@nyckelharpa said:
They’re not suggesting to get the admin password, but the use the hash of the root or administrator password. If you have root access to the machine, you can simply cat out the shadow file to get it, even if you don’t necessarily need the root password to root the machine. I don’t know where to find that hash on a windows system, but should just be a quick Google search to learn that, I guess…
While this would be a better alternative (for boxes where it is possible to do this and it doesnt break the box early - remember, RE you pretty much have admin access to get the user flag, the root flag is harder to get), from HTB’s point of view it doesn’t really solve the sharing problem. People can just share the hash then read the writeups and get the flag.