
Pentest Process: Scoping
What is scoping? Scoping is the first phase of a penetration test, during which a pentester and an organization formally define which systems may be tested, how the testing will be conducted, and ...

Overview StreamIO is a Windows host running PHP on IIS, backed by an MSSQL database. The foothold begins with SQL injection in the movie search functionality, allowing full extraction of user cred...

Overview Authority is a Windows domain controller. I’ll start by enumerating open SMB shares and uncovering Ansible playbooks containing encrypted values. After cracking those Vault fields, I obta...

Overview VulnCicada is a Medium Windows Active Directory machine that starts with an exposed NFS profile share leaking a user password hidden inside an image. Using those credentials, we discover ...

Overview Redelegate is a hard Windows AD machine that opens with Anonymous FTP exposure, leaking a KeePass database that leads to a valid local MSSQL login. Using that foothold to enumerate domain...

Overview We start TombWatcher with valid domain credentials, but that’s only a doorway. The push to Domain Admin is a stacked escalation driven by AD object control and certificate gaps. Using Blo...

Overview Penetrating the Media Windows machine begins with abusing its custom PHP uploader function to force an NTLMv2 authentication leak. After cracking the captured hash, we gain a foothold on ...

Overview Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to ...

When a user logs in, the operating system creates an access token containing their identity, group memberships, and a set of privileges (often called “user rights”). It’s crucial to understand that...

Overview Administrator is a medium Windows box built around a full domain-compromise chain. You’re given low-privileged credentials and must enumerate ACLs, SMB/WinRM, and AD data. BloodHound shows...