HTB PingPong Complete Writeup - ESC13, Cross-Domain DACL, gMSA, JEA, RBCD & ESC4→ESC1

A comprehensive penetration testing guide exploiting ADCS ESC13 for initial WinRM access, abusing cross-domain DACL ownership to read a gMSA password, pivoting through a JEA endpoint to recover credentials, using RBCD + S4U for MSSQL sysadmin, escalating to DC2 Administrator via GodPotato, and finally chaining ESC4 into ESC1 to become Administrator on the root domain.

April 26, 2026 • views • 36 min read • 258 words

Havoc

hackthebox 23 htb 27 windows 7 active-directory 6 domain-controller 3 forest-trust adcs 3 esc13 esc4 esc1 certipy 2 kerberos 7 pkinit pac-injection oid-to-group-link gmsa read-gmsa-password jea constrained-language psreadline rbcd 4 s4u2proxy 2 mssql xp-cmdshell seimpersonateprivilege godpotato dcsync cross-domain-dacl foreign-security-principal bloodyad 4 evil-winrm 4 chisel proxychains pypsrp bloodhound 6 impacket 3 lateral-movement 6 privilege-escalation 14 managed-service-account 2 genericwrite 2 season10 6 insane-difficulty

🔒 Content Locked

This writeup is password-protected to comply with HTB rules.

📧 Need access? Enter the password.

HTB PingPong Complete Writeup - ESC13, Cross-Domain DACL, gMSA, JEA, RBCD & ESC4→ESC1

🔒 Content Locked

☕ Support My Work

Comments

🔒 Content Locked

☕ Support My Work

Related Articles

HTB PingPong Complete Writeup - ESC13, Cross-Domain DACL, gMSA, JEA, RBCD & ESC4→ESC1

Pirate HackTheBox Writeup — Complete Season 10 Machine Walkthrough

Garfield HackTheBox Writeup- Hard Windows Active Directory Machine Walkthrough

HTB Logging Complete Writeup - CVE-2025-59287, Shadow Credentials & WSUS MITM

Comments