CTF write-ups
Hack The Box, Proving Grounds, TryHackMe, and other CTF-style walkthroughs.
Featured walkthroughs
If you only read four: HTB Administrator for a clean BloodHound ACL chain into DCSync, HTB Sea for an XSS-to-RCE in WonderCMS pivoting through an LFI, HTB EscapeTwo for MSSQL → ESC4 cert abuse → WriteOwner to Domain Admin, and PG Resourced for a modern Resource-Based Constrained Delegation (RBCD) takeover.
PG • CTF • Access • Write-Up
Published: at 12:36 PMProving Grounds CTF - Access. File upload vulnerability, Kerberoasting, and SeManageVolumePrivilege abuse.
PG • CTF • Heist • Write-Up
Published: at 12:36 PMProving Grounds Heist write-up: turn a URL feature into SSRF, capture an NTLMv2 hash with Responder, abuse a gMSA password reader and finish with SeRestorePrivilege.
PG • CTF • Hutch • Write-Up
Published: at 12:36 PMProving Grounds Hutch write-up: from LDAP user discovery to abusing WebDAV uploads for ASPX RCE, and finally using LAPS to read back the local Administrator password.
PG • CTF • Nagoya • Write-Up
Published: at 12:36 PMProving Grounds Nagoya: SMB and MSSQL enumeration, Kerberoasting a service account, forging a Silver Ticket, and abusing impersonation tokens to land SYSTEM.