Resolute

Just wanna give my two cents since I struggled more than i thought for such a simple privesc…

for user:
-Basic AD pentesting, if you cant get user on this (which i couldnt before doing some of the ad boxes then came back to this box) maybe take a look at some of the other AD Boxes first!

for root:
part 1:
-Enumerate, cant really hint this part without giving too much away.
part 2:
-Get to know who you are better
-Read the hint given by the other user in the file. Dont only read it, take it in!! cuz the hint went over my head and didnt think much, got it right the first time, completely messed up the timing, and went down a rabbit hole thinking i had to bypass this and code that when really it was just a few commands. So yeah, time your exploit in accordance to the note left by whatername.
-Get flag!

thanks for a cool but challenging box, wasnt easy but got there in the end lol
Message on discord if youre still stuck (Name is same as this, just search htb discord)

Could someone point me into the right direction? in PM i’ll describe what i’ve done so far and at what point i’m stuck (very last part…)

edit: rooted… missed 3 essential characters in building the p*****d

Would really appreciate help with getting the 2nd user :slight_smile:

Rooted, but root took me way too long and that’s because the dn****ins exploit i was trying didn’t work. The strangest part is that the commands didn’t output any error they just straight up didn’t want to work. Anyway, after copy pasting the same thing again and again it decided to work. Does anyone know why did this happen?
P.S. thanks for all the hints

Great box - learned a lot from the process

s*.ex* \******** stop ds
SERVICE_NAME: d
s
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Can anyone please explain this, i can’t restart the service which required to gain root shell. ??

Solved finally, thanks a lot for whom I received nudges from, specially for @TazWake and @jibbiez
Thanks for sure for the creator :slight_smile: … I love my 2nd windows box

Anyone who can help me with root? I allready build the dll file and set up the s*b server in order to execute my code. But I just don’t get a reverse shell. …

Sure I’ll help you, pm me :slight_smile:

I’m in a similar boat I think. Following the dll injection steps but am just not getting a reverse shell returned. Anyone able to help?

@gunroot said:

Can anyone please explain this, i can’t restart the service which required to gain root shell. ??

At a guess I’d say it hasn’t stopped yet.

Hi. i got user2 but idk how can i elevate privileges. Can you give hint to me? Where should i start?

got root pm me for help lol :smile:

Got root. Straightforward box but doesn’t always behave. Thanks to @TazWake for the nudge.

For user1: Active Directory enumeration will give you good information, after obtaining this information and connecting to a windows service, it will give you a password for that first user.
User2: Logged in with the username and password you obtained earlier, look for things in C: using some commands that give you better kept information

For Root when using Wi *** eas.exe it will show you some things there is spo go on google and search for this information, it will give you all the way to privesc.

Anything can call me …

That was the best machine I’ve ever made.

Hello! Can someone help me with the last steps to get root? PM, I’m really stuck for a few hours… :neutral:
Thank you!

Ive tried a couple of things, but I havent been able to get them to work. msv seems the easiest route, after paying attetnion to architecture and creating a basic reverse shell, I am unable to actually get the shell using dnsc**. Could use a nudge

Stuck for hours and hours on checking if the victim is able to access my share through the smb…
“net view \smb_server_ip” → net.exe : The Server service is not started
Can someone help me? :frowning:

Amazing machine. Humble me too much.

C:\Users\Administrator\Desktop>whoami 
whoami 
nt authority\system

C:\Users\Administrator\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Really good box! I was nervous seeing there was no http service like usual but it really helped be learn about some new tools and windows! Thanks to the creator!