winrm

MACHINE Windows

HackTheBox: Fluffy

An assumed-breach Windows AD box: steal a second user's NTLM hash with CVE-2025-24071, map ACLs in BloodHound, abuse GenericAll/GenericWrite with bloodyAD + Certipy shadow credentials to reach winrm_svc, then exploit an ADCS ESC16 misconfiguration to impersonate the Administrator.

MACHINE Windows

HackTheBox: Support

An Easy Windows AD box, reverse-engineering a custom .NET binary to recover LDAP credentials, looting a plaintext password from an AD info attribute, then chaining GenericAll → RBCD to impersonate Administrator for SYSTEM.