Certifried
Very Easy: Anonymous SMB enumeration on an Active Directory host reveals a readable share; null-session LDAP queries are not open, but unauthenticated SMB access …
Freelancer
Hard: An IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …
Ghost
Insane: LDAP injection on a Next.js intranet leaks a service-account secret that unlocks Gitea; a custom Ghost CMS file-read exposes an RCE dev key; from …
OpenAD
Hard: A default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …
Playground
Hard: A Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …
Search
Hard: A password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …
PingPong
Insane: An assumed-breach scenario starting with domain credentials for c.roberts; initial BloodHound enumeration of ping.htb identifies ADCS as a potential …
Logging
Medium: Readable SMB log share leaks an svc_recovery password (with a year-increment pattern), Generic Write on MSA_HEALTH$ enables shadow credential abuse …
Pirate
Hard: Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …
Succession
Easy: Given SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …
VulnCicada
Medium: An exposed NFS share leaks domain usernames and a credential hidden inside an image file; the password belongs to Rosie.Powell, whose account is used …
Return
Easy: A printer admin panel leaks credentials to Responder via a spoofed LDAP server address; the recovered svc-printer account belongs to Server Operators, …
Sauna
Easy: Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …
Overcertified
Easy: An LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …
Printer
Medium: A printer management web app leaks LDAP credentials to a Responder listener; Invoke-Pester in a constrained WinRM environment executes an arbitrary …
Logonshell
Very Easy: A Microsoft Exchange Server 2019 RTM (15.2.221.12) on the edelweiss.htb domain is exploited via ProxyShell (CVE-2021-34473) — the auth bypass …
Object
Hard: An open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …
Forest
Easy: Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …
Active
Easy: Anonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …
Blackfield
Hard: Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …