Querier

Man this machine beat me up.

Learned a ton.

There are tons of hints in the thread already, but if anyone needs a little nudge, let me know where you are and I’ll do my best.

Also huge thanks to @EnDeRuCn for the help.

Can I get a nudge in the right direction? I am trying to get a reverse shell going but keep getting blocked by the AV. I already got the user flag by using the x*_***l command in SQL. I already got the m-**c account cracked. Unless there's another way to get root without a shell.

Edit: Got reverse shell on m****-**c account. Now onto root. Any pointers?

Finally got root! Finally was able to finish this box. I had been working for over 26 hours collectively. I can now stop ripping my hair out. I had never learned so much about a Windows box before. Great job to the creators.

PM for nudge.

Hi, Please could someone PM me with any tips for root? I’ve got the second user, but can’t find where to escalate from there? Thanks!

Box drove me crazy. Really cool though, not going to lie.
I always hate Windows boxes but I always come away learning really useful stuff. Definitely updated my notes.

USER:
Giddy. End of story. All you should need to know.

ROOT:
power up

Message me for nudges <3
let me know where you’re at.

Got Root!!! Many thanks to the Creators for this box, learned loads about tools that I have seen but never had occasion to use.

Props to Async @xh4h on HTB Discord for helping me get past PEBKAC errors too.

rooted thanks to @HEXE

Got root.

This was a really good box and gave me quite a bit to think about - more of the same please.

I was banging my head trying to run a script to avoid AV, but once I got that done it was on the home stretch and across the line.

@jvlavl said:

can someone give me a hint how to get a shell to this box? I have both creds found.
I xl is enabled under the sd user. Even m** is uploading with some messages in between but ending with no session

What do I not see?

I’m at the same point, have creds for r and m. trying to use x**l to start a prl conn, not working so far. am I thinking wrong here?

How to crack m*******c user creds.l? I’ve used john with rockyou as wordlist but nothing comes out of it.

Thank you for this box. Had a fun time and learned along the way. Happy to help anyone who’s stuck.

unable to bypass AV, very frustrating

EDIT: once again, overthinking, went stupid simple, then powershell mafia, rooted

Got the root, but struggling to get a shell

EDIT : finally got a shell, I was overthinking it

Got the second mssql user:pass and now trying profusely to get a file upload or shell but thoroughly stuck… Any nudge in the right direction would be appreciated…!

I just got my file uploaded. Now when I try to execute, it says No output, and my listener is not receiving anything. Am I on the right track?

Got user, root and shell.

For user: enumerate ports and escape special characters :wink:
For root: everything is written on this forum, just read carefully with understanding and do not search “uncles” in Google - it makes no sense :slight_smile: and the key to success is mafia :wink:

Really enjoyed this box :slight_smile: Learned a ton!

Thanks to the creator(s)!!!

Now I can sleep at ease (at least for tonight :P)

Can someone PM me, I'm stuck with db connect :dizzy:

@Malone5923 said:

There is a lot of ■■■■■■ ports on this box. Gobuster is getting anything either. A lot of dead ends. Keep enumerating

@Ahm3dH3sham said:
Starting the discussion.

I need help to solve the machine 10.10.10.152

Hey! Does anybody know why I’m able to ps***c in the machine even if I don’t have write access to any brazilian-dance folder? I’m using the 2nd set of credentials related to the DB.
I would try to check if it’s just some configuration that somebody has left behind but now I can’t revert it since it’s retired (I was going through this machine about a week ago)