HTB Starting Point — Responder

Box info | OS: Windows 10 Pro Build 19042 (XAMPP / Apache 2.4.52) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: LFI, PHP include, UNC SMB path, Responder, NetNTLMv2, hashcat
Pwned: 2026-04-28

TL;DR

Responder is a Windows box running PHP on XAMPP. The web application at unika.htb uses include($_GET['page']) without any input sanitization — a textbook LFI. Reading the source code via php://filter confirms the vulnerability. HTTP RFI is blocked (allow_url_include=0), but SMB RFI works: PHP on Windows handles UNC paths (\\attacker\share\file) natively via include(). Setting up the Responder tool as a rogue SMB server and triggering the UNC include forces the target machine to authenticate with its NTLM credentials. The captured NetNTLMv2 hash for RESPONDER\Administrator cracks in under a second with hashcat against a common wordlist: badminton. WinRM on port 5985 grants a full PowerShell session. The flag is on mike’s desktop. ...

April 28, 2026 · 8 min · crAIzy
HTB Starting Point — Explosion

Box info | OS: Windows Server 2019 Standard Build 17763 x64 | Difficulty: Very Easy | Tier: 0 | Status: Starting Point
Skills: SMB enumeration, RDP basics, WinRM, blank-password credential testing
Pwned: 2026-04-27

TL;DR

Explosion is a Windows Server 2019 box with a single critical misconfiguration: the built-in Administrator account has a blank password. A port scan reveals SMB (445), RDP (3389), and WinRM (5985). SMB guest login enumerates the machine name and RID-cycles the Administrator account. Testing Administrator with a blank password via nxc immediately returns Pwn3d! over both SMB and WinRM. The flag sits on the Administrator’s desktop at C:\Users\Administrator\Desktop\flag.txt. The lesson: always test default and blank credentials before reaching for a wordlist. ...

April 27, 2026 · 7 min · crAIzy
HTB Starting Point — Dancing

Box info | OS: Windows 10 / Server 2019 Build 17763 x64 | Difficulty: Very Easy | Tier: 0 | Status: Starting Point
Skills: SMB enumeration, null/guest session, smbclient, RID cycling
Pwned: 2026-04-27

TL;DR

Dancing is a Windows Server 2019 box with SMB null authentication enabled. A port scan reveals the usual Windows fingerprint: 135 (RPC), 139 (NetBIOS), 445 (SMB), and 5985 (WinRM). Guest login to SMB is accepted, and listing shares uncovers a non-standard share called WorkShares. Inside it, James.P/flag.txt contains the flag. Attempts to leverage the guest session further — WinRM, psexec, wmiexec — all fail cleanly. The lesson: null-session SMB gives you lateral information even when it can’t give you code execution. ...

April 27, 2026 · 8 min · crAIzy