shadow-credentials

  • 26th December 2025

Certified writeup

Certified is a Windows Active Directory box that focuses on certificate template abuse and shadow credential attacks. We will exploit the ESC9 vulnerability via a certificate template with no security extension, chain permissions through the MANAGEMENT and CA_OPERATOR groups, and ultimately obtain domain administrator access.

  • 15th December 2025

TombWatcher writeup

TombWatcher is a Windows Active Directory box that involves lateral movement through multiple user accounts, Kerberoasting, shadow credential attacks, and certificate template abuse. We will perform BloodHound enumeration, set a service principal name for Alfred, Kerberoast to obtain Alfred’s hash, then leverage GenericAll permissions to manipulate the SAM, John, and CERT_ADMIN accounts, and finally use the ESC1 vulnerability to request a certificate as the domain administrator.
