Official Intelligence Discussion

@Krose said:
> Just rooted this machine and I really loved it! I learned so much! There is really no shell needed here, just simple tips:
>
> * For user flag, enumerate everything, look into the website, the files and enumerate them, just look into the file names and you will understand, a simple python script will solve.
> * For root… Impacket has everything you need, use google and be happy.
>
> You will probably hit some time syncing problems, not much of a problem, just google about this and you will be able to root the machine with no problems

Got user. Agree with what @Krose stated. Same steps led me to user. Hope root will do the same. :blush:

@JulianoPL said:
> After 2 days of reading… lots of errors on commands… losing my way into AD (with bloodhound even breaking my VM) and all other dead ends that I can think of…
>
> Evil-WinRM PS C:\Users\Administrator\Documents> whoami
> intelligence\administrator
>
> ■■■… this box was a lot harder than I thought (for a medium box)… Maybe because I know only the basics of windows pentesting (trying to improve here)… but learned a lot through several different sites, blogs, and other stuff…
>
> The basic enumeration (find the “hidden” files) is easy… get to the user is also pretty straightforward… on the above messages in this forum you’ll find all you need… just pick the line/docs you have in front of you and follow it to the end…
>
> But from there to 2nd user (and then root) was ALL new to me and I still don’t understand how some of the tools (site below) work… just copied some and changed the names, pass, etc accordingly and put to run… after several different dead ends, I finally got it… I’ll now wait for this box to go retired and see ippsec walkthrough to understand what I could’ve done better/different… he also explains a lot why he’s doing this or that ^^
>
> Either way this is a very good reference, if you want to learn more about impacket tools (it helped me a lot to understand the tools on a box like this one): No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
>
> Good luck :slight_smile:

I got the first user and I know the path to root… But the user I have does not have the right permissions to do it, and the t****t of s*****t user is uncrackable to the knowledge of kali wordlists. So basically I am stuck on the second user. Any hints?

That may be the first Windows box I’ve enjoyed. Just a super amount of fun and got to learn some new skills. Thanks!

EDIT: Solved it, after doing some more research on the error I saw that I missed a step. Once I executed that everything worked - rooted! All need some help. I’m trying to run a command going after root (near the end), but I am getting a specific authentication error message and I’m stuck on getting past it. Need a nudge on how to work around it - I’ll send the error message in a DM

@bestrocker221 said:
> I got the first user and I know the path to root…
> But the user I have does not have the right permissions to do it, and the t****t of s*****t user is uncrackable to the knowledge of kali wordlists.
> So basically I am stuck on the second user. Any hints?

Not sure what your stars mean, but the hash you need to crack is inside what is probably the most famous wordlist, so if you can’t find it, either you have a wrong hash… or the wrong user :slight_smile:

@KingaZ said:
> I suppose there are more files besides 2 easy to notice. Do I need to write my own script to find others or I can just google a way to do it? I’m not good in scripting :expressionless:

Time to learn then!
That is light scripting, it’s basically creating a wordlist that fits the filenames you have access to. There are a few caveats but if you take your time and think about it you’ll make it work :wink:

Rooted. ■■■■ this was a tough box. If anyone needs a nudge, let me know. Wrote my own python script to help with yanking the “files”. Happy to share it. Thanks to the creators! This simulated a lot of real-world scenarios.

Finally got root! I ended up having to do the last step to root about 60+ times because it just wouldn’t work, wouldn’t work, wouldn’t work, it worked… with no change in command, just checking my time again and again… This box was way more frustrating than it had any right to be to be honest, but I learned a lot about AD.

Help please: (Clock skew too great). I have this hash: d170…d621. I used nt****te and also set-ntp to true but I always got the same message.

Every DC has its own NTP server inside) You can sync your kali time from the DC. NB. Just realize that bl***d has not only a win client, but also remote python! This makes this machine easier and more solid for me)

Hi, I feel stuck on root, I cannot get any “responses”. Can anyone help?

Those that said all you need is impacket are retards

retracted

Hey all I’m pretty much an AD n00b - I got some creds, fantastic, but now… I’ve been stuck for a while. I enumerated an L**** thing but I’ve got no idea where to go next or even what I’m looking at. Any pointers? thanks. Edit: Did some research online and realized I had completely forgotten something important and I already had user… *headdesk*

Hi,

I got the user.txt but I am not sure what is the next step? I wanted to send DMs but I cannot find the icon to do so in this new forum interface. I clicked on someone’s picture but did not see any envelope button to send a message?

I can’t seem to connect the dots. While the first step in getting root has a certain logic to it (but still is kinda tricky) I’m absolutely lost on the next step. Can somebody give me some hints (and after getting it to work, explain to me why you did this?) Thanks!

I’ve got root’s flag, but upon submission the system declared the flag was incorrect.
I’ve tried to reset the machine, but in vain. Can someone give a hint on how to solve this?

Solved, it’s the VPN’s problem

invaluable for someone who wants to improve themselves on windowssec.

install rdate then:
sudo rdate -n #ip of DC#

Got the user flag, read the “important” docs. One of them led me to find an important file that I am probably gonna use later. Also noticed a second user that I possibly might need to escalate to. However this is where I’m stuck at. I have no idea what to do with this important file. I’ve tried some basic AD stuff like using some the packet to try and get some hashes but none were returned.

Can anyone give me a nudge in the right direction?