https://joaobonin.com/tags/password-spray/ Recent content in Password-Spray on João Vítor Moutinho Bonin Hugo en Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Flight is a Hard Windows Active Directory box from HackTheBox. An LFI on a PHP school subdomain escalates to NTLM hash capture via UNC path. Crack svc_apache's hash, password spray to S.Moon, use ntlm_theft via the Shared share to coerce C.Bum's hash, pivot through a PHP webshell to meterpreter, RunasCs to C.Bum, discover an internal IIS dev site, upload an ASPX webshell, and escalate to SYSTEM via SeImpersonatePrivilege and EfsPotato. https://joaobonin.com/posts/htb-monteverde/ Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Monteverde is a Medium Windows Active Directory box from HackTheBox. We enumerate domain users via null session, discover a username-as-password credential for SABatchJobs, find an Azure AD Connect config file containing plaintext credentials in an SMB share, and escalate to Administrator by decrypting the Azure AD Sync service account password from the local MSSQL Express database. https://joaobonin.com/posts/htb-cicada/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-cicada/ Write-up for the HackTheBox machine Cicada - a Windows AD box built around SMB enumeration, password spraying, credential leakage, and SeBackupPrivilege abuse.