HTB Bruno

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/02/24/htb-bruno.html
• Blog Title: HTB: Bruno
• Suggested Section: Pentesting Web / File Inclusion-Path Traversal -> Archive Extraction Path Traversal (ZipSlip), and/or Windows Local Privilege Escalation -> Dll Hijacking (arbitrary file write to DLL search order hijack); cross-link to Active Directory Methodology -> ASREPRoast and LDAP signing/relay -> RBCD

🎯 Content Summary

Title / target
HackTheBox “Bruno” is a Windows Server 2022 Active Directory Domain Controller (DC) for domain bruno.vl, host BRUNODC (brunodc.bruno.vl, also bruno.vl). The compromise path is: recon → discover a .NET “SampleScanner” service via anonymous FTP → reverse engineer and identify insecure ZIP extraction (ZipSlip) → use the resulting arbitrary file write to drop files into the scanner’s app directory → identify a...

🔧 Technical Details

AS-REP roasting (Kerberos pre-auth disabled) to recover a password offline: If a domain user does not require Kerberos pre-auth, request an AS-REP for that username without a password and capture the $krb5asrep$23$... blob (etype 23). Crack it offline with Hashcat (often autodetected as mode 18200). Example: netexec ldap <dc> -u svc_scan -p '' --asreproast out → hashcat out rockyou.txt to recover the plaintext password.

ZipSlip in .NET ZIP extraction → arbitrary file write: When code extracts ZIP entries by computing destination = Path.Combine(baseDir, entry.FullName) and calling ExtractToFile(destination) without validating that destination remains inside baseDir, an attacker can set entry.FullName to ..\..\-style traversal paths or an absolute path to write outside the intended extraction directory. Craft an archive where a fil...

🤖 Agent Actions

Summary:

• Documented .NET ZipArchive ZipSlip pattern with Path.Combine/FullName misuse, PoC archive creation, and added references to the Bruno case and defensive .NET guidance.
• Added a practical chain from arbitrary file write (e.g., ZipSlip) to DLL search-order hijack using ProcMon discovery, msfvenom payloads, and escaped ZIP delivery.
• Updated ASREPRoast with quick kerbrute/netexec workflows and hashcat mode guidance; highlighted LDAP signing “None” relay risk and tied RBCD abuse to that condition, including KrbRelayUp-style relay notes.

Files Modified:

• src/generic-hacking/archive-extraction-path-traversal.md
• src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
• src/windows-hardening/active-directory-methodology/asreproast.md
• src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md
• src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md

Tests: Not run (documentation changes only).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/02/24/htb-bruno.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / File Inclusion-Path Traversal -> Archive Extraction Path Traversal (ZipSlip), and/or Windows Local Privilege Escalation -> Dll Hijacking (arbitrary file write to DLL search order hijack); cross-link to Active Directory Methodology -> ASREPRoast and LDAP signing/relay -> RBCD".

Repository Maintenance:

• MD Files Formatting: 949 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0