• edited April 3

    Type your comment> @nobyl said:

    Type your comment> @kpwn said:

    I have creds for 3 User accounts but login only works with one of them.
    The account starting with s.... has a long PW starting with Mo.........
    But i cannot login with that account. Is the box stuck?

    Possibly. You should be able to connect with that s*c account via e***-w***m.

    I am in the same situation as nobyl. Got s** password but unable to login ...
    Box was reseted 3 times and I still can't, is there soemthing I'm missing?

    Edit: got shell, had to find logon username for this account.

  • How the heck do i copy "SomeBloodyInfo" from PS to my kali host?
    Been taking a walk into the forest but the steps seem to fail.

    Please assist with hints!

  • Hello, first machine I'm trying, love HTB ;)

    In my case, I am either on a rabithole or close to finish. got some juicy secrets but seems to fail using some basic syntax using a very well known rock file. Am I missing something?

    Thanks :)

  • That was my first windows box and i pwned it and i learned many new things i didn't know before!

    for the foothold: try to think as an admin, or you can read about how companies refers to employees names in emails.
    for user: I really missed chicken roasting! Try to roast something.
    for root: winPEAS.exe will help you in basic enumeration then find the wanted AD attack!

    If you need help, just DM me and if you already pwned it you can pass-the-flag here [ ] to read my write-up ^_^

  • Rooted.


  • I had a really hard time with this box and in the end one method for root worked while another didn't and I do not really understand why. If anyone wants to PM me with information or answers to my questions it would be great!

    Im so bad at Windows......

  • > @zalazalaza

    Send me a PM with what you didnt understand and I'll explain
  • guys I am stuck. I've tried every possible way to login using s**_****** and it's just not happening. got user flag and used all of hades pet's tools and im turning up nothing. any help is extremely appreciated. been going all morning on this one

  • nm, figured it out ;)

  • edited April 5

    I haven't figured out the root part yet, I believe I have User 2 creds for s*_r, I'm using the ti*****r tool but I'm getting aurgument required errors

  • Great box! Thank you @egotisticalSW I am not great with AD and I had to learn a lot. But that's what wea re all here for. Here are my tips:
    User: Sometimes you can't just get the users. Sometimes you have to use OSINT and make a list yourself. Then find a way to check your work.
    Root: I found more creds. I used them on a tool to help me dump a bunch of secrets.
    Feel free to PM for nudges.


  • if you're stuck on user, try the team page and barbecuing all the possible usernames

  • Type your comment> @dezatino said:

    Type your comment> @Ad0n said:

    Hey guys is clock skew giving anyone problems ?

    the people that you are trying to hangout maybe live in a different country... :wink:

    If you are having skewing problems, sync your system time with the DC as the NTP server

  • Hello, Can someone PM me?
    This is my first windows box and I'm stucked.
    DId basics network, web and ldap enumeration. I don't know which protocol must be the vulnerable target.. And do want to be on the wrong path!
    Thank you in advance

  • Rooted!

    User: Enumerate and Google 4 common ActiveDiretory exploitation techniques.
    Root: Take a walk through the Forest. Some key techniques should lead you to the right path.

  • Password:
    [-] SMB SessionError: STATUS_PASSWORD_EXPIRED(The user account password has expired.)

    Getting this error.... please help

  • > @parag1232
    > The user account password has expired

    I'm not sure how much clearer anyone could explain it?
  • Type your comment> @VbScrub said:

    The user account password has expired

    I'm not sure how much clearer anyone could explain it?

    I am getting this error for user2 .... h****t

  • edited April 5

    look at another user account then. That one is not usable

  • edited April 5

    Yay, got root after 2days !

    Was stuck with an error when i was trying to connect with the f user.
    Lost few hour with this, after that it's pretty fast to get what you want

    For those who are experiencing the same issue with the "Etool", switch lab, worked for me.

  • Rooted.
    Hint: Evil is your friend, always.

  • Got user f*** creds. Found user srv*** creds. Got NO idea how to escalate :( DM for nudges pls

  • Write-up available here : (French, protected by password). DM message if you need some help. This box was very interesting. Enumeration is the key!


  • Help please! I have user f****h and pwd T**********3. Not sure how to use them..been trying to log in usin ev**-****m but no luck..Please dm

  • I sent you a DM.


  • Type your comment> @Psyfer said:

    Help please! I have user f****h and pwd T**********3. Not sure how to use them..been trying to log in usin ev**-****m but no luck..Please dm

    I sent you a DM.


  • Am i supposed to find some hash in the foothold ? I only got one user (hs), no idea where to go next (tools requires password).


  • Ok with some help i've found the user.

    To be clear : i was in the wrong way because of the H*** S**** thing. If you find this, dont insist with this and think more simply/logical.

    Also, ive found 2 versions of the G**PN*****, the first i had didnt handled userslist. I had to nano a .py with the good script, strange.


  • User complete, on my way to root!

  • Hi, i tried access through default username and password, getting error "WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError". Can u help me for fixing this.

Sign In to comment.