https://joaobonin.com/tags/active-directory/ Recent content in Active-Directory on João Vítor Moutinho Bonin Hugo en Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Flight is a Hard Windows Active Directory box from HackTheBox. An LFI on a PHP school subdomain escalates to NTLM hash capture via UNC path. Crack svc_apache's hash, password spray to S.Moon, use ntlm_theft via the Shared share to coerce C.Bum's hash, pivot through a PHP webshell to meterpreter, RunasCs to C.Bum, discover an internal IIS dev site, upload an ASPX webshell, and escalate to SYSTEM via SeImpersonatePrivilege and EfsPotato. https://joaobonin.com/posts/htb-blackfield/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-blackfield/ Blackfield is a Hard Windows Active Directory box from HackTheBox. ASREPRoasting lands the support account, BloodHound reveals a ForceChangePassword path to audit2020, whose forensic SMB share contains an lsass dump. pypykatz extracts svc_backup's hash, and SeBackupPrivilege abuse via wbadmin extracts ntds.dit to dump the domain admin hash. https://joaobonin.com/posts/htb-sauna/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-sauna/ ASREPRoasting a bank employee, cracking their hash, then following a chain of autologon credentials and DCSync rights to own the domain. https://joaobonin.com/posts/htb-monteverde/ Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Monteverde is a Medium Windows Active Directory box from HackTheBox. We enumerate domain users via null session, discover a username-as-password credential for SABatchJobs, find an Azure AD Connect config file containing plaintext credentials in an SMB share, and escalate to Administrator by decrypting the Azure AD Sync service account password from the local MSSQL Express database. https://joaobonin.com/posts/htb-forest/ Sun, 31 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-forest/ Forest is an Easy Windows Active Directory box on HackTheBox. The path goes through AS-REP roasting a service account, then using BloodHound to find a WriteDacl abuse chain through Exchange groups to grant DCSync and dump the domain. https://joaobonin.com/posts/htb-escape/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-escape/ Escape is a Medium Windows Active Directory machine where a publicly readable SMB share leaks SQL Server credentials in a PDF. Those creds lead to MSSQL access, NTLM hash capture via xp_dirtree, and eventually an ESC1 ADCS attack to compromise the domain administrator. https://joaobonin.com/posts/htb-certified/ Thu, 21 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-certified/ Certified is a Medium Windows AD box where you chain WriteOwner and GenericWrite ACL abuses to reach a certificate authority operator, then exploit ESC9 to forge an admin certificate and own the domain. https://joaobonin.com/posts/htb-active/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-active/ Write-up for the HackTheBox machine Active - GPP credentials buried in the Replication share expose SVC_TGS, and Kerberoasting that account cracks the Administrator password. https://joaobonin.com/posts/htb-administrator/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-administrator/ Write-up for the HackTheBox machine Administrator - a pure AD privilege escalation chain driven by BloodHound ACL abuse, a Password Safe cracking detour, targeted Kerberoasting, and a DCSync to finish the job. https://joaobonin.com/posts/htb-cicada/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-cicada/ Write-up for the HackTheBox machine Cicada - a Windows AD box built around SMB enumeration, password spraying, credential leakage, and SeBackupPrivilege abuse. https://joaobonin.com/posts/htb-return/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-return/ Write-up for the HackTheBox machine Return - capturing LDAP credentials via a printer settings page, then abusing Server Operators group membership to get SYSTEM.