This was my first hack ever. Took me about a week since im still finding and learning my tools and how to use them. Would not have been able to get through it without @VBScrub help. Check out his YouTube channel if you are stuck on getting a foothold with the first user.
Thanks again @VBScrub…I owe you.
HI Folks, I’m fairly new to Windows machines and Active Directories, currently own users hh and fh, used bldhd to map the AD, user s*_l**mr seems to have something relevant to own root, but I don’t know where to search in order to reach him. Any nudges / PM will be appreciated !
Thank you for the hints, root dance! Very surprised how fast the second user and root was to obtain. My hint to add to everyone else didn’t need a tool to find the next bread crumb, just looked into something you should never play with on a Windows machine unless you know what you are doing (that includes me!).
Thanks, discovered R * G Q * Y for myself!
Can someone plz help me out- I have 2nd user s**-****r and password but not sure how to use s*****p. THX!
Edit: Solved…read closely
Type your comment> @VbScrub said:
@secucyber said:
Got user. Sorry, WinRM on the box was buggy when i tried…Yeah WinRM on this box has been super buggy since launch. Randomly not allowing connections and not even showing up in a port scan even after resetting the box.
I raised it with HTB support and was told “people are solving the box so there cannot be anything wrong”
I have raised this as well.
If I run my scans on EU or US servers the high port is returned Open and I can connect properly.
But if I run my scan on AU server the port returns filtered and I cannot connect.
SOLID box to solidify skills especially if you’ve struggled through some of the other windows boxes on this site.
USER: Take your time enumerate and think like an admin. May take a couple guesses but you can make bulk guesses if you’re using the right tools
ROOT: A familiar exploit if you’ve been around the block on HTB, may not have been the actual intended path and did take a nudge from @VbScrub but nonetheless not too bad.
PM for hints
Algunas de las pistas que puedo dejar:
User: Relacionado con OSINT, uno de los protocolos en AD y, combinaciones entre si.
User2: Enumeracion basica en Windows - Privilege Escalation.
Root: Puedes utilizar al doggo para obtener informacion, puede ser local o remota. Junto con esto automatizar el ataque tambien con una tool del doggo.
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. 
Type your comment> @moose said:
Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
@acidbat said:
Type your comment> @moose said:Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
@moose said:
@acidbat said:
Type your comment> @moose said:Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
Nevermind. I’m an idiot. Just need the tool, nothing extra. 
Type your comment> @moose said:
@moose said:
@acidbat said:
Type your comment> @moose said:Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here.
Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.
Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.
Nevermind. I’m an idiot.
sometimes the things we need are right there in-front of us 
I’m having a difficult time trying to get the second user. Any tips?
Those who are having difficulty with the e*** tool , changing the ovpnfile to tcp and 443 works for me …
After completing this box, can someone tells me why the name and icon of the box are a hint as some people here mentioned ?
Feel free to PM me.
Rooted a few hours ago.
The box is indeed quite intuitive and straight.
The only issue is that it’s quite unstable.
The same tool that failed for the whole evening eventaully ran smooth the morning after.
Type your comment> @orespan said:
After completing this box, can someone tells me why the name and icon of the box are a hint as some people here mentioned ?
Feel free to PM me.
I’ve not seen anyone say that, and I wouldn’t say they are hints at all myself
