The compromise starts with exposed credentials and gradually escalates through misconfigurations in delegation and authentication, ultimately leading to full domain compromise.
LustrousTwo is a hard HackTheBox Windows machine where I use FTP to gather usernames, then spray with kerbrute and elpscrk to access an IIS site with Kerberos (IIS_KERBEROS_AUTH). By decompiling DLLs and abusing S4U2Proxy constrained_delegations, I achieve RCE and escalate via a Velociraptor server key.
