https://joaobonin.com/tags/medium/ Recent content in Medium on João Vítor Moutinho Bonin Hugo en Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Monteverde is a Medium Windows Active Directory box from HackTheBox. We enumerate domain users via null session, discover a username-as-password credential for SABatchJobs, find an Azure AD Connect config file containing plaintext credentials in an SMB share, and escalate to Administrator by decrypting the Azure AD Sync service account password from the local MSSQL Express database. https://joaobonin.com/posts/htb-giddy/ Sun, 31 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-giddy/ Giddy is a Medium Windows box on HackTheBox. SQL injection in an ASP.NET app is abused to force NTLM authentication outbound, capturing and cracking a hash for a WinRM shell. Privilege escalation abuses CVE-2016-6914, a local privesc in Ubiquiti UniFi Video that hijacks taskkill.exe. https://joaobonin.com/posts/htb-editorial/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-editorial/ SSRF on a book publishing platform leaks an internal API running on port 5000. The API exposes hardcoded dev credentials, landing us a shell. From there, git history reveals prod credentials, and a sudo-allowed GitPython script is vulnerable to ext:: protocol injection — setting SUID on bash and giving us root. https://joaobonin.com/posts/htb-escape/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-escape/ Escape is a Medium Windows Active Directory machine where a publicly readable SMB share leaks SQL Server credentials in a PDF. Those creds lead to MSSQL access, NTLM hash capture via xp_dirtree, and eventually an ESC1 ADCS attack to compromise the domain administrator. https://joaobonin.com/posts/htb-certified/ Thu, 21 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-certified/ Certified is a Medium Windows AD box where you chain WriteOwner and GenericWrite ACL abuses to reach a certificate authority operator, then exploit ESC9 to forge an admin certificate and own the domain. https://joaobonin.com/posts/htb-chatterbox/ Thu, 21 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-chatterbox/ Chatterbox is a Medium Windows box running the AChat chat server, vulnerable to a classic stack buffer overflow. Foothold comes from a custom Python exploit with a unicode-encoded payload, and privesc is a gift left in the registry - autologon credentials that also work for Administrator. https://joaobonin.com/posts/htb-builder/ Wed, 20 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-builder/ Jenkins 2.441 LFI to credential theft, Groovy shell for foothold, then decrypting an encrypted SSH key stored in Jenkins to reach root.