Resolute

Just wanted to thank everyone for all the hints, and the creator of the box. Learnt a lot on this one! Great first Windows box!

Would really love someone to PM me how I was meant to have identified that the r*** account had the permissions he did to allow the d** exploit.

I noted the group but couldn’t link the 2 things.

@Gravemind said:
Just wanted to thank everyone for all the hints, and the creator of the box. Learnt a lot on this one! Great first Windows box!

Would really love someone to PM me how I was meant to have identified that the r*** account had the permissions he did to allow the d** exploit.

I noted the group but couldn’t link the 2 things.

You’ve answered your own question. You notice he’s a member of that group, which is very unusual and even has the word “admins” in its name, so it seems pretty likely that’s a good place to start looking for priv esc.

Just to clarify - that group is a built-in group in AD that will always have permission to perform this exploit.

Hey,

Got root… if someone needs help, PM me :wink:

Rooted. DM me for help?

This will be my first Windows box and I’m a little confused on how to get the initial foothold. I’ve only worked with Linux boxes before so I’m a little uncomfortable with the Windows ones but thought I’d give it a shot. Great learning opportunity and all. Any help would be greatly appreciated!

Yeah doing root the fun (more involved) way includes sorting out some snaggy details that will trip you up.

Rooted. Found a delicate solution to the AV problem. Make the D** issue a system command instead of injecting shellcode; an extra uploaded or hosted file will be necessary, but it works like a charm every time. I’ve spent my fair amount of hours trying to bypass AV.

Anyone who knows the Ms* root method care to enlighten me? I cannot get my head around it, even though it’s supposedly the simplest solution.
Thx.

@LMAY75 said:

This will be my first Windows box and I’m a little confused on how to get the initial foothold. I’ve only worked with Linux boxes before so I’m a little uncomfortable with the Windows ones but thought I’d give it a shot. Great learning opportunity and all. Any help would be greatly appreciated!

Good thing about Windows is that most people have some experience with a Windows PC at home or at work, so if you think of it that way, it isn’t so alien.

As for a starting point - it’s basically the same as Linux. Enumerate it. Find open ports, find things you can do with those ports and see if you can get your way in through those ports. On HTB, some Windows boxes need web exploitation, others have an exposed SQL interface and others have open SMB ports.

Handily, Kali has built-in tools to enumerate SMB/RPC ports and there are Metasploit payloads for this very step.

Hey, I’m new to HTB.
Was able to enum usernames and password. But the evil doesn’t let me in. Please send PM with some hints to go on.
Edit: got user.txt, will go on for root now

@Papalapap said:

Hey, I’m new to HTB.
Was able to enum usernames and password. But the evil doesn’t let me in. Please send PM with some hints to go on.

So, hard without knowing your problem. Some suggestions:

  1. You may not have the right username / password combo.
  2. You might not be running evil correctly.

I have user 1 and 2 however root is escaping me, I feel like the answer is right in front of me but I’m not able to grasp it.

I’ve never handled D** and I’ve been trying to see how evil I can get however, nothing is working.

I’ve read through these comments hoping, for a spark, while I can see great answers, nothing is helping…

Hints / PMs would be great

Rooted :slight_smile:

My first Windows box, took a whole day to crack since I am mostly a Linux person

Feel free to PM for nudges

Woah! Can someone maybe give me a nudge? I’m at the final step but the thing I want to do doesn’t connect back to my multi handler / nc…

Rooted. Initial foothold is very easy and getting access to user flag also.
Root: Everybody who has no response with e…lw…m - are you sure that every command you copied and pasted works as it has to?)) Thx a lot - nice box.

Rooted! Another box where (for me anyway) moving laterally from initial user to “user might be able to do something else” took way longer than it should simply because I was trying to rush things and missing the little details. Lessons have been learned!

Rooted!! First Medium box! The priv esc was fun!!! I would also like to see the secondary option if someone wouldn’t mind shooting that to me in a msg.

@zetascrub said:

I have user 1 and 2 however root is escaping me, I feel like the answer is right in front of me but I’m not able to grasp it.

I’ve never handled D** and I’ve been trying to see how evil I can get however, nothing is working.

I’ve read through these comments hoping, for a spark, while I can see great answers, nothing is helping…

Hints / PMs would be great

If you google the service name and what you are trying to do, you should find a blog post by ired.team which will help a lot.

Spoiler Removed

I might be going down a rabbit hole. Can someone offer for PM or PM me?

ldS*** and got a temp pw. Found a user that was able to log into that. Ran sm*C***** and found shares but nothing interesting.

Used ev**-w**** to log into the user. Found 3 files. Virus scanner did not like the .exe. Also showed a .c file and a file Q*.

Am I going down the right trail? Any help or nudges would be much appreciated.

@menorevs said:

I might be going down a rabbit hole. Can someone offer for PM or PM me?

ldS*** and got a temp pw. Found a user that was able to log into that. Ran sm*C***** and found shares but nothing interesting.

Used ev**-w**** to log into the user. Found 3 files. Virus scanner did not like the .exe. Also showed a .c file and a file Q*.

Am I going down the right trail? Any help or nudges would be much appreciated.

Just to check - do you have the user flag now?

If so, privesc is 90% enumeration.