P.O.O — Part 5: p00ned From local Administrator to Domain Admin, and the final flag. Enumeration as local Administrator 💭 Thought Process: “HackTheBox notes indicate this host is domain-joi...

P.O.O — Part 4: Foothold Using IIS credentials to move from database access to a system foothold. 💭 Thought Process: “Now that we have the previous flag, let’s continue enumerating the machine...

P.O.O — Part 3: BackTrack Escalating privileges through linked servers and uncovering hidden IIS credentials. 💭 Thought Process: “At this point, I wasn’t sure where else to go, so I referenced...

P.O.O — Part 2: Huh? Leaked MSSQL credentials and our first dive into the database. In the last post, we ended the Recon phase with the discovery of connection.txt. Inside it, we found: SERVER=1...

P.O.O — Part 1 Recon From IIS defaults to hidden .DS_Store files and the first flag. This is the first blog in a 5-part series where I’ll be showcasing how I exploited and rooted the P.O.O networ...