Remote

Rooted

User: Enumeration, check all the services available, CSV, exploit
Root: Check remote services, CSV, exploit

Feel free to PM

Hi!, just stuck with root, unable to upload my payloads… any idea?

@aldebaransec said:

Hi!, just stuck with root, unable to upload my payloads… any idea?

You don’t really need to upload a payload.

However, certutil certainly works if you want to upload things.

Finally, I rooted this machine. It was very fun and easy. You only need to pay attention to minimal details.

rooted without any help :slight_smile:

tip for root: people are lazy and reuse passwords for different things.

Spoiler Removed

Rooted box !

All nudges are in the forum. Easy and nice Windows box :slight_smile: Some of my skills improved with this box.
Feel free to send PM.

Rooted!!!

Learned a lot about patience and resilience enumerating this machine.

Thanks to the creator and thanks to everyone who helped!

Hey Guys,

So I’m struggling with this one; any PMs with a little help would be great.

I have managed to mt the locations found the sf file and from that managed to find the a**@.** account and password b************e

I found the .py exploit that didn’t require any changes and I can run some commands but not others. This is confusing me; for example, I can run a ping or ipconfig but I can’t change directory??? Is this a permissions thing?

I guess I believe that the next step for me is to get a payload downloaded via command but that is where I have been struggling.

any help would be awesome, thanks

CyberZombi3

Finally rooted. Many people said they had to struggle with user and root was simple afterwards. Well, for me it was quite opposite. Root gave me more trouble than the user.

USER: As many have already pointed out the high port sharing lots of files out of which one bears the fruit. You will need to pull some strings to get your access. A well-created exploit may help you further with gaining the user and initial shell.

ROOT: Here comes the moment of truth. IMO the method that requires a machine reset to work can’t be the intended method. US method works but is not stable, hence I wouldn’t recommend it. The box name related method doesn’t have straightforward information on Google, so I had to break it down into steps and google each step separately until I got the final creds. At the end, it was just a guess about what to do with them and it worked (lazy admins).

I am here to help anyone who needs it :sunglasses:

@Cyberzombi3 said:

I found the .py exploit that didn’t require any changes and I can run some commands but not others. This is confusing me; for example, I can run a ping or ipconfig but I can’t change directory??? Is this a permissions thing?

Try the other exploit. If this one isn’t working easily for you, the minimal changes to the other one might be a better path.

I really don’t get why tf people rank this machine (and some other ones) as easy.

Finally for root, used msfconsole so I feel I cheated a bit in regard to my OSCP approach lol but done is done! Learned an incredible amount and amazed myself a few times.

Thanks to all who fielded my questions you know who you are, much appreciated as usual!

I found this box difficult, not having done much windows privesc before, and it forced me to review my notes a lot. Enumeration is key here.

Other things that I have learned to be on the lookout for:

  • Some things just aren’t very easy to bruteforce, pick your battles
  • Sometimes there are bugs in pocs
  • Sometimes there are bugs in metasploit modules

Advice for the T********r root: enumerate and google. Go back over your notes from the foothold, find a way that perhaps you’d ignored.

Just rooted this box after hours of struggling with what to do with the information you get from the intended exploit.

To my fellow linux buddies who are also new to windows hacking: don’t do what I did and try to execute code as another user and/or switch to another user within your reverse shell. Close your reverse shell, have another good long look at the open ports, and think evil thoughts.

Rooted! Fun box, good challenge for beginners. I’m not very familiar with windows boxes so it was a good opportunity to sharpen my enumeration skills. Other people have done a great job with hints so I won’t risk revealing spoilers. Everything you need for root is this thread.

Can anyone help me with getting User please. I have managed to get the exploit to work and can see what user I am but I cannot see user.txt…

I also have seen the remote service but struggling to find user/pass for it, already tried all local users on system and old pass I already have for exploit.

@Ninkasi said:

Can anyone help me with getting User please. I have managed to get the exploit to work and can see what user I am but I cannot see user.txt…

I also have seen the remote service but struggling to find user/pass for it, already tried all local users on system and old pass I already have for exploit.

how can you find a file in windows? :wink:

@aldebaransec said:

how can you find a file in windows? :wink:

Any time I try find or findstr and try to traverse directories i.e. search throughout all of C:\ or search each users desktop the script fails and I get a prompt instead, you know the carrot (>).

It doesn’t like something about C:\ so how can I search? Also dir has the same problem.

How did anyone find out how to search using the script effectively, it either doesn’t work and gives an error message most of the time or it just hangs and does nothing.

Simple commands like whoami work…

@Ninkasi said:

Any time I try find or findstr and try to traverse directories i.e. search throughout all of C:\ or search each users desktop the script fails and I get a prompt instead, you know the carrot (>).

Have you looked in the user’s folders with dir ?