Hi, half year ago I finished Module “Windows Privilege Escalation”. Now this module is updated with the section “Citrix Breakout”. Very interesting lesson and well explained how to achieve window privilege escalation in a restricted environment. However, to answer the questions you have to RDP and results in a linux os machine (Ubuntu). Admittedly in a “windows-like” environment (Xfce4 installed). So it is reachable by RDP, but still remains linux. I tried everything but can’t get the windows powershell etc.
1 Like
facing same issue
have you solved?
Nop
I got it,
After you loggedin via rdp
in the rdp machine, open browser and visit On the Internet: Be Cautious When Connected — FBI
then use the following credential
Username: pmorgan
Password: Summer1Summer!
Domain: htb.local
2 Likes
Thanks. Actually it was written in the lesson. I tried the link earlier in my own browser and that yielded the FBI website (redirecting to https site). In the RDP environment it worked as was told in the text…
Thanks again!!!
1 Like
Can’t run any .ps1 files on target system. I have got the pmorgan flag.txt but can’t escalate privileges. Help would be great 
1 Like
Setting the execution policy to ‘Bypass’ at the process level is a decision that should be made with caution, as it allows the execution of scripts without restrictions with ‘Set-ExecutionPolicy Bypass -Scope Process’.
3 Likes
Hi were you able to resolve it?
Yes, we need to ‘Set-ExecutionPolicy Bypass -Scope Process’ before trying to run any .ps1.
2 Likes
Hi, I’m trying to repeat “Accessing SMB share from restricted environment” in this task, but when trying to run "smbserver.py " an error is being issued, how did you manage to do this action?
It looks like you have no permission to run it. You are htb-student at this moment.
Try to be root!!!
I was not given the password from “root”, unless of course it is the same as that of “htb-student”
As a result, in order not to waste time, I transferred the file in another way to the machine.
Hmm, it’s true, in the task this command was executed under “root”, it’s true. I didn’t pay attention at first.
You could use “sudo -s” and then you are asked…
[sudo] password for htb-student:
and then you were root
root@ubuntu:/home/htb-student/Tools# …
2 Likes
run it as root.
su -s
hi please help me I’m stuck at this point I don’t have the file .\PowerUp.ps1 and I don’t understand how to raise privileges, give me a hint pls
You have to upload PowerUp.ps1.
First start PS and use SMB share to upload.
See “Accessing SMB share from restricted environment”.
Success.