• Search for:

    Tag Archives: nxc

    1. Home  - 
    2. Posts tagged "nxc"
    11 Apr, 2026
    Hack The Box: Eighteen Machine Walkthrough – Easy Difficulity
    Easy Machine , , , , , , , , , , ,

    Just completed the Eighteen machine on Hack The Box — a great example of chaining multiple techniques from initial access to full domain compromise.

    Gained initial foothold by cracking WinRM credentials (adam.scott / iloveyou1) and accessing the system via Evil-WinRM. From there, escalated privileges by abusing Delegated Managed Service Accounts (DMSA) using BadSuccessor, allowing impersonation of the Administrator.

    Set up a Ligolo-ng tunnel to reach the domain controller, leveraged Kerberos ticket abuse with Impacket, and successfully dumped NTDS secrets. This led to extracting the Administrator NTLM hash and achieving full system compromise via Pass-the-Hash.

    A solid walkthrough covering credential abuse, AD misconfigurations, Kerberos attacks, and pivoting techniques.

    #HackTheBox #CyberSecurity #RedTeam #PenetrationTesting #ActiveDirectory #Kerberos #PrivilegeEscalation #EthicalHacking #Infosec #OffensiveSecurity …

    Learn MoreHack The Box: Eighteen Machine Walkthrough – Easy Difficulity

    22 Nov, 2025
    Hack The Box: Mirage Machine Walkthrough – Hard Difficulity
    Hard Machine , , , , , , , , , , , , , ,

    Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

    From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

    #CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation …

    Learn MoreHack The Box: Mirage Machine Walkthrough – Hard Difficulity

    8 Nov, 2025
    Hack The Box: RustyKey Machine Walkthrough – Hard Difficulity
    Hard Machine , , , , , , , , , , , , ,

    Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
    Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

    #CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD …

    Learn MoreHack The Box: RustyKey Machine Walkthrough – Hard Difficulity