HackTheBox: VulnCicada
A Windows DC where the first credential hides in an image on a public NFS share, and with NTLM disabled an ESC8 (ADCS HTTP web enrollment) attack requires Kerberos relaying: coerce the DC, relay to /certsrv for a machine-account certificate, then DCSync the Administrator hash. Covers both the Linux (bloodyAD/certipy) and Windows (RemoteKrbRelay) methods.
Read 