Stuff I find out. Short notes, quick wins, things worth keeping.
You are SYSTEM on a Commvault CommServe. You want the credential vault in plaintext. The vault sits in the local SQL instance, but the passwords are V5 blobs. You cannot crack them, and offline decryption does not work. The key only lives inside a running Commvault service. So you borrow it.
Full source is on GitHub: 0xCZR1/Commvault-JVMInjection.
You are SYSTEM on a domain-joined Windows box. You want the service account passwords stored in the LSA secret vault. The direct API path (LsaOpenSecret / LsaQuerySecret) works for DPAPI_SYSTEM and $MACHINE.ACC, but _SC_ prefixed secrets, the ones holding service account passwords, return ACCESS_DENIED even under SYSTEM. So you copy the encrypted registry blobs to a temp key and read them through LsaRetrievePrivateData instead.
You hold a child domain krbtgt key and you want forest root. The plan is an ExtraSid diamond ticket with the Enterprise Admins SID, then chase the referral to the root DC. On a fully patched forest it dies. The KDC returns 0x520 and your TGT gets purged from the cache.
The cause is impacket, not the trust. Here is the fix.