Sorry for the delay. I was only able to spend 1 hr a day writing the below writeup because of my dry life-saving work. Hope you all enjoy this beautifully designed AD environment Windows machine.
You had a much more thorough approach - on the early steps I quickly gave up on trying to do it manually and used sqlmap instead.
Don't misunderstand me when I say I am pleased the AD bit took you a week! It nearly broke me. I spent easily that much time trying to find articles and hints, etc.
This was definitely a box where getting user was like conquering the world.
I like your breakdown of the VSCode attack. It never occurred to me during the time I was on the box to try different approaches. I might have to go back and see if I can recreate them one day. I just spent a lot of time in a fight with port forwarding…