• Finally got root! 100% Kali. Agree with others that this was excellent Windows learning exp.

    User: Got hung up on the fact that my process was using ec2-user (AWS kali instance); need to be root on Kali when doing the thing where you don't have to use a Windows VM. Also, can't say I knew much about Windows cred storage until this box. A little embarrassing. :)

    Root: Thanks @0xNoOne for handy script. Had to read through this forum a few times to figure out what everyone was talking about. LOL. That m******** app is a real bugger from a vuln perspective. Ouch!

    Thanks, @L4mpje!

  • @L4mpje Thank you for making an awesome box, very realistic but also friendly for new starters. I really enjoyed this and learnt quite a lot. (My favourite box so far)

    User: is fairly easy as long as you can find a large file and somehow read its content
    Root: You'll need to do some research, enumeration, and find some tools to help you on the cracking journey ;-) (lower ports are your best friend)

  • @DAAAALY thank you, user owned, going for root :)

  • Spoiler Removed

    Running for OSCP

  • Rooted as well.

    This one had a harder user than root for me.

    user: just be sure to mount the v** backup correctly, and have a look inside; there are pretty standard methods to get passwords for Wi*****.

    root: just have a look at what programs are installed in the machine, one is vulnerable.

    Good luck.

  • Rooted. I've wasted much time in getting root.

    USER: It's easy if you know to use a specific related to Windows registry.

    ROOT: It's easy when you have already discovered that stuff, but meanwhile you can break your brain till do it. The biggest hint I can give is, forget keep tracking the registry files because you won't find anything relevant and you could waste a lot of time looking those files from hell.

  • I read through most of this thread when I was stuck getting the user's password and saw a lot of people mentioning just getting the S*M file and brute force cracking the password hash. That seemed a bit weird to me, as it could take a very long time (I tried normal password lists and got nothing) and I assumed this is probably not what the creator intended us to do. So I did a bit more digging and found the user's password somewhere else, that did not require a dictionary or brute force attack. I won't spoil anything, but just wanted to post this in case other people are bored of trying to just brute force crack an NTLM hash like I was.

  • Rooted and User-ed! 1st HTB box down! Can do the whole thing in Kali Linux, and a great many of you are on the right track - have been using this thread to see if I was going off on a tangent.

  • My first Windows Box and even a nice one. Thanks, was fun!

  • Make sure to activate the Virtualize Intel VT from your CPU in the VM Settings otherwise you can't mount inside kali another thing.

  • USER complete, been working on ROOT now for 2 days. I see the m******** app but the only thing I can find to exploit the monster is MSFCONSOLE. This being said, rev shell is not giving feedback unless I am on normal s** session. I have googled ways to achieve what m******* gives you but the only thing I can find is darned msf. Any assistance to do this without msf would be fabulously appreciated! Thanks all!

  • edited July 2019

    [email protected]#whoami

    Bastion completed. Don't hesitate to ping me. I am always for helping

  • Rooted in Kali. I would advise to try and use a Linux machine only, to practice mounting. That's the hint for the user.
    As for root, check the programs installed and then Google it.

    Discord : secHaq#7121

  • I can confirm that you can root this box without a Windows VM (unless you don't use Windows at all). I used Kali and then my fully patched Windows 10 desktop and that was all.

    Great box. Very realistic :)

  • edited July 2019

    I use 'guestmount' some.vhd file from /B****ps to '/mnt/vhd' but I don't see anything. Can anyone help me?

  • I mounted the wrong vhd, so I'll do the next step.

  • edited July 2019

    Can anyone help me out with the initial enumeration? I can't seem to properly look into the S** service as expected. Probably doing something silly.

    edit: nvm, i was being dumb

    OSCP | GCIH | SEC+

  • Hi all.
    this was my first box and it took a while but I gained user/root eventually. Just wanted to say thanks to everyone in this discussion. I needed a little nudge to pull me out of the rabbit hole when it came to gaining root.

    much appreciated
    Thank you

  • First box ever, been trying to brute force the ssh login with wordlist any hints? will be appreciated.

  • Is the Bastion box down this past couple days? I haven't been able to access it with nmap, nor will it mount the network or the vhd.


  • Alright, day 4 of privesc and I am really missing the nail here lol. I am lost on how to utilize the .py apps to dump the hashes out of r*****n and at this point I'm not really learning. If anyone could please PM me a hint as to whether or not I need to move in a diff direction or if I'm on target and just need to try harder!

  • Rooted. I used Kali and my host Windows machine.

    If anyone needs a hint let me know.

    OSCP | PMP

  • Can anyone help me with the initial enumeration? Found the ports, and the services running. I tried looking into s** but i am just stuck. I have looked into creating n*** sessions but I am not sure where I am going wrong.

  • edited July 2019

    what do i do when im in desktop ?? sorry for stupid question :pensive:

  • Need a nudge for root.

    Know what the exploit is but for some reason cannot get it to work.


  • I'm getting a "MAC check failed" when I use the python script.
    Any help?

  • help with mount it seems that everything is asking 4 password.....and yes my VT-D is on.

  • i found what i need and mount it
    by the end of the day its all about your CLI input :)

  • @TimmyTheOG said:

    I'm getting a "MAC check failed" when I use the python script.
    Any help?

    I have this same problem.
