Fluffy is an easy Windows machine where initial credentials and CVE-2025-24071 lead to further user access, Active Directory enumeration, and ultimately Administrator compromise.
The compromise starts with exposed credentials and gradually escalates through misconfigurations in delegation and authentication, ultimately leading to full domain compromise.
Phantom is a medium-difficulty AD box where SMB enumeration leads to a decrypted VeraCrypt container, recovered credentials enable a foothold via password spraying, and Resource-Based Constrained Delegation (RBCD) is exploited to gain Administrator access.
LustrousTwo is a hard HackTheBox Windows machine where I use FTP to gather usernames, then spray with kerbrute and elpscrk to access an IIS site with Kerberos (IIS_KERBEROS_AUTH). By decompiling DLLs and abusing S4U2Proxy constrained delegation, I achieve RCE and escalate via a Velociraptor server key.
VulnEscape is an easy-difficulty Windows machine where users exploit a Remote Desktop Server to connect as KioskUser0, bypass restrictions using Microsoft Edge, and uncover a password to gain admin access and capture the root flag.
Shibuya is a hard Windows machine that requires extensive enumeration across multiple services and accounts. The attack chain involves exploiting exposed protocols, credential discovery, and lateral movement. Privilege escalation is achieved through abusing Active Directory Certificate Services.
This blog post explains cross-session relay attacks, covering COM/DCOM basics and authentication flaws. It details how attackers exploit weak configurations to relay credentials.
Cicada is an excellent beginner-friendly Windows box designed for those new to Windows pentesting, without requiring any knowledge of Active Directory or its attack vectors and strategies. It focuses on the early stages of enumeration, which are essential for tackling more advanced machines, as well as some basic manual checks you can perform once you obtain a user shell.