Plur1bu5

https://plur1bu5.dev/Plur1bu5Offensive security, Active Directory pentesting, CTF writeups, and cybersecurity research by plur1bu5. 2026-04-24T16:14:33+01:00 plur1bu5 https://plur1bu5.dev/ Jekyll © 2026 plur1bu5 /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png Freelancer: a hard HackTheBox machine2026-03-20T10:00:00+00:00 2026-04-06T18:54:36+01:00 https://plur1bu5.dev/posts/freelancer-htb-machine/ plur1bu5

Hard HackTheBox Overview Freelancer is a hard box with a creative initial access chain through a freelancing web application. A logical flaw in the password reset flow lets you activate an account without confirmation, and an IDOR in the QR-based SSO lets you log in as admin. From there it’s MSSQL impersonation for RCE, a full memory dump with credentials buried inside, and RBCD to finish...

Search: a hard HackTheBox machine2026-03-20T10:00:00+00:00 2026-04-06T18:54:36+01:00 https://plur1bu5.dev/posts/Search-htb-machine/ plur1bu5

Hard HackTheBox Overview Search is a hard Active Directory box. Initial access comes from a password visible in an image on the web server. From there it’s kerberoasting, password spraying, digging through an xlsx file in a redirected folder share, and a chain of credential pivots that eventually leads to abusing a certificate template for privilege escalation. Still finishing this one up...

BlackField: a Hard HackTheBox machine2026-03-19T10:00:00+00:00 2026-04-06T18:54:36+01:00 https://plur1bu5.dev/posts/Blackfield-htb-machine/ plur1bu5

Hard HackTheBox Overview Blackfield is a hard Active Directory box. Guest access lets you enumerate usernames, AS-REP roasting gives you an initial foothold, and a ForceChangePassword edge in bloodhound opens up a forensic share containing an lsass dump. From there you extract a hash for a backup operator account, abuse VSS shadow copies to grab the NTDS, and dump the domain. Reconnaissa...

Vintage: a hard HackTheBox machine2026-03-17T10:00:00+00:00 2026-04-06T18:54:36+01:00 https://plur1bu5.dev/posts/vintage-htb-machine/ plur1bu5

Hard HackTheBox Overview Vintage is a hard assumed-breach Active Directory box. You start with credentials for a low-privileged user in a domain where NTLM is disabled, forcing kerberos-only authentication throughout. The path involves gMSA abuse, targeted kerberoasting, password spraying, DPAPI credential decryption to pivot between users, and finally RBCD to fully compromise the domain....

Cascade: A medium HackTheBox machine2026-03-16T10:00:00+00:00 2026-04-06T18:54:36+01:00 https://plur1bu5.dev/posts/cascade-htb-machine/ plur1bu5

Medium HackTheBox Overview Cascade is a medium Active Directory box and probably my most detailed writeup in terms of methodology. A legacy password attribute left in LDAP gives the first foothold, and from there it’s share enumeration, VNC password decryption, reverse engineering a custom .NET audit tool to extract an AES-encrypted password, and finally abusing AD Recycle Bin access to r...