# Shadow Credentials
2 posts
## HTB Fluffy: From Low-Priv Creds to Domain Admin via CVE-2025-24071 & Shadow Credentials
Starting with low-privileged domain credentials, the attack chain exploits CVE-2025-24071 to leak an NTLM hash, cracks it, abuses GenericAll ACLs, uses Shadow Credentials to take over service accounts, and finally forges an Administrator certificate via ADCS for Domain Admin.
## HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning
Starting with a low-privileged user, SMB enumeration reveals hardcoded credentials in a log file. Password pattern inference leads to an updated credential. GenericWrite over a gMSA enables Shadow Credentials and WinRM access. DLL injection via a scheduled task gives lateral movement, and WSUS poisoning combined with ADIDNS spoofing and ADCS certificate abuse yields SYSTEM.