Comprehensive writeups for Hack The Box Pro Labs, APT Labs, Endgames, Insane-difficulty machines, and Sherlocks. Focused on Active Directory exploitation, binary pwn, and red team operations.
High school student from Vietnam passionate about offensive security, binary exploitation, and Active Directory attacks. Member of W4LLZ CTF team.
Complete domain compromise through Citrix VDI breakout, Kerberoasting, NetScaler PCAP analysis, password spraying, and SeBackupPrivilege abuse to extract ntds.dit from the Domain Controller. Six flags across the entire kill chain.
Red Team Operator Level I lab walkthrough. Pivoting through 14 machines across three subnets using Ligolo-ng, WordPress exploitation, LLMNR poisoning, buffer overflows, and KeePass credential extraction to achieve domain dominance.
Red Team Operator Level I. Assumed breach Active Directory environment starting with a standard domain user. Escalate through Kerberoasting, delegation abuse, constrained delegation, ACL attacks, and DCSync to achieve full Domain Admin compromise across a hardened enterprise network.
Red Team Operator Level II. Advanced corporate network penetration testing requiring deep pivoting across multiple subnets, exploiting web vulnerabilities, Grafana exploitation, complex privilege escalation paths, and tunneling deep into the internal AD environment to compromise the domain.
Red Team Operator Level II. Advanced Active Directory attacks across five domains including Kerberos delegation abuse, GPO exploitation, forest trust pivoting, and cross-domain compromise with 25 flags.
Red Team Operator Level III. The most advanced HTB Pro Lab featuring realistic APT-style operations — Cobalt Strike C2 infrastructure, Citrix VDI exploitation, network pivoting through multiple trust boundaries, and full enterprise domain takeover with 30+ flags.
Advanced Persistent Threat simulation environment. 18 machines across 3 AD forests — phishing initial access, Kerberoasting, RBCD, DCSync, Golden Tickets, cross-forest trust exploitation, and full domain compromise. 20 flags, 24h daily reset.
Full Active Directory chain attack including NTLM relay, GPO abuse, Silver Ticket forgery, and Shadow Credential exploitation on a hardened Windows domain environment.
Docker container escape chained from Kafka RCE and SSRF, leading to FreeIPA domain compromise through container breakout and privilege escalation.
WordPress exploitation combined with RSA cryptographic attacks. From web application foothold through custom cipher decryption to root access on a hardened Linux system.
Advanced persistent threat simulation on a Windows Domain Controller. NTLMv1 downgrade attacks, DC exploitation, and multi-stage privilege escalation in a hardened AD environment.
Binary exploitation from a format string vulnerability to ROP chain construction. Stack-based buffer overflow with custom exploit development against a 64-bit Linux binary with protections enabled.
V8 engine out-of-bounds exploitation leading to browser sandbox escape and kernel-level privilege escalation. Advanced pwn chain from JavaScript engine to root on Linux.
Linux memory forensics deep dive with Volatility3. Hunting a kernel rootkit that uses ftrace hooks for syscall interception, XOR-obfuscated payloads, udev persistence, and covert IPC via the kill syscall. Full chain from ISF generation to kernel module extraction and reverse engineering.
Memory forensics investigation of an APT intrusion. Rootkit analysis, process reconstruction, and indicator extraction from a compromised Windows memory dump.
Threat intelligence deep dive into Salt Typhoon's network-device espionage toolkit (JumbledPath, Crowdoor, GhostSpider) and GhostEmperor's kernel-mode Demodex rootkit. MITRE ATT&CK mapping, CVE analysis, and APT profiling.