Rooted the machine. But only because of some subtle hints in this thread. Please PM me if you can tell me HOW I should be able to find out this machine was vulnerable for this attack? User to administrator that is. Would really like to know how I can implement it in my enumeration going forward.
I had the same issue so I switched to parrot (as I had it in spare) and it worked!
Donāt know why.
1 Like
Oh great! I will try with Parrot thanks mate!
Okay, I started yesterday with this box. It was easy to get shell access as the sql_svc user, but now iām stuck. Iāve gained a shell with Evil-WinRM.
Can somebody give me a little hint? 
Check some sql logs
Ran certify.exe, then went to request a cert and it threw an exception saying a file was missing.
Run winPEAS to find another user. You will need to think, given the machine, how to capture credentials. Hope I havenāt given away too much, not intendedā¦
can someone help me with ce****y.exe ,im trying to run it to create a cert but i get this error
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
in case someone say why not to remove that ā¦ simply i cant with out admin priv
Didnāt work for me, had to run ntpdate ip address of target
Try certipy
Is HTB Pwnboxes down? Canāt get it to open, even trying different servers and different levels of access.
Thank you! Great hint!
