Impel: Mapping the RPC Coercion Surface on Windows Server 2025
This post covers Impel, a Linux-native RPC coercion surface scanner we built as the final tool in our Windows authentication coercion research series. The pr...
This post covers Impel, a Linux-native RPC coercion surface scanner we built as the final tool in our Windows authentication coercion research series. The pr...
Part one covered the mechanic and the lineage. This part is operational. We reproduce CVE-2026-24294 against a default Windows Server 2025 environment, docum...
Authentication reflection is a family of attacks that keeps getting declared dead and keeps coming back. It looks like a footnote to NTLM relay until you exa...
This box is rated hard difficulty on HTB. It involves us enumerating a pre-created machine account whose password is the same as its samAccountName value. Fr...
This box is rated hard difficulty on HTB. It involves us compromising a Linux web server running an outdated version of Icinga Web 2 through a File Disclosur...
This box is rated hard difficulty on HTB. It involves us finding a plaintext user password in one of the website’s images and using that account to Kerberoas...
All testing in this writeup was performed in an isolated, fully self-contained lab environment (corp.lab) with no internet connectivity and no production ...
In Part 1 and Part 2 of this series I laid out the research goal: build an isolated lab running current Windows Server 2025 defaults, then systematically tes...
This box is rated medium difficulty on HTB. It involves us finding a default password in an onboarding PDF located inside of a Guest-readable SMB share. Spra...
Part 1 covered the shape of the chain: coercion produces an authentication attempt, relay forwards it somewhere useful, and the protections that matter all l...