https://joaobonin.com/tags/evil-winrm/ Recent content in Evil-Winrm on João Vítor Moutinho Bonin Hugo en Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-blackfield/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-blackfield/ Blackfield is a Hard Windows Active Directory box from HackTheBox. ASREPRoasting lands the support account, BloodHound reveals a ForceChangePassword path to audit2020, whose forensic SMB share contains an lsass dump. pypykatz extracts svc_backup's hash, and SeBackupPrivilege abuse via wbadmin extracts ntds.dit to dump the domain admin hash. https://joaobonin.com/posts/htb-sauna/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-sauna/ ASREPRoasting a bank employee, cracking their hash, then following a chain of autologon credentials and DCSync rights to own the domain. https://joaobonin.com/posts/htb-giddy/ Sun, 31 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-giddy/ Giddy is a Medium Windows box on HackTheBox. SQL injection in an ASP.NET app is abused to force NTLM authentication outbound, capturing and cracking a hash for a WinRM shell. Privilege escalation abuses CVE-2016-6914, a local privesc in Ubiquiti UniFi Video that hijacks taskkill.exe. https://joaobonin.com/posts/htb-escape/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-escape/ Escape is a Medium Windows Active Directory machine where a publicly readable SMB share leaks SQL Server credentials in a PDF. Those creds lead to MSSQL access, NTLM hash capture via xp_dirtree, and eventually an ESC1 ADCS attack to compromise the domain administrator. https://joaobonin.com/posts/htb-certified/ Thu, 21 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-certified/ Certified is a Medium Windows AD box where you chain WriteOwner and GenericWrite ACL abuses to reach a certificate authority operator, then exploit ESC9 to forge an admin certificate and own the domain.