I was held up on user due to the fact that my initial Nmap ended prematurely.

Got root! It was quick and easy once i realized what was going on, and thanks to the hints in this thread.

I think I got root in a slightly different way, based on the writeups. At least, I used a different file, one that seems to be a more generic part of this Windows feature, and probably required less digging on the system.

I cannot believe how many different shells I’ve tried getting an initial shell. asp, aspx, nishang, empire, etc. Nothing is working, the only different thing I ever get is a 500 error. Anyone with any insight, please PM me.

@beginner2010 said:
Very nice machine. Was overthinking too much for priv esc:)

Me too. Whenever I see a setup like this, I somehow always assume the worst and focus on more difficult ways of compromise. Nice box.

Hi everyone, I finally managed to get the root.txt file (really cool box, had a lot of fun!) but I’m still not satisfied. I got it by logging into a certain service with elevated rights. I still don’t feel I’ve properly rooted the machine though, even if I have the the flag, because I only have high privileges when logged into that specific service. Is there a way to get a proper system shell? I feel like I’m missing something… If anyone wants to DM me with pointers I would really appreciate it :slight_smile:

Any hints for entry point? Im seeing secnotes page, but nothing for now.

@9999volts said:
Any hints for entry point? Im seeing secnotes page, but nothing for now.

You might want to re-scan the target host. You should find somewhere that accepts user input

On privesc, I am getting “Error: 0x8XX7XXX” when running the command. Is that normal?

Nevermind :slight_smile:

Great machine, usually I am not so familiar with windows. Once you have your stuff together, its pretty straight forward. PM if you need help.

ping me if you struggle :slight_smile:

@royc3r said:
I’ve been stuck on getting a shell to work for a week. im guessing you have to rename the shell to one of the files in the directory so it doesnt get deleted but any of the ones i try i never see a connection from the server to my laptop in a tcpdump.

finally got user. as always more enumeration was required.

Stuck getting a shell :confused: tried the ways i know and searched a bit more but got nothing …
any hint ? :slight_smile:
Edit: got user and root, was easier than I thought… don’t get bored of enumerating and looking at details… feel free to pm me if you need help

I learned a lot even when i was in the wrong way :slight_smile:
Thank you @0xdf .


Rooted, wow a long way to get the flag :slight_smile: Trying harder things than the easy way.

Need help with initial foothold. Dumped the users with hashes. Can someone please pm me?

EDIT 1: got through! Thanks @Kadi
EDIT 2: just got root. Thanks to all who helped me out. It is easy if you know what to do.

Great box @0xdf . A sweet experience once you get there.

Can somebody PM me ? i’m totally lost with privesc

I get root !
PM me if needed

I got root.txt. Has anyone root shelled this box?

@x0xxin said:
I got root.txt. Has anyone root shelled this box?

I just manage to get it. Very fun box, root shell not needed but popped for fun. It’s probably not the easiest way but some tools were just acting funny against this box - anyone else got it in a nice, clean way? At the moment the way I got root shell it’s a two stage process…

500 - Internal server error :astonished: :anguished:

Edit: Get user :sleepy:

@Ju577Ry said:
500 - Internal server error :astonished: :anguished:

Correct your query