I found a way to re-use the credentials for other systems based on this 😅 And spoiler: this enables a new DC-Pwn technique in combination with Spoolsample and an open MS-RPRN RPC service. Local admin -> DC-Shell -> DCSync. Didn't test it yet, this afternoon PoCing around. 🥸

— S3cur3Th1sSh1t (@ShitSecure) April 29, 2021