/posts/domain-delegation-attack/ 2025-09-27T00:14:41+08:00 /posts/attack-surface-mining-for-ad-cs/ 2025-10-16T14:17:22+08:00 /posts/relaying-wpad-authentication-using-mitm6/ 2023-04-04T13:55:58+08:00 /posts/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/ 2023-04-04T13:55:58+08:00 /posts/shadow-credentials/ 2025-09-27T01:44:53+08:00 /posts/privilege-escalation-ntlmrelay2self-over-http-webdav/ 2023-04-04T13:55:58+08:00 /posts/certifried-active-directory-domain-privilege-escalation/ 2023-04-04T13:55:58+08:00 /posts/certifried-combined-with-krbrelay-for-domain-privilege-escalation/ 2023-04-04T13:55:58+08:00 /posts/petitpotato-how-do-I-escalate-to-system-via-named-pipe/ 2024-01-18T23:30:09+08:00 /posts/privilege-escalation-exploiting-rbcd-using-a-user-account/ 2023-04-04T13:55:58+08:00 /posts/how-to-implement-a-dcsync-by-yourself/ 2023-01-06T23:26:00+08:00 /posts/revisiting-a-credential-guard-bypass-from-wdigest/ 2023-04-04T13:55:58+08:00 /posts/sekurlsa-how-to-dump-user-login-credentials-from-msv1_0/ 2024-04-02T00:18:16+08:00 /posts/sekurlsa-how-to-dump-user-login-credentials-from-wdigest/ 2023-02-06T23:26:00+08:00 /posts/how-to-pass-the-hash-by-yourself/ 2023-02-08T23:26:00+08:00 /posts/pass-the-certificate-when-pkinit-is-nosupp/ 2023-04-04T13:55:58+08:00 /posts/creating-windows-access-tokens-with-god-privilege/ 2023-07-13T13:28:25+08:00 /posts/how-to-forge-a-kerberos-ticket-by-yourself/ 2023-07-13T17:12:03+08:00 /posts/revisiting-a-uac-bypass-by-abusing-kerberos-tickets/ 2023-07-30T21:12:06+08:00 /posts/escalate-service-account-to-localSystem-via-kerberos/ 2023-11-27T16:53:46+08:00 /posts/revisiting-a-abuse-of-read-only-domain-controllers/ 2024-04-02T21:33:52+08:00 /posts/ad-cs-new-ways-to-abuse-manageca-permissions/ 2024-01-18T23:30:09+08:00 /posts/wint-2024-qwb-finals-rpc-local-privilege-escalation-review/ 2024-01-18T23:43:05+08:00 /posts/sharpadws-abuse-of-adws-protocol-to-enumerate-active-directory/ 2024-04-01T23:23:13+08:00 /posts/apache-tomcat-rce-via-write-enabled-default-servlet/ 2024-12-20T23:59:00+08:00 /posts/from-dpapi-to-chrome-a-journey-to-entra-id-takeover/ 2025-11-05T12:21:12+08:00 /posts/entra-id-tracing-the-abuse-history-of-connect-sync/ 2025-11-05T12:21:12+08:00 /posts/entra-id-attack-surface-of-pass-through-authentication/ 2026-01-02T23:20:04+08:00 /posts/entra-id-impersonate-the-compromised-pta-agent/ 2026-01-07T15:48:08+08:00 /categories/ 2026-01-07T15:48:31+08:00 /tags/ 2026-01-07T15:48:31+08:00 /archives/ 2026-01-07T15:48:31+08:00 /about/ 2026-01-07T15:48:31+08:00 / /tags/kerberos/ /tags/domain-delegation/ /tags/privilege-escalation/ /tags/active-directory/ /tags/adcs/ /tags/domain-escalation/ /tags/domain-persistence/ /tags/ntlm-relay/ /tags/mitm/ /tags/kerberos-relay/ /tags/pkinit/ /tags/smart-card/ /tags/webdav/ /tags/impersonate-privileges/ /tags/potatoes/ /tags/rpc/ /tags/unconstrained-delegation/ /tags/windows/ /tags/dcsync/ /tags/credential-access/ /tags/credential-guard/ /tags/lsass/ /tags/ldaps/ /tags/schannel/ /tags/rbcd/ /tags/windows-privileges/ /tags/uac-bypass/ /tags/rodc/ /tags/apache/ /tags/tomcat/ /tags/dpapi/ /tags/chrome/ /tags/microsoft-entra-id/ /categories/windows-security/ /categories/java-security/ /categories/microsoft-entra-id/ /page2/ /page3/