My writeup on owning Sizzle - it required a physical crypto token, joining a Windows box to Sizzle’s domain, and faking DNS service records for the domain.
This attack is possible as the low-priv user amanda can modify certificate templates, so you can edit one of the templates available on the website to turn it into a smartcard logon template:
You add the Administrator’s User Principal Name to the Certificate Signing Request, submit the request, and then import certificate and key to the crypto token / smartcard. On the box you joined to the domain you can then run net use /smartcard to grab the flag from the C$ share or you can run runas /smartcard to start a shell as the Administrator.
. Really cool write up 