Esc1

  • Published on
    SMB enumeration reveals Ansible configuration files for a running web server that hosts an LDAPS server. Those files contain an Ansible vault with a crackable password, which reveals credentials to the LDAP server; executing a pass-back attack then reveals more sensitive credentials that are used for the initial foothold. Later, enumerating ADCS reveals ESC1 for the Computer Accounts group, which leads to creating a computer account, spawning an LDAP shell, and adding the low-privileged user to the Administrators group, gaining DA access.
  • Published on
    Guest logon enumeration leads to early access to an SQL Server, which allows an NTLM relay attack that captures a crackable hash. The valid credentials are then used to find another user's credentials in a backup log file. Elevation to Domain Admin follows from enumerating vulnerable certificate templates, which reveals that the current template is vulnerable to ESC1.