Medium Machine

Hack The Box: Administrator Walkthrough Medium Difficulty

by darknite
2025-04-19

Chained privilege escalation on an AD environment via misconfigured permissions — no CVEs, just clever abuse of default rights. From Olivia to Emily to Ethan, we pivoted through user relationships using BloodHound, CrackMapExec, Kerberoasting, and WinRM access. Highlighting how overlooked configurations can lead to full domain compromise.

#ActiveDirectory #PrivilegeEscalation #BloodHound #Kerberoasting #HackTheBox #RedTeam #CyberSecurity #WindowsPentest

Hack The Box: Certified Machine Walkthrough – Medium Difficulty

by darknite
2025-03-15

Access is gained using Judith Mader’s credentials, allowing enumeration of network resources. CrackMapExec identifies key accounts like management_svc and ca_operator. Privilege escalation is performed using a Shadow Credentials attack with Certipy, taking control of management_svc. With valid credentials, Evil-WinRM establishes a remote session, leading to the user flag.

For root access, the attack exploits Active Directory Certificate Services by modifying ca_operator’s User Principal Name (UPN) to Administrator, enabling a privileged certificate request. A vulnerable ESC9 certificate is issued without linking back to ca_operator, effectively granting Administrator access. The UPN is restored to avoid detection, and authentication via Kerberos retrieves the NT hash of the Administrator account. Full system control is confirmed by obtaining the root flag.

#HackTheBox #Pentesting #ActiveDirectory #PrivilegeEscalation #CyberSecurity #EthicalHacking