Skip to content
Home » impacket

impacket

Hack The Box: Mirage Machine Walkthrough – Hard Difficulity

Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

#CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation

Hack The Box: RustyKey Machine Walkthrough – Hard Difficulity

Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

#CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD

Hack The Box: Voleur Machinen Walkthrough – Medium Difficulty

Cracked a password-protected Excel on an SMB share to recover service-account credentials, used Kerberos to access a user account and capture user.txt, then leveraged AD write permissions to restore a deleted admin, decrypt DPAPI artefacts for high‑priv creds, and access the DC to grab root.txt.

#HackTheBox #ADSecurity #Kerberos #DPAPI #RedTeam #CTF

Hack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

Finished the Insane-level DarkCorp box on Hack The Box. Initial foothold came from registering on a webmail portal and abusing a contact form to deliver a payload that resulted in a reverse shell. From there I enumerated the app and DB, identified SQL injection and extracted hashes (cracked one to thePlague61780), recovered DPAPI master key material and additional credentials (Pack_beneath_Solid9!), and used those artifacts to escalate to root and retrieve root.txt. Valuable practice in web vectors, SQLi exploitation, credential harvesting, DPAPI analysis, and Windows privilege escalation. Happy to share high-level notes or mitigations.

#HackTheBox #Infosec #RedTeam #Pentesting #WindowsSecurity #CredentialHunting #CTF

Hack The Box: Puppy Machine Walkthrough – Medium Difficulty

Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

#Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation

Hack The Box: TheFrizz Machine Walkthrough – Medium Difficulity

I successfully captured both user and root flags by exploiting a file upload vulnerability to gain a web shell, extracting database credentials from config.php, and cracking the user hash to reveal the password Jenni_Luvs_Magic23. Using these credentials, I accessed the web application, discovered an SSH migration hint, and leveraged a Kerberos ticket (f.frizzle.ccache) to gain SSH access and retrieve the user flag with type user.txt. For the root flag, I escalated privileges using M.SchoolBus and SharpGPOAbuse to manipulate SleepGPO, applied changes with gpupdate.exe /force, extracted credentials with secretdump, and used wmiexec to secure a root-level shell, ultimately reading the root flag with type root.txt.

#Cybersecurity #CTF #EthicalHacking #PenetrationTesting

Hack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF

Hack The Box: Vintage Machine Walkthrough – Hard Difficulty

Recently completed an Active Directory penetration test where I obtained both the user and root flags through a series of Kerberos and privilege escalation attacks. I first exploited a weak password on a legacy computer account (fs01$) to retrieve a Kerberos TGT and extract the gMSA password. After reactivating a disabled service account (svc_sql), making it ASREPRoastable, and cracking its hash, I gained credentials for another domain user and authenticated via Evil-WinRM to capture the user flag. For the root flag, I decrypted DPAPI-protected secrets to access a higher-privileged account (c.neri_adm), added a compromised service account to a privileged group, assigned an SPN, and performed a Kerberos delegation attack to impersonate a domain admin, ultimately achieving SYSTEM-level access and capturing the root flag. Great experience applying Kerberos exploitation techniques and privilege escalation strategies in a real-world scenario!

hashtag#ActiveDirectory hashtag#PenetrationTesting hashtag#Kerberos hashtag#OffensiveSecurity hashtag#RedTeam hashtag#CyberSecurity hashtag#ASREPRoasting hashtag#DPAPI hashtag#PrivilegeEscalation hashtag#HackTheBox hashtag#Infosec hashtag#HacktheBox