bloodhound

  • 22nd December 2025

Administrator writeup

writeupshack-the-boxwindowsactive-directorybloodhoundpermission-chainingpassword-spraytargeted-kerberoastingdcsyncpass-the-hash

Administrator is a Windows Active Directory box that demonstrates permission chaining, BloodHound enumeration, and password‑spraying. We will use a recovered PasswordSafe database for credential spraying, perform targeted Kerberoasting, abuse DCSync, and finally use pass‑the‑hash to gain domain administrator access.

Read more 
  • 15th December 2025

TombWatcher writeup

writeupshack-the-boxwindowsactive-directorykerberoastingshadow-credentialscertificate-abusebloodhound

TombWatcher is a Windows Active Directory box that involves lateral movement through multiple user accounts, Kerberoasting, shadow credential attacks, and certificate template abuse. We will perform BloodHound enumeration, set a service principal name for Alfred, Kerberoast to obtain Alfred’s hash, then leverage GenericAll permissions to manipulate SAM, John, and CERT_ADMIN accounts, finally using ESC1 vulnerability to request a certificate as the domain administrator.

Read more