May sound pretty noob, but I can’t even access the user list! I’ve tried the regular enums, anon logins etc. Even the l–p search gave nothing special. A nudge would be helpful at this point…
If anyone is up and around for a root nudge I’d appreciate it.
Happy to give out user / foothold nudges.
@AwkwardUnicorn pm.
.
Tried enuming the s-b shares with creds (the reset is killing me rn).
How to make sense out of the pr–t$ share?
EDIT: Rooted with nudges along the way. Nice box.
Finally rooted!
If anyone need a hint, dm me 
One more, great box.
Type your comment> @returnz said:
Tried enuming the s-b shares with creds (the reset is killing me rn).
How to make sense out of the ******$ share?
If you found that share, it’s no problem to learn more about it.
Enumerate everything. Use everything you have access to.
Finally root!
The box was simple & Great but the VS gave me a headache, thanks to @SanderZ31 @VbScrub @purplenavi @6h4ack for the nudges!
Simply don’t complicate things…
PM for nudges!
Some thoughts, post rooting.
Enumeration is important. ESP. with Windows machines that have a very small attack vector like this one. Take good notes. This will help for sure if you make a writeup but along the way you will be able to refeed your enumeration with old data and new data!
Foothold. enumeration of this box is the key to the foothold. Be logical about your approach and what you are presented with
Escalation/root. Use your previous enumeration along with local enumeration to determine your attack vectors. At this point on the forum there is enough spoilers out there you should be able to piece together a path if you have done even just a little bit of local enum plus google-fu.
Enjoyed the box. Frustrated that i could have had a fair chance at a blood but was too stupid to realize what i already had. thanks to those that helped keep me on the path and allowed me to rant about how frustrating this was at times. The frustrating boxes are always the good ones, you learn from them! @egre55
Spoiler Removed
I only could get a list of possible filenames and thats it. Anyone can give me a nudge ? Cant get any useful info from SM_ or RP_
@Warlord pm
Just got user, indeed it’s all about enumeration. I think i know what to do for root and i dread it… time to go to bed.
For those who struggling with initial foothold, don’t fall in rabbit hole. The initial foothold in this machine is almost similar to some recent machine’s foothold. "
Working on admin exploit; got clean builds of Pr*.exe, Eo*.exe, (only need one of these I know) and ExCa.exe … they seem to work clean on my Win 10 box I build them on with VS but on the victim wr shell they don’t even provide print statements (also no error messages). Also tried nc64 reverse shell to break out of wr shell with same results.
Any hints on what I’m missing appreciated.
@razntwn pm!
@razntwn said:
Working on admin exploit; got clean builds of Pr*.exe, Eo*.exe, (only need one of these I know) and ExCa.exe … they seem to work clean on my Win 10 box I build them on with VS but on the victim wr shell they don’t even provide print statements (also no error messages). Also tried nc64 reverse shell to break out of wr shell with same results.Any hints on what I’m missing appreciated.
I had to use VS2017 to get the E****** working. Compiled fine under VS2019, but didn’t execute on the target.
@HomeSen pm.
VS2019 Works fine!