evil-winrm Archives - Threatninja.net

11 Apr, 2026

Hack The Box: Eighteen Machine Walkthrough – Easy Difficulity

Easy Machine BadSuccessor.ps1, Challenges, DMSA, evil-winrm, HackTheBox, impacket-getST, Ligolo-ng, mssqlclient, nxc, Penetration Testing, secretdump, Windows

Just completed the Eighteen machine on Hack The Box — a great example of chaining multiple techniques from initial access to full domain compromise.

Gained initial foothold by cracking WinRM credentials (adam.scott / iloveyou1) and accessing the system via Evil-WinRM. From there, escalated privileges by abusing Delegated Managed Service Accounts (DMSA) using BadSuccessor, allowing impersonation of the Administrator.

Set up a Ligolo-ng tunnel to reach the domain controller, leveraged Kerberos ticket abuse with Impacket, and successfully dumped NTDS secrets. This led to extracting the Administrator NTLM hash and achieving full system compromise via Pass-the-Hash.

A solid walkthrough covering credential abuse, AD misconfigurations, Kerberos attacks, and pivoting techniques.

#HackTheBox #CyberSecurity #RedTeam #PenetrationTesting #ActiveDirectory #Kerberos #PrivilegeEscalation #EthicalHacking #Infosec #OffensiveSecurity …

Learn MoreHack The Box: Eighteen Machine Walkthrough – Easy Difficulity

4 Apr, 2026

Hack The Box: Darkzero Machine – Hard Difficulity

Hard Machine Bloodhound, certif, Certify, Challenges, chisel, evil-winrm, HackTheBox, ligolo, mssqlclient, openssl, Penetration Testing, proxychains, python3, rubeus.exe, secretdump, ticketconverter, Windows

Just completed the DarkZero machine from HackTheBox (Hard difficulty)!

After gaining a foothold on DC02 via a misconfigured MSSQL linked server and escalating to local Administrator using SigmaPotato token impersonation + RunasCs, we successfully captured the user flag from the Administrator’s desktop.

Dumped the domain Administrator NT hash with secretsdump, then used Evil-WinRM to get a full shell as Administrator on DC02 and retrieved the root flag.

#HackTheBox #HTB #Pentesting #ActiveDirectory #RedTeam #CyberSecurity #PrivilegeEscalation …

Learn MoreHack The Box: Darkzero Machine – Hard Difficulity

8 Nov, 2025

Hack The Box: RustyKey Machine Walkthrough – Hard Difficulity

Hard Machine BloodHoundCE, bloodyAD, Challenges, evil-winrm, HackTheBox, hashcat, impacket, kerberos, LDAP, nxc, Penetration Testing, python3, RunasCs, timeroast

Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

#CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD …

Learn MoreHack The Box: RustyKey Machine Walkthrough – Hard Difficulity

18 Oct, 2025

Hack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

Insane Machine BloodHoundCE, bloodyAD, BurpSuite, Challenges, evil-winrm, HackTheBox, hashcat, impacket, NetExec, Penetration Testing, sharpdpapi, ssh, Windows

Finished the Insane-level DarkCorp box on Hack The Box. Initial foothold came from registering on a webmail portal and abusing a contact form to deliver a payload that resulted in a reverse shell. From there I enumerated the app and DB, identified SQL injection and extracted hashes (cracked one to thePlague61780), recovered DPAPI master key material and additional credentials (Pack_beneath_Solid9!), and used those artifacts to escalate to root and retrieve root.txt. Valuable practice in web vectors, SQLi exploitation, credential harvesting, DPAPI analysis, and Windows privilege escalation. Happy to share high-level notes or mitigations.

#HackTheBox #Infosec #RedTeam #Pentesting #WindowsSecurity #CredentialHunting #CTF …

Learn MoreHack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

4 Oct, 2025

Hack The Box: Certificate Machine Walkthrough – Hard Difficulty

Hard Machine BloodHoundCE, Certipy, certutil, Challenges, ESC3, evil-winrm, HackTheBox, hashcat, kerberos, MySQL, Penetration Testing, python3, SeManageVolumePrivilege, Windows, Wireshark, zip slip

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

27 Sep, 2025

Hack The Box: Puppy Machine Walkthrough – Medium Difficulty

Medium Machine BloodHoundCE, bloodyAD, Challenges, evil-winrm, HackTheBox, impacket, KDBX, ldapmodify, ldapsearch, Penetration Testing, rpcclient, smbclient, Windows

Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

#Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation …

Learn MoreHack The Box: Puppy Machine Walkthrough – Medium Difficulty

9 Aug, 2025

Hack The Box: University Machine Walkthrough – Insane Walkthrough

Insane Machine Bloodhound, BurpSuite, Challenges, CVE-2023-33733, evil-winrm, HackTheBox, LocalPotato, Penetration Testing, python3, ssh, SSH key, Windows

Compromised university.htb by exploiting ReportLab RCE (CVE-2023-33733) to gain initial access as wao. Forged a professor certificate to impersonate george, then uploaded a malicious lecture to compromise Martin.T.

Escalated privileges by exploiting a scheduled task with a malicious .url file, used LocalPotato (CVE-2023-21746) for elevation on WS-3, and abused SeBackupPrivilege to extract NTDS.dit, ultimately retrieving Domain Admin credentials.

🔍 A great hands-on challenge combining web exploitation, privilege escalation, and Active Directory abuse.

#CyberSecurity #RedTeam #CTF #PrivilegeEscalation #HTB #InfoSec #WindowsExploitation #PenetrationTesting #EthicalHacking #HackTheBox …

Learn MoreHack The Box: University Machine Walkthrough – Insane Walkthrough

19 Jul, 2025

Hack The Box: Scepter Machine Walkthrough – Hard Difficulty

Hard Machine ADCS, Bloodhound, bloodyAD, Certipy, Challenges, ESC14, ESC9, evil-winrm, HackTheBox, hashcat, ldapsearch, nfs, openssl, Penetration Testing, showmount, Windows

I conquered the “Scepter” machine on Hack The Box, a challenging Active Directory exploit! Initially, I cracked weak .pfx certificate passwords using pfx2john and rockyou.txt. After syncing time, I extracted D.BAKER’s NTLM hash via Certipy and used BloodHound to reveal A.CARTER’s password reset privileges, exploiting ESC9 to capture the user flag. Subsequently, H.BROWN’s access to P.ADAMS’s altSecurityIdentities enabled an ESC14 attack, forging a certificate for passwordless authentication. Consequently, P.ADAMS’s DCSync rights allowed domain hash extraction, securing the root flag via Evil-WinRM.

#Cybersecurity #HackTheBox #ActiveDirectory #PrivilegeEscalation #CTF #EthicalHacking …

Learn MoreHack The Box: Scepter Machine Walkthrough – Hard Difficulty

28 Jun, 2025

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

Hard Machine Active Directory, Bloodhound, bloodyAD, Certipy, Challenges, CVE-2024-36991, evil-winrm, HackTheBox, Linux, Local File Inclusion (LFI), NetExec, Penetration Testing, pywhisker, Splunk, splunksecrets, SweetPotato

New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

#HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

14 Jun, 2025

Hack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

Insane Machine bitlocker, Bloodhound, BloodHoundCE, bloodyAD, BurpSuite, Certipy, Challenges, evil-winrm, HackTheBox, hashcat, impacket, john the ripper, kerbrute, Output Messenger, Penetration Testing, RDP, sqlite3, Windows, Wireshark

Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
…

Learn MoreHack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

Threatninja.net

Threatninja.net

Tag Archives: evil-winrm