@Gravemind said:
Just wanted to thank everyone for all the hints, and the creator of the box. Learnt a lot on this one! Great first Windows box!
Would really love someone to PM me how I was meant to have identified that the r*** account had the permissions he did to allow the d** exploit.
I noted the group but couldn’t link the 2 things.
You’ve answered your own question. You notice he’s a member of that group, which is very unusual and even has the word “admins” in its name, so it seems pretty likely that’s a good place to start looking for priv esc.
Just to clarify - that group is a built-in group in AD that will always have permission to perform this exploit.
This will be my first Windows box and I’m a little confused on how to get the initial foothold. I’ve only worked with Linux boxes before so I’m a little uncomfortable with the Windows ones but thought I’d give it a shot. Great learning opportunity and all. Any help would be greatly appreciated!
Rooted. Found a delicate solution to the AV problem. Make the D** issue a system command instead of injecting shellcode; an extra uploaded or hosted file will be necessary, but it works like a charm every time. I’ve spent my fair amount of hours trying to bypass AV.
Anyone who knows the Ms* root method care to enlighten me? I cannot get my head around it, even though it is supposedly the simplest solution.
Thx.
This will be my first Windows box and I’m a little confused on how to get the initial foothold. I’ve only worked with Linux boxes before so I’m a little uncomfortable with the Windows ones but thought I’d give it a shot. Great learning opportunity and all. Any help would be greatly appreciated!
Good thing about Windows is that most people have some experience with a Windows PC at home or at work, so if you think of it that way, it isn’t so alien.
As for a starting point - it’s basically the same as Linux. Enumerate it. Find open ports, find things you can do with those ports and see if you can get your way in through those ports. On HTB, some Windows boxes need web exploitation, others have an exposed SQL interface and others have open SMB ports.
Handily, Kali has built-in tools to enumerate SMB/RPC ports and there are Metasploit payloads for this very step.
Hey, I’m new to HTB.
Was able to enum usernames and password. But the evil doesn’t let me in. Please send a PM with some hints to go on.
Edit: got user.txt, will go on for root now
Rooted. Initial foothold is very easy and getting access to user flag also.
Root: Everybody who gets no response with e…lw…m - are you sure that every command you copied and pasted works as it has to?)) Thx a lot - nice box.
Rooted! Another box where (for me anyway) moving laterally from initial user to “user might be able to do something else” took way longer than it should simply because I was trying to rush things and missing the little details. Lessons have been learned!
Rooted!! First Medium box! The priv esc was fun!!! I would also like to see the secondary option if someone wouldn’t mind shooting that to me in a msg.