gmsa

MACHINE Windows

HackTheBox: Ghost

An Insane Windows AD box: LDAP injection leaks a Gitea token, source review yields path-traversal and command-injection bugs for a Docker root shell, then Kerberos ticket theft, a fake DNS record for NTLMv2 capture, a gMSA password read, a Golden SAML forge against ADFS, a linked-MSSQL pivot and a cross-domain Golden Ticket with Extra SIDs fully compromise both domains.

MACHINE Windows

HackTheBox: TombWatcher

A Windows DC of pure AD permission abuse: from henry, WriteSPN targets alfred for Kerberoasting, INFRASTRUCTURE membership reads a gMSA password, a ForceChangePassword/WriteOwner/GenericAll chain reaches john over WinRM, then restoring a deleted cert_admin from the AD Recycle Bin and an ESC15 certificate template give Administrator.