 Hello everyone, my name is John Hammond and welcome back to the YouTube video today We're looking at some hack the box showcasing the remote room that retires today. It is an easy easy I guess medium. No easy. It's an easy windows box I'm just not that good because it's windows, but I wanted to showcase this walk through it with you So here it is remote and we have an IP address to work against. It's 10 10 10 180 We can fire up a command line and get to where the good stuff happens So I'm gonna head over to my hack the box folder and I'll make a directory for YouTube remote and hop over there So we could start with some good practice actually create a little read me file And I will just put in some classic notes. Hello. This is me writing this on the day Which is September 45th? And here's the IP address of the machine. Let's start off with the classic rust scan I'll pipe this into a rust scan log sort of tee that and we can see what we're up against Okay, some ports that are open. We see port 21 for FTP port 80 for HTTP 111 I think that's RPC bind. I always get that maybe wrong or something 139 135 2049, okay, so maybe some network file share stuff Five nine eight five. That's odd and peculiar. You don't see him all that often Port five nine eight five. What is that? Win RM? Win RM. Oh Okay, I mean it's Windows that makes sense Maybe end map. Yeah, Ruskin will pass it over to end map and we'll kind of get better ideas to what all those things are But since we have some things to poke at let me get started with some classic enumeration I'll do a little Nikto on that guy T that To get an output file. I'll do the same thing with some go buster HTTP and I'll use a word list from the defaults word list that comes from Durbuster. Alrighty. Now, let's go check out the web page Welcome to ACME. Allow me to introduce myself. My name is Wiley Coyote Genius, I'm not selling anything. No, am I working my way through college and check out our products? Okay, awesome a Couple of blog posts looks like all lorem ipsum text if I click on any of those Do I get an idea of a username this page loads? Nope? No No username more lorem ipsum and nonsense Products is that a real link? Yeah, it is our gorgeous selection of unicorns ping-pong balls and a jumpsuit. Okay Nice crazy people Great or these are real lengths circuit beard. Oh, yeah, these are Super cool. Great Let me just click on The source here. Let me hit control you and kind of see what it's built in in the HTML I see some HTML comments for navigation media links add links to categories a Lot of that to do HTML comment read links to categories Scripts um, Braco or um, Braco. I always pronounce that wrong. I don't know the best way to pronounce it, but that's an indicator that Umbreco might be on here and if you Google what that is it is a CMS or content management system If you haven't heard of it before I think I've kind of seen it a little bit in other capsule flags or training exercises or activities Let's see what derbuster or go busters got Pretty much the same thing as previous and what we've already just seen through the web page Need to get anything yet. Nope and map scan is done Let me try and subble that rust scan log and that's gonna have all the gross colors So if you wanted to you could less tack R that and that way you can see the colors there at least from your terminal but Scrolling through it just to get a better idea of these ports. Okay, we do have anonymous FTP We could potentially log in with that It should you pee yeah RPC bind stuff 2049 NFS network file share and maybe there's something interesting in that And That's all it's got for me. Okay. Well, if we have FTP I guess we could take a look at that 10 10 10 180 with my FTP client We did see from our end map scan was that anonymous share or anonymous access was enabled So username will be anonymous and password could just be empty. You can whack enter there. Let's see what we have Nothing Okay, and we can't go any farther than that or explore anything else. So that's not helpful fantastic What else did we have we had poor 80 which we're looking at and we had the NFS share I Don't see anything else other than that intranet that they're going on and we didn't actually poke at that intranet Page is there is there anything over there? It's still mentioning umbraco in the CSS here umbraco Someone's gonna give me flak. Someone's gonna someone's gonna hate on me for not knowing how to pronounce that Does anyone know how to pronounce that? That's the same sort of thing. You're like, how do you pronounce Radair to Radar a? Radair, I don't know red R Jif gif Starting the holy wars here if umbraco is a thing is that a Location that like it's a content management system like the same thing like WordPress might be so maybe there's a page for that and my cursory Research on it just for the showcase Content management system publishing World Wide Web content written C sharp deployed on Microsoft stuff That tracks with me because we're looking at this on a Windows machine Just doing some quick learning reading to see Documentation to be found there. It's open source Are there any like default locations that it adds? Oh, where's all this? build What does this guy Quick tutorials Creating a basic site. Oh goodness. Can I just get to content? When you hit your local host address or whatever you're setting up You should see welcome to the umbraco installation screen and then Log in to your ubraco Cms installation on slash umbraco in your browser Is that a thing? Go Buster hasn't found that yet. Nikto hasn't found that Maybe we could try some other stuff or like add it into our word list But if I just simply try to go to umbraco or umbraco. Oh I have a log in happy funky Friday Fantastic a username is usually your email and password So I can't just try like a classic admin admin or like a Stupid stupid little sequel injection. Will that get me anywhere? Who does that reflect out what I have in there, can I do like some cross-site scripting hello? Please sub that's a better one. That's a better one to throw in here. Please sub Slap that in now. Okay whatever, okay, we know though that there is a log in here and And We could do some other enumeration because there are still some other ports that we haven't looked at yet Taking a look at this. We know we have 21 was a dead end 80 was the web page obviously and 2049 NFS or network file share so if you guys aren't familiar with mounting and looking at machines that have NFS shares typically you can start with just a show mount command and tacky will Show mount. What does the tacky actually do? Oh if you like kind of the colors that I'm using within batch Excuse me. Whoa within bash In my Linux command line. I'm using Batman or bat some of the shell extensions that come with the bat a package Tacky and exports will show the NFS servers export list So the same way that I'm looking at like cat if I cat out my read me It has kind of nice color stuff. So if you're interested go ahead and take a look at that Anyway show mount tacky on our server here 10 10 10 180 and They have a site backups that everyone could access. Oh Can I try and mount that? I'm gonna make a temporary directory that just matches the same thing. Oh with the incredible typo dope Make directory back ups and I already have one of those so I'll recreate it for the sake of video And and then let's go ahead and try and mount to it So you can mount tacky NFS So mount specifying the type network file share and then what you actually want to mount So you're gonna specify the share with the IP address and a colon and then you can just specify the share That you're actually looking for so in this case It's site backups as we got that from show mount and then you need the location as to where you're actually gonna put it So I'll put it in that temporary directory site backups that I created and you do need root privileges to do that so whack a little pseudo on there and There we go, okay let's hop over there to site backups and We got a lot of stuff. Oh I'm Braco client Braco I'm just gonna like permutate all the potential possibilities of me saying that and Let's run like a find on here to see like everything that's in here and I'll put it in my Location where I'm working on this. I'll put in my notes like NFS listing dot text see what we get or anything is Find not gonna like buffer that or showcase that for me. Oh, no now there's stuff happening What do we got in here? So what we could do is we could kind of trim this down open it in like sublime text or an editor and just kind of like Remove the things that we know that we don't care about that could kind of help us Look for interesting things and prune for the potentially peculiar Stuff that we might be able to find some valuable and juicy information with Because a lot of the stuff like okay Google Maps pictures. We probably don't care about Same thing with like I don't know views Open there is Some of the binary stuff for on breakout config files will probably be useful for us Because maybe there's some more information as to how this thing is actually being put together Yeah, CSS files though. We don't need to care about media files images And there's a ton of assets and fonts in a Brecco that we probably don't care about Blah blah blah JavaScript files angular Yeah, okay Lot more javascript tiny mce or some code editing Settings views settings Mmm aspx files So this is I guess my process for like at least getting a quick snapshot of everything that's in there Obviously fine. We'll return a ton of stuff But you can kind of narrow this down and print it down and look for interesting things if you wanted to Oh Whoops, I accidentally like pasted whatever I was searching There is a web.config and that is usually something worthwhile to look at so let me go ahead and cat out that web.config and bat is giving us the nice color coded output And there is a lot of configuration stuff for on brecco and on brecco Image processor config on brecco settings config we could save that maybe took a take a look at that one if we wanted to What else do we have in here? app settings Connection strings ooh, ooh Yeah, is this thing going to use it like a database on brecco db database dsn. Whoa, what just happened? Why did it bring me to the top of the file? Did I lose that? Did I just lose what I was looking at? There we go on brecco db dsn. What is that dsn? Connection string with instance of a brecco dsn So that's definitely the database Yeah, yeah, okay, and that might be where it normally stores like a database and password So since we're looking at hack the box, right, there's no other box that it's going to like reach out and connect you This isn't going to be a full-blown network It's going to data source data directory on brecco.sdf. Ooh Is it a local file or it's storing the database? What is this on brecco sdf thing? You can see some of my previous research Is it just like a local database? sdf file Spatial data file is a single user geodatabase file format developed by autodesk. I don't know if that's I don't know if that's the same thing I'm looking at standard database format that Sounds a little bit more like what I'm looking at Do I have that file? These are variables data source data directory. I think I guess I can just look for This on brecco sdf So let me find and grep for that guy See what I have here Please get a hit Please please please Okay app data on brecco sdf. If I file that guy, what is it going to tell me? Data incredible fantastic. That's super duper useful um Just strings it dude. Let's see if we get anything interesting in that. Oh, yeah Okay Oh, this file is ginormous Oh, and these are all like the blog posts and Ooh the products Nice crazy people Heck yeah, let me let me less this see what we got. Oh right at the top administrator admin default en user or us Some guid GUID GUID Administrator admin and that looks like a hash Yeah, and then it specifies hash algorithm shaw one. Whoa Okay, and that's repeated a little bit. So this looks like a potential hash We could slap this in our readme nfs share found uh app data um brecco dot sdf Can I crack that hash? It's a shaw one hash Crack station. Yeah. Yeah, like crack crack hash online, please And that's totally the definition of crack station slap that in there fail at a captcha Bacon and cheese fantastic for The admin user right and that had That had his email in here. It's uh admin Being his username and admin at htb dot local Looks like an email address So can I log in with that? Bacon and cheese Ooh nice. Yeah. Yeah, okay logged in What can I do with this? Media settings developer developer. Does that let me do anything? Hey, wait, is there any like is there anything that like already does this if I search sploit form brecco? Am I gonna find anything? Remote code execution with metasploit metasploit Is that a thing that'll work? Oh wait authenticated remote code execution is this as easily What's that guy? neat dude didn't find anything else so Let's use metasploit to search for that see if it works upload aspx Will that do it? What do I got to know? It doesn't need like a username though. That's kind of weird to me Will it just do it? I'm gonna set my l-host to my Adapter and then I'll just set the r-host to 10 10 10 and 180 and just fire the thing off Execution failed. Okay, whatever. What was that other one? There was a there was a search sploit other one that I saw Um brecco Goodness goodness large terminal size. Make sure you guys can see this thing search sploit tack m this guy um Yeah, I'll just bring in the current directory. Yeah Yeah Yeah for this thing I'm brecco remote code execution by authenticated administrators. That's me login password host It's just forgetting a uh, that's uh closing quotation. That's funny So we have admin at hdb.local and we have bacon and cheese And our host is 10 10 10 180 Will this just do it? What is it gonna do launch the attack? What what code does it run? Am I gonna get like command execution executed calc for the poc? I don't really want that Can I like Ping myself. What's my ip address? Just to see if this thing would work ip 80 are Yeah That's me slap in my address and Let's Stop Go buster because you don't really need to do that and then let's pseudo Can I tcp dump like? Attack l i tone zero And then look for icmp. Yeah, I need to specify pseudo for that That's fine So I just want to get like a proof of concept to see if this thing will actually Execute that code. So let me python 3 that Four thing guy. Oh That needs to have the http schema It looks like yeah How about now did he do it or did I do something wrong? Okay That's fine Whatever I guess we will put that away We'll search plate one last time to see what that last thing was SEO checker plugin. Oh, it's just cross-site scripting. No, no, no. Let's do a simple umbraco exploit search Oh, no, Raj has one Authenticated remote code execution. That is the exact same thing that we just saw This one looks good Umbraco authenticated RCE Oh, and you can just pass stuff right through it. So that'd be really easy. You can specify commands What does this thing do? Some advisories on a packet storm a little bit more robust Uh Script here some arg parse This looks like a modified and better version of the thing that we were just looking at So the payload is using some xml and x sl To invoke A process Yo, yeah, it's just running c sharp through it Okay Let's try that guy It's a git repository. So I'm gonna go ahead and get clone this and Let's try to head over there and Run this exploit I need the username. So attack you admin at htb.local password was bacon and cheese IP address 10 10 10 180 And then the c for the command to run. I'll just do like a simple. Who am I your proof of concept? Oh, that also needs the http prefix. You can tell kind of just buy that python error. Like we're missing the schema See if that gets anything It does Okay, so Can I do that ping one more time just kind of like verify? Uh, I'm 1427. Is that right? Oh, what is that doing? Why did that fail? Did that fail unrecognized arguments? Oh The help says I need to specify tack a to note to note some args. Okay So let's fire that off And there's the ping awesome awesome awesome. Okay, so Now what? We have code execution, right? Uh, we should probably like take note of this simple thing in our in our In our notes here Let's see if we can get a reverse shell This is a windows box, right? I could probably run like system info Yeah, and all this output is coming through. That's awesome Windows box x64 processor It's good to know the architecture. So Can I get a reverse shell? Um on windows you might need to do a little bit more clever things because it's not as easy as just running bash If you want to do a power shell reverse shell nashang is pretty awesome to do that Nashang is a framework in collecting the scripts and payloads that enables the use of power shell for offensive security pentesting and red teaming There is a power shell reverse shell that this thing has and that is in the shells folder here And there's an invoke power shell tcp.ps 1 It's pretty decent power shell code with a lot of actual description and documentation as to what the heck the thing is doing There's an example syntax here. So we could work with that If you don't have that downloaded you can get cloned it. You can work with it. I am going to Copy that from my op directory. It's in shells and then I have that invoke power shell tcp.ps 1 I'll put that here And then I'll modify that script There's no like good I don't think there's like a power shell Display or color scheme and sublime text, which is annoying, but we have this example here So what this is going to essentially allow us to do and wow, that's just really hard to look at Can I cat that does bat know how to work with that thing? Yeah, okay good So at the end of all this all this puts together is building out the functionality to Use that syntax like you would be able to run this and it would create all these functions that you could use or bind these Commandlets for you So what we want to do is at the very very end actually execute this So we could just stage this thing to fire off the reverse shell as we need to I know my ip address was 10 10 14 27 And the port number quad 4 is totally fine to work with So let's set up a Little web server python tack m Http.server Let that go And we have our invoke power shell tcp in the same directory as we're starting the web server so I could start my netcat listener to get ready for this thing And then I can try and fumble with the syntax of actually getting This thing to start so Taxi will let me work with a command. So let's run power shell And then we have tack a to pass in arguments. I'll make this a little bit easier to read so I could simply be like echo like hello or please sub just to get a proof of concept that i'm running power shell Oh, and I need to be in that Correct directory where that exploit script actually is So, okay, we get that output good sanity check now I want to run iex or invoke expression. So I would be able to run commands from a string So if I were to try and do that once again echo please sub following the iex This echo is going to come out into kind of standard output And then ix will just execute please sub as if it were a command in this case Obviously, there is no command please sub. So That tells me that that syntax might work So now I'll go ahead and create a new object and this is going to allow me to Do some windows stuff power shell stuff to get a web client object which has the function download string And that way I could give it my ip address 10 10 10 14 27 on that port 8 000 and download and run because of this iex all that string is going to be Pulled in and then executed invoke power shell tcp dot ps1 So ideally we'll see this web server see the request for that invoke power shell tcp The victim and target will run that code and then over on the other side here I'll see my reverse shell come through. So if I whack the enter button Hopefully we'll get some magic and we do now. I am on that box Awesome. Awesome. Awesome. So I can do a little who am I? And it looks like I am this weird Iis user. That's fine. Let me go to the root of the directory root of the file system here and let's see if I could snag that User flag. Let me check public. There it is I can run cat because I'm in power shell. So there is that user flag And I can't easily clear my screen So we'll just pretend you didn't see that who cares Next We'll want to try to do some enumeration and potentially privask do our privilege escalation So a really good way to do this is to run win peas or some of the privilege escalation awesome scripts I'll just search for win peas And Carlos Paul up. I think I'm butchering pronunciation as always. So forgive me Awesome windows privilege escalation tools for windows and linux. So you see me run lin peas probably all the time on Linux stuff, but win peas is also really good to work with they have a batch script rendition of it And I've seen that fumble for me. I don't know if it's because it's just slow to return or just didn't execute but The exe file is kind of really what we would love to work with If I actually go into this here, you know, there's a solution file for like actually getting the the source code and stuff for Working with it within visual studio and compiling the thing but they do offer under bin in This path here. They also offer releases and an x80 x64 or x86 release So you literally have the executable file you could download and work with I've tried to click on this and like download it raw And then I've had my browser yell at me because chrome would be like, hey, this is dangerous or Firefox would be like, hey, this this file is potentially malicious with that in mind This reverse shell that we did trying to run that invoke power shell tcp Might get triggered by windows defender Sometimes I mean most often if that sort of thing is on right So you might not always be able to do this specific thing and in our hack the box learning environment We can totally do that. I'm just going to go ahead and download this with curl, I guess So I will copy that link address and I will Close my ceiling meterpreter session because I don't need that anymore and let's get back to my hack the box YouTube remote file folder here. Let me go ahead and download this So I'll w get winpes.exe or you probably already have that repository clone and you can just move it in here Note that this is the 64 bit version. I pulled that one down specifically because we saw in our system info command That's the same architecture for this victim. That's just kind of a good thing to do I think the 32 bit one you can usually trust but Anyway, we've got that So now I actually want to download this file So I'm going to go back into my reverse shell of the victim and actually let me Mark that as black. So you kind of know There's some distinction here. I'll move into a temporary directory. I'll move into see windows temp And there's some stuff in here now, but I don't particularly care about it. It actually probably has soul some of my remnants of previously working on it. So let's kill those Yeah, yeah, yeah removing the fourth wall And let's let's try and pull this down into this box. We still have our HTTP web server running So we could transfer files just as easily earlier. We did this download string I think there's a download file one as well But you also just have the kind of classic power shell invoke web request And my face is going to be in the way and I can't clear the screen. So let me make that go away invoke web request to download From my ip address 10 10 10 14 27 port 8 000 win peas dot exe I can pull this down, but it kind of doesn't know what to do with it. So The best thing for us to do is actually bring that to a file and you can pass that with that invoke web request tack out file argument. So HTTP 14 27 Win peas And I'll specify that tack out file location and I'll just call it like win peas dot exe keep the file name here Good. That's downloaded. Now if I ls I should have this file here fantastic So we could simply run this if we were in cmd.exe You wouldn't need to specify the dot slash since we are in power shell We should to be able to run that out of the current directory. So while Whack that win peas dot exe give that just a second and hopefully hopefully hopefully it will come back with something and it did Okay fantastic What do we got here? You could of course do this manual enumeration if you really wanted to Ooh that also isn't giving me a full Like scroll back dislike Uh Could I download this? I'm trying to think of a decent way to be able to pull this back down to the victim You know what I think a good thing to do would actually just be get a metterpter shell in here Because that would just kind of make Kind of our our control a little bit easier. So I like to just use some of the metterpter cheat sheets Or msf venom to be able to craft that and create that Netsec has a really really good one that I always reference because it helps me not think and It just will give me the quick and easy payload. I know it's easy a windows metterpter reverse tcp But I always fumble with like the architecture and whether or not I need to specify that So I will steal this command And I'll get back to my sublime text Just so I can kind of uh Have a window to tinker with this command my ip address needs to be filled in here 14 27 and we'll listen on I guess Quad six here we go and we'll call this like metterpter dot exe good good good Wack that out that we'll go ahead and create a prepackage binary and download Like actual program that we can run put on the host put on the victim And then have it call back to our own metterpter shell. So let me msf console this guy So I can prepare the handler like the listener that will be able to catch this reverse shell And then we still have our http server running down here I'll use exploit multi handler And I will show options to sanly check the things that I need to change We do need to set our l host to ourselves We do need to set our l port to our Port that we wanted to listen on and we should set the payload to the same thing that we told msf venom to use So I will set payload to that guy and now I can run and start up that listener So back over in our victim because we have just that simple metterpter dot exe File ready to download in the same directory What I'll do is I'll once again use that Invoke web request to download this guy invoke web request My ip And save that to a file We'll just call it met dot exe good Kind of zoom it out here. I do have this met dot exe good So my metterpter shell should be All set and ready to catch that so if I were to dot slash met You can see that metterpter session one opened up on the top here Fantastic now. I can upload and download things a little bit easily and that might be convenient for actually checking out the rest of that Winp is a numeration script. Let me go ahead and check out my current directory I'm still in the temporary file So I will actually use this shell to be able to run winp's dot exe one more time and I'll save it to like win out log And hopefully when I get my prompt back that will behave for me good Now I can download that win out dot log because that's in the current directory and metterpter is the one that has that Download command. I wouldn't be able to kind of easily do that on the victim without being able to like spin up an hdp server Or netcat or file transfer So metterpter just kind of makes that nice and easy for me So now let me go ahead and less tack r That uh win out file Yep, that's totally fine Yes, do I actually have content in that? Oh boy Did it just do it? It did just do it Does that not want to work? Can I cat win out dot log Okay, sure and that works just fine for me and that will handle it now I can actually read through all the stuff that the winp's gave me Uh, it would probably have just been smarter and better to have an actual scroll back on here or use tmux Or a better thing that will help me actually view the output of but That was just some quick problem solving to be able to see the rest of this and it's good to have metterpter on there Ooh windows vol search powered by watson looks like this has a lot of stuff that could potentially be vulnerable for user environment variables computer name is remote username is remote system environment variable stuff that we've seen before lsa protection No, a view is detected. That's probably why we were able to totally run Uh, metterpter and our reverse shell normally you wouldn't see that happen on a windows target Power shell stuff drives information Current token privileges Maybe we could tinker with some of those scm personally privilege. Ooh Would that be an option? Some autolog and credentials were found. Oh just that a fault username for administrator. Okay. Nothing huge Interesting processes. Yep. There's power shell I invoked that Met.exe. I invoked that that's our metterpter Windpeas I invoked that Okay, all the interesting stuff seemingly is just me services information interesting services non microsoft open ssh team viewer Oh, whoa, and that's just running. Oh come on. I don't need less. I don't need your help I was just looking at team viewer and it moved away from me I can search for it again team viewer There we go So if we did our actual like own manual enumeration like if we went over to cdc In the c drive you could probably hop over to like the program files And see if there's anything that sticks out to you any particular Programs or software that might be installed. Don't forget to take a look in the other program files directory program files x86 slap that guy in there And you should see team viewer. So that's kind of interesting and peculiar Not something that's installed by default right not native to windows So maybe A thought considering this box is called remote and team viewer is supposed to be a remote access and availability thing Tool and program and software I wonder if there are any logs or any information for that team viewer application We could hop over there and start to explore things if we really wanted to we could deep dive into it um But because we have meturpre drawn here Because we have metasploit running and I don't have a ton of shame. I don't have any issue of running metasploit Maybe there's a module that we'll be able to search and look for team viewer credentials. So team viewer metasploit There is a windows gather team viewer passwords Seemingly module this module will find an encrypt stored team viewer passwords Incredible So our meturpre session. Let's go ahead and hit back or background on that So we get back to a regular msf or msf console shell and then let's search For that team viewer and see it looks like we do have a post module post windows gather credentials team viewer passwords Let's check that out So I'll use that And show options to see what we got a supply here We do need the session for what we're actually working with and if we were to check out our sessions We have our one session of meturpre here on the victim. So let me set session to just one And then fire that off Immediately it finds this unattended password for remote awesome and I spent a decent amount of time now trying to figure out like okay. How do I connect to team viewer? With this unattended setup. Can I just connect to it as an ip address and and and do things with it? I didn't really get anywhere with that And then I eventually just kind of thought like well, this is a password right and potential password reuse is a thing So maybe this would be someone else's password, but I didn't see any other users on this box Other than really just the administrator himself And then I kind of put some of the puzzle pieces together We saw in our rust scan output or from our nmap searching that We actually have winrm on here that port that we saw earlier So maybe I could try this password for that administrator user So I could save this if I wanted to slap in or read me But let's go ahead and try to use evil winrm to connect to it If you aren't familiar with evil winrm or you haven't seen it before you can totally go download it It's the winrm shell that you could use for hacking and penetration testing Typically, it's just good to get access on a box if you see that windows remote management or winrm on a target on windows Pretty simple needs to hack i for an ip address and a user and password you could pass along It can also do some pass the hash stuff, which is very very cool And I want to get smarter on this. I need to learn and tinker with it a little bit more But let's go ahead and do it. Let's use evil winrm on that ip address with the user being administrator and with the password being tackp And i'm going to have to specify single quotes here because these exclamation points might make bash choke or wine so Let's whack that And it connected. So we are currently in the administrator's documents and we are the administrator So We could check out what we have here over in his desktop Looks like we have that root dot text Uh, can I run wc tech l? We'll we'll power show. I'll know what that means. No get Or like measure object. I think I can actually cure clear this screen. So that's handy measure object root dot text. Does that work? We could just cat the thing out, but That is uh Seriously now, I just kind of want to know measure object power shell I am earning power shell I guess I would have to cat it out Yeah, so cat root dot text and then pipe it to Measure objects. You can't just pass it the file name Incredible. Can I get the line, please? How about characters Character or car character 32 characters so we know it's a hash and i'm not spoiling anything by showcasing the root dot text What i've already showcased the user dot text. Anyway, that's that that is the remote box This was a lot of fun for me because it's windows and I need to stretch myself and do more windows boxes and windows machines I have a lot to learn there and it's all about the learning process. So this has been kind of fun I know it's an easy box and that's how it's kind of rated But that's still something that I enjoy and have a good time with and there's always some kind of cool tools and things to learn Working with that. So holy cow. I hope you enjoyed this video. We did some really nifty stuff doing some I don't know umbraco Looking for things and enumerating in ntfs shares or nfs shares. Sorry Mounting those and exploring those and pillaging even with simple strings and okay, then using some code execution to Get access to the box pulling in some wind peas to do enumeration and finding passwords with team view or metasploit So there's a lot of a lot of stuff going on, but wow Thanks so much for watching everybody. I really hope you enjoyed this video If you did, please do do the youtube algorithm thing is I would love to see maybe a quick like in the video Silly comment down at the bottom. I don't care YouTube algorithm stuff. Please subscribe Thanks so much for watching everybody. I'll see you in the next video. Take care. Love you