Building a Functional AD Homelab from Scratch - Part 1

Summary What’s up folks! In this post, we’re going to set up a simple, small AD homelab for CRTP prep and polishing our Red Team skills. There are already a number of practical AD homelab guides and YouTube videos out there, but for some reason, I found most of them difficult to follow. That’s why I decided to create my own and document the process here (so I don’t forget it myself!). Setting up an AD homelab is crucial if you are serious about Red Teaming. Homelabbing helps you understand both sides of the coin; you’ll understand why an attack works because you were the one who set up that misconfiguration in the first place. This changed my perspective on how I approach AD environments and truly helped me in my CRTP journey. I’m not a big fan of theory, so let’s get our hands dirty! ...

March 11, 2026 · n0rmh3ll

Understanding AdminSDHolder Persistence in Active Directory

Introduction Active Directory environments are designed with multiple safety mechanisms to prevent accidental or malicious privilege escalation—even by administrators. One such mechanism is AdminSDHolder, which quietly enforces strict permissions on high-privilege objects. At first glance, this protection may seem like an obstacle. But when understood correctly, it can become a powerful persistence mechanism. What are we looking at? Let’s say we already have Domain Admin privileges in a domain. At that point, there’s almost nothing we can’t do. Full control, full access. ...

December 17, 2025 · n0rmh3ll

How I Recovered My Kali + Windows Dual Boot After a BIOS Update Broke GRUB

The Situation I woke up one fine day, powered on my laptop, expecting the usual GRUB menu where I choose between Kali Linux and Windows 11. But instead, the system booted straight into Windows. No GRUB. No Kali. No mercy. I opened my BIOS boot menu hoping to manually select Kali, but the only things listed were: Windows Boot Manager, EFI PXE Network (which I don't use). That’s when I realized: The BIOS update I recently installed wiped my GRUB boot entry. ...

November 7, 2025 · n0rmh3ll

Crocc Crew — TryHackMe Detailed Writeup

Room Link: https://tryhackme.com/room/crocccrew | Difficulty: Insane | Points: 120 | Summary: This room is a full Active Directory attack simulation focused on realistic enterprise privilege escalation. We start with minimal external access, enumerate exposed services, and identify weak entry points into the network. After obtaining low-privileged AD credentials, we move into internal enumeration, discover misconfigurations in Kerberos Constrained Delegation, and exploit it to impersonate privileged users. From there, we extract NT hashes and Kerberos keys, gain full Domain Administrator access, and ultimately compromise the entire domain. ...

November 6, 2025 · n0rmh3ll