HTB: Sauna

Sauna is an Easy Windows box from HackTheBox built around a classic Active Directory attack chain. From open-source name enumeration to ASREPRoasting, autologon credential exposure, and a DCSync to finish it off - this one hits all the fundamentals.

Machine Info
Name: Sauna
Platform: HackTheBox
OS: Windows
Difficulty: Easy
IP: 10.129.95.180

TL;DR
Scraped employee names off the bank’s “About” page, ran them through username-anarchy to generate AD-style usernames, and ASREPRoasted fsmith whose account had Kerberos pre-auth disabled. Cracked the hash with rockyou.txt and logged in via WinRM. Found autologon credentials for svc_loanmanager stored in plaintext in the registry. BloodHound showed that account has DCSync rights over the domain - used secretsdump to pull the Administrator hash and psexec to get SYSTEM. ...

June 3, 2026 · 4 min · João Vítor Bonin

HTB: Forest

Forest is one of those boxes that feels like a guided tour through Active Directory attack fundamentals. No CVEs, no fancy exploits - just proper AD enumeration, a misconfigured service account, and a BloodHound-mapped path straight to domain admin.

Machine Info
Name: Forest
Platform: HackTheBox
OS: Windows
Difficulty: Easy
IP: 10.129.5.64

TL;DR
SMB user enumeration reveals a service account with no Kerberos pre-auth required. AS-REP roasting gives us a crackable hash. Shell as svc-alfresco via WinRM. BloodHound maps a path through Exchange groups giving WriteDacl on the domain. We abuse that to grant DCSync, dump the Administrator hash, and psexec our way to SYSTEM. ...

May 31, 2026 · 4 min · João Vítor Bonin

HTB Write-up: Bounty

Windows file uploads always seem innocuous until they’re not. Bounty is an easy Windows box that teaches a classic IIS trick – the kind that shows up in real engagements more often than you’d think.

Machine Info
Name: Bounty
Platform: HackTheBox
OS: Windows
Difficulty: Easy
IP: 10.129.35.196

TL;DR
Port 80 exposes an IIS 7.5 server with a file upload endpoint. Standard extension filters block .aspx and .asp shells, but IIS processes web.config files as server-side code – uploading a malicious one gives RCE. From there, SeImpersonatePrivilege is enabled and the target is Windows Server 2008 R2, making Juicy Potato the natural escalation path to SYSTEM. ...

May 20, 2026 · 4 min · João Vítor Bonin

HTB: Access - OSCP Prep Write-up

Old school. Access is a machine that takes you through a chain of credential pivoting across legacy protocols and file formats you do not see every day - no exploits, no CVEs, just enumeration and following the breadcrumbs wherever they lead.

Machine info
Name: Access
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Anonymous FTP exposes backup.mdb (Microsoft Access database) and Access Control.zip (AES-encrypted)
- backup.mdb contains an auth_user table with credentials - including the password to decrypt the ZIP
- The ZIP holds a PST file; reading the extracted email reveals the security account password in plaintext
- Telnet login as security -> user shell
- cmdkey /list shows saved credentials for ACCESS\Administrator; runas /savecred gives Administrator access

Enumeration
Port 21 was open and I went straight for it - anonymous FTP is one of those findings you want to verify immediately. ...

May 19, 2026 · 4 min · João Vítor Bonin