windows

  • 22nd December 2025

Administrator writeup

writeupshack-the-boxwindowsactive-directorybloodhoundpermission-chainingpassword-spraytargeted-kerberoastingdcsyncpass-the-hash

Administrator is a Windows Active Directory box that demonstrates permission chaining, BloodHound enumeration, and password‑spraying. We will use a recovered PasswordSafe database for credential spraying, perform targeted Kerberoasting, abuse DCSync, and finally use pass‑the‑hash to gain domain administrator access.

Read more 
  • 16th December 2025

Fluffy writeup

writeupshack-the-boxwindowsactive-directorysmbresponderhash-crackingcve

Fluffy is a Windows Active Directory box that focuses on SMB share enumeration and NTLM hash capture. We will exploit CVE‑2025‑24071 via Responder, crack the obtained hash, then leverage shadow credentials and the ESC16 vulnerability to gain domain administrator access.

Read more 
  • 15th December 2025

TombWatcher writeup

writeupshack-the-boxwindowsactive-directorykerberoastingshadow-credentialscertificate-abusebloodhound

TombWatcher is a Windows Active Directory box that involves lateral movement through multiple user accounts, Kerberoasting, shadow credential attacks, and certificate template abuse. We will perform BloodHound enumeration, set a service principal name for Alfred, Kerberoast to obtain Alfred’s hash, then leverage GenericAll permissions to manipulate SAM, John, and CERT_ADMIN accounts, finally using ESC1 vulnerability to request a certificate as the domain administrator.

Read more