Well, we didn’t. In fact, this method wouldn’t work normally. All of the shares we had access to as james were “non-writeable” and therefore we wouldn’t be able to get a shell using this technique.
HOWEVER!
Reason why we got psexec to work is that the author of the box forgot to clean after himself. He left a certain service running which allows all the communication to be done through windows pipes. We are able to to overtake this pipe and get a shell… @ponder
I’m very sorry for my late reply, I don’t really check the forums often. Time is tight. If you want to get into contact you can try my twitter. It’s the same handle as HTB