Cracking Hashes Using Hashtopolis

I covered the basics of cracking hashes using Hashcat in an earlier post, and I had since been meaning to play around with Hashtopolis, but never really gotten to it. Until now, that is. Hashtopolis is an open source platform based on Hashcat to crack password hashes in a distributed manner. For each large hash cracking task, it chops up the work and distributes each chunk to separate systems, with their own hash cracking resources (ideally GPGPUs). Needless to say, this might be a bit redundant for a single cracking tower. ...

March 1, 2026 · 6 min

Hack The Box: CodePartTwo

This machine was retired yesterday, so I decided to publish my writeup the day after. CodePartTwo is an easy machine, which runs a Flask web app vulnerable to RCE due to an outdated and vulnerable library it uses. Once exploited we can dump and crack the registered users' passwords hashes (MD5). That gives us a SSH access, along with the User Flag. Retrieving the Root Flag exploits a weakness in a backup utility the user has root access over (via sudo). ...

January 30, 2026 · 17 min

Hack The Box: MonitorsFour

Enum mairon $ rustscan -a 10.129.8.223 --ulimit 5000 -- -A -sCV -oN mo nitorsfour.txt .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : http://discord.skerritt.blog : : https://github.com/RustScan/RustScan : -------------------------------------- RustScan: Where scanning meets swagging. 😎 [~] The config file is expected to be at "/home/gkroon/.rustscan.toml" [~] Automatically increasing ulimit value to 5000. Open 10.129.8.223:80 Open 10.129.8.223:5985 [~] Starting Script(s) [>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -sCV -oN monitorsfour.txt" on ip 10.129.8.223 Depending on the complexity of the script, results may take some time to appear. [~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 19:59 +0100 NSE: Loaded 158 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed Initiating Ping Scan at 19:59 Scanning 10.129.8.223 [2 ports] Completed Ping Scan at 19:59, 0.01s elapsed (1 total hosts) Initiating Connect Scan at 19:59 Scanning monitorsfour.htb (10.129.8.223) [2 ports] Discovered open port 80/tcp on 10.129.8.223 Discovered open port 5985/tcp on 10.129.8.223 Completed Connect Scan at 19:59, 0.01s elapsed (2 total ports) Initiating Service scan at 19:59 Scanning 2 services on monitorsfour.htb (10.129.8.223) Completed Service scan at 19:59, 6.06s elapsed (2 services on 1 host) NSE: Script scanning 10.129.8.223. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 5.05s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.08s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed Nmap scan report for monitorsfour.htb (10.129.8.223) Host is up, received syn-ack (0.0090s latency). Scanned at 2026-01-29 19:59:09 CET for 11s PORT PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack nginx |_http-favicon: Unknown favicon MD5: 889DCABDC39A9126364F6A675AA4167D | http-methods: |_ Supported Methods: GET | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: MonitorsFour - Networking Solutions 5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 19:59 Completed NSE at 19:59, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds ...

January 29, 2026 · 10 min

Hack The Box: Eighteen

This was a real tough one, and I eventually got the System Flag in a very roundabout way. I really suspect there had to be easier ways to get that flag, but I could not figure out how to get around the walls I encountered left and right. Anyway, let’s get to it. Starting this machine, we already have basic credentials: As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw! — Machine Information ...

January 27, 2026 · 17 min

Hashcat on Docker

I finally got hashcat running on Docker, with GPU support for NVIDIA cards. First, I needed to install Docker and NVIDIA Container Toolkit on my system, and add my user to the docker group. root $ pacman -S --needed docker nvidia-container-toolkit root $ systemctl enable --now docker.service root $ usermod -aG docker user Then I created a Dockerfile to set up the hashcat environment with NVIDIA support (using a BlackArch image): FROM blackarchlinux/blackarch:latest RUN pacman -Syu --noconfirm && \ pacman -S --noconfirm \ blackarch/cracken \ blackarch/pack \ blackarch/pipal \ extra/hashcat \ extra/hashcat-utils RUN mkdir -p /etc/OpenCL/vendors && \ echo "libnvidia-opencl.so.1" > /etc/OpenCL/vendors/nvidia.icd RUN mkdir /cracking...

June 19, 2025 · 1 min

Kerberoasting & AS-REP Roasting

These are some scribbles if I ever need to look up how to exploit Kerberoasting or AS-REP Roasting. I might expand on this later…​ ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment For this article, we’re assuming the following (change accordingly): user $ echo $SHELL /usr/bin/fish user $ which GetUserSPNs.py /usr/bin/GetUserSPNs.py user $ which GetNPUsers.py /usr/bin/GetNPUsers.py user $ set win_domain company.org user $ set dc_ip 192.168.1.1 user $ set regular_user_account gijsbert...

October 11, 2024 · 4 min

Cracking Hashes Using Hashcat

I’ve been using Hashcat since I’ve been pentesting at my previous jobs, but I haven’t had the need to use it for a couple of years now. Recently I had another use case for it but I still don’t need to use nearly as often as I once did. I therefore decided to document some of this to easily look things up in the future. Extracting All Hashes from Active Directory To copy all hashes from Active Directory, you need domain administrator credentials. Once acquired, make a copy like so: ...

August 17, 2024 · 6 min