HTB STARTING POINT · Tier 1
Tactics
Administrator with an empty password on a Windows box — SMB signing disabled, psexec drops SYSTEM in 15 minutes flat. The most honest failure mode in Active Directory.…
HTB STARTING POINT · Tier 1
PHP LFI forces the server to issue a NetNTLMv2 request to a rogue Responder listener; the captured hash cracks to Administrator in seconds.…
HTB STARTING POINT · Tier 0
RDP and WinRM both accept a blank Administrator password — attack surface is two services wide when credential assumptions fail at the front door.…
HTB STARTING POINT · Tier 2
XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into the watched directory.…
HTB STARTING POINT · Tier 0
SMB null session on Windows delivers a flag from an exposed WorkShares share; the takeaway is unauthenticated SMB enumeration without Metasploit.…
HTB STARTING POINT · Tier 2
Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.…
HTB · Tier 0
Two-domain AD forest under Assumed Breach. NTLM disabled globally. TCP port 88 asymmetrically filtered — a custom impacket monkey-patch unblocks Kerberos. ESC13 on TemporaryWinRM template grants WinRM shell on DC1. ……