Official Blackfield Discussion

Rooted this box last night. It is indeed great fun!
Just be aware that you might need to reset the box, in case the root flag doesn’t work for you!

This was a really fun box once I’d been nudged a bit. Thanks to @Encomo for a very gentle nudge when I was stuck. When the light goes on it gets really fun from there.

Thanks to the box maker for that one. I learned something new about Windows.

This was my very first active hard machine to root. It was quite a challenge (and a bit of a headache towards root due to some problems here and there, nothing that reading things carefully and some nudge telling me to read them even closer couldn’t fix!)

Thanks to @aas for this machine!

hey guys, I need help on user 2

@zdko said:

hey guys, I need help on user 2

Connect as user 1, look around. Find something you’d normally struggle to dump as an attacker. Extract user2 credentials from that thing. Log in as user 2, get user flag.

Guys. I got root and found the root.txt file.
But the system will not accept the hash?
Any ideas?

@drforbin said:

Guys. I got root and found the root.txt file.
But the system will not accept the hash?
Any ideas?

As mentioned several times on this thread and others:

  1. Reset the box (Dynamic Flag rotation issue) + do it again to obtain the new flag value
  2. Raise a Support Ticket
  3. Do 1 + 2

Got root. It's an awesome box.
Will be happy to provide nudges :slight_smile:

@TazWake said:

@zdko said:

hey guys, I need help on user 2

Connect as user 1, look around. Find something you’d normally struggle to dump as an attacker. Extract user2 credentials from that thing. Log in as user 2, get user flag.

thanks bro, I already did

@zdko said:

thanks bro, I already did

Awesome.

This is one of the best HTB machines I have ever done. I’m really grateful to the box creator for the effort they clearly put in. I’d appreciate any feedback on my writeup for this box: GitHub - Purp1eW0lf/HackTheBoxWriteups: Writeups for the machines on ethical hacking site Hack the Box

I wanted to offer some hints that maybe haven’t been said on this forum yet, or need to be reiterated:

User 1 to user 2

  • There’s a username that stands out, and correlates with an SMB share description.
  • RPC is what you want, but the syntax needs a google.

User 2 to User 3

  • Need to take the Kat for a walk but you’re on Linux? There’s a specialised tool for this very purpose.
  • If you’ve done proper LDAP enum, and paid attention to a high port, you should know whose user creds you’re looking for.

User 3 to Root

  • I found that Tobor knew what they were talking about more. But Tobor can’t spell for ■■■■, so double check their spelling mistakes.
  • For some reason, you’re going to need to add one space-bar space at the end of every line for that script. I have no clue why, but just go to the end of each line and hit space.

Can anyone give me a nudge on this box? I have found a large amount of information, probably usernames, via S*B*T having Sharename pfE$. After that I am clueless what to do next. I even tried to find a hash/password but I get nothing. :frowning:

Learnt quite a bit from this. Spent a few hours thinking the root flag was encrypted as it wasn’t accepted when inputted into HTB. A system reboot fixed that.

@TazWake said:

@zdko said:

thanks bro, I already did

Awesome.

User flag done, now to root. Very nice machine.
Anyone need help, don't be shy to ask.

Thank you @TazWake!!! Now I go on the root flag.

Stuck on root. Is getting DS** to work all about RTFM? I keep getting access denied on one of the script steps.

@willywet said:

Stuck on root. Is getting DS** to work all about RTFM? I keep getting access denied on one of the script steps.

It's simple bro, think about where the active der object is stored and notice the scv_backup privilege, then search what you have to do to get that file.

I’ll probably have to PM you to avoid spoilers. Even with that privilege, it doesn’t seem to allow copying a certain entirety of something I need to get to that file.

@willywet said:

I’ll probably have to PM you to avoid spoilers. Even with that privilege, it doesn’t seem to allow copying a certain entirety of something I need to get to that file.

Yeah bro, I will help with pleasure.

Three days later, but I rooted. Thank you @TazWake for helping me confirm my bearings.

Thank you for the box @aas

DM for nudges!