xjr's blog

Overview BuildingMagic is an Easy machine from HackSmarter that starts off with cracking hashes from a leaked database file, then using the newfound credentials to abuse misconfigurations in ActiveDirectory. After some Kerberoasting, a ForceChangePassword, and using the ntlm_theft tool, you’ll end up abusing SeBackupPrivilege for root. Objective & ScopeObjective: As a penetration tester on the Hack Smarter Red Team, your objective is to achieve a full compromise of the Active Directory environment. Initial Access: A prior enumeration phase has yielded a leaked database containing user credentials (usernames and hashed passwords). This information will serve as your starting point for gaining initial access to the network. Execution: Your task is to leverage the compromised credentials to escalate privileges, move laterally through the Active Directory, and ultimately achieve a complete compromise of the domain. Needed /etc/hosts entries: 1ip dc01.buildingmagic.local...

Overview Absolute is an Insane Windows machine from HackTheBox created by Geiseric. This machine starts off with discovering usernames in the Author field of metadata from images on the website. Making a wordlist out of these and using kerbrute reveals valid usernames. I’ll AS-REP roast these users to get one hit, and the hash from the AS-REP Roast cracks. Every user is in the Protected Users group so we have to get a TGT for all users and go through kerberos with every tool. After some LDAP enumeration I find another users password set in their description. Using that user I can grab an exe file which attempts to authenticate to LDAP at dc.absolute.htb, so I point that FQDN to my attacker machine and I capture the creds via Responder. This user has permissions to grant himself GenericAll to a group that has GenericWrite to a user that can WinRM, so I abuse this via bloodyAD and certipy-ad to get the NT hash of winrm_user, then I WinRM to obtain the user flag. For root some basic...

Overview Support is an easy HTB machine created by 0xdf which starts with Reverse Engineering a PE file found in an SMB share to recover encrypted credentials. Then some LDAP enumeration to find a users password in a custom LDAP attribute. For root you exploit RBCD to the DC to impersonate Administrator, then you can dump all of the NT hashes to WinRM for the root flag. Nmap ScanI’ll run nmap on all open TCP ports: 12345678910111213141516171819202122232425262728293031323334353637383940414243💫 ~/htb/Support/enumeration ➜ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV -vvvv 10.10.11.174Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-13 03:41 EDTNSE: Loaded 157 scripts for scanning.NSE: Script Pre-scanning.NSE: Starting runlevel 1 (of 3) scan.Initiating NSE at 03:41Nmap scan report for 10.10.11.174Host is up, received echo-reply ttl 127 (0.100s latency).Scanned at 2025-06-13 03:41:34 EDT for 56sPORT STATE SERVICE REASON VERSION53/tcp open ...

Overview Lo-Fi is an easy TryHackMe machine made by cmnatic. This machine hosts a website on port 80 (http). On this site, we exploit a vulnerable parameter in a PHP page to obtain LFI on the host machine, and we use this to read the flag. Nmap ScanI’ll run nmap on all open TCP ports with NSE script and Service Version enumeration, this finds ports: 80,22. 1234567891011121314151617181920💫 ~/thm/Lo-Fi/enumeration ➜ nmap -sCV -p 80,22 -v 10.10.228.244Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-13 00:25 EDTNSE: Loaded 157 scripts for scanning.NSE: Script Pre-scanning.Initiating NSE at 00:25Nmap scan report for 10.10.228.244Host is up (0.18s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 3072 84:a3:dc:a8:a4:21:a1:b0:e5:01:77:d8:a9:43:31:39 (RSA)| 256 ee:db:67:aa:b9:3a:4b:fb:a9:ee:d6:fe:24:30:00:72 (ECDSA)|_ 256 a6:f1:97:cf:d4:60:c5:fe:47:f5:da:2b:c3:e9:78:37 (ED25519)80/tcp open http ...