
250 HackTheBox Pwned
Things learned from pwning 250 HackTheBox machines.

This post outlines the Kerberos authentication flow and the exact data structures of each message exchanged on the wire.

VulnCicada presents a specific scenario where ESC8 can be exploited using a Kerberos relay in an Active Directory environment with NTLM disabled. First, I unpack the Kerberos authentication workflow at a high level and parse the RFCs to show exactly what is in a Kerberos ticket and what data are exchanged during authentication. Next, I introduce the Kerberos relay attack, its prerequisites, and a niche scenario where it can be effective. Finally, I put the technique into practice and walk through exploiting the box using the method described.

Media is a medium-difficulty Windows box on HackTheBox featuring a "by-design vulnerability" in Windows Media Player that can be leveraged to capture users' Net-NTLMv2 authentication hashes. In this writeup, I demonstrate how WMP playlist/redirect behavior can be abused to leak those hashes. I also demonstrate exploiting the powerful "SeTcbPrivilege" to gain SYSTEM privileges.

Corporate is an epic, insane-difficulty Linux box on HackTheBox that presents a scenario where the Content Security Policy (CSP) can be bypassed to achieve cross-site scripting (XSS) by chaining multiple HTML-related vulnerabilities as the initial entry point. It also includes IDOR, JWT forging, Bitwarden PIN cracking, Docker socket abuse, and more. In this writeup, I demonstrate various enumeration, privilege-escalation, and lateral-movement techniques used to pivot from the external network to the internal network, moving through five users and ultimately obtaining root access.

Baby is an easy-difficulty Windows box with several vulnerabilities. In this writeup I walk through a realistic attack scenario in which I gain control of a privileged user via password spraying and then abuse `SeBackupPrivilege` to compromise the domain. I also show a scenario where `nxc ldap --users` can be unreliable for user enumeration, underscoring the importance of manual LDAP queries.

Delegate features a vulnerable delegation scenario involving the "SeEnableDelegationPrivilege" privilege. In this write-up, I showcase the planning and execution of different attack techniques, including a specific case of unconstrained delegation.

Introduction IoT devices are everywhere, but their security often lags behind. Inspired by the OWASP Firmware Security Testing Guide, I conducted a personal project to hone my IoT penetration testi...