
Authorized lab environment. Educational purposes only.
TL;DR
Five-stage chain: plaintext cred in SMB share → Kerberos TGT for Protected Users account → GenericWrite on gMSA to self-grant password read → WinRM via Pass-the-Hash → DLL hijack through scheduled task for lateral movement → ADCS ENROLLEE_SUPPLIES_SUBJECT to forge WSUS TLS cert → AD-integrated DNS poisoning → rogue WSUS with wsuks → PsExec as SYSTEM.
Environment
DC01.logging.htb, LOGGING.HTB domain, Windows Server 2019. The clock skew between the VPN and DC is ~7 hours — every Kerberos operation needs faketime -f "+7h". svc_recovery is in Protected Users, so NTLM auth is blocked at the domain level; Kerberos or nothing.
Full writeup — members only
The complete exploit chain, commands, and methodology are available to members on Buy Me a Coffee.