Windows Archives - Threatninja.net

11 Apr, 2026

Hack The Box: Eighteen Machine Walkthrough – Easy Difficulity

Easy Machine BadSuccessor.ps1, Challenges, DMSA, evil-winrm, HackTheBox, impacket-getST, Ligolo-ng, mssqlclient, nxc, Penetration Testing, secretdump, Windows

Just completed the Eighteen machine on Hack The Box — a great example of chaining multiple techniques from initial access to full domain compromise.

Gained initial foothold by cracking WinRM credentials (adam.scott / iloveyou1) and accessing the system via Evil-WinRM. From there, escalated privileges by abusing Delegated Managed Service Accounts (DMSA) using BadSuccessor, allowing impersonation of the Administrator.

Set up a Ligolo-ng tunnel to reach the domain controller, leveraged Kerberos ticket abuse with Impacket, and successfully dumped NTDS secrets. This led to extracting the Administrator NTLM hash and achieving full system compromise via Pass-the-Hash.

A solid walkthrough covering credential abuse, AD misconfigurations, Kerberos attacks, and pivoting techniques.

#HackTheBox #CyberSecurity #RedTeam #PenetrationTesting #ActiveDirectory #Kerberos #PrivilegeEscalation #EthicalHacking #Infosec #OffensiveSecurity …

Learn MoreHack The Box: Eighteen Machine Walkthrough – Easy Difficulity

4 Apr, 2026

Hack The Box: Darkzero Machine – Hard Difficulity

Hard Machine Bloodhound, certif, Certify, Challenges, chisel, evil-winrm, HackTheBox, ligolo, mssqlclient, openssl, Penetration Testing, proxychains, python3, rubeus.exe, secretdump, ticketconverter, Windows

Just completed the DarkZero machine from HackTheBox (Hard difficulty)!

After gaining a foothold on DC02 via a misconfigured MSSQL linked server and escalating to local Administrator using SigmaPotato token impersonation + RunasCs, we successfully captured the user flag from the Administrator’s desktop.

Dumped the domain Administrator NT hash with secretsdump, then used Evil-WinRM to get a full shell as Administrator on DC02 and retrieved the root flag.

#HackTheBox #HTB #Pentesting #ActiveDirectory #RedTeam #CyberSecurity #PrivilegeEscalation …

Learn MoreHack The Box: Darkzero Machine – Hard Difficulity

7 Feb, 2026

Hack The Box: Signed Machine Walkthrough – Medium Difficulity

Medium Machine Challenges, HackTheBox, hashcat, kerberos, Penetration Testing, responder, SQL, Windows

After escalating to a SYSTEM-level PowerShell reverse shell using xp_cmdshell and a base64-encoded payload that called back to my netcat listener on port 9007, I navigated to the user profile and read the user flag directly with type user.txt.

With full sysadmin rights on the SQL instance as SIGNED\Administrator (thanks to a forged silver ticket with Domain Admins membership), I enabled xp_cmdshell, launched a reverse shell to land SYSTEM access, then grabbed the root flag from

Box fully pwned — domain admin and SYSTEM in the bag!

#HackTheBox #HTBSigned #PenetrationTesting #CyberSecurity #PrivilegeEscalation #ActiveDirectory #RedTeam #CTF #EthicalHacking #OffensiveSecurity …

Learn MoreHack The Box: Signed Machine Walkthrough – Medium Difficulity

22 Nov, 2025

Hack The Box: Mirage Machine Walkthrough – Hard Difficulity

Hard Machine autologon, BloodHoundCE, bloodyAD, Certipy, Challenges, HackTheBox, hashcat, impacket, john the ripper, nats, nfs, nxc, Penetration Testing, Windows, winpeas

Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

#CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation …

Learn MoreHack The Box: Mirage Machine Walkthrough – Hard Difficulity

1 Nov, 2025

Hack The Box: Voleur Machinen Walkthrough – Medium Difficulty

Medium Machine Active Directory, BloodHoundCE, bloodyAD, Challenges, DPAPI, HackTheBox, hashcat, impacket, john the ripper, office2john, Penetration Testing, smbclient, Windows

18 Oct, 2025

Hack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

Insane Machine BloodHoundCE, bloodyAD, BurpSuite, Challenges, evil-winrm, HackTheBox, hashcat, impacket, NetExec, Penetration Testing, sharpdpapi, ssh, Windows

Finished the Insane-level DarkCorp box on Hack The Box. Initial foothold came from registering on a webmail portal and abusing a contact form to deliver a payload that resulted in a reverse shell. From there I enumerated the app and DB, identified SQL injection and extracted hashes (cracked one to thePlague61780), recovered DPAPI master key material and additional credentials (Pack_beneath_Solid9!), and used those artifacts to escalate to root and retrieve root.txt. Valuable practice in web vectors, SQLi exploitation, credential harvesting, DPAPI analysis, and Windows privilege escalation. Happy to share high-level notes or mitigations.

#HackTheBox #Infosec #RedTeam #Pentesting #WindowsSecurity #CredentialHunting #CTF …

Learn MoreHack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

11 Oct, 2025

Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

Medium Machine BloodHoundCE, bloodyAD, Certipy, Challenges, ESC15, HackTheBox, hashcat, Penetration Testing, TargetKerboasting, Windows

I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

#HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation …

Learn MoreHack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

4 Oct, 2025

Hack The Box: Certificate Machine Walkthrough – Hard Difficulty

Hard Machine BloodHoundCE, Certipy, certutil, Challenges, ESC3, evil-winrm, HackTheBox, hashcat, kerberos, MySQL, Penetration Testing, python3, SeManageVolumePrivilege, Windows, Wireshark, zip slip

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

27 Sep, 2025

Hack The Box: Puppy Machine Walkthrough – Medium Difficulty

Medium Machine BloodHoundCE, bloodyAD, Challenges, evil-winrm, HackTheBox, impacket, KDBX, ldapmodify, ldapsearch, Penetration Testing, rpcclient, smbclient, Windows

Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

#Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation …

Learn MoreHack The Box: Puppy Machine Walkthrough – Medium Difficulty

20 Sep, 2025

Hack The Box: Fluffy Machine Walkthrough – Easy Difficulity

Easy Machine BloodHoundCE, bloodyAD, Certify, Challenges, CVE-2025-24071, ESC16, HackTheBox, hashcat, NetExec, Penetration Testing, python3, smbclient, Windows

Threatninja.net

Threatninja.net

Tag Archives: Windows