The compromise starts with exposed credentials and gradually escalates through misconfigurations in delegation and authentication, ultimately leading to full domain compromise.
Phantom is a Medium AD box where SMB enumeration leads to a decrypted VeraCrypt container, recovered credentials enable a foothold via password spraying, and Resource-Based Constrained Delegation (RBCD) is exploited to gain Administrator access.
On Nocturnal, an IDOR exposed credentials that unlocked the admin panel and source code. A command injection led to a shell, cracked database hashes enabled SSH access, and exploiting ISPConfig CVE-2023-46818 provided root.
