• Search for:

    Tag Archives: Bloodhound

    1. Home  - 
    2. Posts tagged "Bloodhound"
    4 Apr, 2026
    Hack The Box: Darkzero Machine – Hard Difficulity
    Hard Machine , , , , , , , , , , , , , , , ,

    Just completed the DarkZero machine from HackTheBox (Hard difficulty)!

    After gaining a foothold on DC02 via a misconfigured MSSQL linked server and escalating to local Administrator using SigmaPotato token impersonation + RunasCs, we successfully captured the user flag from the Administrator’s desktop.

    Dumped the domain Administrator NT hash with secretsdump, then used Evil-WinRM to get a full shell as Administrator on DC02 and retrieved the root flag.

    #HackTheBox #HTB #Pentesting #ActiveDirectory #RedTeam #CyberSecurity #PrivilegeEscalation …

    Learn MoreHack The Box: Darkzero Machine – Hard Difficulity

    9 Aug, 2025
    Hack The Box: University Machine Walkthrough – Insane Walkthrough
    Insane Machine , , , , , , , , , , ,

    Compromised university.htb by exploiting ReportLab RCE (CVE-2023-33733) to gain initial access as wao. Forged a professor certificate to impersonate george, then uploaded a malicious lecture to compromise Martin.T.

    Escalated privileges by exploiting a scheduled task with a malicious .url file, used LocalPotato (CVE-2023-21746) for elevation on WS-3, and abused SeBackupPrivilege to extract NTDS.dit, ultimately retrieving Domain Admin credentials.

    🔍 A great hands-on challenge combining web exploitation, privilege escalation, and Active Directory abuse.

    #CyberSecurity #RedTeam #CTF #PrivilegeEscalation #HTB #InfoSec #WindowsExploitation #PenetrationTesting #EthicalHacking #HackTheBox …

    Learn MoreHack The Box: University Machine Walkthrough – Insane Walkthrough

    19 Jul, 2025
    Hack The Box: Scepter Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , , , , ,

    I conquered the “Scepter” machine on Hack The Box, a challenging Active Directory exploit! Initially, I cracked weak .pfx certificate passwords using pfx2john and rockyou.txt. After syncing time, I extracted D.BAKER’s NTLM hash via Certipy and used BloodHound to reveal A.CARTER’s password reset privileges, exploiting ESC9 to capture the user flag. Subsequently, H.BROWN’s access to P.ADAMS’s altSecurityIdentities enabled an ESC14 attack, forging a certificate for passwordless authentication. Consequently, P.ADAMS’s DCSync rights allowed domain hash extraction, securing the root flag via Evil-WinRM.

    #Cybersecurity #HackTheBox #ActiveDirectory #PrivilegeEscalation #CTF #EthicalHacking …

    Learn MoreHack The Box: Scepter Machine Walkthrough – Hard Difficulty

    28 Jun, 2025
    Hack The Box: Haze Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , , , , ,

    New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

    Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

    #HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

    Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

    14 Jun, 2025
    Hack The Box: Inflitrator Machine Walkthrough – Insane Difficulity
    Insane Machine , , , , , , , , , , , , , , , , , ,

    Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

    #CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
    Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

    #CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF

    Learn MoreHack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

    24 May, 2025
    Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty
    Easy Machine , , , , , , , , , , , , ,

    🔒 My Write-Up for the EscapeTwo Machine on Hack The Box 🔍

    I’m excited to share my detailed write-up for solving the beginner-friendly “EscapeTwo” machine on Hack The Box, showcasing skills in network enumeration and privilege escalation. First, to capture the user flag, I scanned for open ports, accessed SMB shares, uncovered a password, and leveraged the Ryan account’s elevated permissions to retrieve the flag remotely. Next, for the root flag, I escalated privileges by exploiting an Active Directory misconfiguration. Then, using the Ryan account, I employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control, I acquired a certificate, subsequently authenticated as an administrator, and finally captured the root flag. This challenge strengthened my expertise in Active Directory security and penetration testing. Check out the full write-up for a deep dive!

    #Cybersecurity #HackTheBox #EthicalHacking #PenetrationTesting #ActiveDirectory …

    Learn MoreHack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty

    5 Apr, 2025
    Hack The Box: Ghost Machine Walkthrough – Insane Difficulty
    Insane Machine , , , , , , , , , , , , , , , , , , , , , , ,

    The initial foothold was gained by exploiting command injection on intranet.ghost.htb:8008/api-dev/scan/, which provided a reverse shell inside a Docker container. From there, I enumerated the environment and discovered credentials that allowed SSH access as Florence Ramirez. By extracting and converting a Kerberos ticket, I authenticated as a legitimate user, escalating access within the system. With access to the Windows environment, I retrieved NTLM hashes for the adfs_gmsa account and leveraged evil-winrm for lateral movement. A reverse shell was established using JokerShell, and privileges were escalated by enabling xp_cmdshell through a debug interface. After uploading EfsPotato.cs and disabling antivirus, I used Mimikatz and Rubeus.exe to dump credentials, ultimately achieving SYSTEM access. This led to the extraction of domain admin credentials and the retrieval of the root flag. Another Insane box down! 💀💻

    #HackTheBox #RedTeam #CyberSecurity #PenTesting #PrivilegeEscalation #EthicalHacking …

    Learn MoreHack The Box: Ghost Machine Walkthrough – Insane Difficulty

    15 Mar, 2025
    Hack The Box: Certified Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Access is gained using Judith Mader’s credentials, allowing enumeration of network resources. CrackMapExec identifies key accounts like management_svc and ca_operator. Privilege escalation is performed using a Shadow Credentials attack with Certipy, taking control of management_svc. With valid credentials, Evil-WinRM establishes a remote session, leading to the user flag.

    For root access, the attack exploits Active Directory Certificate Services by modifying ca_operator’s User Principal Name (UPN) to Administrator, enabling a privileged certificate request. A vulnerable ESC9 certificate is issued without linking back to ca_operator, effectively granting Administrator access. The UPN is restored to avoid detection, and authentication via Kerberos retrieves the NT hash of the Administrator account. Full system control is confirmed by obtaining the root flag.

    #HackTheBox #Pentesting #ActiveDirectory #PrivilegeEscalation #CyberSecurity #EthicalHacking …

    Learn MoreHack The Box: Certified Machine Walkthrough – Medium Difficulty

    16 Nov, 2024
    Hack The Box: Axlle Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , ,

    Introduction to Axlle: In this write-up, we will explore the “Axlle” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag. Objective: The

    Continue ReadingHack The Box: Axlle Machine Walkthrough – Hard Difficulty

    9 Nov, 2024
    Hack The Box: Blazorized Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , ,

    Introduction to Blazorized: This write-up will explore the “Blazorized” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag. Objective on Blazorized machine:

    Continue ReadingHack The Box: Blazorized Machine Walkthrough – Hard Difficulty