Official Blackfield Discussion

Finally changed the password of administrator and wmiexec in as administrator and was able to read root.txt. But it felt a bit cumbersome. Please tell me if anyone knows a better way. I still don’t understand what trick in Windows prevents the system account from reading root.txt even though it’s the owner of the file.

@jimmyzhang said:

Finally changed the password of administrator and wmiexec in as administrator and was able to read root.txt. But it felt a bit cumbersome. Please tell me if anyone knows a better way. I still don’t understand what trick in Windows prevents the system account from reading root.txt even though it’s the owner of the file.

You don’t need to change the password. You can extract what you need to access the system.

NTFS File Encryption is a good thing to look into. There is a note which hints this.

@TazWake Many thanks, now I’m clear. Spoiler , do you know why?

@jimmyzhang said:

@TazWake Many thanks, now I’m clear. Spoiler , do you know why?

I think I might, but it’s a discussion that will either need to be in DM or after the box has retired.

Rooted!

Very interesting box, didn’t have the chance to play with these tokens before.

DM for nudges.

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

@wilywizard said:

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

So a lot of it depends on which is “User 1” to you - it could be one of 3 accounts as far as I can see.

The first is a crackable hash with the default settings.

@TazWake said:

@wilywizard said:

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

So a lot of it depends on which is “User 1” to you - it could be one of 3 accounts as far as I can see.

The first is a crackable hash with the default settings.

Thanks, that helped me figure out the issue.

Apparently there are multiple variants of r***y**.txt out there and mine was incomplete.
If you’re not getting results using it then look for a different version.

One of the best HTB boxes. Totally real-world-like with tons to learn. Thanks @TazWake for the nudge and @aas for the box. Cheers

WTF is wrong with root.txt on this box??

EDIT: ok, 2 resets needed…

To whoever is trying to view the content of root.txt at the final step and getting an access denied error: if you are using the impacket tool, then try another one.
I did and it worked!

I am enjoying this box. It feels real.

Got usernames, working on getting some hashes.

Edit:

Just got user. AD boxes are always very interesting.

Based on the name of the account I’m in, I have an idea of what my next move is.

I have 2 user accounts. I am working on my third account. I have a hash but I can’t crack it. Can someone send me a PM to discuss?

@marvin7408 said:
I have 2 user accounts. I am working on my third account. I have a hash but I can’t crack it. Can someone send me a PM to discuss?

There’s more to be done with hashes than just cracking them.

@returnz said:

To you and other peeps who face the same issue try this:

smbclient '\\your ip\share' -U 'foo' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000

worked for me!

Many thanks! I spent hours trying to get some of those files. Thanks to your hint I got the user flag in a minute. Let’s go for root.

Update: after an almost sleepless night struggling with the root flag, I get the infamous incorrect flag message.

Grrrrrr :rage:

new update: a reset did “fix” it.

@heuvosenfuego said:

@marvin7408 said:
I have 2 user accounts. I am working on my third account. I have a hash but I can’t crack it. Can someone send me a PM to discuss?

There’s more to be done with hashes than just cracking them.

Yes I noticed. I have the user flag :slight_smile:

I’m stuck after USER1 (at least I think it is user1 ;). Could someone give me a nudge to help me get USER2?

@Qtang said:

I’m stuck after USER1 (at least I think it is user1 ;). Could someone give me a nudge to help me get USER2?

It really depends on who you mean by user1.

If it is the same as my user1 then it might need some obscure research into things that account can do to other accounts.

I finally got the root.txt flag only to have it rejected by the system! I don’t have time to do this again! Has anybody reported this problem?

@tejon said:

I finally got the root.txt flag only to have it rejected by the system! I don’t have time to do this again! Has anybody reported this problem?

https://hackthebox.atlassian.net/servicedesk/customer/portal/1/user/login?destination=portal%2F1

It happens reasonably often and most of the threads have a discussion about this and popular solutions, but if you don’t report it, HTB won’t know about the problem.

The driving force is trying to prevent flag sharing so it’s unlikely that HTB will go back to static flags.