HackTheBox: Ghost
An Insane Windows AD box: LDAP injection leaks a Gitea token, source review yields path-traversal and command-injection bugs for a Docker root shell, then Kerberos ticket theft, a fake DNS record for NTLMv2 capture, a gMSA password read, a Golden SAML forge against ADFS, a linked-MSSQL pivot and a cross-domain Golden Ticket with Extra SIDs fully compromise both domains.
Read 