HTB: Puppy (Windows/Medium)
Puppy is another amazing assumed-breach Active Directory box.
899 words | 4 minutes
HTB: Planning (Linux/Easy)
Planning is an easy Linux machine where web enumeration and a CVE-2024-9264 vulnerability lead to initial access, lateral movement, and full system compromise.
475 words | 2 minutes
HTB: Fluffy (Windows/Easy)
Fluffy is an easy Windows machine where initial credentials and CVE-2025-24071 lead to further user access, Active Directory enumeration, and ultimately Administrator compromise.
1132 words | 6 minutes
HTB: Delegate (Windows/Medium)
The compromise starts with exposed credentials and gradually escalates through misconfigurations in delegation and authentication, ultimately leading to full domain compromise.
875 words | 4 minutes
HTB X Vulnlab: Phantom (Phantom/Medium) W S0nG0ku
Phantom is a Medium AD box where SMB enumeration leads to a decrypted VeraCrypt container, recovered credentials enable a foothold via password spraying, and Resource-Based Constrained Delegation (RBCD) is exploited to gain Administrator access.
1513 words | 8 minutes
HTB: Nocturnal (Linux/Easy)
On Nocturnal, an IDOR exposed credentials that unlocked the admin panel and source code. A command injection led to a shell, cracked database hashes enabled SSH access, and exploiting ISPConfig CVE-2023-46818 provided root.
684 words | 3 minutes
HTB X Vulnlab: LustrousTwo (Windows/Hard)
LustrousTwo is a hard HackTheBox Windows machine where I use FTP to gather usernames, then spray with kerbrute and elpscrk to access an IIS site with Kerberos (IIS_KERBEROS_AUTH). By decompiling DLLs and abusing S4U2Proxy constrained delegation, I achieve RCE and escalate via a Velociraptor server key.
2502 words | 13 minutes
HTB X VulnLab: VulnEscape (Windows/Easy)
VulnEscape is an Easy Difficulty Windows machine where users exploit a Remote Desktop Server to connect as KioskUser0, bypass restrictions using Microsoft Edge, and uncover a password to gain admin access and capture the root flag.
841 words | 4 minutes