KagisoSec_
All writeups
HackTheBox: Checkpoint avatar
MACHINE Windows 3/5 Locked

HackTheBox: Checkpoint

2026-06-14 18 min read
windows active-directory badsuccessor dmsa bloodyad ad-recycle-bin vsix supply-chain-attack genericwrite s4u2self kerberos volatility memory-forensics pass-the-hash smb winrm privilege-escalation
Services active-directorysmbwinrmkerberos
Locked

This writeup is locked

It stays hidden until the box retires. Enter the password to read it.

Related writeups

MACHINE Windows

HackTheBox: Support

An Easy Windows AD box, reverse-engineering a custom .NET binary to recover LDAP credentials, looting a plaintext password from an AD info attribute, then chaining GenericAll → RBCD to impersonate Administrator for SYSTEM.

#active-directory#windows#smb
Read
MACHINE Windows

HackTheBox: Administrator

A Windows DC compromised by chaining ACL misconfigurations: from Olivia, BloodHound maps GenericAll and ForceChangePassword edges to Michael and Benjamin, an FTP-hosted Password Safe backup cracks open, a password spray lands Emily over WinRM, then targeted Kerberoasting of Ethan and DCSync rights dump the Administrator hash.

#windows#active-directory#bloodhound
Read
MACHINE Windows

HackTheBox: Voleur

An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.

#windows#active-directory#kerberos
Read