writespn

MACHINE Windows

HackTheBox: TombWatcher

A Windows DC of pure AD permission abuse: from henry, WriteSPN targets alfred for Kerberoasting, INFRASTRUCTURE membership reads a gMSA password, a ForceChangePassword/WriteOwner/GenericAll chain reaches john over WinRM, then restoring a deleted cert_admin from the AD Recycle Bin and an ESC15 certificate template give Administrator.

MACHINE Windows

HackTheBox: Voleur

An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.