Querier

If anyone is still stuck and needs help, feel free to PM for a nudge

ROOOTED!

the user part has been great! But an old version of the tool made me waste weeks to do a crucial step. Fortunately fixed a week ago

root : basically 99% of the time has been wasted trying to get an user shell to enumerate properly the machine… AV will make the life hard, at least for me. Once you get a stable shell, running the right enum script you will get root.txt in 5 min.

THX @mrh4sh and @egre55 one of my favorite box!

PM me if you need help

Rooted thanks to @HEXE and @Silv3rDawg23.
PM me for help, while it is fresh.

So after a handful of hours I got user and root. Overall, great box. Pretty realistic too.
Most of the issues along the way were syntax related to various tools, and issues with I******* were… Bountiful.
Another frustrating thing that happened to me is my hashcat on my Kali vm is busted, but after giving jtr the right stuff cracking someone’s hash was pretty easy and quick

I spent way too much trying to get a root shell when the root.txt was easily available going about the same direction as getting the first file needed to really kick things off.

My advice is:

  1. As usual, enumeration is key. If you don’t poke around you won’t find what you need
  2. Don’t over complicate things. In all honesty, this box is really easy. If you’ve done PWK labs, this box should feel right at home with the lower tier boxes
  3. If you don’t get output or results you expect, take a look at all the options or switches you’re using
  4. A particular “Defense” mechanism built into the OS isn’t really going to be as big of a deal as you probably think it is

If you were able to get a root shell, hit me up. I’ve got a method that I KNOW should be working, as I’ve used it on engagements in the past

Man this machine beat me up.

Learned a ton.

There are tons of hints in thread already but if anyone is needs a little nudge let me know where you are and I’ll do my best.

Also huge thanks to @EnDeRuCn for the help.

Can I get a nudge in the right direction? I am trying to get a reverse shell going but keep getting blocked by the av. I already got user flag by using the x*_***l command in SQL. I already got the m-**c account cracked. Unless theres another way to get root without a shell.

Edit:Got reverse shell on m****-**c account. Now onto root. Any pointers?

Finally got root! Finally was able to finish this box. I had been working for over 26 hours collectively. I can now stop ripping my hair out. I had never learned so much about Windows box before. Great job to the creators.

PM for nudge.

Hi, Please could someone PM me with any tips for root? I’ve got the second user, but can’t find where to escalate from there? Thanks!

Box drove me crazy. Really cool though, not going to lie.
I always hate windows boxes but I always come away knowing learning really useful stuff. Definitely updated my notes.

USER:
Giddy. End of story. All you should need to know.

ROOT:
power up

Message me for nudges <3
let me know where you’re at.

Got Root!!! Many thanks to the Creators for this box, learned loads about tools that I have seen but never had occasion to use.

Props to Async @xh4h on HTB Discord for helping me get past PEBKAC errors too.

rooted thanks to @HEXE

Got root.

This was a really good box and gave me quite a bit to think about - more of the same please.

I was banging my head trying to run a script to avoid AV, but once I got that done it was on the home stretch an across the line.

Type your comment> @jvlavl said:

can someone give me a hint how to get a shell to this box? I have both creds found.
I xl is enabled under the sd user. Even m** is uploading with some messages in between but ending with no session

What do I not see?

I’m at the same point, have creds for r and m. trying to use x**l to start a prl conn, not working so far. am I thinking wrong here?

How to crack m*******c user creds.l? I’ve used john with rockyou as wordlist but nothing comes out of it.

Thank you for this box. Had a fun time and learned along the way. Happy to help anyone who’s stuck.

unable to bypass AV, very frustrating

EDIT: once again, overthinking, went stupid simple, then powershell mafia, rooted

Got the root, but struggling to get a shell

EDIT : finally got a shell, I was overthinking it

Got the second mssql user:pass and now trying profusely to get a file upload or shell but thoroughly stuck… Any nudge in the right direction would be appreciated…!

I just got my file uploaded. Now when I try to execute, it says No output, and my listener is not receiving anything. Am i in the right track?

Got user, root and shell.

For user: enumerate ports and escape special characters :wink:
For root: everything is written on this forum, just read carefully with understanding and do not search “uncles” in google - it has not sense :slight_smile: and the key to success is mafia :wink: