Valid User (No Password)
Valid User (No Password) techniques and commands for Active Directory security assessment.
Trusts
Trusts techniques and commands for Active Directory security assessment.
SCCM
SCCM techniques and commands for Active Directory security assessment.
Persistence
Persistence techniques and commands for Active Directory security assessment.
MonitorsFour - HTB
Easy Windows host running Cacti in Docker. Exploit Cacti auth RCE, then escape Docker Desktop via its exposed API to reach the host.
Certificate - HTB
Certificate is a hard Windows Active Directory machine that starts with an e-learning platform. The web application is vulnerable to null-byte injection in its file upload feature, allowing a PHP reverse shell to be executed for initial access as xamppuser. Database credentials are retrieved, enabling lateral movement to the Sara.B user. Further enumeration uncovers a network capture file that leaks Lion.SK’s credentials. Using these, Active Directory Certificate Services (ADCS) is enumerated, and a vulnerable template is exploited to request certificates on behalf of other users. A certificate for the Ryan.K user is then obtained, whose SeManageVolumePrivilege is leveraged to gain a shell as NT AUTHORITY\NETWORK SERVICE. Finally, SeImpersonatePrivilege is used to escalate to NT AUTHORITY\SYSTEM, dump ntds.dit and registry hives, and extract the Administrator’s NTLM hash, ultimately allowing access as the Administrator.
NanoCorp - HTB
Hard Windows AD chain starting with NTLM leakage via a ZIP upload, then AD privilege hops and a Checkmk Agent MSI repair LPE to SYSTEM.
ADCS
ADCS techniques and commands for Active Directory security assessment.