Myles Nieman
← All writeups

BloodHound

9 writeups

Freelancer

Hard

An IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …

Windows

Playground

Hard

A Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …

Windows

PingPong

Insane

An assumed-breach scenario starting with domain credentials for c.roberts; initial BloodHound enumeration of ping.htb identifies ADCS as a potential …

Windows

Pirate

Hard

Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …

Windows

Succession

Easy

Given SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …

Windows

Sauna

Easy

Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …

Windows

Object

Hard

An open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …

Windows

Forest

Easy

Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …

Windows

Blackfield

Hard

Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …

Windows