0xdfBruno from VulnLab (now on HackTheBox) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.
HTB: Bruno
Bruno is a Windows Active Directory box. I’ll start by finding a .NET sample scanning application on FTP, and after reverse engineering it, discover a ZipSlip vulnerability in how it handles zip archives. Combining that with a DLL hijack, I’ll get a shell as the service account that runs the scanner. For privilege escalation, I’ll exploit the lack of LDAP signing by performing a Kerberos relay attack, setting up resource-based constrained delegation to impersonate the Administrator.