This is one of the easiest boxes out there. Almost no enumeration is required and we get direct root.
This also did not work right out of the box so I was looking for people manually doing the exploit on YouTube.
After watching a few videos, I figured out that I needed a name pipe which had open permissions, in this box there were none for unauthenticated users, but “guest”:”” was technically authenticated so I tried the exploit with these credentials.
Made a stage-less reverse tcp shell “root.exe” with msfvenom and used send_and_execute.py to get a reverse shell.
The reverse shell that spawned has system permissions so basically the box is Pwned!!!