Authority: Cracking the Vault, Forging the Crown — From Ansible Vault to Domain Admin
2026-05-14
Authority is a medium‑difficulty Windows domain controller that weaves together a captivating chain of misconfigurations. It begins with an anonymous SMB share exposing Ansible playbooks, whose weak vault passwords fall to a simple offline crack. That vault unlocks a PWM (Password Manager) instance, where a malicious configuration change redirects an LDAP test to our attacker‑controlled listener, spilling domain credentials straight into our hands. With a foothold, we discover an ADCS vulnerability (ESC1) that only domain computers can exploit – so we create one. A rogue computer account requests a certificate for the Domain Controller, and through a Pass‑the‑Cert attack, we rewrite group memberships, ultimately placing ourselves in the Domain Admins group. The lab is a perfect blend of credential theft, certificate abuse, and lateral thinking, showing how small cracks can cascade into total compromise.
1355 words | 7 minutes
Timelapse: LAPS in Time - From Anonymous SMB to Domain Admin
2026-05-13
Timelapse is an Easy‑rated Windows Active Directory box on Hack The Box. The initial foothold relies on cracking a password‑protected ZIP archive that is freely available via an anonymous SMB share. Inside is a .pfx certificate that – once unlocked – gives shell access over WinRM. Privesc follows a classic AD route: find credentials in PowerShell history, then abuse membership of the LAPS_Readers group to retrieve the local Administrator password of the Domain Controller.
891 words | 4 minutes
Sauna: Steaming Credentials — From AS‑REP Roast to DCSync
2026-05-13
Sauna is an Easy Windows Active Directory machine that showcases a classic internal penetration test path. Starting from anonymous enumeration, we extract a list of potential employees from the corporate website and validate usernames using Kerberos. An account without pre‑authentication allows an AS‑REP roast attack, giving us an initial foothold.
2357 words | 12 minutes
Administrator: A Safe Bet — From ACL Chains to DCSync
2026-05-13
Administrator is a real‑world Active Directory compromise scenario that begins with nothing more than a single set of low‑privileged credentials. Using Olivia : ichliebedich, you must carefully navigate a web of ACL misconfigurations, chaining password resets through multiple users until you uncover a password‑protected safe that holds the keys to a WinRM session. From there, a targeted Kerberoasting attack leveraged through GenericWrite privileges yields yet another set of credentials, which ultimately unlocks DCSync rights and the entire domain. This machine is a masterclass in combining BloodHound‑driven attack path analysis, offline cracking with Hashcat, and classic Active Directory escalation techniques.
1072 words | 5 minutes
Cicada: Chirping Credentials — From Default Password to Domain Admin
2026-05-12
This is Cicada, a Windows Active Directory machine whose attack path involves enumerating SMB shares to find a default password in a welcome note, performing RID cycling to discover usernames, and password spraying to find a user still using the default credentials. After gaining a foothold with one user, LDAP enumeration reveals a password stored in another user’s description. That user has access to a DEV share containing a backup script, which leaks further credentials. Finally, the SeBackupPrivilege is exploited to dump hashes and achieve domain administrator access.
3205 words | 16 minutes
EscapeTwo: Breaking Out with Broken Files - From Corrupted Excel to Domain Admin
2026-05-12
This writeup details the complete compromise of the HackTheBox machine “EscapeTwo.” The attack path involves an assumed breach with low-privileged credentials, information extraction from corrupted Excel files, lateral movement through found credentials, exploitation of a service account, abuse of Active Directory Certificate Services (ADCS) misconfigurations, and ultimately achieving Domain Admin privileges.
1396 words | 7 minutes
Support: Hidden in the Info Field - From SMB Share to Domain Admin
2026-05-12
Support is an Easy Windows machine that begins with an open SMB share allowing anonymous access. Inside the share, a custom .NET executable, UserInfo.exe, is found. Reverse engineering or network analysis reveals the LDAP credentials used by the binary. Those credentials are used to query the domain LDAP and discover a user named support whose info attribute contains a password. This password grants WinRM access. On the machine, BloodHound analysis shows that the Shared Support Accounts group (of which support is a member) has GenericAll on the Domain Controller. A Resource‑Based Constrained Delegation attack is performed to obtain a ticket for the Administrator and ultimately compromise the domain, yielding NT Authority\System access.
1621 words | 8 minutes
The Mafia’s Recollection: A Memory Forensics Case Study
2026-05-08
The following report addresses each question raised during the investigation.
1191 words | 6 minutes