Theory: You compromise a unix host during a pentest and grab /etc/shadow and /etc/password. You take the entries for root in both and drop them into a unix host that you control that is set up with SAMBA to sync authentication. You then use windows methods to extract the LM/NTLM hash from SAMBA.
Problem: SAMBA doesn’t cache the LM/NTLM hash until the correct one is passed to it. I’m still not sure how SAMBA uses the *nix hashes so there still may be a vulnerability there, but I don’t think there is any research there yet. And I don’t have the cryptographic mind to figure it out.
Theory: Prepopulating a hidden upload field through SQLi or other methods of altering a site
Problem: The DOM does not allow this to happen, however, I don’t think that that rules out flash or VB script that I know of. Please comment and correct me if I am wrong.