It is a great box from Hackthebox it starts with rpc enumeration followed by the brute forcing of smb login.For the privilege escalation DC sync attack was the easy way.
It is centered around Smb service .We get creds of temp user after little enumeration on smb.Through that user we get another user password hash.Which we decrypt through a custom vb script..........
It is a medium level box which has smb ports open .And on little enumeration we get creds for a user.Which in real are correct for other user.Then we get Another creds in a hidden script .Followed by the Using Dnsadmin Privileges to set our malicious .dll payload to get the root.
It involves directory enumeration followed by finding new site.Then exploiting openerm followed by getting creds with Memcached.Then a simple privilege escalation by docker
This machine is currently active on hackthebox wait until it gets retired or if you have owned it then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file