Sauna
EasyStaff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …
Forest
EasyAnonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …
Blackfield
HardAnonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …