Finally got root with a tip posted on this thread from @Kedaegan
I ended up creating a Windows 10 VM on my network and then setup a vulnerability to match the HTB VM. This made testing the PoC a lot easier.
The box was very nice, I think. For user I went into a little bit of rabbit holes, and it took me longer to realize my mistake. Root was very easy once you find how to run what you cannot run on the machine. With the right tool you can achieve what you want and it will work like a charm.
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.198] 49839
Microsoft Windows [Version 10.0.17134.1550]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
Learned some new stuff from this machine that I didn't know was possible with a Windows machine.
Type your comment> @rholas said:
Very Easy User in an Easy box finally
Compared to the (retired) box Netmon, it was hard.
Can anyone please tell me how I run the exploit on the victim when Python is not installed on it?
Hmm, quick question for anyone who has found the a***n page: is the Browse/upload button meant to work?
@agpriyansh I messaged you …
connect to [10.10.15.16] from (UNKNOWN) [10.10.10.198] 51619
Microsoft Windows [Version 10.0.17134.1550]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
The foothold is very simple, you just can't miss it.
Hint: you don't have to enumerate, just good observation will get you on the right path.
Root: There is something on this box that can help you move "forward".
PS: The root for me was a bit tricky because I never knew you can exploit something using those methods.
Feel free to PM me if you need a nudge!
Nudge for people stuck on the root exploit not working where you believe it should:
Check the output from the "generation tool" - don't just copy-paste, as you might copy a tiny bit more than you need.
For those scratching their heads at how to execute the specific exploit remotely, think about how you might make a service or port extend back to your attacker machine.
Please remove post if this gives too much away or is deemed a spoiler.
Cheers to @gunroot for the initial nudge!
@mechs85
you can make it work
Type your comment> @davesipos said:
@mechs85
you can make it work
Ahh! Is that meant to happen? Or was that an unintended bypass?
Type your comment> @mechs85 said:
Hmm, quick question for anyone who has found the a***n page: is the Browse/upload button meant to work?
It can actually work if you play a little with the JavaScript, so inspect element and modify.
Finally rooted after @gunroot's nudge! PM for hints :wink:
Type your comment> @agpriyansh said:
Can anyone please tell me how I run the exploit on the victim when Python is not installed on it?
Build a bridge or make a tunnel.
I'm kinda lost with this machine. I made my way inside the shell but I can't do much. I saw and tried to use the n4.* file but couldn't do much of a thing. I'm frustrated because I know this is an easy machine but I'm unable to move forward.
Type your comment> @ciberpapi said:
I'm kinda lost with this machine. I made my way inside the shell but I can't do much. I saw and tried to use the n4.* file but couldn't do much of a thing. I'm frustrated because I know this is an easy machine but I'm unable to move forward.
I'm guessing the name of the box helps. You can "dir" and "type" locations. Have a browse.
I'm struggling with the B.O as it seems the file isn't even running.
@mechs85 Google the file and a vulnerability will come up …
Type your comment> @MariaB said:
@mechs85 Google the file and a vulnerability will come up …
Thanks, I got the name before, but for it to be exploited it needs to be running - that's my struggle at the moment. Not sure if it's my shell or not.
ConnectionRefusedError: [WinError 10061] No connection could be made because the target machine actively refused it
Anyone else getting this error when trying to get root? Any help would be appreciated.
Can someone give me a nudge? I found the /a***n page and got the "button" working. But it gives me errors when uploading a shell. Also tried bypass, gave me a download button. Is that ok?