https://z3r0s6.github.io/tags/kerberos/Recent content in Kerberos on z3r0sHugoenSun, 19 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pingpong/Sun, 19 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pingpong/<p><strong>Difficulty:</strong> Insane<br> <strong>OS:</strong> Windows<br> <strong>Points:</strong> 50<br> <strong>Release:</strong> 2026-04-27<br> <strong>Starting Creds:</strong> <code>c.roberts / AssumedBreach123</code></p> <hr> <h2 id="attack-chain"> Attack Chain <a class="heading-link" href="#attack-chain"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <pre tabindex="0"><code>c.roberts (PING.HTB) → ESC13 (TemporaryWinRM) → PKINIT TGT + TempWinRMAccess SID → WinRM on DC1 → Ligolo-ng tunnel → DC2 reachable (192.168.2.2) → WriteDACL on gMSA Managers (PONG) → GenericAll → scope flip (Global→Universal→DomainLocal) → Add cross-forest FSP → ReadGMSAPassword → Pong_gMSA$ NTLM/AES → JEA endpoint on DC1 (restricted) → PSReadLine history → c.carlssen / A()DUJ!@414 → WinRM on DC2 → user.txt → c.carlssen GenericWrite on svc_sql → RBCD (Pong_gMSA$ → svc_sql) → S4U2Proxy impersonate c.adam → MSSQL xp_cmdshell → local admin on DC2 → c.carlssen → Domain Admins (PONG) → DCSync → R.Martinelli → R.Martinelli ∈ CA Managers (PING) → ESC4 on SmartcardAuthentication → ESC1 → cert for Administrator@ping.htb → PKINIT → root.txt on DC1 </code></pre><hr> <h2 id="recon"> Recon <a class="heading-link" href="#recon"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Classic Windows DC port profile: <code>53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389</code></p>https://z3r0s6.github.io/machines/garfield/Sun, 22 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/garfield/<blockquote> <p><strong>Difficulty:</strong> Hard | <strong>Platform:</strong> Windows Active Directory | <strong>Category:</strong> Seasonal<br> <strong>Tags:</strong> <code>active-directory</code> <code>smb</code> <code>kerberos</code> <code>rbcd</code> <code>rodc</code> <code>golden-ticket</code> <code>keylist</code> <code>mimikatz</code> <code>rubeus</code></p> </blockquote> <hr> <h2 id="machine-info"> Machine Info <a class="heading-link" href="#machine-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Machine Name</td> <td>Garfield</td> </tr> <tr> <td>IP Address</td> <td>10.129.27.196 (initial) / 10.129.23.120 (reset)</td> </tr> <tr> <td>OS</td> <td>Windows Server 2019 (Domain Controller)</td> </tr> <tr> <td>Domain</td> <td>garfield.htb (GARFIELD.HTB)</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>Starting Creds</td> <td><code>j.arbuckle / Th1sD4mnC4t!@1978</code></td> </tr> </tbody> </table> <hr> <h2 id="1-executive-summary"> 1. Executive Summary <a class="heading-link" href="#1-executive-summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Garfield is a Hard-rated Windows Active Directory machine on Hack The Box's seasonal lineup. It simulates a real-world corporate AD environment with multiple chained vulnerabilities spanning SMB misconfigurations, AD ACL abuse, logon script hijacking, RBCD (Resource-Based Constrained Delegation) attacks, Read-Only Domain Controller (RODC) compromise, and a KeyList attack to retrieve the main DC's Administrator hash - ultimately achieving full domain compromise.</p>