https://z3r0s6.github.io/tags/windows/Recent content in Windows on z3r0sHugoenSun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/herald/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/herald/<p>Nmap Scan</p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#ff7b72;font-weight:bold">[</span>12ms<span style="color:#ff7b72;font-weight:bold">][</span>127<span style="color:#ff7b72;font-weight:bold">][</span>~/herald<span style="color:#ff7b72;font-weight:bold">]</span>$ nmap -sCV 10.0.12.3 </span></span><span style="display:flex;"><span>Starting Nmap 7.98 <span style="color:#ff7b72;font-weight:bold">(</span> https://nmap.org <span style="color:#ff7b72;font-weight:bold">)</span> at 2026-04-13 17:45 -0400 </span></span><span style="display:flex;"><span>Stats: 0:00:50 elapsed; <span style="color:#a5d6ff">0</span> hosts completed <span style="color:#ff7b72;font-weight:bold">(</span><span style="color:#a5d6ff">1</span> up<span style="color:#ff7b72;font-weight:bold">)</span>, <span style="color:#a5d6ff">1</span> undergoing Script Scan </span></span><span style="display:flex;"><span>NSE Timing: About 99.95% <span style="color:#ff7b72">done</span>; ETC: 17:46 <span style="color:#ff7b72;font-weight:bold">(</span>0:00:00 remaining<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Nmap scan report <span style="color:#ff7b72">for</span> herald.htb <span style="color:#ff7b72;font-weight:bold">(</span>10.0.12.3<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Host is up <span style="color:#ff7b72;font-weight:bold">(</span>0.00091s latency<span style="color:#ff7b72;font-weight:bold">)</span>. </span></span><span style="display:flex;"><span>Not shown: <span style="color:#a5d6ff">986</span> filtered tcp ports <span style="color:#ff7b72;font-weight:bold">(</span>no-response<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>PORT STATE SERVICE VERSION </span></span><span style="display:flex;"><span>53/tcp open domain Simple DNS Plus </span></span><span style="display:flex;"><span>88/tcp open kerberos-sec Microsoft Windows Kerberos <span style="color:#ff7b72;font-weight:bold">(</span>server time: 2026-04-13 21:45:30Z<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>135/tcp open msrpc Microsoft Windows RPC </span></span><span style="display:flex;"><span>139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span style="display:flex;"><span>389/tcp open ldap Microsoft Windows Active Directory LDAP <span style="color:#ff7b72;font-weight:bold">(</span>Domain: herald.htb, Site: Default-First-Site-Name<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>445/tcp open microsoft-ds? </span></span><span style="display:flex;"><span>464/tcp open kpasswd5? </span></span><span style="display:flex;"><span>593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span style="display:flex;"><span>636/tcp open tcpwrapped </span></span><span style="display:flex;"><span>1433/tcp open ms-sql-s Microsoft SQL Server <span style="color:#a5d6ff">2019</span> 15.00.2000.00; RTM </span></span><span style="display:flex;"><span>| ms-sql-info: </span></span><span style="display:flex;"><span>| 10.0.12.3:1433: </span></span><span style="display:flex;"><span>| Version: </span></span><span style="display:flex;"><span>| name: Microsoft SQL Server <span style="color:#a5d6ff">2019</span> RTM </span></span><span style="display:flex;"><span>| number: 15.00.2000.00 </span></span><span style="display:flex;"><span>| Product: Microsoft SQL Server <span style="color:#a5d6ff">2019</span> </span></span><span style="display:flex;"><span>| Service pack level: RTM </span></span><span style="display:flex;"><span>| Post-SP patches applied: false </span></span><span style="display:flex;"><span>|_ TCP port: <span style="color:#a5d6ff">1433</span> </span></span><span style="display:flex;"><span>|_ssl-date: 2026-04-13T21:46:08+00:00; -3s from scanner time. </span></span><span style="display:flex;"><span>| ssl-cert: Subject: <span style="color:#79c0ff">commonName</span><span style="color:#ff7b72;font-weight:bold">=</span>SSL_Self_Signed_Fallback </span></span><span style="display:flex;"><span>| Not valid before: 2026-04-13T21:42:38 </span></span><span style="display:flex;"><span>|_Not valid after: 2056-04-13T21:42:38 </span></span><span style="display:flex;"><span>| ms-sql-ntlm-info: </span></span><span style="display:flex;"><span>| 10.0.12.3:1433: </span></span><span style="display:flex;"><span>| Target_Name: HERALD </span></span><span style="display:flex;"><span>| NetBIOS_Domain_Name: HERALD </span></span><span style="display:flex;"><span>| NetBIOS_Computer_Name: DC01 </span></span><span style="display:flex;"><span>| DNS_Domain_Name: herald.htb </span></span><span style="display:flex;"><span>| DNS_Computer_Name: DC01.herald.htb </span></span><span style="display:flex;"><span>| DNS_Tree_Name: herald.htb </span></span><span style="display:flex;"><span>|_ Product_Version: 10.0.17763 </span></span><span style="display:flex;"><span>3268/tcp open ldap Microsoft Windows Active Directory LDAP <span style="color:#ff7b72;font-weight:bold">(</span>Domain: herald.htb, Site: Default-First-Site-Name<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>3269/tcp open tcpwrapped </span></span><span style="display:flex;"><span>5357/tcp open http Microsoft HTTPAPI httpd 2.0 <span style="color:#ff7b72;font-weight:bold">(</span>SSDP/UPnP<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>|_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span style="display:flex;"><span>|_http-title: Service Unavailable </span></span><span style="display:flex;"><span>5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span style="color:#ff7b72;font-weight:bold">(</span>SSDP/UPnP<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>|_http-title: Not Found </span></span><span style="display:flex;"><span>|_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span style="display:flex;"><span>MAC Address: 08:00:27:0F:D0:78 <span style="color:#ff7b72;font-weight:bold">(</span>Oracle VirtualBox virtual NIC<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Host script results: </span></span><span style="display:flex;"><span>| smb2-security-mode: </span></span><span style="display:flex;"><span>| 3.1.1: </span></span><span style="display:flex;"><span>|_ Message signing enabled and required </span></span><span style="display:flex;"><span>|_clock-skew: mean: 0s, deviation: 3s, median: 1s </span></span><span style="display:flex;"><span>| smb2-time: </span></span><span style="display:flex;"><span>| date: 2026-04-13T21:45:35 </span></span><span style="display:flex;"><span>|_ start_date: N/A </span></span><span style="display:flex;"><span>|_nbstat: NetBIOS name: DC01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:0f:d0:78 <span style="color:#ff7b72;font-weight:bold">(</span>Oracle VirtualBox virtual NIC<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span style="display:flex;"><span>Nmap <span style="color:#ff7b72">done</span>: <span style="color:#a5d6ff">1</span> IP address <span style="color:#ff7b72;font-weight:bold">(</span><span style="color:#a5d6ff">1</span> host up<span style="color:#ff7b72;font-weight:bold">)</span> scanned in 61.04 seconds </span></span></code></pre></div><p>add in etc/hosts</p>https://z3r0s6.github.io/machines/pirate/Sun, 26 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pirate/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>OS</td> <td>Windows (Active Directory)</td> </tr> <tr> <td>Domain</td> <td>PIRATE.HTB</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Pirate is a Hard-rated multi-host Windows Active Directory machine simulating a realistic corporate environment with three domain-joined machines. The attack chains <strong>six distinct AD primitives</strong> with no CVEs required - every step exploits misconfigurations:</p> <p><strong>Pre-Windows 2000 Compatible Access</strong> (MS01$ machine account auth) → <strong>gMSA password extraction</strong> via LDAP → <strong>Pass-the-Hash</strong> over WinRM on DC01 → <strong>L3 network pivot</strong> via Ligolo-ng to the internal <code>192.168.100.0/24</code> subnet → <strong>NTLM relay</strong> to LDAPS with RBCD to gain WEB01 Administrator → user flag → <strong>SPN injection</strong> with Constrained Delegation abuse to impersonate Domain Admin on DC01 → root flag.</p>https://z3r0s6.github.io/machines/pingpong/Sun, 19 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pingpong/<p><strong>Difficulty:</strong> Insane<br> <strong>OS:</strong> Windows<br> <strong>Points:</strong> 50<br> <strong>Release:</strong> 2026-04-27<br> <strong>Starting Creds:</strong> <code>c.roberts / AssumedBreach123</code></p> <hr> <h2 id="attack-chain"> Attack Chain <a class="heading-link" href="#attack-chain"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <pre tabindex="0"><code>c.roberts (PING.HTB) → ESC13 (TemporaryWinRM) → PKINIT TGT + TempWinRMAccess SID → WinRM on DC1 → Ligolo-ng tunnel → DC2 reachable (192.168.2.2) → WriteDACL on gMSA Managers (PONG) → GenericAll → scope flip (Global→Universal→DomainLocal) → Add cross-forest FSP → ReadGMSAPassword → Pong_gMSA$ NTLM/AES → JEA endpoint on DC1 (restricted) → PSReadLine history → c.carlssen / A()DUJ!@414 → WinRM on DC2 → user.txt → c.carlssen GenericWrite on svc_sql → RBCD (Pong_gMSA$ → svc_sql) → S4U2Proxy impersonate c.adam → MSSQL xp_cmdshell → local admin on DC2 → c.carlssen → Domain Admins (PONG) → DCSync → R.Martinelli → R.Martinelli ∈ CA Managers (PING) → ESC4 on SmartcardAuthentication → ESC1 → cert for Administrator@ping.htb → PKINIT → root.txt on DC1 </code></pre><hr> <h2 id="recon"> Recon <a class="heading-link" href="#recon"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Classic Windows DC port profile: <code>53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389</code></p>https://z3r0s6.github.io/machines/logging/Sun, 12 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/logging/<h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>OS</td> <td>Windows Server 2019</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>IP</td> <td>10.129.X.X</td> </tr> <tr> <td>Domain</td> <td>logging.htb</td> </tr> <tr> <td>DC</td> <td>dc01.logging.htb</td> </tr> </tbody> </table> <p><strong>Attack Chain:</strong> <code>Anonymous SMB → Credentials in Logs → Shadow Credentials (gMSA) → WinRM → DLL Hijack → Domain User Shell → ESC17 (ADCS + WSUS MitM) → SYSTEM</code></p> <hr> <h2 id="1-reconnaissance"> 1. Reconnaissance <a class="heading-link" href="#1-reconnaissance"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <h3 id="port-scan"> Port Scan <a class="heading-link" href="#port-scan"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rustscan -a 10.129.X.X --ulimit <span style="color:#a5d6ff">5000</span> -- -sV </span></span></code></pre></div><p><strong>Key open ports:</strong></p>https://z3r0s6.github.io/machines/garfield/Sun, 22 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/garfield/<blockquote> <p><strong>Difficulty:</strong> Hard | <strong>Platform:</strong> Windows Active Directory | <strong>Category:</strong> Seasonal<br> <strong>Tags:</strong> <code>active-directory</code> <code>smb</code> <code>kerberos</code> <code>rbcd</code> <code>rodc</code> <code>golden-ticket</code> <code>keylist</code> <code>mimikatz</code> <code>rubeus</code></p> </blockquote> <hr> <h2 id="machine-info"> Machine Info <a class="heading-link" href="#machine-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Machine Name</td> <td>Garfield</td> </tr> <tr> <td>IP Address</td> <td>10.129.27.196 (initial) / 10.129.23.120 (reset)</td> </tr> <tr> <td>OS</td> <td>Windows Server 2019 (Domain Controller)</td> </tr> <tr> <td>Domain</td> <td>garfield.htb (GARFIELD.HTB)</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>Starting Creds</td> <td><code>j.arbuckle / Th1sD4mnC4t!@1978</code></td> </tr> </tbody> </table> <hr> <h2 id="1-executive-summary"> 1. Executive Summary <a class="heading-link" href="#1-executive-summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Garfield is a Hard-rated Windows Active Directory machine on Hack The Box's seasonal lineup. It simulates a real-world corporate AD environment with multiple chained vulnerabilities spanning SMB misconfigurations, AD ACL abuse, logon script hijacking, RBCD (Resource-Based Constrained Delegation) attacks, Read-Only Domain Controller (RODC) compromise, and a KeyList attack to retrieve the main DC's Administrator hash - ultimately achieving full domain compromise.</p>