HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning
The chain starts with a low-privileged user: SMB enumeration reveals hardcoded credentials in a log file. Inferring the password pattern leads to an updated credential. GenericWrite over a gMSA enables Shadow Credentials and WinRM access. DLL injection via a scheduled task gives lateral movement, and WSUS poisoning combined with ADIDNS spoofing and ADCS certificate abuse yields SYSTEM.