HTB Certified Writeup — Shadow Credentials, ACL Chains & ADCS ESC9 (2026)
Assumed-breach AD box. WriteOwner abuse on a group, double shadow credentials chain, and ADCS ESC9 certificate abuse to Domain Admin.
Quick reference for AD enumeration, Kerberos attacks, lateral movement, and domain compromise.
Step-by-step methodology for attacking Active Directory — the chain I follow on every AD box.
How I set up and use BloodHound CE for AD enumeration — collection, import, and finding attack paths.
My first AD box ever. Null session on SMB → GPP password in SYSVOL → Kerberoasting the Administrator → Domain Admin.
Hard AD box. AS-REP Roasting → BloodHound → ForceChangePassword → lsass.DMP → SeBackupPrivilege → VSS snapshot → NTDS.dit → Domain Admin.
Second AD box. AS-REP Roasting with no creds, BloodHound attack path through 5 nested groups, ACL abuse to DCSync.
Active Directory box — password spraying → Azure AD Connect credential extraction → Domain Admin.
Quick reference for the Impacket tools I use most — mssqlclient, GetUserSPNs, GetNPUsers, secretsdump, psexec, and more.