I’m having trouble running sharpup on the host. Is it just me?
This was a fun machine. Kudos to the author.
A bit late to the party, but if anyone needs help feel free to reach out
A few hints first:
User: Enumerate, dump, grep and crack. Then think about what you could do with your newly found powers.
Root: carefully read the output of your tool. What is allowed to perform what you are intending to do? And what is not?
hey everyone! anyone willing to help me validate some findings? I think I have something, but I got a bit stuck and not sure if I am not in a rabbit hole. Thanks
Solved it. Ping me for support if you get stuck on the cert step.
For the ones that get the error Unknown DCE RPC fault status code: 00000721 or even the NETBIOS timeout error, here is the thing you should try:
- Add the dc to the DNS source /etc/resolv.conf file
- Try to request the template using the Pwnbox machine
Rooted.
Feel free to shoot me a DM if you’re having issues.
Let me know where you’re stuck and what you have tried.
Same here, but expect delays on replies for DMs. Really fun box, solid medium, that’s for sure.
I got some files for a certain automation tool, got all the cleartext passwords, got encrypted passwords from this automation tool decrypted, managed to log in to pwm. With some assbackwardery managed to find all users from the ldap directory.
I see that pwm has some proxy user. Passwords that I found do not match to that proxy user.
I created a list of all usernames/passwords (encrypted/decrypted) found and tried hydra on smb, winrm and ldap. No luck so far.
I’m rather confused at what to do next. I am thinking of trying recovering ldap proxy password from pwm, but feels like I’d need to spend days in pwm source code to understand how it works. Feels like a rabbit hole.
It seems like the most logical thing is to do something inside of pwm. But I’m stuck at this point. Would appreciate a hint if possible.
Actually, I’m wrong about bruteforcing. I got some credentials to SMB, but it does not give me access to anything.
With a hint from awesome folks I think Iām able to proceed to the next step.
And I got the user shell, now to the rooting part.
Just rooted, this is such a weird machine, the privesc is the first time that I do something similar…
If you need a nudge towards admin, feel free to DM.
Hi there!
I’m completely stuck… Already downloaded the files, cracked the hashes and enumerated all services, but I cannot use the credentials anywhere… Anyone available to give me a hint? I’m sure I’m doing something wrong…
if you ONLY cracked the hash(es), you didn’t finish the job
Thanks! I wanna feel desperate first
Also, the name of the machine + what I saw in automation scripts kind of give me an idea.
Finally!!
I’d rate user as easy and root as insane - but only for me …
… had the solution already but it wasn’t working as I had a small typo in one of the command options.
So I’ve thrown it away and wasted 3 whole days looking for an “alternative” solution
My hint: If you get some errors look at the -help sections of the tools you are using. Some tools share the same options but in a slightly different way/syntax. So don’t copy & paste them blindly.
My VM made this so much harder than it needed to be.
Half the commands and tools I needed in the end did not work out of the box and needed to be fixed first
Guess I have to go through some retired Windows machines to check which of the tools are actually working and which are not
feel u bro
Anyone willing to DM a nudge in the right direction? I’m close to finishing foothold but stuck on the last part