Valid User (No Password)
Valid User (No Password) techniques and commands for Active Directory security assessment.
Trusts
Trusts techniques and commands for Active Directory security assessment.
SCCM
SCCM techniques and commands for Active Directory security assessment.
Persistence
Persistence techniques and commands for Active Directory security assessment.
Enable AVX/AVX2 Support in Kali VM on VirtualBox
Conversor - HTB
Easy Linux box abusing XSLT injection to write a cron-executed script, then harvesting local SQLite creds and escalating via needrestart.
WingData - HTB
Easy Linux box exploiting Wing FTP Server RCE and a tarfile filter bypass (CVE-2025-4517) to write root SSH keys via a sudo restore script.
TheFrizz - HTB
TheFrizz is a medium-difficulty Windows machine featuring a web application showcasing Walkerville Elementary School and a Gibbon CMS instance. The Gibbon-LMS instance is susceptible to an unauthenticated arbitrary file write (CVE-2023-45878), which is used to write a PHP shell to the web application and gain access to the target. Once on the system, a database settings file containing credentials to access MySQL yields a hash and salt for the user f.frizzle that can be cracked. After cracking the password, we request a TGT and use it to authenticate to the target over SSH with GSSAPI/Kerberos. A deleted 7-Zip archive is discovered in the fiona user's Recycle Bin; extracting it reveals a WAPT setup that includes a configuration file with base64-encoded credentials used to authenticate as the M.Schoolbus user. M.Schoolbus is a member of the Group Policy Creator Owners group, which allows them to create GPOs within the domain; this is leveraged to escalate privileges to NT Authority\System.