👋 Greetings, visitor!

Here you’ll find some random (technical) posts and scribbles that kept me busy either at work or at home. Views are my own unless stated otherwise.

Using Molly (Signal) with UnifiedPush

I finally started using Molly to send and receive messages via Signal. Molly is a hardened fork of Signal for Android, offering features such as an encrypted message database, automatic locking, shredding no longer needed secrets from RAM, notifications via UnifiedPush, and Tor / SOCKS proxy support. This is by no means an alternative to Signal itself, but rather an alternative (and hardened) Android client for Signal. While these extra security features are great, my main motivation to use Molly was battery saving, actually. I’m on GrapheneOS, which does offer sandboxed Google Play (opt-in), yet I’ve chosen not to use it. This means I’m not using Google’s Firebase Cloud Messaging (FCM) for notifications either, which Signal by default heavily relies on. However, it continues to make me very glad I can still use a secure and open source mobile operating system (GrapheneOS) in 2025, without needing to rely on proprietary and privacy-impairing functionality. ...

October 15, 2025 · 4 min

Cracking Hashes Using Hashtopolis

I covered the basics of cracking hashes using Hashcat in an earlier post, and I had since been meaning to play around with Hashtopolis, but never really gotten to it. Until now, that is. Hashtopolis is an open source platform based on Hashcat to crack password hashes in a distributed manner. For each large hash cracking task, it chops up the work and distributes each chunk to separate systems, with their own hash cracking resources (ideally GPGPUs). Needless to say, this might be a bit redundant for a single cracking tower. ...

March 1, 2026 · 6 min

Dumping Active Directory Hashes

These are some scribbles if I ever need to look up how to dump AD hashes (in various ways). I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. This post strictly limits itself to post-exploitation, after already having obtained DA credentials. Dumping Requesting a Kerberos ticket first: ...

February 23, 2026 · 2 min

Hack The Box: Overwatch

Enum: mairon $ rustscan -a 10.129.232.128 --ulimit 5000 -- -Pn -n -v --open -A -sCV | tee rustscan.txt ...

January 30, 2026 · 18 min

Hack The Box: CodePartTwo

This machine was retired yesterday, so I decided to publish my writeup the day after. CodePartTwo is an easy machine, which runs a Flask web app vulnerable to RCE due to an outdated and vulnerable library it uses. Once exploited we can dump and crack the registered users' password hashes (MD5). That gives us SSH access, along with the User Flag. Retrieving the Root Flag exploits a weakness in a backup utility the user has root access over (via sudo). ...

January 30, 2026 · 17 min

Hack The Box: Eighteen

This was a real tough one, and I eventually got the System Flag in a very roundabout way. I really suspect there had to be easier ways to get that flag, but I could not figure out how to get around the walls I encountered left and right. Anyway, let’s get to it. Starting this machine, we already have basic credentials: As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw! — Machine Information ...

January 27, 2026 · 17 min

Hack The Box: Soulmate

This is my second writeup, after my first one covering the Conversor machine (machine not yet retired, therefore writeup not yet published). I fell into a few rabbit holes trying to pwn this one, I’m sad to say. We’ll get to that part as well, but first: enum. mairon $ nmap -Pn -n -v --open --top 5000 10.129.7.105 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 21:12 +0100 Initiating Connect Scan at 21:12 Scanning 10.129.7.105 [5000 ports] Discovered open port 80/tcp on 10.129.7.105 Discovered open port 22/tcp on 10.129.7.105 Completed Connect Scan at 21:12, 1.28s elapsed (5000 total ports) Nmap scan report for 10.129.7.105 Host is up (0.017s latency). Not shown: 4998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds ...

January 26, 2026 · 12 min

Hack The Box: Conversor

I haven’t been pentesting for over 5 years now due to moving to new positions / roles. But lately I decided to dust off some of my dormant pentesting skills. Over the past few days I’ve completed the HTB Starting Point machines after work. All but the VIP (paid) ones. I’m rusty, but most basic skills came back pretty quickly. After each machine I quickly regained courage to keep at it and try harder. I even managed to find my old OSCP notes and snippets, rich with one-liners for popping reverse shells, start listeners, upgrading / stabilising shells, etc., etc. ...

January 24, 2026 · 11 min

Automating Itho Daalderop CVE ECO 2SP Ventilation Unit with Home Assistant

My girlfriend and I bought a new house! And with it, an (older) Itho Daalderop CVE ECO 2SP mechanical ventilation unit. Itho Daalderop is a Dutch brand selling ventilation appliances and heating systems. I believe they mostly sell their products in the Netherlands. Figure 1. Our Itho Daalderop CVE ECO 2SP ventilation unit. The above ventilation unit keeps the air in our house (specifically our bathroom, kitchen, and downstairs toilet) fresh by continuously exchanging indoor air with fresh outdoor air. It also came with an 868MHz RFT remote control to manually adjust the ventilation speed: ...

December 4, 2025 · 6 min

Vulnerable AD Test Lab

These are some notes describing how to build a deliberately vulnerable Active Directory test lab to test some well-known misconfigurations or exploits. I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. This article assumes a Windows Server 2022 system (VM), and a non-domain-joined Linux system (VM) with pentesting tools such as impacket and certipy. ...

November 16, 2025 · 9 min