Nice box! Learned a few things and got a lot better at using different tools.
Foothold
Do not get stuck in the rabbit hole that I did on the web piece. Return to your nmap scan and keep things simple. Make a simple config tweak and observe the new avenue you have opened! From here, enumerate until you find a way in. Found a new piece of functionality that you do not know how to leverage? Maybe it can be used differently from how you're thinking about it.
User
Fairly simple once you find a way in. Basic reverse shell work.
System
Far easier than user. My difficulty was in achieving a stable shell and finding a good way to read the output of the tool I used. This tool is extremely commonplace for Windows privilege escalation; you will know what it is. Simply read the output carefully and Google for an article that demonstrates how to use the exploit; it is very straightforward and takes little time at all to execute.
The administrator is much easier than the user, even without any tools.
I got some hint on the user, and I'd like to know why? What's in the scan tells you how to do what you should do on the initial foothold. Anyone to explain? (DM please to avoid any spoilers)
For foothold, if you know of this type of vulnerability you may have an easier time; if not, it's a good learning opportunity and an opportunity to test creativeness. Shout out to Pentesterlab.com for the assist
Rooted!
Very cool machine to make but I had some problems on w…s… and I needed to restart the machine a few times.
user you need to enumerate and keep an eye on the return of the ports you find.
root there are several ways to get scaling. I found the user more difficult than root.
I have a question regarding PE. It's the second time (different boxes) I upload winpeas on the target, but "nothing happens" when I run it. I mean not exactly nothing, but my shell becomes unresponsive and I have to ctrl+c…
Do you have any idea why?! On the last box I tried with different versions (winPEASx86, winPEASx64, and winPEASany.exe).
For User: I think I had an unintended approach. All I can say is avoid rabbitholes and you can get to the user in no time. Google is your friend. I used a P***** script I found online. I think there might be another way as well.
For Root: This was a nice part (and most painful too)
Study the output of Winpeas carefully. It was my first windows box and hints posted on this forum helped me a lot for privesc.
Honestly, I found this easier than knife but tougher than cap.
I have been doing HTB for a few days now and I feel HTB is really improving my skills.
I've been working on this a couple of days and I feel like I'm stuck somewhere between foothold and user. I've found the dev service and have been feeding it URLs. I'm getting some info back but I haven't found anything that I've been able to leverage.
I'm at a total loss for the foothold… I've tried all ports but can't get anything back from the browser. A nudge would be very much appreciated
This is my first time doing a good Windows box all the way through and it definitely helped me understand Windows pentesting methodology better. I also highly recommend https://book.hacktricks.xyz/ if you're new like me.