Heist

Finally… Root and the broken enumeration tools out of Kali… took me the most time. Learned a lot, first machine! Thanks!!

Would love a nudge on root. I’ve gutted the animals on the server, but whenever I try any of my tools to dissect the results, e***-w***m just times out before the analysis completes. I’m worried I’m down the wrong path here, and I’m quite unfamiliar with Windows in general!

@0x45nice said:

Would love a nudge on root. I’ve gutted the animals on the server, but whenever I try any of my tools to dissect the results, e***-w***m just times out before the analysis completes. I’m worried I’m down the wrong path here, and I’m quite unfamiliar with Windows in general!

I hope you are trying with the procdump tool, which will take you in the right direction for dumping the process, and once you have done the dump, try to string it with a PowerShell cmd. (Hints: Child-****** -Recurse *******)

Could someone PM me and give some hints? I have 6 users and 3 passwords and I dunno where to go next.

OK I am stuck at root.
So I got the k*.d*, but do I need it? And if yes, what do I do with it?
Or is there a more direct way by using “the process”?
I feel like I have the answer right before me…

If you have all the user/pass and you still can’t get in, reset the box. I tried every permutation and couldn’t get it. Reset and I got right in.

Also would appreciate a hint on root, specifically how I actually go about opening the “process files”. Can’t seem to figure that part out.

I would like to chat with someone who got the user flag. I already got some loot but still having trouble.
Thanks.

How can we transfer the d**p file? I am using nc.exe but getting a no-data error.
Can someone give me a hint?

Edited: finally rooted my first Windows machine. Thanks @MinatoTW for this nice stuff.

Thanks @watashiwaojsn for your help.

Very new to Windows, got user but completely lost on root, would love a PM from someone.

thanks for the machine. It was nice. :slight_smile:

I have gotten a list of the usernames from the SD workgroup, and I have the h** and c**** passwords verified using a connection to the shares. I know this forum said to use a Ruby script to connect to the RPC. I think I am using the wrong one because I absolutely can’t get it to work. Could someone tell me the author of the script as a hint?

Hang on… got one hit off of C username with the Metasploit module w****_****n

Stuck on root… I’d really appreciate it if someone could PM me and give some hints on how to get root… I read all the previous comments, but they mean nothing to me. I am an absolute n00b in Windows environments. Thanks!

edit: Rooted. I have no idea how I did it :smiley:

Windows boxes are still a weakness of mine, but I did learn a few new tricks on this, so thanks to @MinatoTW for a good box to learn from.

So, my hints.

USER

  • Passwords aplenty! There is a nice Python script available specifically for decoding one type of password, while JTR or hashcat can be used for the other.
  • An impacket script can be used to find more people.
  • The suggested “evil” script can be used, but there are other options (MSF) to give you access.

ROOT
As I was late to the game, I will be focusing on the supposed intended path.

  • Monitor the processes. One of them implies that the owner left his b****er window open.
  • “Stig of the ****” that process. Make sure to use the right settings.
  • Get a good “grep” to find your access.

PM me here or on Discord (not the HTB site) for further hints. Don’t forget to tell me your progress to avoid spoilers! (“Can I get a hint on user/root” is not progress!!)

I’m pretty much stuck :/, I’ve gotten 3 creds but I can’t find anywhere to use them. I’ve tried using evil-w**** and smbclient but I haven’t gotten anywhere. Could someone PM me and give me a nudge please?

@Expanding said:

I’m pretty much stuck :/, I’ve gotten 3 creds but I can’t find anywhere to use them. I’ve tried using evil-w**** and smbclient but I haven’t gotten anywhere. Could someone PM me and give me a nudge please?

The 3 passwords and creds you have should be enough to get more usernames. Remember users like to reuse passwords a lot… so if you can find a 4th username, try all the passwords you have, then begin the enumeration phase again. Remember all your enum tools for Linux, and you should be able to find more… :wink:

■■■ I’m a total NOOB… so used to Linux, had no clue what I was doing after I ran E***_****M. Didn’t even notice it opened me into a PS c>… User done. Now for root!

Rooted, thx @crankyyash! Follow his comment, it’s the most detailed hint to do this box.

Ok, someone has closed Fx services and the machine cannot be reset.
I’m stuck with the root.
I’m using internal p*p to dump service. How to read inside the file?