You hacked it.
Now explain it.

Learn to turn offensive security findings into clear reports, interview answers, and client-ready explanations — with guided lessons, real attack paths, and a study kit that makes it stick.

  1. 1.Break in

    Follow real Active Directory attack paths.

  2. 2.Explain the impact

    Turn findings into client-ready language.

  3. 3.Write the finding

    Lift report-ready wording into your deliverable.

The proposition

Lab platforms teach you to run the exploit. They give you the box, the flag, the writeup. That’s the minimum entry requirement. We start where they stop: the moment a hiring manager asks you to walk them through it. Most platforms stop at the exploit. We teach the technique — and the language to explain it.

Every lesson ships with an interview answer, a stakeholder explanation, and report-ready language — plus a paired quiz, flashcard deck, and brief. The communication layer that other training platforms leave out.

0
lessons
0
tracks
0
attack paths

What interviewers usually hear

“I ran Rubeus, got some hashes, threw them at hashcat, one cracked… and then I basically had domain admin.”

What you’ll learn to say

“Any authenticated user can request a service ticket for an account with an SPN. The ticket is encrypted with that account’s password hash — so one weak service password falls offline, with no alarms and no foothold on the domain controller.”

Three lesson types

Not just finding bugs. Explaining impact.

Lessons come in three types: the concepts that underpin everything, the team-facing skills you’ll use every day, and the offensive techniques themselves — each one ending in the words to explain it.

FFoundational

The bedrock material every later lesson assumes.

Why authentication is hard. What a domain controller actually does. The why behind the protocol — not the syntax of the tool that exploits it.

Example lessonKerberos Authentication
TTechnique

Learn to articulate what you just did.

Every Technique lesson ends in three communication blocks for three audiences — the words you can actually say out loud in an interview, in a conversation with a stakeholder, or put in a report.

Example lessonPass the Hash

Product preview

A diagram, then the words. In a real lesson.

Techniques open with a diagram that shows how the attack flows, then end with three communication blocks: an interview answer, a stakeholder explanation, and report language. This is the actual lesson, rendered exactly as you see it in the app.

Lesson preview
TTechnique · Active Directory

Kerberoasting

Section 3 of 512 min
Diagram

Interview answer

Kerberoasting takes advantage of how Kerberos issues service tickets. Any domain user can request a TGS ticket for any SPN, and that ticket is encrypted with the service account's password hash. The KDC does not check whether the user is authorized to use the service before issuing the ticket, so an attacker with any domain account can request tickets for every service account with an SPN, take those tickets offline, and crack the password. The cracking happens entirely offline, so there are no failed login attempts to trigger alerts.

Explain it to a stakeholder

Kerberoasting is a technique where an attacker with any employee-level domain account can extract encrypted password material for service accounts and attempt to crack those passwords offline, with no interaction with the systems those accounts protect.

Report language

Finding: Kerberoastable Service Accounts with Weak Passwords. During the assessment, the operator identified multiple user-based service accounts with registered Service Principal Names (SPNs). Offline password cracking recovered the plaintext password for a service account with local administrator access to three production database servers.

Severity: High.

Study Kit

Reinforce what you learn. Make it automatic.

Every lesson ships with three companion tools that make recall stick: a quiz, a flashcard deck, and a one-page brief. Below they appear exactly as they do inside lessons.

Quiz · Q1 of 6

1.Why does Kerberoasting work?

Kerberos issues a service ticket without checking whether the requester needs the service. The ticket is encrypted with the service account's password hash, so once you have it, you can crack it offline.

Flashcard · 3 of 12

Front

Service Principal Name (SPN)


Back

An identifier registered on a domain account that names a service the account runs (e.g., MSSQLSvc/host:port). Required for the KDC to issue Kerberos tickets to that service.

Brief · Block 1 of 5Kerberoasting

Definition

Asking the domain controller for a service ticket for any account with a Service Principal Name, then cracking the returned ticket offline to recover the service account's password.

— from “Kerberoasting” · Free

The on-ramp

One full attack path. Permanently free. Start there.

Not a trial, not a teaser, not seven days then a credit card. The whole path — every Technique, every callout, the full study kit. So you can decide whether the explanation actually clicks for you, before anything is at stake.

The Password Spray attack path

From weak password policy to full domain compromise — the most common real-world AD attack chain. Six Techniques, each with the three callout blocks and a printable brief.

  1. 01Reconnaissance

    Enumerating password policy

  2. 02Initial Access

    Password spraying

  3. 03Credential Access

    Dumping LSASS

  4. 04Lateral Movement

    Pass-the-hash

  5. 05Lateral Movement

    WinRM execution

  6. 06Domain Compromise

    DCSync

More than lessons

Two ways to learn: the structured path and the scenario walk-through.

Tracks build connected understanding. Attack Paths chain techniques into a full compromise narrative — the kind of scenario question interviewers actually ask.

Tracks

Structured paths that build depth and explanation skill.

Each track guides you through a deliberate sequence of lessons. They build on each other so you develop connected understanding, not isolated facts. Start here for a clear progression with milestones.

Explore Tracks

Attack Paths

Chain techniques into a full compromise narrative.

Interviewers ask about individual techniques, but the harder questions are scenario-based: “walk me through how you’d compromise this environment.” Attack Paths chain techniques into an ordered sequence from initial access to objective — with the reasoning behind every step.

Explore Attack Paths

Why this platform exists

Why I built ExplainTheHack

I earned the OSCP, OSEP, a CS degree, and spent years in labs and hands-on projects. That work built real skill, but it also exposed a gap I didn’t expect. My problem was never technical ability. It was explaining what I knew clearly.

Knowing how to do the work isn’t enough if you can’t articulate what you’re doing, why it matters, and how it fits into a real engagement. That communication gap costs people interviews, report credibility, and career momentum.

ExplainTheHack grew out of years of private notes turned into structured lessons — so people don’t just memorize techniques, they learn to understand them and explain them. That’s why this exists.

Rafael Pimentel

Rafael Pimentel

BSc. Computer Science · OSCP · OSEP · CRTO · CRTE

Premium

Unlock the full path.

One subscription. Every technique, every attack path, and the words to explain all of it.

  • All 54 lessons AD techniques and professional skills
  • All 12 attack paths scenario walkthroughs, recon to domain takeover
  • Interview & stakeholder answers for every technique
  • Report-ready language lift it straight into deliverables
  • Full study kit quizzes, flashcards, and briefs for every lesson
  • New content regularly lessons and attack paths keep coming
$20per month
Unlock the full path

Cancel any time. The free path stays free.