eighteen

Eighteen — HackTheBox Writeup

Eighteen is a Windows Server 2025 Domain Controller that chains a creative MSSQL impersonation attack with a web app credential harvest to gain an initial foothold, then exploits BadSuccessor (CVE-2025-53779) — a novel Active Directory privilege escalation abusing delegated Managed Service Accounts — to achieve full domain compromise. What makes this box particularly instructive is how many standard Windows privesc paths are deliberately closed off, forcing you to understand cutting-edge AD attack primitives rather than reaching for familiar tools. ...

February 27, 2026 · 9 min · Logan Dawson

monitorsfour

MonitorsFour

MonitorsFour is a medium-difficulty Windows box running WSL2 with Docker Desktop — a setup that makes the attack chain distinctly layered. The path runs from web enumeration through an authenticated Cacti RCE, into a Docker container, and finally out to the Windows host via an unauthenticated Docker API. Each pivot requires a slightly different mindset, which is what makes this box a great exercise in chained exploitation.

Reconnaissance

Port Scanning

Starting with a standard nmap scan against the target: ...

February 6, 2026 · 7 min · Logan Dawson

responder

Responder — HackTheBox Writeup

Responder is a Very Easy Windows box that chains a classic Local File Inclusion vulnerability with NTLM hash capture to gain a foothold via WinRM. It’s an excellent introduction to how Windows authentication can be weaponized against itself when a server blindly follows UNC paths.

Overview

The attack path here is beautifully simple once you see it: a PHP web application has an LFI vulnerability in its language selector, Windows will attempt NTLM authentication when it tries to access a UNC path, and we’re sitting there with Responder ready to catch the hash. Crack the hash, log in over WinRM, read the flag. Along the way I hit a firewall issue that was a useful reminder about VPN interface trust zones — more on that later. ...

February 1, 2026 · 5 min · Logan Dawson

archetype

Archetype — HackTheBox Writeup

Archetype is a Windows box that demonstrates a classic lateral movement chain: anonymous SMB access exposes a configuration file with database credentials, which leads to command execution via MSSQL, and sloppy PowerShell history hands us domain admin on a silver platter. It’s an excellent box for understanding how real-world Windows environments get compromised through misconfiguration rather than flashy exploits.

Overview

Field | Value
OS | Windows Server 2019 Standard 17763
IP |
Difficulty | Starting Point
Date | 2026-01-30

Reconnaissance

Port Scanning

I start every box the same way — a default script and version scan with nmap. The goal here isn’t to be fancy, it’s to quickly understand what services are exposed and build a mental model of the attack surface. ...

January 30, 2026 · 6 min · Logan Dawson

dancing

Dancing — Anonymous SMB Access on a Windows Target

Dancing is a beginner-friendly Windows box that demonstrates one of the most common misconfigurations found in real-world environments: an SMB share left open to anonymous access. The entire engagement comes down to solid enumeration and knowing which shares are worth poking at.

Reconnaissance

Port Scanning

I started with a standard service scan to get a picture of what’s running on the target. The -sC flag runs default scripts and -sV attempts version detection — together they give a solid baseline without being too noisy. ...

January 30, 2026 · 4 min · Logan Dawson