🛑
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
Clicking the Subscribe button below WILL NOT get you access to this article (although I would be grateful for your subscription otherwise).
Clicking the Subscribe button below WILL NOT get you access to this article (although I would be grateful for your subscription otherwise).
Initial Foothold Hint:
- The target is a domain controller. Which services might allow you to enumerate usernames?
- How can you enumerate other DNS names the server uses?
- Enumerate different directories and files on the web server. Can you find any files that take user input as a query parameter?
- If you find an input point, test it for different injection types (not just SQLi)
- How might you be able to extract different information to get a username and password?
- Once logged in, it should be pretty trivial to find a way to get a reverse shell
Privilege Escalation Hint:
- Did you find any services running on the target that might be running at the highest integrity level?
- Did you enumerate the file system for any writable directories this services uses that might lead to a particular injection type?
