Start here when you don’t think “I’m in phase 04” — you think “why the hell doesn’t this valid credential work?” Match what you’re seeing to its likely cause, route to the page that fixes it, and know what proof to grab on the way.

This index aggregates the 🛠️ Troubleshooting tables across the manual and the 🧭 Diagnostic Map sections in the write-ups — it doesn’t replace them. The routed page holds the fix in full; its ⏱️ Stop condition (on the decision pages) tells you when to abandon the thread.

🔐 Authentication & Kerberos

SymptomLikely classRouteProof to capture
STATUS_NOT_SUPPORTED, NTLM:False on SMB/LDAPNTLM disabled — wrong mechanism, not bad credsNetExec_LDAP_Kerberos · Have_Credserror + same cred succeeding via Kerberos
Valid creds rejected over SMB/LDAP, accepted elsewhereNTLM disabled or wrong realm/FQDNNetExec_LDAP_Kerberosfailing vs working auth command
Tool targets HTB:88 / wrong realmdomain/realm inference wrongNetExec_LDAP_Kerberoscorrected krb5.conf + FQDN target
Kerberos fails after config looks correctclock skew or wrong ccacheHave_Credsklist before/after ntpdate
KRB_AP_ERR_SKEWattacker/DC time driftrun sudo ntpdate [DC_IP]skew resolved
NetExec prints (Guest)auth fell back to guest — not successHave_Creds(Pwn3d!)/[+] vs (Guest)
evil-winrm -H fails as AdministratorNTLM disableduse NT hash → Kerberos TGTTGT request + Kerberos WinRM
smbclient Could not find a suitable mechtypelocal Samba SPNEGO/Kerberos issueuse impacket/nxc --use-kcacheworking nxc command
klist: No credentials cache found after getST succeedsgetST wrote a long-named ccache (<user>@<spn>@REALM.ccache), not dc.ccachels *.ccache then export KRB5CCNAME the exact fileklist showing the delegated cifs/... ticket

🩸 Active Directory & BloodHound

SymptomLikely classRouteProof to capture
BloodHound shows no path to DAstale collection / owned not marked / missing ADCS or sharesStuck_In_AD · NetExec_BloodHoundfresh collection + owned marks
BloodHound says a user isn’t in the DBcollected before the object existed/was restoredStuck_In_ADrecollection showing the object
SPN write succeeds but Get-DomainSPNTicket fails in WinRMWinRM/Kerberos context, not the ACLAD_ACL_Abuse · AD_KerberoastingSPN read-back proving the write landed
ACL/WriteDACL change has no effectAD replication delayAD_ACL_Abusere-check after ~60s
Set-DomainObject/Set-DomainUserPassword not recognizedPowerView not loadedAD_ACL_AbusePowerView load + cmdlet working
Restore-ADObject returns nothingnormal — no output on successStuck_In_ADre-enum of deleted objects
MachineAccountQuota: 0 but you hold SeEnableDelegationPrivilege + write over a computer objectabuse an existing computer for constrained delegation (no new machine needed)Attack_Patterns · Stuck_In_ADthe priv + the control edge + DCSync output
MSSQL login works but not sysadmin / xp_cmdshell disablednot RCE — pivot to domain SID/RID account enumerationAttack_Patterns · Stuck_In_ADenumerated user list from the RID sweep
DC has no explicit cifs/ SPN for an S4U targetHOST SPN mappings cover CIFS — the target still worksAD_Privileged_AccesssPNMappings showing cifs under host=
Restored AD object lacks rights / keeps getting purgedinherited OU rights aren’t reapplied on un-tombstone + a cleanup task re-deletes itAD_ACL_Abuse · Pass_the_Certificatedacledit … -inheritance re-push; restore→reset→enrol in one pass

🖥️ Shell & privilege escalation

SymptomLikely classRouteProof to capture
WinRM works but AD cmdlets crash/failKerberos double-hop / no delegated credsAD_Kerberos_Double_Hopin-session klist (no TGT) + working PSCredential/RunasCs
Shell, but no privesc vector foundnot yet enumerated as the user, or it isn’t hereHave_Shellautomated-enum output + whoami /priv
$Cred/PowerShell command errors in zshyou’re on Kali, not in the PS sessionAD_Kerberos_Double_Hopreconnected session
Shell lands as root but /.dockerenv existscontainer root, not host rootHave_Shell/.dockerenv + app config holding internal creds
/dev/tcp or /bin/bash reverse shell failsminimal container (no bash)Shell_Stabilizationworking /bin/sh + named-pipe nc shell
.vault-token (or similar secrets token) in a home dirHashiCorp Vault — check token policy + secrets enginesAttack_Patternsvault token lookup (root policy) + SSH OTP role
Outbound callback hits 22/2222 but no shell; client banner says paramiko/SSH-2.0it’s an SSH client, not a reverse shell — honeypot itAttack_Patterns · Linux_Remote_Management_SSH_Rsync_RServicessshesame log capturing the offered username/password
pam_exec SSH capture logs the username but an empty passwordthe user has no local account — sshd ran a dummy auth path and never fed the token into PAMLinux_Auth_Process · Attack_Patternsfirst pass user: (empty) → useradd → second pass user:<cleartext>
sudo -l pins a file-processing binary to a tight regex/fixed flagsnot a flag-escape — attack the file format it ingests (patch symlink write, parser XXE)Attack_Patterns · Linux_PrivEsc_Permissions_Sudothe file-write/file-read landing as the target user/root
Privileged clamscan/patch/parser says OK / “applied cleanly” but no leak shownsuccess is the side effect; disclosure rides stderrLinux_PrivEsc_Permissions_Sudothe leaked content captured via 2>&1
Expected file/flag/credential “missing” from a normal dir/listinghidden in an NTFS Alternate Data StreamWindows_PrivEsc_Credential_Huntingdir /R / Get-Content -Stream revealing the stream
Modified Fail2Ban action never runs after a restartrestart ≠ run — actionban only fires on an actual banLinux_PrivEsc_Services_Cron · Attack_Patternsa triggered ban executing the payload as root
PowerShell reverse shell silently never connects backbare IP in TCPClient(...) parsed as integer arithmeticShell_Bind_Reversequoted TCPClient("[LHOST]",[LPORT]) connecting

🌐 Web & application

SymptomLikely classRouteProof to capture
App has a login but no obvious exploitundiscovered vhost/param, known-app CVE, or default credsVirtual_Hosts · Common_Apps_Discovery_Notablevhost/content fuzz results + app+version
Found a file/share/config — noise or not?check for secrets before discardingCredential_Hunting_Network_Sharesgrep hits for pass|secret|key|connectionstring
”Test connection” feature stores credsabusable to leak the stored credentialHave_Credslistener capture of the bind
Injected math (2.4+2.4) changes behaviour but raw ;id/wget does nothingsink is code (Python eval, template), not shell — payload must be valid in that languageCommand_Injection_Fundamentalsthe evaluated-expression behaviour
Attacker HTTP server logs a 404 from the target IPblind code execution proven (missing path is irrelevant)Command_Injection_Fundamentalsthe inbound request log line
API/app rejects auth (Authentication failed / Invalid token)the creds live in the app’s source — read its repo, issues, and commit historyCommon_Apps_GitLab_osTicketcreds recovered from git history
Download/export feature returns a ZIP/archive, not the raw fileLFI still works — the file is wrappedLFI_Path_Traversal_Bypassesunzip -p showing the traversed file (e.g. /etc/passwd)
Password reset says “failed to send” for one address but errors differently for invalid onesusername oracle + the flow trusts DNS mail routingAttack_Patterns · Attacking_Email_Servicesthe differing responses + captured reset email
Readable BIND config shows key "rndc-key" + zone allow-updateauthenticated dynamic DNS update is possibleAttack_Patterns · Attacking_DNSnsupdate adding a test record, confirmed by dig
dig returns NXDOMAIN / ignores /etc/hostsquery is hitting local DNS, not the target’sAttacking_DNSsame query succeeding with @[TARGET_IP]
Leaked/readable ASP.NET web.config with a <machineKey>forge a signed __VIEWSTATE → deserialization RCECommon_Apps_IIS_Tilde_LDAP_ThickClient · Attack_Patternsysoserial.net -p ViewState payload executing as the app pool
Redis answers PING/INFO with no NOAUTHit’s a file-write primitive, not just data exposureAttacking_Redis · Attack_PatternsSSH key flushed to authorized_keys via config set dir

🪪 Certificates (AD CS)

SymptomLikely classRouteProof to capture
certipy find: enrollee-supplies-subject + client-auth templateESC1Pass_the_Certificatethe vulnerable template output
certipy authKDC_ERR_PADATA_TYPE_NOSUPPPKINIT unsupported — cert still validPass_the_Certificateerror + Schannel/Pass-the-Cert whoami
Certificate “has no object SID”strong mapping enforcedPass_the_Certificatere-request with -sid <DOMAIN_SID>-500
OpenSSL Mac verify error: invalid password?PFX has a blank import passwordPass_the_Certificateextraction with -passin pass:
certipy find -vulnerable shows no vulnerable templatesdoesn’t rule out ESC16 — it’s a CA-wide setting, not per-templatePass_the_Certificate · Attack_Patternsthe CA-level ESC16/“Security Extension Disabled” flag
certipy find flags ESC15 (schema-v1 + enrollee-supplies-subject)escalate via application-policies injectionPass_the_Certificatereq … -application-policies 'Client Authentication' -sid <target> succeeding
Unresolved/orphaned SID in a template’s enrollment ACLclue to a tombstoned principal — restore it to recover enrollmentPass_the_Certificate · Stuck_In_ADthe SID matched via Get-ADObject -IncludeDeletedObjects

🧭 Pivoting & tunneling

SymptomLikely classRouteProof to capture
proxychains tools hang / nmap finds nothingSYN scan can’t traverse SOCKSNetExec_Proxychains_Pivot · Need_To_Pivotworking -sT -Pn scan
scp/tool resolves target to 127.0.1.1run from inside the SSH sessionNeed_To_Pivotcommand run from the attack box
Can’t reach internal hostnamesnot in /etc/hostsNeed_To_Pivothosts entry + resolution
Internal DB/host (e.g. db) only resolves from the foothold/containerservice lives on the internal/container networkNeed_To_Pivot · Attacking_SQL_Databasesquery run from inside the container with the app’s deps
SSH fails: no matching host key type … ssh-rsamodern client rejects the legacy algorithmLinux_Remote_Management_SSH_Rsync_RServicesconnect with -o HostKeyAlgorithms=+ssh-rsa (or pivot elsewhere)

🔑 Credentials & hashes

SymptomLikely classRouteProof to capture
Have a hash but NTLM disableduse the hash to request a Kerberos TGTHave_Creds · Pass_the_HashgetTGT -hashes + Kerberos auth
Cracked value doesn’t work as the passwordit’s an intermediate key (e.g. Ansible Vault)Have_Credsthe real secret it decrypts
New identity foundretest everything as this identityHave_Credsvalidation matrix + BloodHound re-mark
Recovered password fails as a login but an SSH key is encryptedpassword reused as the key passphraseHave_Credskey unlocks with the recovered password
Recovered cred fails over SMB/LDAP but looks service-specific (e.g. SQLGuest)it’s a local service account, not a domain userHave_Creds · Attacking_KeePasscred succeeding via --local-auth against its service
Recovered an infrastructure key (RNDC/TSIG, API token), not a user passwordtest it against its own service, not auth endpointsHave_Creds · Attacking_DNSthe key driving its service (e.g. nsupdate zone change)
sqlmap-exfiltrated key/cert/archive is truncated or unusablebinary content mangled without hex encodingSQLMap_Advancedre-run --file-read … --hex yielding an intact file

📸 Evidence & reporting

SymptomLikely classRouteProof to capture
About to move on but didn’t capture proofstop and capture firstReporting_SysReptorcommand + output + screenshot saved

🔗 Related Nodes