Myles Nieman
← All writeups

Kerberoasting

5 writeups

OpenAD

Hard

A default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …

Windows

Search

Hard

A password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …

Windows

Pirate

Hard

Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …

Windows

Overcertified

Easy

An LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …

Windows

Active

Easy

Anonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …

Windows