
TombWatcher (Retired Box)
Overview: We start TombWatcher with valid domain credentials, but that’s only a doorway. The push to Domain Admin is a stacked escalation driven by AD object control and certificate gaps. Using Blo...

Overview: Penetrating the Media Windows machine begins with abusing its custom PHP uploader function to force an NTLMv2 authentication leak. After cracking the captured hash, we gain a foothold on ...

Overview: Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to ...

When a user logs in, the operating system creates an access token containing their identity, group memberships, and a set of privileges (often called “user rights”). It’s crucial to understand that...

Overview: Administrator is a medium Windows box built around a full domain-compromise chain. You’re given low-privileged credentials and must enumerate ACLs, SMB/WinRM, and AD data. BloodHound shows...