HackTheBox: Authority
A Windows DC: cracked Ansible-vault credentials from an SMB share open a PWM config panel whose LDAP test leaks cleartext creds for svc_ldap, then a vulnerable AD CS template (ESC1), a fake computer account, Pass-the-Cert and RBCD escalate to the Administrator hash.
Read 