COERCION

Coercion

ALL TAGS

all-blogs(20)
pentesting(16)
hack-the-box(13)
linux(10)
windows(10)
season-8(9)
active-directory(9)
writeup(7)
web(7)
machines(5)
bloodhound(5)
medium(5)
ctf(4)
reverse-engineering(4)
python(4)
easy(4)
certification(4)
exam(4)
network(4)
scripting(3)
workflow(3)
hard(3)
rce(3)
suid(3)
kerberoasting(3)
kerberos(3)
netexec(3)
pwn(2)
deserialization(2)
port-forwarding(2)
review(2)
enumeration(2)
lateral-movement(2)
mimikatz(2)
hash-cracking(2)
ad-cs(2)
rbcd(2)
non-seasonal(2)
genericall(2)
dpapi(2)
evil-winrm(2)
acl(2)
runascs(2)
password-change(2)
writespn(2)
tombstone-restoration(2)
api(2)
ine(2)
ghidra(2)
bitsctf-2025(1)
obfuscation(1)
dfir(1)
forensics(1)
malware(1)
rng(1)
crypto(1)
aes(1)
broncoctf-2025(1)
bytecode(1)
decompilation(1)
code(1)
tensorflow(1)
restic(1)
backrest(1)
cpts(1)
reporting(1)
privilege-escalation(1)
tools(1)
oscp(1)
10-days(1)
comparison(1)
tips--tricks(1)
my-opinionpov(1)
season-9(1)
mssql(1)
dcsync(1)
cmdshell(1)
authz_basep(1)
cve-2024-30088(1)
unconstrained-delegation(1)
rubeus(1)
linkedsqlserver(1)
coercion(1)
xwiki(1)
cve-2025-24893(1)
netdata(1)
ndsudo(1)
path-hijack(1)
cve-2024-32019(1)
groovy(1)
solrsearch(1)
jetty(1)
config-file(1)
custom-binary(1)
mega-cli(1)
xml(1)
whitelist-bypassing(1)
pivoting(1)
idor(1)
php(1)
cronjob(1)
signed-binary(1)
php-wrappers(1)
openssl(1)
ssh2-wrapper(1)
insecure-design(1)
elf-signing(1)
secure-coding(1)
pem-key(1)
cron-abuse(1)
backup(1)
nats-server(1)
mitm(1)
rid-brute-force(1)
winlogon(1)
acls(1)
aces(1)
forcechangepassword(1)
readgmsapassword(1)
esc10(1)
s4u(1)
roundcube(1)
cve-2025-49112(1)
docker(1)
password-reuse(1)
mariadb(1)
credential-dumping(1)
sudo(1)
symlink(1)
below(1)
group-escalation(1)
nextjs(1)
cve-2025-29927(1)
terraform(1)
lfi(1)
directory-traversal(1)
authentication-bypass(1)
tf_cli_config_file(1)
container(1)
environment-variables(1)
configuration-override(1)
smb(1)
keepass(1)
password-spraying(1)
genericwrite(1)
time-roasting(1)
computer-account(1)
dll-hijack(1)
winrm(1)
delegation(1)
esc-15(1)
cve-2024-49019(1)
gmsa(1)
shadow-credentials(1)
writeowner(1)
certipy-ad(1)
information-disclosure(1)
auth-bypass(1)
command-injection(1)
env-leak(1)
credential-reuse(1)
kernel-exploit(1)
overlayfs(1)
fuse(1)
cve-2023-0386(1)
dacl(1)
wsl(1)
ntds(1)
bloodyad(1)
pypykatz(1)
ecppt(1)
methodology(1)
ejpt(1)
exploitation(1)
misc(1)
radare2(1)
cyberchef(1)
sql(1)
pcap(1)
tryhackme(1)
pt1(1)
ad(1)
tuctf-2024(1)
binary-exploitation(1)
debugging(1)

PUBLISHED ON
Blog Published on: April 6, 2026
Hack-The-Box - Hard - Windows - DarkZero
ALL-BLOGS Hack-The-Box Pentesting Machines Writeup Season-9 Windows Hard Active-Directory Bloodhound MSSQL DCSync CMDSHELL Lateral-Movement authz_basep CVE-2024-30088 Unconstrained-Delegation Mimikatz Rubeus LinkedSQLServer Coercion
Initial MSSQL access with provided creds revealed a linked server to DC02, enabling xp_cmdshell for lateral movement. CVE-2024-30088 granted SYSTEM on DC02 for user.txt. Unconstrained delegation on DC01 allowed TGT capture via coercion, then DCSync extracted Administrator hash for root.txt.

COERCION

Coercion

ALL TAGS

Hack-The-Box - Hard - Windows - DarkZero