Writeups

MACHINE Windows

HackTheBox: Administrator

A Windows DC compromised by chaining ACL misconfigurations: from Olivia, BloodHound maps GenericAll and ForceChangePassword edges to Michael and Benjamin, an FTP-hosted Password Safe backup cracks open, a password spray lands Emily over WinRM, then targeted Kerberoasting of Ethan and DCSync rights dump the Administrator hash.

MACHINE Windows

HackTheBox: Jeeves

A standalone Windows box: an open Jenkins instance on a high port runs a Groovy script for a shell as kohsuke, a cracked KeePass database yields an NTLM hash, Pass-the-Hash gives Administrator, and the root flag hides in an NTFS alternate data stream.

MACHINE Windows

HackTheBox: Redelegate

A Windows DC: anonymous FTP exposes a KeePass vault cracked to a season password, MSSQL RID brute-forcing enumerates users, a password spray lands Marie.Curie, ForceChangePassword reaches Helen.Frost, and SeEnableDelegationPrivilege plus GenericAll over FS01$ set up constrained delegation (S4U2Proxy) to impersonate the DC and DCSync the Administrator hash.

MACHINE Windows

HackTheBox: Voleur

An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.
