Achla | Inf0Sec

Student

HackTheBox Precious

Exploit the universal RCE in Ruby's YAML.load (versions > 2.7) to gain a reverse shell, then grab hard-coded credentials for a user who has root permissions to run a Ruby script, which leads to root.

HackTheBox MetaTwo

A WordPress plugin is vulnerable to unauthenticated SQL injection; we exploit this to dump the database and the users' hashes. We can then log in as the manager user, where we find a way to abuse the file upload functionality to get credentials for FTP. Finally, for root we just need to crack a PGP private key.

HackTheBox Forest

Exploit a domain controller that allows us to enumerate users over RPC, attack Kerberos with AS-REP Roasting, and use Evil-WinRM to get a shell. Then, using BloodHound, we take advantage of the permissions of a user that allow us to dump the admin hash and get a shell as admin.