• Hello!

    Probably the best box since I started hacking the box.

    A few clues even though I think that said it all.

    User: Enumeration is the key (again). If you don't find it quickly, you're probably missing some notions for windows enumeration. Try to find a box that had the same services and look at the enumeration techniques on Write Up. There were as many as there are trees in a forest.

    User2: The answer is given in the first 10 pages of the forum...

    Root: I don't think there's much to say about that once you look at who you are, with a simple google search the box is solved.

    Little tip:

    • Stop believing what's subjective. When someone tells you that it's an easy box it can be very hard for you. For my part, there are some very easy boxes that I didn't pass and I found it very simple.

    I don't know why some people talk about lazy administrators etc. but I don't think you need that to succeed.

    If you're really stuck I'm available for pm (French & English)

  • Rooted. Nice box, a few tricks I hadn't seen before. As I'm trying to expand my windows skill this was very educational!

    Much has been said about all parts of the box already, but there is one thing I got stuck on when escalating to root a little bit so I want to mention this:

    Be quick. Stuff resets before you know it and your changes will be overwritten.


  • Finally done! I learnt a lot from this box. Just amazing. And advice I can give you is that if you've found the way to get root, be careful while setting up the tools you will need, you may be right in your path, yet you may be using the tools with wrong syntax. Try harder!

  • edited April 2020

    has anybody had issue with restarting d** service?

    Edit-Rooted using the intended way. i had to stop d** twice and start it twice to get it to restart.
    Notes overall
    hints on the forum are pretty good to get you moving. I would say this was a very real life kind of box. User2 really got me waste sometime but when i saw it, i realized the fun part of it as in real world too admins make similar mistakes, beins unaware what they are sending in a command..
    Root- was fun, service thing pissed me a bit as i thought it might have gone corrupt due to multiple attempts. At the end it was really a fun box. multiple attempts made me perfect the technique, i mean every bit.
    Good job creator.

  • need help cat ain't responding even after following the ds way. Hosted the payload in sb

  • edited April 2020

    I am stuck trying to own the 2nd user.
    I tried everything written on the forum. I know i am missing something but i just don't get it. I am not really good with Windows so i want to improve.

    EDIT : lol found it but i don't know if the way i found it is "the way to go". If someone can explain me WHY did i found them HERE :)

  • edited April 2020

    Can someone please explain to me why for e****-w**** the user has to be "\[username]" and NOT "MEGABANK\[username]". This issue costed me 2 hours.

  • Rooted!! Thank you @egre55 I learned soooooo much about Windows enumeration techniques...and commands LOL. Loved the clues you left! PM me for help!

  • Great box, just rooted!!

  • I am new on htb and this was my first root box. I have some backgroud on system admin but this is an all new world. Ty for the hints guys

  • Hello All
    I think I need just a little help

    I got the cred for the 2nd user, I see the associate service and how to injecte a file
    but that don't work... :neutral:

  • Hum Ok Rooted ;) ! Fun box !
    First windows OS rooted

  • edited April 2020

    Just wanna give my two cents since I struggled more than i thought for such a simple privesc..

    for user:
    -Basic AD pentesting, if you cant get user on this (which i couldnt before doing some of the ad boxes then came back to this box) maybe take a look at some of the other AD Boxes first!

    for root:
    part 1:
    -Enumerate, cant really hint this part without giving too much away.
    part 2:
    -Get to know who you are better
    -Read the hint given by the other user in the file. Dont only read it, take it in!! cuz the hint went over my head and didnt think much, got it right the first time, completely messed up the timing, and went down a rabbit hole thinking i had to bypass this and code that when really it was just a few commands. So yeah, time your exploit in accordance to the note left by whatername.
    -Get flag!

    thanks for a cool but challenging box, wasnt easy but got there in the end lol
    Message on discord if youre still stuck (Name is same as this, just search htb discord)

    Hack The Box

    More than happy to help out and give hints - sorry if you've messaged me on forum.htb and I haven't got back, I might be more reachable via discord: CRYP70🇦🇺#8985

  • edited April 2020

    Could someone point me into the right direction? in PM i'll describe what i've done so far and at what point i'm stuck (very last part...)

    edit: rooted... missed 3 essential characters in building the p*****d


  • Would really appreciate help with getting the 2nd user :)

  • edited April 2020

    Rooted, but root took me way too long and that's because the dn****ins exploit i was trying didn't work. The strangest part is that the commands didn't output any error they just straight up didn't want to work. Anyway, after copy pasting the same thing again and again it decided to work. Does anyone know why did this happen?
    P.S. thanks for all the hints

  • Great box - learned a lot from the process
  • s*.ex* \\******** stop d*s
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    Can anyone please explain this, i can't restart the service which required to gain root shell. ??

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Solved finally, thanks a lot for whom I received nudges from, specially for @TazWake and @jibbiez
    Thanks for sure for the creator ^_^ .. I love my 2nd windows box

    I wouldn't mind some +respect if I helped you ;)

  • Anyone who can help me with root? I allready build the dll file and set up the s*b server in order to execute my code. But I just don't get a reverse shell. ..

  • Sure I’ll help you, pm me :-)


  • edited May 2020

    I'm in a similar boat I think. Following the dll injection steps but am just not getting a reverse shell returned. Anyone able to help?

  • @gunroot said:

    Can anyone please explain this, i can't restart the service which required to gain root shell. ??

    At a guess I'd say it hasn't stopped yet.



    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Hi. i got user2 but idk how can i elevate privileges. Can you give hint to me? Where should i start?

  • got root pm me for help lol :smile:

  • Got root. Straightforward box but doesn't always behave. Thanks to @TazWake for the nudge.

  • edited May 2020

    For user1: Active Directory enumeration will give you good information, after obtaining this information and connecting to a windows service, it will give you a password for that first user.
    User2: Logged in with the username and password you obtained earlier, look for things in C: using some commands that give you better kept information

    For Root when using Wi *** eas.exe it will show you some things there is spo go on google and search for this information, it will give you all the way to privesc.

    Anything can call me ..

    That was the best machine I've ever made.

  • Hello! Can someone help me with the last steps to get root? PM, I'm really stuck for a few hours... :neutral:
    Thank you!

  • Ive tried a couple of things, but I havent been able to get them to work. msv seems the easiest route, after paying attetnion to architecture and creating a basic reverse shell, I am unable to actually get the shell using dnsc**. Could use a nudge

  • Stuck for hours and hours on checking if the victim is able to access my share through the smb...
    "net view \smb_server_ip" -> net.exe : The Server service is not started
    Can someone help me? :(

Sign In to comment.