Official Omni Discussion

@hefnyy said:

Well, I guess I shouldn't have chosen this machine to start my HTB journey, but after struggling with it for 3 days and using a couple of hints from this forum for the machine enumeration part, I actually managed to root it and I am so proud of that!

Nice work! Welcome to HTB and I really hope you enjoy it here.

If someone could please DM me any resources / references to help me get better at the enum part for future reference, or that explain how you guys knew what you should look for, that would be fantastic!!!

There isn’t really a simple answer for that. Enumeration is sort of a term people use to mean “trying stuff and seeing what turns up”.

There are general methodologies - used by tools like LinEnum / WinPEAS etc. - but I am not a huge fan of these and you'll discover they work on about 10% of HTB boxes. In real-world pentests they are often so noisy you'd struggle to justify using them.

At a very, very basic level, enumeration for privesc is down to simply thinking of things to look at and then trying it. For example, I've seen lots of situations where sysadmins have left privileged credentials in web.config and unattend.xml files to support automation. Checking to see if any exist is a good enumeration step but - off the top of my head - I've never seen this work on an HTB box. However, the general principle of "Look for credentials in files related to automation" is fairly useful.

Really - all enumeration is about looking at things and deciding if you can use them. I try to avoid noisy things like cd /; grep -ir password * because (for me) it becomes too hard to use the output. But more targeted things like searches for specific files are useful.

Also, a lot of enumeration is down to drawing conclusions - for example, finding a service is suspended and also discovering your account has the privileges to modify that service gives you an idea of how to exploit it.

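The reply above prefers a targeted search of automation files over a blanket grep. The script below is an added example, not code from the thread and not a step specific to Omni or any HTB box: it parses two of the files the reply names (unattend.xml and web.config) and returns structured findings instead of raw matching lines. The file paths and contents are constructed samples, and the names hunt, parse_unattend, parse_web_config and decode_unattend_password are my own. It assumes the Windows System Image Manager storage format for unattend.xml passwords (the literal "Password" or "AdministratorPassword" appended, then base64; WSIM writes UTF-16LE, hand-edited files are often plain UTF-8, so the decoder accepts both).

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Suffix Windows System Image Manager (WSIM) appends before base64-encoding a
# password, keyed by the element that holds it.
UNATTEND_SUFFIX = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}

# Constructed sample files, not taken from any host. The AutoLogon value is built
# the way WSIM stores it (assumed UTF-16LE of password + "Password", base64).
_AUTOLOGON = base64.b64encode("SuperSecret1!Password".encode("utf-16-le")).decode()
SAMPLES: Dict[str, str] = {
    "C:\\Windows\\Panther\\unattend.xml": f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon>
      <Username>deploy_svc</Username><Domain>CORP</Domain>
      <Password><Value>{_AUTOLOGON}</Value><PlainText>false</PlainText></Password>
    </AutoLogon>
    <UserAccounts>
      <AdministratorPassword><Value>LocalAdm1n!</Value><PlainText>true</PlainText></AdministratorPassword>
    </UserAccounts>
  </component></settings>
</unattend>""",
    "C:\\inetpub\\wwwroot\\web.config": """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=app_sa;Password=Db!Pass2020;" />
  </connectionStrings>
  <appSettings>
    <add key="LogLevel" value="Info" />
    <add key="ApiKey" value="k3y-for-test" />
  </appSettings>
</configuration>""",
    # Contains the word "password" but is not an automation file: pure grep noise.
    "C:\\inetpub\\wwwroot\\readme.txt": "Rotate the password policy before go-live.\n",
}


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value: str, plaintext: Optional[str], suffix: str) -> str:
    """Undo WSIM storage: plain if <PlainText>true</PlainText>, else base64 of
    password + suffix (UTF-16LE when written by WSIM, UTF-8 when hand-edited)."""
    if (plaintext or "").strip().lower() == "true":
        return value
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le" if b"\x00" in raw else "utf-8", errors="replace")
    return text[: -len(suffix)] if text.endswith(suffix) else text


def parse_unattend(xml_text: str) -> List[dict]:
    """AutoLogon and local Administrator passwords, with the account they belong to."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in parent}
        user = kids.get("Username")
        if user and kids.get("Domain"):
            user = f"{kids['Domain']}\\{user}"  # sibling Domain/Username describe the account
        for child in parent:
            name = _local(child.tag)
            if name not in UNATTEND_SUFFIX:
                continue
            inner = {_local(c.tag): (c.text or "").strip() for c in child}
            if not inner.get("Value"):
                continue
            secret = decode_unattend_password(inner["Value"], inner.get("PlainText"), UNATTEND_SUFFIX[name])
            findings.append({"source": "unattend", "setting": name, "user": user, "secret": secret})
    return findings


_CONN_SECRET = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;]*)")
_CONN_USER = re.compile(r"(?i)\b(?:user id|uid|user)\s*=\s*([^;]*)")
_SECRET_KEY = re.compile(r"(?i)pass|pwd|secret|token|key")


def parse_web_config(xml_text: str) -> List[dict]:
    """connectionStrings carry DB credentials inline; appSettings keys named like secrets are flagged too."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        name = add.get("name") or add.get("key")
        conn = add.get("connectionString")
        if conn and (m := _CONN_SECRET.search(conn)):
            u = _CONN_USER.search(conn)
            findings.append({"source": "web.config", "setting": f"connectionStrings/{name}",
                             "user": u.group(1).strip() if u else None, "secret": m.group(1).strip()})
        elif name and add.get("value") is not None and _SECRET_KEY.search(name):
            findings.append({"source": "web.config", "setting": f"appSettings/{name}",
                             "user": None, "secret": add.get("value")})
    return findings


PARSERS = {"unattend.xml": parse_unattend, "autounattend.xml": parse_unattend,
           "sysprep.xml": parse_unattend, "web.config": parse_web_config}


def hunt(files: Dict[str, str]) -> List[dict]:
    """Dispatch on the file name rather than on grep hits, so every result is a
    structured record (file, setting, user, secret) rather than a line to eyeball."""
    results = []
    for path, text in files.items():
        parser = PARSERS.get(path.replace("\\", "/").rsplit("/", 1)[-1].lower())
        if parser is None:
            continue
        for finding in parser(text):
            results.append({"file": path, **finding})
    return results


if __name__ == "__main__":
    for f in hunt(SAMPLES):
        print(f"{f['file']}  {f['setting']}  user={f['user']}  secret={f['secret']}")
```

On a real host the `files` argument would be built by reading whatever exists in the usual locations (C:\Windows\Panther, C:\Windows\System32\Sysprep, the IIS site roots under C:\inetpub) rather than the embedded samples; the point of the dispatch-by-filename design is that the readme.txt hit a blanket grep would return never reaches the output.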