The bedrock material every later lesson assumes.
Why authentication is hard. What a domain controller actually does. The why behind the protocol — not the syntax of the tool that exploits it.
Example lesson: Kerberos Authentication
For technically capable security professionals who want to articulate what they know — in interviews, stakeholder briefings, and reports.
The proposition
Lab platforms teach you to run the exploit. They give you the box, the flag, the writeup. That’s the minimum entry requirement. We start where they stop: the moment a hiring manager asks you to walk them through it. Most platforms stop at the exploit. We teach the technique — and the language to explain it.
Every lesson ships with an interview answer, a stakeholder explanation, and report-ready language — plus a paired quiz, flashcard deck, and brief. The communication layer that other training platforms leave out.
Three lesson types
Lessons come in three types: the concepts that underpin everything, the team-facing skills you’ll use every day, and the offensive techniques themselves.
Why authentication is hard. What a domain controller actually does. The why behind the protocol — not the syntax of the tool that exploits it.
Example lesson: Kerberos Authentication
Walking a hiring manager through your last engagement. Briefing a stakeholder under pressure. The plain-English habits that build trust on every engagement.
Example lesson: Interviewing for Offensive Security Roles
Every Technique lesson ends in three communication blocks for three audiences — the words you can actually say out loud in an interview, in a conversation with a stakeholder, or put in a report.
Example lesson: Pass the Hash
What every Technique lesson delivers
Every Technique lesson ends with the same three blocks: an interview answer, a stakeholder explanation, and report language. Below is exactly what they look like in a real lesson.
Communication
“Kerberoasting is when you ask the domain controller for a service ticket for an account with an SPN, then crack the ticket offline. The vulnerability isn’t Kerberos — it’s that any authenticated user can request a ticket, and the ticket is encrypted with the service account’s password hash. Find a service account with a weak password, and you don’t need to be on the domain controller to recover it.”
“We have service accounts running databases and applications. Anyone with a normal user login can ask the domain for a sealed envelope with that service account’s password fingerprint inside. If the service password is weak, we can open the envelope on our own laptop, no alarms. That’s why service accounts need long, random passwords — or a managed service account that rotates them automatically.”
“The domain permits Kerberos service ticket requests (TGS-REQ) for any account with a registered SPN, with no authorization check beyond a valid TGT. Three service accounts (SVC_SQL, SVC_BACKUP, SVC_REPORTS) had passwords that fell to a 2019 RockYou-style wordlist within 14 minutes on a commodity GPU. Recommend rotation to 25+ character random passwords or migration to gMSA.”
Study Kit
Every lesson ships with three companion tools that make recall stick: a quiz, a flashcard deck, and a one-page brief. Below they appear exactly as they do inside lessons.
1. Why does Kerberoasting work?
Kerberos issues a service ticket without checking whether the requester needs the service. The ticket is encrypted with the service account's password hash, so once you have it, you can crack it offline.
Front
Service Principal Name (SPN)
Back
An identifier registered on a domain account that names a service the account runs (e.g., MSSQLSvc/host:port). Required for the KDC to issue Kerberos tickets to that service.
Asking the domain controller for a service ticket for any account with a Service Principal Name, then cracking the returned ticket offline to recover the service account's password.
— from “Kerberoasting” · Free
The on-ramp
Not a trial, not a teaser, not seven days then a credit card. The whole path — every Technique, every callout, the full study kit. So you can decide whether the explanation actually clicks for you, before anything is at stake.
From weak password policy to full domain compromise — the most common real-world AD attack chain. Six Techniques, each with the three callout blocks and a printable brief.
More than lessons
Tracks build connected understanding. Attack Paths chain techniques into a full compromise narrative — the kind of scenario question interviewers actually ask.
Tracks
Each track guides you through a deliberate sequence of lessons. They build on each other so you develop connected understanding, not isolated facts. Start here for a clear progression with milestones.
Attack Paths
Interviewers ask about individual techniques, but the harder questions are scenario-based: “walk me through how you’d compromise this environment.” Attack Paths chain techniques into an ordered sequence from initial access to objective — with the reasoning behind every step.
Why this platform exists
I earned the OSCP, OSEP, a CS degree, and spent years in labs and hands-on projects. That work built real skill, but it also exposed a gap I didn’t expect. My problem was never technical ability. It was explaining what I knew clearly.
Knowing how to do the work isn’t enough if you can’t articulate what you’re doing, why it matters, and how it fits into a real engagement. That communication gap costs people interviews, report credibility, and career momentum.
ExplainTheHack grew out of years of private notes turned into structured lessons — so people don’t just memorize techniques, they learn to understand them and explain them. That’s why this exists.

BSc. Computer Science · OSCP · OSEP · CRTO · CRTE
Premium
Every Technique, every attack path, every interview answer. New lessons added regularly as the library grows.