Walkthroughs
HTB box writeups — attack path, techniques, and CPTS takeaways.
- Forest (HTB, Retired, Easy, Windows)
AS-REP Roasting recovers credentials for a service account with no Kerberos pre-authentication. Nested group membership through Account Operators gives WriteDACL over the domain, enabling a DCSync attack for full domain compromise.
AS-REP Roasting, Credential Cracking, BloodHound Enumeration, +3 more
- Trick (HTB, Retired, Easy, Linux)
DNS zone transfer exposes a hidden payroll application vulnerable to SQL injection. File read via SQLi reveals a second vhost with an LFI vulnerability — exploited through a filter bypass with PHP-FPM running as the target user, leaking an SSH key. A writable fail2ban action directory and a NOPASSWD sudo rule finish the job.
DNS Zone Transfer (AXFR), SQL Injection, SQLMap File Read, +6 more
- Jeeves (HTB, Retired, Medium, Windows)
Unauthenticated Jenkins access leads to remote code execution. A KeePass vault stored on the host contains reusable credentials that enable pass-the-hash access to Administrator.
Jenkins Script Console RCE, Web Enumeration, KeePass Credential Extraction, +3 more