Sauna

Spoiler Removed

@mspreitz said:

The only username I got so far is the one of H*** S****. Any hint on how to get the mentioned service name? e4x is not giving me anything. Same is true for Get******.py

There is such a thing as a corporate naming pattern: john.doe and so on.

@Malvik said:

@Dreadless said:

Is the password for the initial user a guessing game? Can’t seem to get it my usual ways, unless I am using the wrong user!

Initial user password is not a guessing game…

The password isn’t, but getting the correct username does involve some educated guessing (unless I missed something).

Spoiler Removed

Wow, I’ve found the password for the service user. Needed a lot of enum …
Now let’s see what I can do with it

Spoiler Removed

Spoiler Removed

@VbScrub said:

I’ve got some creds that I know are allowed to Powershell in, but the powershell service seems to be down now even though it was open during port scan earlier… can’t even telnet in to that port. Might have to do a reset

EDIT: After a reset all worked fine, so I’ve got user and now on to root :slight_smile:

I had the same problem. I had scanned the server like 8 times and the port was closed. Then out of nowhere it was open :neutral: . I had lost like two hours looking for other ways :(.

Server rooted. All of the needed techniques have been used in other machines. But it is nice to practice and refresh the knowledge :smiley:

Thanks to @egotisticalSW for the machine

Alright, I can’t figure out privilege escalation. I got in on my own, but my Windows skills are just horrid. I know what needs to happen next; I just don’t know what tools to use or where to look for the info I am missing. Can someone PM me a nudge, maybe an article?

@martinhaller said:
Server rooted. All of the needed techniques have been used in other machines. But it is nice to practice and refresh the knowledge :smiley:

Thanks to @egotisticalSW for the machine

I think as well as that technique used on other machines, there is actually a fairly new exploit we can use (and if so it’s definitely an intentional alternate way to get root). Will be trying it in the next couple of hours and will report back

Can someone confirm if the hound is the way to root once the other account has been found?

@VbScrub said:

@martinhaller said:
Server rooted. All of the needed techniques have been used in other machines. But it is nice to practice and refresh the knowledge :smiley:

Thanks to @egotisticalSW for the machine

I think as well as that technique used on other machines, there is actually a fairly new exploit we can use (and if so it’s definitely an intentional alternate way to get root). Will be trying it in the next couple of hours and will report back

Haven’t known about a new exploit. I will check the forum later and try it the other way if there is some :smiley: .

Spoiler Removed

Rooted. Still wondering why this box is marked as CVE in the rating.

@alez said:

Rooted. Still wondering why this box is marked as CVE in the rating.

I guess it depends on 2 things.

  1. Which method you used to get root. The method I’m going to be trying shortly literally has a CVE article written about it.
  2. Your definition of CVE. To me even if there’s no CVE article written about what you’re doing, I’ll still mark the box as such if I had to use existing common tools like Impacket or Mimikatz etc to do the majority of the work. The opposite of that would be a machine where you have to do custom exploitation that mostly isn’t possible with off the shelf scripts etc.

Done and dusted, the pass for that second account was hidden the nasty way :slight_smile: Learned a lot. Thanks to @zabogdan for the nudge!

Rooted. Similar approach to a recent box :slight_smile:

@theonemcp said:

Rooted. Similar approach to a recent box :slight_smile:

kinda like finding trees in a Forest :slight_smile:

@VbScrub said:

@alez said:

Rooted. Still wondering why this box is marked as CVE in the rating.

I guess it depends on 2 things.

  1. Which method you used to get root. The method I’m going to be trying shortly literally has a CVE article written about it.
  2. Your definition of CVE. To me even if there’s no CVE article written about what you’re doing, I’ll still mark the box as such if I had to use existing common tools like Impacket or Mimikatz etc to do the majority of the work. The opposite of that would be a machine where you have to do custom exploitation that mostly isn’t possible with off the shelf scripts etc.

If there is another method and this was unintended I won’t argue, but what I understand as CVE is basically a vulnerability that exists in a software version and that has been patched and disclosed.
I don’t know if there are guidelines in the HTB community regarding that (would be nice if someone pastes the link in case it exists), but for me, as I’m pretty new here, it is confusing if it is right to rate this box as max CVE rating.

I’m at a complete loss here. Can’t even get user. Just started HTB last week and did a bunch of Retired machines the last couple of days. Saw a new ‘easy box’ and figured it would be my foray into the active realm. Boy, was I wrong. Any retired boxes I could look at that could help me brush up on the tools and skills I need for this box?