Shadow-credentials

  • Published on
    Enumerating SMB shares with the given credentials reveals a hint about CVE-2025-24071, which leaks an NTLM hash. Using that credential to map out ACE misconfigurations in BloodHound shows that the user has 'GenericAll' permission on the 'Service Accounts' group. The Shadow Credentials technique is then used to gather NT hashes for the Service Accounts, followed by the discovery that the CA issued a certificate vulnerable to ESC16, thus gaining Domain Admin.