Player2 HacktheBox Writeup

ID: d3dd58e1-ff5b-56b7-904f-005c151876fe

STIX ID: report--d3dd58e1-ff5b-56b7-904f-005c151876fe

Feed Name: Will's Root

Threat Score: 60/100

Date Published: 2020-06-27

Date Updated: 2026-04-19

Author: Unknown

This write-up documents a full technical walkthrough of compromising the Player2 HTB machine: enumerating services (Twirp RPC, web, MQTT), generating and using credentials via a Twirp GenCreds RPC, bypassing TOTP with backup codes and a type-juggling trick, extracting and patching a signed firmware ELF to execute a reverse shell, capturing an SSH private key leaked over MQTT to access a user account, and finally achieving root via a complex heap exploit (poison null byte, UAF and tcache poisoning) with included PoC exploit scripts.
