SecNotes

#rooted
ping me if you struggle :slight_smile:

@royc3r said:
I've been stuck on getting a shell to work for a week. I'm guessing you have to rename the shell to one of the files in the directory so it doesn't get deleted, but with any of the ones I try I never see a connection from the server to my laptop in a tcpdump.

Finally got user. As always, more enumeration was required.

Stuck getting a shell :confused: Tried the ways I know and searched a bit more but got nothing…
Any hint? :slight_smile:
Edit: Got user and root, was easier than I thought… Don't get bored of enumerating and looking at details… Feel free to PM me if you need help.

I learned a lot even when I was going the wrong way :slight_smile:
Thank you @0xdf .


Rooted, wow a long way to get the flag :slight_smile: Trying harder things than the easy way.

Need help with initial foothold. Dumped the users with hashes. Can someone please pm me?

EDIT 1: got through! Thanks @Kadi
EDIT 2: just got root. Thanks to all who helped me out. It is easy if you know what to do.

Great box @0xdf . A sweet experience once you get there.

Can somebody PM me? I'm totally lost with privesc.

EDIT :
I got root!
PM me if needed

I got root.txt. Has anyone root shelled this box?

@x0xxin said:
I got root.txt. Has anyone root shelled this box?

I just managed to get it. Very fun box; a root shell is not needed, but I popped one for fun. It's probably not the easiest way, but some tools were just acting funny against this box. Anyone else get it in a nice, clean way? At the moment, the way I got a root shell is a two-stage process…

500 - Internal server error :astonished: :anguished:

Edit: Got user :sleepy:

@Ju577Ry said:
500 - Internal server error :astonished: :anguished:

Correct your query

Getting the basic info was pretty easy. But after that I was stuck for hours when I forgot an option in the first thing I do in my basic enumeration. After that it was very straightforward to get user, but I'm still stuck at the privesc. Spent hours on it, trying multiple things. Some hints are very welcome!

Can someone help me with a hint by PM? Is the SecNotes app vulnerable? Where should I focus?

Nice machine. For a privesc hint… don't overthink it, there is a pretty easy way of getting it. Just think about two things: a not-that-old Windows feature which wasn't available in earlier Windows versions, plus the basic enumeration you do once you figure out the first thing :slight_smile:

As mentioned before, root is pretty straightforward once you discover the feature which was just added to Windows 10. You don't have to execute it; think about it…

I got an nc reverse shell, but with this shell I can't execute interactive commands (such as the one I think I need to run to privesc). So, how could I upgrade it to an interactive shell?

@RawTables said:
I got an nc reverse shell, but with this shell I can't execute interactive commands (such as the one I think I need to run to privesc). So, how could I upgrade it to an interactive shell?

I think this is basically one of the problems I encounter getting privesc. Almost everything I try is not functioning.
Edit: I'm a bit further with this. You have to find a certain exe and just basically run it from anywhere. It might throw an error, but just ignore it; it won't give any feedback and will look like it hangs.
EDIT: Finally got it after hours… pfff, what a box. Weird way to get the flag though. Basic Linux enumeration, but you have to think outside the box.

The user flag was easy but rooting this is a pain. I'm root on the box but cannot get to the flag. I feel I'm really close and I'm missing one thing. Can anyone PM some pointers?

@jbob said:
The user flag was easy but rooting this is a pain. I'm root on the box but cannot get to the flag. I feel I'm really close and I'm missing one thing. Can anyone PM some pointers?

Rooted! That was not a privesc I was expecting. Thanks @lun3r and thanks @0xdf for creating this fun yet frustrating box. Learnt a lot of ways how not to get the flag.

Maybe someone can give me a hint for the *** Inj****n on the login page. I think there is a little mistake in the syntax. Please PM me, or am I on the wrong path?