Monteverde

Rooted…!!

All Hints are in this Discussion!

Feel Free To PM anytime ! :smile:

my nmap scan is giving me ping error and when I try -Pn it gives me weird results is that supposed to be a part of the challenge?

oh never mind my VPN was off for some reason :dizzy:

Very easy box with some enumeration and rooted.
User: Just some fuzzing will give you the user flag.
Root: The AzureADSync is the best hint for the root file.

If you are stuck then feel free to pm.

no amount of password guessing is working for me :frowning:

@bugeyemonster said:

no amount of password guessing is working for me :frowning:

alright i have to admit guessing the password was easier than i made it

a lot of the hints for root suggest there are already scripts on the user's desktop to priv esc. this is false, these must have been uploads by HTBers not part of the box itself. I know the A**** service is the one to exploit and have seen the T**** but am not sure how to put it all together yet. Maybe someone could point me to the POC :slight_smile: back to googling

okay i have the user flag, do i need to pivot to another user before escalation with the poc script? i get an error about not being admin when i try to run it in what i think is the correct location.

@TestUserx said:

Ok, got the file on there with what i’m 99% sure is the correct connection string after i did some enumeration on the database side, but it’s erroring out

  + … ibute" | select @{Name = ‘Password’; Expression = {$_.node.InnerXML}}
  +                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

The string is missing the terminator: '.

Nevermind.
Got root, i just needed to check the impostor formatting that got into a few characters of the script when copy-pasting it.

  • one on the hint about using Google (literally, use Google. startpage was sabotaging me with its lack of relevant results)
    The connection string part is pretty easy once you do some basic enumeration on the database side (edition, version, instance name, hosted databases, etc)
    For future connection string references
    SQL Server connection strings - ConnectionStrings.com

This hint was the most useful for me. Anything is easy once you know how and now I’ve got a better understanding of sql server.

Rooted…

ugh, I suck. I made a trivial syntax error with a very basic tool so even though I already had valid initial creds my second enumeration wasn’t working. I thought it was some fancy firewall or permissions issue but it was just me being stupid.

Done! PM for help if needed

Rooted, thanks @Solarstorm for the nudge :slight_smile:

Good job! Happy to help :slight_smile:

Mmm, got users, pretty sure I have the tool and a list of “common passwords” but no foothold… any hint is helpful!

Edit: Thanks to @Solarstorm for the nudge. I just needed someone to push me off the diving board.

After managing to get user.txt my only complaint is that some people here say that one should perhaps check the login times in the LDAP output, which ultimately led me to the decision to discard the user that was actually the one with the “lazy” creds…

Finally got to root! Thank you @VbScrub for the exploit that simplifies the process. I tried some powershell code as well, but afterwards I kinda figured out why it didn’t work. I need to learn more about database enumeration…

Reading the comments here… for root, everyone is saying google the obvious things, which is right. Also saying you need to look at the connection string, which is also right. I would also add – brush up on basic simple MSSQL recon as well, which gave me the info I needed to fix my connection string.

someone can help me with a hint, i can’t get root

@4lb3rh4ck said:

someone can help me with a hint, i can’t get root

Enumerate the user account you are in. Find something unusual they have access to and look at a way to subvert that.