Official EscapeTwo Discussion

HTB Content Machines
124

no one likes to be told to enumerate more, but frankly being told to look harder is a big hint in itself.

if you have a shell from xp_cmdshell then yeah sorry you just have to keep looking. the domain name of the network should clue you in as to what application’s files you should be combing through.

best of luck!

1 Like
125

Care to give me a hint? Stuck on escalating to root. Did WinPeas help you?

126

I’m still going through my winPEAS output, but so far nothing, feel like this is going to be something I’m really overlooking

127

Yeah me too. Rabbit holes are awesome.

128

There is no rabbit-hole. Look at perms Ryan has. Once you find what Ryan has control over, you will know what to exploit. Look into the things name, what it means…winPEAS will not help you at all for privesc.

1 Like
130

That’s been a few steps ago, but I grant you it is a useful hint. Right now it’s ryan that’s getting on my nerves, I know theoretically what I need to do with him, but I’m overwhelmed by the how.

131

Nonetheless, I do appreciate the feedback.

132

Any hints to get the initial foothold? I am new to AD testing and smb does not seem to be the way in like it usually is with easy windows machines. i was able to enumerate some users with kerbrute but i do not know what to do next.

133

can we all agree to use the same password for ca_*** ?

134

Did you see that the box comes with credentials?

1 Like
135

wow haha, it was a bit hidden bcs i did not have my browser on full screen. how stupid of me xd thanks!

136

wow… i didnt check this… wow im an idiot

1 Like
139

Yes I know, just trying to figure out if there’s a way to address the situation another way.

1 Like
140

but i assume(when doing it manually), you have to patch the template yourself? something c***py does for you

141

password should be :

password123*

im sick of ppl changing it and removing the permissions
please let’s al agree

1 Like
142

not sure, I have only done a couple of ADCS machines, and I’m not very good with this. I could very well be missing a few things here. Still have to go through the Academy module.

143

Are you talking about the password for s**_**c?

144

No,
I found the root gg

145

theres a cleanup script that removes permissions and resets pws, even if you set a specific one. Also if you pick a easy pw like password123* on a account with spn set you open up the unintended route of someone else being able to kerberoast that account and accidentally bypassing 60% of the box, thinking this is the intended way.

1 Like
146

yeah i figured