Windows Authentication Coercion to NTLM Relay, Part 1: Fundamentals
Every technique in this series traces back to one design decision in Windows authentication: a machine will authenticate to whatever endpoint it’s told to co...
Every technique in this series traces back to one design decision in Windows authentication: a machine will authenticate to whatever endpoint it’s told to co...
This post covers ESC13 and ESC15 as full deep dives, then provides a consolidated reference for the remaining ESC techniques across the full taxonomy. The go...
This post covers the relay attack class in AD CS, where an attacker coerces authentication from a target machine, relays those credentials to a CA enrollment...
This post covers the AD object write attack class, where a write primitive on a PKI or account object is sufficient to introduce or directly exploit a certif...
This post covers the certificate-to-account mapping layer in Active Directory and how it becomes an attack surface. It walks through the KB5014754 strong map...
This post covers the foundational mechanics of Active Directory Certificate Services: how the PKI trust model is structured in AD, where configuration lives ...
This box is rated insane difficulty on HTB. It involves finding a writeable directory in an SMB share that we mounted, leading to an NTLMv2 hash theft and th...
This writeup covers the development, architecture, and OPSEC testing of DeleGator — a Linux-native Active Directory delegation abuse framework. It is split i...
This box is rated hard difficulty on HTB. It involves us discovering a Zabbix instance on a web server that allows for guest logins. Using an event notice, w...
This box is rated insane difficulty on HTB. It involves us getting a foothold on a domain-joined Linux web server through insecure deserialization. Then we d...