OpenAD
HardA default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …
Search
HardA password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …
Pirate
HardStarting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …
Overcertified
EasyAn LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …
Active
EasyAnonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …