HackTheBox: Pov
A Windows box: a path-traversal read leaks the ASP.NET machineKey from web.config, forged ViewState deserialization (ysoserial.net) gives a shell as sfitz, a DPAPI-encrypted connection.xml yields alaading, then SeDebugPrivilege is abused with psgetsys to impersonate winlogon for SYSTEM.
Read 