2 writeups tagged with NTLM
LFI via lang parameter captures NTLM hash with Responder. Password spray, IIS WebDAV shell upload, RunasCs for lateral movement to Domain Admin.
SQL injection via stored procedure triggers NTLM hash capture. Responder catches hash, crack for WinRM. Ubiquiti UniFi privesc via service abuse.
