Myles Nieman
Windows

26 writeups

Certifried

Very Easy

Anonymous SMB enumeration on an Active Directory host reveals a readable share; null-session LDAP queries are not open, but unauthenticated SMB access …

Windows

Freelancer

Hard

An IDOR in a base64-encoded OTP URL allows hijacking an admin account on a freelancer platform, exposing an MSSQL terminal; privilege escalation …

Windows

Ghost

Insane

LDAP injection on a Next.js intranet leaks a service-account secret that unlocks Gitea; a custom Ghost CMS file-read exposes an RCE dev key; from …

Windows

Infosek

Medium

Exposed WordPress credentials in a public location grant admin panel access; a webshell upload reveals database credentials for the ryder account, and …

Windows

OpenAD

Hard

A default-credentialed Apache ActiveMQ 5.18.2 console on a Windows domain controller is exploited via CVE-2023-46604 for initial access; a Kerberos …

Windows

Playground

Hard

A Windows domain controller with restricted anonymous access is probed with SMB null sessions, kerbrute, and extensive RPC endpoint mapping; the notes …

Windows

Search

Hard

A password embedded in a webpage image seeds a chain through SMB Kerberoasting, password spraying, and an Excel spreadsheet full of plaintext …

Windows

PingPong

Insane

An assumed-breach scenario starting with domain credentials for c.roberts; initial BloodHound enumeration of ping.htb identifies ADCS as a potential …

Windows

VulnEscape

Easy

An RDP kiosk running Microsoft Edge is escaped by adding a local HTML page and renaming PowerShell to msedge.exe; Remote Desktop Plus stores a masked …

Windows

Logging

Medium

Readable SMB log share leaks an svc_recovery password (with a year-increment pattern), Generic Write on MSA_HEALTH$ enables shadow credential abuse …

Windows

Pirate

Hard

Starting with provided pentest credentials against a Windows domain controller, BloodHound reveals two Kerberoastable accounts; the ADM service ticket …

Windows

Succession

Easy

Given SSH credentials for david.smith, BloodHound and netexec confirm the BadSuccessor (dMSA delegation abuse) primitive; SharpSuccessor creates a …

Windows

Rainbow

Medium

Anonymous FTP access combined with a custom web service on port 8080 leads to a stack-based buffer overflow that overwrites ECX; exploiting the crash …

Windows

VulnCicada

Medium

An exposed NFS share leaks domain usernames and a credential hidden inside an image file; the password belongs to Rosie.Powell, whose account is used …

Windows

Return

Easy

A printer admin panel leaks credentials to Responder via a spoofed LDAP server address; the recovered svc-printer account belongs to Server Operators, …

Windows

Sauna

Easy

Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …

Windows

Toolbox

Easy

SQL injection in a PostgreSQL-backed login form yields an os-shell inside a Docker container; the Docker Toolbox VM is reachable via SSH with default …

Windows

Overcertified

Easy

An LDAP service account password stored in its own description field enables BloodHound collection and Kerberoasting of the MSSQLSERVER account; MSSQL …

Windows

Caring

Very Easy

An unauthenticated SMB Config share leaks a config.ini containing credentials for the user claudio; WinPEAS then surfaces Administrator credentials …

Windows

Printer

Medium

A printer management web app leaks LDAP credentials to a Responder listener; Invoke-Pester in a constrained WinRM environment executes an arbitrary …

Windows

ADSelfService

Very Easy

An exposed ManageEngine ADSelfService Plus portal running version 6.1 is vulnerable to CVE-2021-40539 (REST API authentication bypass to RCE), …

Windows

Logonshell

Very Easy

A Microsoft Exchange Server 2019 RTM (15.2.221.12) on the edelweiss.htb domain is exploited via ProxyShell (CVE-2021-34473) — the auth bypass …

Windows

Object

Hard

An open Jenkins registration on port 8080 lets an attacker create a job that executes arbitrary commands as oliver; Jenkins credential files are …

Windows

Forest

Easy

Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …

Windows

Active

Easy

Anonymous SMB access leaks a Group Policy Preferences cpassword for SVC_TGS; that account is used to Kerberoast the Administrator SPN and crack the …

Windows

Blackfield

Hard

Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …

Windows