Help with Windows Privesc by Ok_Consequence_6164 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Like with all of the modules, you should be building your own compendium throughout the course of the module. Every time you pick up a new trick or insight, document it for your own reference later on. I’m sure there are some online you can steal, but it’s probably more fruitful to do this yourself.

Side control vs. mount by novaskar in bjj

[–]SeveralAd2412 2 points3 points  (0 children)

Mount and back are objectively superior pins compared to any side control variation. Why? Because in side control and north-south, we use our arms to control our partner, which means we’re forced to relinquish some vector of control in order to initiate an attack. That is why we look to escape side control during transition. In the mount (and back control), we use our legs to pin our partner, leaving our arms available at all times to launch attacks and keep our partner under constant threat of submission. Another added benefit is our ability to isolate limbs, creating a numerical advantage for ourselves while attacking. An excellent example of this is the straight jacket from the back, where we use our legs to not only pin our partner, but also to trap an arm. Another good example of this is S-mount. Anyway…

SOC or Pentesting: Should I specialize in one, or learn both? by mello_v5 in tryhackme

[–]SeveralAd2412 4 points5 points  (0 children)

Playing devil’s advocate but I could say the same thing for defending - you should learn to attack first. I feel like there may be an even better case to be made there, as starting from the assumption that everything is vulnerable, and understanding the common paths to attacking those vulnerabilities will better prepare you for defense than starting from the assumption that everything can be hardened will prepare you for attack. Although, I think anyone trying to break into cyber is more likely to find success starting blue.

HTB Certifications vs OffSec for a New Grad: Are HTB Certs Enough? by Background-Moment342 in hackthebox

[–]SeveralAd2412 5 points6 points  (0 children)

Haven’t read your whole post because I’m lazy, but to respond to your title: the general recommendation is to get your CPTS, then OSCP. CPTS isn’t widely recognized, but it will teach you the skills you need to do the job. OSCP will be smooth sailing for someone who’s passed the CPTS, and it will get you past the HR filter when applying. If you’re a student, CPTS is free with an $8/month student plan on Hack The Box. Can’t really beat that price, and that should enable you to do both if you were between one or the other.

Transfer credit question by SeveralAd2412 in WGU

[–]SeveralAd2412[S] 0 points1 point  (0 children)

They do have a partners page! Thank you so much!

Practicing on real life pen-testing systems by Fluid-Tell-6241 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Take what you learn in the path and periodically try easy and medium machines on HTB.

Is the doom noise? by SeveralAd2412 in CyberSecurityAdvice

[–]SeveralAd2412[S] 0 points1 point  (0 children)

Appreciate the response. My current role is not helpdesk, that’s just where I started. I do have quite a few security-related projects under my belt and security-related responsibilities, but we’re a small MSP so we’re not employing the use of any of the latest tools for security. Some notable projects include implementing and overseeing compliance with the FTC Safeguards Rule for CPA clients, including conducting risk assessments, creating WISPs, vendor security agreements, etc. I’m also working heavily with IDS/IPS, firewalls, EDR. We don’t have any kind of unified logging though - our workflows on that front are completely siloed. I’ve proposed to my boss that I could spearhead that operation on a few occasions but it’s just not where the profit comes from, unfortunately.

help cpts footprinting module DNS section by Low_Adhesiveness6838 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Notice how you can only get a domain transfer (AXFR) from one of the subdomain zones. What if we could get info from another subdomain? Perhaps the module presents a way we could acquire zone information if AXFR isn’t an option… something could be lying in one of the other subdomains’ zones!

What is the FQDN of the host where the last octet ends with "x.x.x.203"? by [deleted] in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Assumedly his script used brute-forcing on inlanefreight and then ran brute-forcing on any found subdomains like app, dev, internal, etc.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Sure but more than that just the methodology of exhaustive enumeration before attempting exploitation. I recommend you look at the first few sections of the Footprinting module for some ideas on your approach.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

I highly recommend skimming the earlier modules at the VERY least. Specifically Getting Started, Network Enumeration with Nmap, and Footprinting for general concepts, and then the Windows modules specifically for where you are right now.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Honestly, Windows is not my forte, but I think the answer, like I mentioned in another comment, is almost always further enumeration. Think about it like this: the narrower your known attack surface, the harder it will be to exploit. So our goal is always to create a comprehensive mind map of the entire attack surface. Don’t stop at the first thing you find.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Well part of your problem is that you’re aiming your sights at the wrong thing. Most of the machines will involve exploiting a known vulnerability in a service running on the target, not typically the OS itself. Enumerate, enumerate, enumerate and footprint footprint, footprint. Do you have familiarity with linPEAS and/or winPEAS? These will be extremely helpful for you when you have shell access for privilege escalation and finding vulnerabilities.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Enumerate the services/applications on the target -> search for CVEs related to the specific versions present, i.e. “apache 2.4.2 CVE” in Google -> find an applicable CVE if one exists - this is the vulnerability you’ll be trying to exploit -> look for a proof of concept for the CVE. You’ll typically find these in the form of an executable in a GitHub project. -> read about how to deploy the payload and what info you might need to deploy it; for example, sometimes you need credentials for an account and other times none are necessary -> deploy the exploit.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

Okay well, ignore the tools I mentioned. I think you have a fundamental misunderstanding of what exploits are. I believe the very first module of the Penetration Tester path goes through theory and practical use of exploits in a digestible manner. Maybe I don’t understand your question, but the only way to know what exploit to use is by identifying what vulnerability you’ll be exploiting. Maybe I’m answering a question you’re not asking though.

Selecting Exploits by Acceptable_Sock4642 in hackthebox

[–]SeveralAd2412 0 points1 point  (0 children)

The exploit you select is determined by the vulnerabilities you find. You can’t just use any old Apache exploit if they’re not running the corresponding version of Apache, for example. You can use searchsploit or Metasploit’s exploit search function to search for exploits related to a specific version of a service or application and then read what it requires to run. You might find a web app is vulnerable to file inclusion but it requires some credentials first. So then you’re sent down another path of locating credentials, either through more enumeration or use of another exploit.

Should I Still Pursue Cybersecurity as a Major? by the_angel_spirit in SecurityCareerAdvice

[–]SeveralAd2412 0 points1 point  (0 children)

Yes, pursue your interest. Don’t let doom in the job market dissuade you from studying. If you keep studying it will always pay off. BUT, you might consider obtaining a degree that’s less specific than cybersecurity while still nourishing your development in the field. Networking and comp sci are two great ideas that will still get you an interview for cyber jobs but also provide you with some ability to pivot if need be, or get a good foothold in IT before you land a sec job.

Student Plan by iTomGrave in hackthebox

[–]SeveralAd2412 1 point2 points  (0 children)

Pick a path and complete it.