GMSA on z3r0shttps://z3r0s6.github.io/tags/gmsa/Recent content in GMSA on z3r0sHugoenSun, 26 Apr 2026 00:00:00 +0000HTB - Piratehttps://z3r0s6.github.io/machines/pirate/Sun, 26 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pirate/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>OS</td> <td>Windows (Active Directory)</td> </tr> <tr> <td>Domain</td> <td>PIRATE.HTB</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Pirate is a Hard-rated multi-host Windows Active Directory machine simulating a realistic corporate environment with three domain-joined machines. The attack chains <strong>six distinct AD primitives</strong> with no CVEs required - every step exploits misconfigurations:</p> <p><strong>Pre-Windows 2000 Compatible Access</strong> (MS01$ machine account auth) → <strong>gMSA password extraction</strong> via LDAP → <strong>Pass-the-Hash</strong> over WinRM on DC01 → <strong>L3 network pivot</strong> via Ligolo-ng to the internal <code>192.168.100.0/24</code> subnet → <strong>NTLM relay</strong> to LDAPS with RBCD to gain WEB01 Administrator → user flag → <strong>SPN injection</strong> with Constrained Delegation abuse to impersonate Domain Admin on DC01 → root flag.</p>HTB - Logginghttps://z3r0s6.github.io/machines/logging/Sun, 12 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/logging/<h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>OS</td> <td>Windows Server 2019</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>IP</td> <td>10.129.X.X</td> </tr> <tr> <td>Domain</td> <td>logging.htb</td> </tr> <tr> <td>DC</td> <td>dc01.logging.htb</td> </tr> </tbody> </table> <p><strong>Attack Chain:</strong> <code>Anonymous SMB → Credentials in Logs → Shadow Credentials (gMSA) → WinRM → DLL Hijack → Domain User Shell → ESC17 (ADCS + WSUS MitM) → SYSTEM</code></p> <hr> <h2 id="1-reconnaissance"> 1. Reconnaissance <a class="heading-link" href="#1-reconnaissance"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <h3 id="port-scan"> Port Scan <a class="heading-link" href="#port-scan"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rustscan -a 10.129.X.X --ulimit <span style="color:#a5d6ff">5000</span> -- -sV </span></span></code></pre></div><p><strong>Key open ports:</strong></p>