Resolute

New to HTB, this was my 3rd box.
Thanks to @Tellico, @NoWay1911 for the root nudge.

Feel free to PM me if you’re running into problems.

Root hints for those rolling their own:
1- Debug mode won’t work.
2- Architecture is important.
3- You just need to implement 1 function. Less than 10 lines is all you need.

Got root. Thanks @kirkx and @TombBuster for the tips.
I was making some fundamental mistakes.
If anyone needs help, I’m happy to pay it forward, just PM me :)

Got root, thanks to @kirkx and @6d6a6c for the tips.

What a cool box, this was my first “medium” box!

Thanks a lot @inetshell!
I got r**** user, found a D** service and could create a user with Adm privileges, but now I can’t log in with this new user. Could someone help me?

My HTB messages are not working and IDK why.

@Arioch said:

Got user, I have a shell via user1 and a certain port, been enumerating hidden files on the system but I’m at a loss on finding user2’s creds. Maybe I’m missing something obvious? A hint would be appreciated.

Look for hidden folders/files in C:\, maybe you get a hint…

I’m looking to get in to User right now, and I’m stuck trying to find a way in with pass and user credentials. I’m using e***-w**** and I keep getting authorization errors. Any nudge in the right direction would be great!

Stuck on root. Got a shell using r*** creds, can’t seem to find the exploit everyone is discussing. Any nudges would be appreciated.

I have found the first user and have a shell on the box as m******. Looked around for hidden files but cannot see anything. Can anyone PM me a nudge or throw some ideas at me? Thanks in advance.


Hints:
Users

User1: Quite easy just do basic enumeration
User2: Again enumerate the hidden jewels from root directory
Root

Method1: I used the DNSA**** way with D** injection. This method is quite tricky and interesting.
Method2: Once you get user2 creds, give them to the ms*t smb module and that is it. This method is a piece of cake, learned from @grav3m1ndbyte, thanks mate.

I agree with @kkaz :

If you want to do Method 1 (which I did), off the shelf works for D** injection. Make sure you know which arch you’re targeting though.

Also search groups for where to target :)

Dumb question… but where the heck is the user flag? Not in the ‘obvious’ place, or anything on the system that I can find. Box was reset recently, so I don’t think someone deleted it

Edit: never mind, dumb question cuz I’m dumb lol.

I’m on the last part. I tried s** to avoid AV and even created an exploit according to the architecture, but it still didn’t pop my shell back. Can anyone help me here?

@cycl0ps said:

I’m on the last part. I tried s** to avoid AV and even created an exploit according to the architecture, but it still didn’t pop my shell back. Can anyone help me here?

You do not need to take care of AV. Remember, you do not need to upload a file to the target system; you could do it another way.

@kkaz said:

@cycl0ps said:

I’m on the last part. I tried s** to avoid AV and even created an exploit according to the architecture, but it still didn’t pop my shell back. Can anyone help me here?

You do not need to take care of AV. Remember, you do not need to upload a file to the target system; you could do it another way.

Rooted! Thanks @qdada for help. Learned a lot.
Also @kkaz, I was missing the absolute path :)

@kkazz Your hint in Method1 helped me to root this box. My Windows-fu is not that strong. I have an enumeration question: any hints on how to get from the c********r group to dsa***? I could not find out myself…

@emile74 said:

@kkazz Your hint in Method1 helped me to root this box. My Windows-fu is not that strong. I have an enumeration question: any hints on how to get from the c********r group to dsa***? I could not find out myself…

Yes, you are right: ry** is a member of c***r, which is an alias for DAd. Try the whoami tool for groups to get it.

Anyone who can give me a nudge? I have the thing to inject, but the connection is not coming up. Think I am almost there.

:) Never mind, found an easier way for the creation and rooted it.