This was my first hack ever. Took me about a week since im still finding and learning my tools and how to use them. Would not have been able to get through it without @VBScrub help. Check out his YouTube channel if you are stuck on getting a foothold with the first user.
HI Folks, I’m fairly new to Windows machines and Active Directories, currently own users hh and fh, used bldhd to map the AD, user s*_l**mr seems to have something relevant to own root, but I don’t know where to search in order to reach him. Any nudges / PM will be appreciated !
Thank you for the hints, root dance! Very surprised how fast the second user and root was to obtain. My hint to add to everyone else didn’t need a tool to find the next bread crumb, just looked into something you should never play with on a Windows machine unless you know what you are doing (that includes me!).
@secucyber said:
Got user. Sorry, WinRM on the box was buggy when i tried…
Yeah WinRM on this box has been super buggy since launch. Randomly not allowing connections and not even showing up in a port scan even after resetting the box.
I raised it with HTB support and was told “people are solving the box so there cannot be anything wrong”
I have raised this as well.
If I run my scans on EU or US servers the high port is returned Open and I can connect properly.
But if I run my scan on AU server the port returns filtered and I cannot connect.
SOLID box to solidify skills especially if you’ve struggled through some of the other windows boxes on this site.
USER: Take your time enumerate and think like an admin. May take a couple guesses but you can make bulk guesses if you’re using the right tools
ROOT: A familiar exploit if you’ve been around the block on HTB, may not have been the actual intended path and did take a nudge from @VbScrub but nonetheless not too bad.
User: Relacionado con OSINT, uno de los protocolos en AD y, combinaciones entre si. User2: Enumeracion basica en Windows - Privilege Escalation. Root: Puedes utilizar al doggo para obtener informacion, puede ser local o remota. Junto con esto automatizar el ataque tambien con una tool del doggo.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
Nevermind. I’m an idiot. Just need the tool, nothing extra.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
Nevermind. I’m an idiot. Just need the tool, nothing extra.
sometimes the things we need are right there in-front of us
Rooted a few hours ago.
The box is indeed quite intuitive and straight.
The only issue is that it’s quite unstable.
The same tool that failed for the whole evening eventaully ran smooth the morning after.