HTB Certified Writeup — Shadow Credentials, ACL Chains & ADCS ESC9 (2026)
Assumed breach AD box. WriteOwner abuse on a group, double shadow credentials chain, and ADCS ESC9 certificate abuse to Domain Admin.
My first AD box ever. Null session on SMB → GPP password in SYSVOL → Kerberoasting the Administrator → Domain Admin.
Hard AD box. AS-REP Roasting → BloodHound → ForceChangePassword → lsass.DMP → SeBackupPrivilege → VSS snapshot → NTDS.dit → Domain Admin.
Second AD box. AS-REP Roasting with no creds, BloodHound attack path through 5 nested groups, ACL abuse to DCSync.
Active Directory box — password spraying → Azure AD Connect credential extraction → Domain Admin.
SMB guest access → Excel macro with MSSQL creds → Responder hash theft via xp_dirtree → xp_cmdshell → reverse shell.
Proving Grounds box — anonymous FTP, SmarterMail on a weird port, .NET deserialization RCE straight to SYSTEM. No privesc needed.