https://joaobonin.com/tags/smb/ Recent content in Smb on João Vítor Moutinho Bonin Hugo en Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Thu, 04 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-flight/ Flight is a Hard Windows Active Directory box from HackTheBox. An LFI on a PHP school subdomain escalates to NTLM hash capture via UNC path. Crack svc_apache's hash, password spray to S.Moon, use ntlm_theft via the Shared share to coerce C.Bum's hash, pivot through a PHP webshell to meterpreter, RunasCs to C.Bum, discover an internal IIS dev site, upload an ASPX webshell, and escalate to SYSTEM via SeImpersonatePrivilege and EfsPotato. https://joaobonin.com/posts/htb-monteverde/ Mon, 01 Jun 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-monteverde/ Monteverde is a Medium Windows Active Directory box from HackTheBox. We enumerate domain users via null session, discover a username-as-password credential for SABatchJobs, find an Azure AD Connect config file containing plaintext credentials in an SMB share, and escalate to Administrator by decrypting the Azure AD Sync service account password from the local MSSQL Express database. https://joaobonin.com/posts/htb-forest/ Sun, 31 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-forest/ Forest is an Easy Windows Active Directory box on HackTheBox. The path goes through AS-REP roasting a service account, then using BloodHound to find a WriteDacl abuse chain through Exchange groups to grant DCSync and dump the domain. https://joaobonin.com/posts/htb-escape/ Fri, 22 May 2026 00:00:00 +0000 https://joaobonin.com/posts/htb-escape/ Escape is a Medium Windows Active Directory machine where a publicly readable SMB share leaks SQL Server credentials in a PDF. Those creds lead to MSSQL access, NTLM hash capture via xp_dirtree, and eventually an ESC1 ADCS attack to compromise the domain administrator. https://joaobonin.com/posts/htb-active/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-active/ Write-up for the HackTheBox machine Active - GPP credentials buried in the Replication share expose SVC_TGS, and Kerberoasting that account cracks the Administrator password. https://joaobonin.com/posts/htb-cicada/ Tue, 19 May 2026 00:00:00 -0300 https://joaobonin.com/posts/htb-cicada/ Write-up for the HackTheBox machine Cicada - a Windows AD box built around SMB enumeration, password spraying, credential leakage, and SeBackupPrivilege abuse.