https://adityatelange.in/tags/htb-windows/Recent content in HTB Windows on Aditya Telangehttps://adityatelange.in/assets/tn.jpghttps://adityatelange.in/assets/tn.jpgHugo -- 0.156.0en2020 - 2026 Aditya TelangeSun, 06 Jul 2025 19:50:00 +0530https://adityatelange.in/writeups/hackthebox/escape/Sun, 06 Jul 2025 19:50:00 +0530https://adityatelange.in/writeups/hackthebox/escape/Escape is a medium-difficulty Windows machine on Hack The Box that revolves around Active Directory. The initial foothold is gained by finding credentials in a PDF file on an open SMB share. This access is then leveraged to connect to an MSSQL service, from which we capture and crack the NTLM hash of a service account. Lateral movement is achieved by discovering another user&rsquo;s credentials in a log file. Finally, privilege escalation to Administrator is accomplished by exploiting a misconfiguration in Active Directory Certificate Services (ADCS), specifically the ESC1 vulnerability.https://adityatelange.in/writeups/hackthebox/resolute/Sun, 29 Jun 2025 19:00:00 +0530https://adityatelange.in/writeups/hackthebox/resolute/Resolute is a medium-difficulty Windows machine on HackTheBox that involves a realistic Active Directory penetration test. The initial foothold is gained by enumerating domain users via a null SMB session and discovering a default password in a user&rsquo;s description, which is then reused to gain access as another user via WinRM. Lateral movement is achieved by discovering cleartext credentials for a more privileged user within PowerShell transcripts. Finally, privilege escalation to SYSTEM is accomplished by abusing the permissions of the DnsAdmins group to load a malicious DLL.https://adityatelange.in/writeups/hackthebox/certified/Thu, 20 Mar 2025 20:40:31 +0530https://adityatelange.in/writeups/hackthebox/certified/<code>Certified</code> is a Windows machine having misconfigured ACL in Active Directory environment where initial access for a low-privileged user <code>judith.mader</code> is provided. Exploitation of the Active Directory Certificate Service (ADCS) is required to get access to the <code>management_svc</code>, <code>ca_operator</code> and <code>Administrator</code> account by abusing shadow credentials and <code>ESC9</code>.https://adityatelange.in/writeups/hackthebox/legacy/Fri, 03 Jun 2022 22:15:51 +0530https://adityatelange.in/writeups/hackthebox/legacy/Legacy is a relatively easy box which has SMB running on Windows XP(2000) OS. We find the exploit with metasploit and get access to priviledged user <code>NT AUTHORITY\SYSTEM</code> directly.https://adityatelange.in/writeups/hackthebox/love/Sat, 07 Aug 2021 00:00:00 +0530https://adityatelange.in/writeups/hackthebox/love/Love is a fun box where we find a hidden subdomain that helps us retrieve Forbidden pages, where admin credentials are leaked of another service. The access to the admin dashboard has a file upload, through which we get a reverse shell. The box then has <code>AlwaysInstallElevated</code> that allows a regular user to install a Microsoft Windows Installer Package (MSI) with system privileges, which helps us get the Administrator access.