This machine was retired yesterday, so I decided to publish my writeup the day after. CodePartTwo is an easy machine, which runs a Flask web app vulnerable to RCE due to an outdated and vulnerable library it uses. Once exploited we can dump and crack the registered users' passwords hashes (MD5). That gives us a SSH access, along with the User Flag. Retrieving the Root Flag exploits a weakness in a backup utility the user has root access over (via sudo). ...
This is my second writeup, after my first one covering the Conversor machine (machine not yet retired, therefore writeup not yet published). I fell into a few rabbit holes trying to pwn this one, I’m sad to say. We’ll get to that part as well, but first: enum. mairon $ nmap -Pn -n -v --open --top 5000 10.129.7.105 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 21:12 +0100 Initiating Connect Scan at 21:12 Scanning 10.129.7.105 [5000 ports] Discovered open port 80/tcp on 10.129.7.105 Discovered open port 22/tcp on 10.129.7.105 Completed Connect Scan at 21:12, 1.28s elapsed (5000 total ports) Nmap scan report for 10.129.7.105 Host is up (0.017s latency). Not shown: 4998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds ...
These are some notes describing how to build a deliberately vulnerable Active Directory test lab to test some well-known misconfigurations or exploits. I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. This article assumes a Windows Server 2022 system (VM), and a non domain joined Linux system (VM) with pentesting tools such as impacket and certipy. ...
These are some scribbles if I ever need to look up how to forge my own Kerberos Tickets, such as Silver, Golden, Diamond or Sapphire Tickets. I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment Previously, I’ve documented (also for myself) how to Kerberoast and ASREProast. For this article, we’re assuming we’ve already compromised the domain and have gotten our hands on the KRBTGT secrets (NTHash, AES keys). In other words, we’ve already got DA. ...
I finally got hashcat running on Docker, with GPU support for NVIDIA cards. First, I needed to install Docker and NVIDIA Container Toolkit on my system, and add my user to the docker group. root $ pacman -S --needed docker nvidia-container-toolkit root $ systemctl enable --now docker.service root $ usermod -aG docker user Then I created a Dockerfile to set up the hashcat environment with NVIDIA support (using a BlackArch image): FROM blackarchlinux/blackarch:latest RUN pacman -Syu --noconfirm && \ pacman -S --noconfirm \ blackarch/cracken \ blackarch/pack \ blackarch/pipal \ extra/hashcat \ extra/hashcat-utils RUN mkdir -p /etc/OpenCL/vendors && \ echo "libnvidia-opencl.so.1" > /etc/OpenCL/vendors/nvidia.icd RUN mkdir /cracking...
These are some scribbles if I ever need to look up how to exploit Kerberoasting or AS-REP Roasting. I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment For this article, we’re assuming the following (change accordingly): user $ echo $SHELL /usr/bin/fish user $ which GetUserSPNs.py /usr/bin/GetUserSPNs.py user $ which GetNPUsers.py /usr/bin/GetNPUsers.py user $ set win_domain company.org user $ set dc_ip 192.168.1.1 user $ set regular_user_account gijsbert...
These are some scribbles if I ever need to look up how to exploit AD CS misconfigurations, such as ESC1. I might expand on this later… ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment For this article, we’re assuming the following environment (change accordingly): user $ echo $SHELL /usr/bin/fish user $ which certipy # https://github.com/ly4k/Certipy /usr/bin/certipy user $ which ldapsearch /usr/bin/ldapsearch user $ which smbclient.py # https://github.com/fortra/impacket /usr/bin/smbclient.py user $ which ewp # https://github.com/adityatelange/evil-winrm-py /usr/bin/ewp user $ which nxc # https://github.com/Pennyw0rth/NetExec /usr/bin/nxc user $ set win_domain corp.local user $ set dc_fqdn dc01.{$win_domain} user $ set dc_ip (dig +short dc01.corp.local) user $ set ca_fqdn ca01.{$win_domain} user $ set ca_ip (dig +short ca01.corp.local) user $ set ca_name CORPROOTCA user $ set esc1_template_name CorpAuth user $ set regular_user_account gijsbert user $ set privileged_user_account wilbert...
I’ve been using Hashcat since I’ve been pentesting at my previous jobs, but I haven’t had the need to use it for a couple of years now. Recently I had another use case for it but I still don’t need to use nearly as often as I once did. I therefore decided to document some of this to easily look things up in the future. Extracting All Hashes from Active Directory To copy all hashes from Active Directory, you need domain administrator credentials. Once acquired, make a copy like so: ...