mssql

MACHINE Windows

HackTheBox: Redelegate

A Windows DC: anonymous FTP exposes a KeePass vault cracked to a season password, MSSQL RID brute-forcing enumerates users, a password spray lands Marie.Curie, ForceChangePassword reaches Helen.Frost, and SeEnableDelegationPrivilege plus GenericAll over FS01$ set up constrained delegation (S4U2Proxy) to impersonate the DC and DCSync the Administrator hash.

MACHINE Windows

HackTheBox: StreamIO

A Windows box mixing web and AD: a SQL injection on search.php dumps and cracks user hashes, an LFI/RFI chain gives an IIS shell, a backup database cracks nikk37 for WinRM, decrypted Firefox passwords yield JDgodd, and WriteOwner over CORE STAFF reads a LAPS password for Administrator.