• Someone can give me a hint on how to read the flags after getting into a shell with nt authority\system.

    awesome machine by the way. Congrats @egre55

  • edited April 2019

    fucking awesome machine. I learned a lot!!!!!! This was painful, but it was cuz I'm windows noob

    My hints:
    - for user try to play with cookies, I think some has released an exploit (is new)
    Them play with the wonderful fruit

    • Root: this was my fucking pain. Whatever you are doing, don't use you the shell that you got (I know is strange)

    Thanks for this. I have to many question about the creation process for this box. I would like to know how did you do everything, if anyone can tell me, It would be appreciated

  • I found some usernames. I am trying to crack their passwords. The server is painfully slow. Is brute forcing the intended way or might the API help?

  • can anyone pm me with what to do with the very long string in creds?

  • What a nice machine! Congrats @egre55 :)

    Thanks to @CHUCHO @FlameOfIgnis and @jkr for all your help.

    PM for hints if you need some.

  • Apparently I've gone a couple miles down the unintended path. I don't see any way forward that doesn't involve targeted hash cracking. There are enough hints for that to be viable, I'd think, but it hasn't gotten me anywhere. Maybe I overlooked something in the mountains of mimikatz documentation. I dropped a forensics lib to read the raw flags. I was hoping to get the metadata, but it only returned the contents. I think that should count, since I technically have the flags.

    I saw where @egre55 was doing some things with calc.exe, so I'm wondering if a custom exploit is intended, though I don't see how it could help me now. I guess I'll go back to the users, since they each seem to have a purpose. I would like to know if the remoteaccess site is involved. A couple open ports make me think it might be, but I haven't seen anything else to support it. Alright this stream of consciousness has gone on long enough. good talk


  • Totally stuck as NT auth shell. tried all kinds of mimikatz trick, not getting anything. Have some idea as to whats going on , E*S .Always lacking one/two component to decrypt something crucial to decrypting the next step/cred/cert..., any hints?? Its fun running all kinds of tools on this machine though

  • Hello
    I need help,
    on the website i have succeeded the privilege escalation, what do i have to do now?

  • edited May 2019

    Stuck after decrypting a****-p***.xml. I was able to read that file, which results in a very long string. Someone suggested using PSCr*******l / Se****S****g . Been having trouble using the content of that file to do anything. Anyone know the syntax? pm, thx

  • edited May 2019

    rooted...damn, I learned a lot about powershell-fu...

  • I was afraid of this box because it is red. And after start I had hard time on the most step in spite of all hints. But after rooting I say that it is real box with real-case situations.
    It is very stable and it allows get additional hints from the result of work of other hackers.

    And that is why it defenitely is worth the force and the time.


  • edited May 2019

    I found creds for two users, but can't found way for change users, could somebody help me PM

  • A week later, finally rooted. Thank you to @tabacci and @Ripc0rd for the help. Helpful tips:

    Know Powershell. Understand commands and what you can use to leverage your way into getting root.txt.

  • Rooted and got user! Holy crap I'm sure I didn't do this the intended way because I f***ed this box HARD to get that to work. Hahaha. Okay, time to reset before anyone notices.

    Null | Nada- | Zip | Diddly | Zilch+

  • Could use some help for escalating to leo. I know what I need to do, but I am facing some difficulty.

  • I have administrator hashes, can pass the hash with psexec but I cannot read the root.txt or user.txt. I see the XML file but having problems decoding it. I am on the file system looking for something to get/do. I would appreciate a hint int he right direction.

  • Congrats to @egre55. Solid box. I haven't solved it yet, but I am determined to! Currently stuck after getting read access to the xml file. Probably should find a way to make that information useful, but I have run through all my ideas and need to seek guidance on where to go next.

  • Totally stuck with getting normal login done. Cannot find a way in this box. I know it sounds weird, but I think I know where to go, but do not know how.


  • If anyone can help me with reading flags, please PM. I'm able to login with two different users, but cannot read certain files. Any help is appreciated!

  • rooted but stuck with user.txt. any nudges?

  • I cannot read user nor root any of accounts. Any nudge would be good

    OSCP - Looking for pentest Jobs

  • I'm still trying to wrap my head around why psexecing as Administrator still shows i'm NT AUTH/SYS after running whoami


  • Stuck at LFI.. Is the user named L**s R*****o a hint? I found a PoC from Pedro R*****o but I cannot make it to work.

  • edited June 2019

    It's not about the destination but the journey, this is an all around great box. There is a shortcut and a long catch (that i know of) to root.txt/user.txt both is worth exploring. Thanks to @essex09 for the hints along the way.

    Apparently there is more than two ways :)


  • edited June 2019


  • edited June 2019

    Well finally rooted, I used the "easy way" and still this box was pretty cool. Still working on the other ways for now.
    Good job @egre55 the box is amazing

    Thanks to @0xskywalker for the hints !

  • Coincidentally, im listening to devil trigger XD

  • edited June 2019


    This machine was different and "new." I did learn a couple of new things and I loved it. So Thank you @egre55 for it.

    Anyway, there seems to be a couple of ways to get user and a couple of ways to get root.

    The easiest way from my opinion seems to be abusing the system permissions.

    Hack The Box

    OSCE | OSCP | CRTE | GPEN | eCPTX | CREST CRT | GDAT | eCPPTv2 | GWAPT | OSWP | ECSA (Practical)

  • what a great box! Message me if you need help

  • stuck with NT AUTH/SYS. my someone give me a hint via pm?

Sign In to comment.