> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# MultiMaster

> Writeups verificados de la máquina MultiMaster de Hack The Box

# MultiMaster

<p className="machine-summary"><span className="prompt"><code>\$ tldr</code></span> SQLi unicode + WAF bypass → AD enum → privesc</p>

<div className="machine-meta">
  | ·                 | ·                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
  | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | Sistema operativo | Windows                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
  | Dificultad        | Insano                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
  | Vector            | <span className="vbadge vbadge-ad">Active Directory</span>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
  | IP                | `10.10.10.179`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
  | Fecha de retirada | 2020-09-19                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
  | Skills            | SQLI (SQL Injection) - Unicode Injection WAF Bypassing Advanced Python Scripting - Creation of an automation tool to handle Unicode in SQL injection Database enumeration through the previously created utility Cracking Passwords Active Directory Enumeration Enumerating domain information through SQL injection Obtaining domain RIDs through SQL injection Applying brute-force attack  (SID = SID+RID) to obtain existing domain users \[Python Scripting] SMB Brute Force Attack (Crackmapexec) Enumerating AD existing users (rpcclient/rpcenum) Abusing Remote Management User group Microsoft Visual Studio 10.0 Exploitation (User Pivoting) Using libwebsockets in order to connect to a CEF Debugger (RCE) AMSI Bypass - Playing with Nishang AMSI Bypass - Bypass-4MSI Alternative (evil-winrm) DLL Inspection - Information Leakage BloodHound Enumeration Abusing the GenericWrite privilege on a user Making a user vulnerable to an ASREPRoast attack - Disabling Kerberos Pre-Authentication Requesting the TGT of the manipulated user Abusing Server Operators Group Abusing an existing service by manipulating its binPATH We change the password of the administrator user after restarting the manipulated service |
</div>

## Writeups

| Idioma  | Autor       | Formato | Enlace                                                          |
| ------- | ----------- | ------- | --------------------------------------------------------------- |
| 🇪🇸 ES | **S4vitar** | Vídeo   | [Abrir](https://www.youtube.com/watch?v=z6nmcyk1Pbo)            |
| 🇬🇧 EN | **0xdf**    | Texto   | [Abrir](https://0xdf.gitlab.io/2020/09/19/htb-multimaster.html) |
| 🇬🇧 EN | **IppSec**  | Vídeo   | [Abrir](https://www.youtube.com/watch?v=iwR746pfTEc)            |

## Recursos por skill

Documentación curada para cada técnica que aparece en la columna *Skills* de arriba. Fuentes: HackTricks, GTFOBins, PortSwigger, etc.

| Skill                           | Fuente          | Enlace                                                                                                  |
| ------------------------------- | --------------- | ------------------------------------------------------------------------------------------------------- |
| Information Leakage             | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/pentesting-web/information-leak.html)                           |
| Active Directory                | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html)      |
| SQL Injection                   | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html)                        |
| SQL Injection                   | PortSwigger     | [Abrir](https://portswigger.net/web-security/sql-injection)                                             |
| Brute Force / Rate-Limit Bypass | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/brute-force.html)           |
| BloodHound                      | BloodHound docs | [Abrir](https://bloodhound.specterops.io/)                                                              |
| WebSockets Vulnerabilities      | PortSwigger     | [Abrir](https://portswigger.net/web-security/websockets)                                                |
| Port Forwarding / Pivoting      | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/generic-hacking/tunneling-and-port-forwarding.html)             |
| AS-REP Roasting                 | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/asreproast.html) |
| SMB (139/445)                   | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html)          |
| Remote Code Execution (RCE)     | HackTricks      | [Abrir](https://book.hacktricks.wiki/en/pentesting-web/command-injection.html)                          |

## Skills relacionadas que conviene dominar

Kerberoasting · DCSync · GetNPUsers (Impacket) · Group Policy Preferences (GPP) · Cross-Site Scripting (XSS) · EternalBlue (MS17-010) · MS08-067 (NetAPI) · Local File Inclusion (LFI)

## Si te gustó esta máquina, prueba

* [StreamIO](/htb/machines/windows/medio/streamio) — Windows, Medio
* [Intelligence](/htb/machines/windows/medio/intelligence) — Windows, Medio
* [Bankrobber](/htb/machines/windows/insano/bankrobber) — Windows, Insano
* [Fulcrum](/htb/machines/linux/insano/fulcrum) — Linux, Insano
* [Blackfield](/htb/machines/windows/dificil/blackfield) — Windows, Difícil

***

## Comentarios y truquillos

¿Algo no funcionó del writeup oficial? ¿Has encontrado un truco mejor? Compártelo aquí — los comentarios viven en [GitHub Discussions](https://github.com/FFuson/HTB_Writeups/discussions).

<div className="rootea-giscus-wrap" data-giscus-term="machine:multimaster" data-giscus-lang="es" />

*Última actualización: 2026-06-07*

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"TechArticle","headline":"MultiMaster — HTB Writeup Index","name":"MultiMaster","url":"https://rootea.es/htb/machines/windows/insano/multimaster","inLanguage":"es","datePublished":"2020-09-19","dateModified":"2026-06-07","about":{"@type":"Thing","name":"Hack The Box (HTB)"},"keywords":"Information Leakage, Active Directory, SQL Injection, SQL Injection, Brute Force / Rate-Limit Bypass, BloodHound, WebSockets Vulnerabilities, Port Forwarding / Pivoting, AS-REP Roasting, SMB (139/445), Remote Code Execution (RCE)","isPartOf":{"@type":"WebSite","name":"rootea.es","url":"https://rootea.es"},"author":{"@type":"Organization","name":"rootea.es"},"proficiencyLevel":"Insano"}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Inicio","item":"https://rootea.es"},{"@type":"ListItem","position":2,"name":"Windows","item":"https://rootea.es/htb/machines/windows/insano/index"},{"@type":"ListItem","position":3,"name":"Insano","item":"https://rootea.es/htb/machines/windows/insano/index"},{"@type":"ListItem","position":4,"name":"MultiMaster","item":"https://rootea.es/htb/machines/windows/insano/multimaster"}]}`}
</script>
