Pro Labs Premium

HackTheBox: Offshore Pro Lab

HackTheBox Offshore Pro Lab full walkthrough — 21 flags across 21 machines spanning three subnets and two Active Directory domains. PHP RFI, Ligolo-ng multi-hop pivoting, PetitPotam NTLM relay to ADCS ESC1, PrintNightmare CVE-2021-1675, Kerberoasting with S4U2Proxy constrained delegation, MSSQL linked server chain, Shadow Credentials via GenericAll, cross-domain SID history trust abuse, and DCSync for full forest compromise.

lazyhackers

Mar 29, 2026 · 27 min read · 1 views

#Active Directory #ADCS ESC1 #Constrained Delegation #DCSync #HackTheBox #Kerberoasting #Multi-Subnet #NTLM Relay #Offshore #Pass-the-Hash #PrintNightmare #Pro Lab #Red Team #Shadow Credentials #SID History

Offshore

HackTheBox

Linux/Windows Hard Pro Lab

Members Only Content

This article is exclusively available to premium members of LazyHackers. Login or subscribe to read.

HackTheBox: Xen Pro Lab 30 · 60m HackTheBox: Mythical Mini Pro Lab 7 · 22m HackTheBox: Puppet Pro Lab 6 · 22m HackTheBox: Unintended Pro Lab 4 · 12m

Published	Mar 29, 2026
Updated	Mar 29, 2026
Reading time	27 min
Views	1
Access	premium

Members Only Content

Related Articles