A series of writeups from retired HackTheBox machines. Each post documents the full methodology from enumeration through to root, including tools used and key techniques along the way.
Windows — Active Directory
Forest — Easy
A Windows domain controller vulnerable to AS-REP Roasting. After cracking the svc-alfresco hash, BloodHound reveals a DACL abuse path through the Exchange Windows Permissions group, leading to a DCSync attack and full domain compromise.
Key techniques: LDAP enumeration, AS-REP Roasting, BloodHound, WriteDACL abuse, DCSync
Sauna — Medium
A Windows AD box for a fictional bank. Employee names on the website are used to build a username list for AS-REP Roasting. BloodHound then reveals a GetChangesAll privilege on a service account, enabling a DCSync to extract the Administrator hash.
Key techniques: Username enumeration, AS-REP Roasting, BloodHound, DCSync, Pass-the-Hash
Windows — General
Bastion — Easy
A Windows box exposing a full VHD backup over an SMB guest share. The image is mounted locally to extract SAM/SYSTEM hive files, and a weak mRemoteNG credential store reveals the Administrator password.
Key techniques: SMB enumeration, VHD mounting, SAM/SYSTEM extraction, mRemoteNG decryption
Keeper — Easy
A Linux box running a Request Tracker instance with default credentials. A KeePass memory dump (CVE-2023-32784) is recovered from the box and exploited to extract the master password, which unlocks a PuTTY SSH key granting root access.
Key techniques: Default credential abuse, KeePass memory dump exploitation, PuTTY key conversion
Linux
ServMon — Easy
(Full writeup available)
Support — Easy
(Full writeup available)
Writeups are only published for retired machines in line with HackTheBox’s content policy.