🛑
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
Clicking the Subscribe button below WILL NOT get you access to this article (although I would be grateful for your subscription otherwise).
Clicking the Subscribe button below WILL NOT get you access to this article (although I would be grateful for your subscription otherwise).
Initial Foothold Hint:
- The target is a domain controller
- Which service might allow you to enumerate usernames?
- The CMS on the web server should have a file with a version number
- Any CVEs? Can you use the information to log into any services?
- Did you find and analyze the interesting file?
- This should allow you to log into one of the services and get a shell.
Privilege Escalation Hint:
- Have you checked for password re-use?
- Look for interesting files, what file extensions might be consumed by a script running on the host that might lead to another user?
- Can you find credentials cached anywhere?
- As you're looking for next hops to escalate privileges, keep in mind which groups certain users are in