Below you will find pages that utilize the taxonomy term “Windows”

Hack The Box - Machines

Administrator

Administrator

Summary

  1. using netexec to find we have PSRemote permissions on the box
  2. run bloodhound via evil-winrm
  3. abuse GenericAll permissions on Michael
  4. abuse ForceChangePassword on Benjamin
  5. Find pwsafe vault in FTP
  6. crack the vault and find Emily’s password
  7. Abuse Targeted Kerberoasting to get Ethan’s hash
  8. Crack the hash of Ethan
  9. perform the DCSync Attack

USER

Initial Enumeration

This machine is a bit different from other HTB Machines. we receive some info at the beginning and start the box with a username and password. olivia / ichliebedich are the valid credentials we start with. This looks like an Assume Breach Scenario. cool!

read more
Hack The Box - Machines

EscapeTwo

EscapeTwo.png

Note: Machine Information As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Summary

  1. found juicy file in SMB share
  2. extracted passwords from unzipped xlsx file
  3. reverse shell as sql_svc using mssql and xp_cmdshell
  4. password spray to find credential reuse
  5. writeowner abuse using impacket
  6. ADCS-ESC4 using certipy

Initial Enumeration

Port scanning

As always I start off with a port scan. first a full port scan followed by a detailed targetted port scan.

read more
Hack The Box - Machines

Certified

Certified

Note: As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

Summary

  1. AD Enumeration using netexec and bloodhound
  2. abuse WriteOwner permissions to become member of Management Group
  3. ShadowCredential attack to get hash for management_svc
  4. Lateral Movement to CA_Operator by changing password
  5. ADCS-ESC9 to become Administrator

Initial Enumeration

As usual I start with a simple full port scan followed by a more detailed targetted port scan

read more
Hack The Box - Machines

Cicada

Cicada.png

Summary

  1. use anonymous sessions to find txt in HR share
  2. use RID-bruteforcing to find usernames
  3. password spray password on found user to find valid credentials
  4. read AD user info using rpcclient and find new password
  5. winrm into the box with new credentials (user)
  6. abuse SeBackupPrivilege to escalate to Administrator (root)

Initial Enumeration

As always I start with a port scan using nmap to find running services.

First I find all open ports using a simple port scan:

read more