroup>

## What you **won't** find

* Flags or hashes. Period.
* Spoilers written by the hub team: we are an aggregator, not a blog.
* Active machines, labs or rooms that would breach a platform's TOS.
  If you search and don't find it, it's probably still scoring points
  or still behind a paywall.

## Frequently asked questions

**Which platforms does rootea.es index?**

Three: **HackTheBox** (retired machines), **PortSwigger Web Security
Academy** (public web exploitation labs) and **TryHackMe** (public
rooms). Each has its own catalog, filters and curated author set.

**What is a retired machine on HackTheBox?**

A HackTheBox machine is considered "retired" once it stops granting
ranking points. From that moment on, the terms of service allow
publishing writeups openly. This hub only indexes retired HackTheBox
machines; PortSwigger labs and TryHackMe public rooms can be indexed
without that restriction.

**Where does the catalog come from?**

HackTheBox is built from htbmachines.github.io (run by S4vitar's team),
a local seed of classic machines, and the official HTB API when a
token is provided. PortSwigger is synced with their official lab
listing. TryHackMe pulls from their public catalog of free rooms.

**Who maintains the linked writeups?**

The writeups are produced by their respective authors. For HackTheBox:
S4vitar, El Pingüino de Mario, 0xdf and IppSec. For PortSwigger:
the official documentation, Rana Khalil and z3nsh3ll. For TryHackMe:
the official documentation, JohnHammond and stuffy24. This hub only
indexes the links; it does not host or modify the original content.

**How is link validity verified?**

Every URL gets a `HEAD` request before being published. Links
returning 4xx or 5xx are silently discarded. Validation runs weekly
via a GitHub Action across all three platforms.

**Can I suggest a new author or resource?**

Yes. The skills glossary lives at `data/skills_glossary.json` and
the author whitelist at `scripts/config.py`. Open a Pull Request at
[github.com/FFuson/HTB\_Writeups](https://github.com/FFuson/HTB_Writeups).
