Machine Synopsis

`Bruno` is a medium-difficulty Windows domain box that chains insecure application configuration and weak Active Directory hygiene to go from no access to domain admin. The service-facing component is a custom .NET application that extracts ZIP entries unsafely using `Path.Combine`, allowing crafted archives to perform a zip-slip and place files under `C:\samples\app`. That capability enables a DLL-search-path hijack - an attacker who can write to the queue share can drop a malicious `dll` and achieve code execution as the service user. On the network/AD side, an account svc_scan is discoverable and `kerberoastable/AS-REP crackable`; its recovered credentials grant write access to the queue share, which is used to trigger the DLL payload and get a low-privilege shell. From there the default `machine account quota` of authenticated users and `RBCD` are abused to perform a `Kerberos relay/RBCD` attack that resets the Administrator password and yields full domain compromise.