https://joaobonin.com/tags/privesc/ Recent content in Privesc on João Vítor Moutinho Bonin Hugo en Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Monteverde is a Medium Windows Active Directory box from HackTheBox. We enumerate domain users via null session, discover a username-as-password credential for SABatchJobs, find an Azure AD Connect config file containing plaintext credentials in an SMB share, and escalate to Administrator by decrypting the Azure AD Sync service account password from the local MSSQL Express database. https://joaobonin.com/posts/htb-giddy/ Sun, 31 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-giddy/ Giddy is a Medium Windows box on HackTheBox. SQL injection in an ASP.NET app is abused to force NTLM authentication outbound, capturing and cracking a hash for a WinRM shell. Privilege escalation abuses CVE-2016-6914, a local privesc in Ubiquiti UniFi Video that hijacks taskkill.exe.