3 posts tagged with "CTF"

Active

· 8 min read

In this HTB challenge, I pwned a Windows machine which had a copy of the SYSVOL SMB share, where an encrypted password was stored in a GPP. This password could be decrypted, because Microsoft published its AES key. This challenge also included the interesting Kerberoast attack, which was new to me, and I found a lot of joy looking into it.

Blue

· 2 min read

This was a no-brainer challenge; it demonstrated the infamous EternalBlue vulnerability, which was used by the WannaCry ransomware worm, which almost put the world into shambles in 2017.

Titanic

· 14 min read

This challenge was fairly complex. After enumerating the target for virtual hosts, I found a Gitea instance which gave me hints for a path traversal vulnerability in the web application running on the server. This vulnerability eventually gave me read access to the database, which then leaked the hashed user passwords. Cracking these gave me the password I needed. Privilege escalation was possible because of a cron job and a binary which was vulnerable to code injection.