Pass-the-Hash on João Vítor Moutinho Bonin

Pass-the-Hash on João Vítor Moutinho Bonin https://joaobonin.com/tags/pass-the-hash/ Recent content in Pass-the-Hash on João Vítor Moutinho Bonin Hugo en Wed, 03 Jun 2026 00:00:00 +0000 HTB: Blackfield https://joaobonin.com/posts/htb-blackfield/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-blackfield/ Blackfield is a Hard Windows Active Directory box from HackTheBox. ASREPRoasting lands the support account, BloodHound reveals a ForceChangePassword path to audit2020, whose forensic SMB share contains an lsass dump. pypykatz extracts svc_backup's hash, and SeBackupPrivilege abuse via wbadmin extracts ntds.dit to dump the domain admin hash. HTB: Sauna https://joaobonin.com/posts/htb-sauna/ Wed, 03 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-sauna/ ASREPRoasting a bank employee, cracking their hash, then following a chain of autologon credentials and DCSync rights to own the domain. HTB: Escape https://joaobonin.com/posts/htb-escape/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-escape/ Escape is a Medium Windows Active Directory machine where a publicly readable SMB share leaks SQL Server credentials in a PDF. Those creds lead to MSSQL access, NTLM hash capture via xp_dirtree, and eventually an ESC1 ADCS attack to compromise the domain administrator. HTB Certified - Active Directory Certificate Services and ESC9 https://joaobonin.com/posts/htb-certified/ Thu, 21 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-certified/ Certified is a Medium Windows AD box where you chain WriteOwner and GenericWrite ACL abuses to reach a certificate authority operator, then exploit ESC9 to forge an admin certificate and own the domain. HTB: Cicada - OSCP Prep Write-up https://joaobonin.com/posts/htb-cicada/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-cicada/ Write-up for the HackTheBox machine Cicada - a Windows AD box built around SMB enumeration, password spraying, credential leakage, and SeBackupPrivilege abuse. HTB: Return - OSCP Prep Write-up https://joaobonin.com/posts/htb-return/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-return/ Write-up for the HackTheBox machine Return - capturing LDAP credentials via a printer settings page, then abusing Server Operators group membership to get SYSTEM.