HTB

SMB null session on Windows delivers a flag from an exposed WorkShares share; the takeaway is unauthenticated SMB enumeration without Metasploit.…

Log4Shell in UniFi Network Application 6.4.54 — JNDI in the remember field hands over shell as root. MongoDB's default no-auth exposes admin password hash, cracked in seconds.…

Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.…

Two-domain AD forest under Assumed Breach. NTLM disabled globally. TCP port 88 asymmetrically filtered — a custom impacket monkey-patch unblocks Kerberos. ESC13 on TemporaryWinRM template grants WinRM shell on DC1. ……

Telnet with empty root password, and the RFC-854 quirk that explains why netcat falls silent where telnetlib succeeds.…