
©2026 Poal.co


Archive: https://archive.today/NGVYO

From the post:

>I stole Active Directory credentials from a production Windows server by uploading a shipping label. The server parsed my .nlbl file, followed a UNC path I embedded in it, and handed me the NTLMv2 hash of the service account over SMB. This is the story of how a label printer file format gave me domain credentials, and why the spec that made it possible is worse than anything I actually exploited.
