
HTB Writeup: Outbound
Roundcube Webmail post-auth RCE (CVE-2025-49113) → decrypt stored mailbox credentials → pivot to SSH as jacob → privilege escalation to root via Below (CVE-2025-27591).

NFS → DNS hijack of NATS → steal Dev creds → NATS auth logs → Kerberoast → WinRM as IT admin → AutoLogon creds → ACL abuse → gMSA → AD CS ESC7-style UPN abuse → RBCD on DC → DCSync → Administrator.

SMB/LDAP enumeration → CVE-2025-24071 NTLMv2 capture → crack p.agila → abuse Service Account Managers → shadow credentials on winrm_svc → AD CS ESC16 on ca_svc → certificate auth as administrator.

LDAP enumeration → Office file password cracking → Kerberoast → recover deleted user → DPAPI masterkey extraction → extract credentials → SSH into DC (WSL) → sudo to root via svc_backup.

WriteSPN → targeted Kerberoast → gMSA read → password reset chain → owner/DACL abuse → soft-deleted AD CS operator → WebServer ESC15 → LDAPS pass-the-cert → Enterprise Admin (EA).

Teampass SQLi → hash crack → BookStack LFR → recover reader TOTP → SSH → sudo script + SysV SHM race → root.

SMB → MSSQL coercion → hash crack → WinRM → AD CS ESC1 → Administrator.

Exposed .git → XSS → webapp admin → SQLi → credential reuse → Gitea XSS → root.

BackdropCMS + exposed .git → DB creds → CMS admin → module upload webshell → SSH via reused creds → sudo bee eval → root.

HTB Certificate: upload filter bypass via concatenated zips → PHP reverse shell → pcap analysis → AD CS ESC3 to Administrator.