Tag
dpapi
2 items tagged “dpapi”.
Writeups
MACHINE Windows
HackTheBox: Pov
A Windows box: a path-traversal read leaks the ASP.NET machineKey from web.config, forged ViewState deserialization (ysoserial.net) gives a shell as sfitz, a DPAPI-encrypted connection.xml yields alaading, then SeDebugPrivilege is abused with psgetsys to impersonate winlogon for SYSTEM.
MACHINE Windows
HackTheBox: Voleur
An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.