[UPDATED] The Complete Windows Privilege Escalation | TryHackMe Windows Privesc

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what's going on youtube today we're doing windows privilege escalation from tryhackme now this room has a previous version which we're focused on um much less advanced aspects of windows privileged escalation and i did a video on the previous version if you want to check it out this plus it's titled under the complete windows privilege escalation guide try hacking windows privilege escalation now the room that i did at that time was the same as this one but with different contents so basically what happened here is that and the last thing you updated the room with uh more tasks and at the same time changed couple tags a couple tasks that was that were published at the time so what we're going to do here guys we're going to go over the updates make sure guys you are covered with all of the updates of this room so that you are able to solve all the challenges now this room was part of a pathway the pathway name was let's see here so it is junior penetration tester and if you have completed the pathway now you will notice that your progress is actually now 87 or it could be like 85 if you have completed the pathway and the reason for that it went down to 85 is because of the updates that were deployed on the windows privileged escalation room which we will cover today okay guys so so what we're going to do here let's go over the tasks that need answers so we have task three we have task five six and seven so we're gonna go over these the rest of the tasks are only reading you can go over them and read them okay so let's get started so let's take this to the right and we deployed the machine i'm going to show you guys here so basically we'll deploy the machine for the task three harvesting passwords from usual spots okay so after we deploy the machine we're going to use remini remote desktop client to connect to the machine so i have the settings here gonna edit them with the respective information so the username and password are given in the challenge [Music] so i'm just gonna copy the password now and the ip address i'm waiting for the ip address to be populated so so we have around four questions so to answer these questions we have to look for hard coded passwords we have to look for files where passwords are written in clear text to be able to answer these now looking for passwords is actually a method of escalating your privileges so that i p now is live let's take it and now we will save and connect let's see here i have to connect to the vpn [Music] all right let's check this out connect and accept the warning and now we are logging in now as dhm on privilege on prev okay let me open my notes now so make everything ready um okay so the notes are ready now let's go and answer the questions so first question here a password for julia jones user has been left in the powershell history on the powershell history what is the password so you guys are looking to um reveal the powershell history the commands that have been typed in powershell so to achieve this we're going to type a single command from the command line so we go to the command line here and we can just search for it or we can spawn it from the task manager here you can right click and let's see here taskbar okay we're good going to do it from here cmd all right let's adjust the settings of this make this bigger so you guys don't need to squint and um you know be easy for viewing so font 20 let's see yeah a bit bigger we need to make this a bit bigger so properties font maker 28 yeah i think this is acceptable for now all right so let me search in my notes for power shell yeah so view powershell command history we're going to copy the command here and go back paste it here let's go over the command so we are revealing a file or the contents of a file named console host underscore history this file contains all of the commands that were typed in a partial session you can hit enter as you can see these are the commands who am i slash prev someone was trying or someone was enumerating their privileges what groups they belong to and here as you can see we have user that have been added julia jones and this is the uh their password so we're going to copy the password and provide it as an answer so the answer for here this is the answer so this is one of the places guys you would look through if you want to reveal plain text passwords which is the powershell commands history that's one a web server is running on the remote host find any interesting password on the web config files associated with iis what's the password of the db admin user now the web config is the configuration file of the web server named internet information servers so basically the iis is the web server that usually runs on windows server so if you are running a website okay that's hosted on iis you will have all the configurations under web config much like wwe config in wordpress so basically this file contains more may contain plain text passwords such as database passwords so this file is of an interest for a person who is conducting privilege escalation let's review the password in this file so normally we have to locate this file first so let's see here looking for iis so web config so we have three two locations for root config the first one is under a windows microsoft.net framework 64. and other one is under the root directory so we're going to look for both so copy that [Music] so here we revealed the contents of the file and then we employ the command find string to look for the word connection string under this word we may be able to reveal some sort of credentials let's see here so indeed we have connection string as you can see add connection string and this is the database server the username and this is the password okay let's see now the other location under the root directory of the web server [Music] so as you can see in pub www it's web config reveal um so we don't have this file in the current machine so this is the answer for the question so that's another location you would look in if you are trying to look for plain text passwords the web config of course you would only find this file if you're running windows server and iis as the web server there is a saved password on your windows credentials using cmd key and run as spawn shell for mike.cats and retrieve the flag from his desktop so basically windows credentials are the username and password now sometimes you don't have to learn them you don't have in order to escape the privileges you don't have to learn the username and password or at least the password what you have to do you have to reveal them okay using cmd key and then using the saved credentials run commands as the user so when you run commands as the user okay you are actually impersonating the user identity without the need for locating or finding their password let's see how this works so if we typed [Music] let's see here look for this [Music] so we're going to look for red great view saved credentials so we're going to take this command cmdk list [Music] so in here we see the stored credentials in this machine as you can see guys we don't have plain text password here okay we have two usernames mic to cats and we have did logical but for me the target is this one microcast as you can see i don't have a revealed password here there is no plain text password so are we able to escape our privileges yes we can are we able to reveal the password no but we don't need to since these credentials are saved and we can now run commands as migrate cuts so what we have to do we have to use the run as so with run as run as slash save grid here we're indicating that we want to use the saved credentials okay slash user will define the user sometimes you have a list of many users so you would have to determine the user that you want to use so basically here in the current command it is admin we're going to change this to migrate cats [Music] and then we define the command that we would like to execute as the user migrate cuts as you can see now if we hit enter so now as you can see we have spawned a new shell and if you look closer again i'm going to make this bigger for you guys it is under my good cats if you type who am i and you are mike.cats now you can do all sorts of operations on files and directories as migrate cats so let's see what is the question here there is a saved password on your windows credentials using cmd key and run as spawn a shell for mic and retrieve the flag from his desktop ok now we have to navigate to the desktop under mic and there you go this is the flag guys so the last one retrieve the saved password stored in the saved putty session under your profile what's the password for uh thumb smith user now putty is an ssh client you can use to connect to an ssh server so normally when you create a session the credentials are saved so basically we can find the saved credentials including the proxy credentials if applicable in your case uh in the profile so basically we're gonna reveal the location of the file that contains the credentials we're gonna look for patsy here [Music] okay so it is under registry so let's copy this command [Music] let's see here so we're revealing the contents of the key under current user software so here we're going to need to insert the username [Music] okay and we're revealing as you can see the key under putty sessions slash f and it is proxy the system was unable to find the specified registry key or value so the user is right party sessions let's see the question one more time retrieve the saved password stored in the saved putty session under under your profile what's the password for thumb that's smith uh-huh so here the user doesn't exist we're gonna have to see under user under our profile which is thm dash on priv so we're going to use the same command and switch the user again the system wasn't able to find so dir [Music] magnet cats dhm dash on prev so here i'm a bit confused what is what do they mean by under your profile which profile so basically my profile now if you type oh my is it chm on prev so i'm not sure here what to do so we have my cat's task let's look here see if we have any clue ah this is the profile si simon tatham let's try this one [Music] and now i guess it worked let's see here let's close this one indeed this is the password the proxy password for trump.smith but it wasn't clear what uh they meant or what they imply by saying under a profile it was a reveal that we have to use the profile here in this command simon tatum okay so that's it for harvesting passwords from usual spots which is one of the methods or quick methods to escalate your privileges let's look at other quick wins here what is the task user one flag so this is about i guess which task always elevated or the scheduled tasks let's see here task user one yeah so let's go over this what is the task is that one flag so here we have to understand scheduled tasks okay so basically escalating your privileges through scheduled tasks relies on understanding what kind of scheduled tasks there are on the system and what they execute and under which user [Music] so first let's re view the scheduled tasks much like chrome jobs in linux as you can see we have many scheduled tasks here so if you want to go over all of them it's going to be a bit time consuming so i'm going to use the next command here where we actually as you can see i'm going to explain the difference for you guys so here we are as you can see targeting a single task which which is vulnerable task if you go up there if you uh [Music] go back to the last command find string and then so here we are displaying all the scheduled tasks okay list all of them and we're going to filter only the task named vulnerable task as you can see we have a task called vulnerable task now if we use this command we will specify the name of the task to reveal the information about this task all the details so what matters with all these information is that the task to run here it lists or it tells you the file that it is executing or the binary or whatever the script was there that the task is executing or will execute so t as you can see it is about script and the next thing is we need to know what is the user under which the task is running or the you know the script is running so it is under as you can see task to run and we have run as user so run is a task user one so what does this mean it means that if you're able if you are able to exploit this task okay we'll be able to run commands or payloads as the user task user one okay which is the objective required under this task we need to retrieve the flag under this user so in a regular scenario it could be any other user it could be the system user so when you select or you when you aim on a specific task to exploit you have to find out or to focus on the task to run what kind of object or entity it is executing and under which user if you want to escalate to that user then you have to find out a way to instead of executing the listed payload here or the listed executable or binary or whatever guys you get it put your payload instead so let's go over this path and see if what are the permissions under the tasks directory and at the same time the script schedule task.pat if we have permissions to modify or replace this file then we are able to write our own payload instead of this binary so what what can happen next is when the task runs again it will run our own payload okay instead of the listed entity here okay so let's use a tool called icasks so in this tool we're going to be able to reveal the permissions on this script and then we're going to copy the path [Music] okay so as you can see administrators have full control system have full control and all the users have full control over this so this means this means that we are able to modify this file okay or change it all together so the objective will be adding one line to this file let's take a look at this file first what's the contents under this file so this is the contents of the file who am i c task so first it executes for my command and sends the output to this file and then it executes ib config and sends the output to this file see tasks output.text so what we're going to do here guys we're going to add a new line here okay a new line to for the fight to execute so basically this line will be um could be anything could be any page could be any command so what we're going to do we're going to get back to [Music] the attacker machine [Music] and we're going to spawn at the snow [Music] now back to the victim machine here or the windows machine echo see tools and see so under tools under the tools directory here in windows you will find many of the tools ready uh [Music] for you to use so basically c you go to tools and here you have several tools nc and you have microsoft internals tool access check process hacker ps tools normally you would need to upload you them yourself but for the sake of simplicity they have been uploaded for you so close and go back okay and then use nc or netcat to connect to my machine execute cmd now here we're going to need to put my ip address and here we forward the output to the file which is this one now the next thing is for you to wait you need to wait for the task to be executed sometimes you will have the ability to execute your the task yourself if you have permissions you can try so scheduled slash run slash tn and then we name the task that we are trying to execute so it is vulnerable task if this works if you have permissions over this task to execute it okay the command will be successful if you don't have permissions then you're going to have to wait for the task to rerun again [Music] so here it is t okay now we should have received the listener okay as you can see we received the connection okay now we are required to find the flag [Music] see the users dir so this is the user see the task one this is your flag so this is for task 4 guys task 4 and task 3. so here now let's start enumerating the services we're looking here to find a service that uses an executable which has insecure permissions so here we're looking to manipulate the executable okay that is used by one of the services so to find that executable we will have first to list the services so let's see here services okay let's list now the running services task list isn't recognized as an internal so there is no task list okay let's look for another one let's use wmic [Music] ah look what i did here [Music] okay so these are the running services so let's see here so the service in question guys is the windows scheduler which is laid down in the example in this room we're gonna have to find this okay let's see the other command [Music] so let's let's look for the windows scheduler the windows scheduler is the service that is the targeted service here but i'm trying to see if it is listed here because normally guys you would have to go through this you would have to list all of the services okay and then narrow down on the service that is in question or of interest okay nevertheless let's not make things harder on us okay let's now uh narrow down on the service that is of interest so the service name is windows scheduler and to view information about the specific service guys we're gonna have to use the sc command so basically if we go back [Music] okay so here review details about specific servers so we copy that and the service name is windows okay so this is the service name let's see if we can find this under this list find string so indeed as you can see guys we have the windows scheduler service okay system scheduler service and this is the executable it is using w servers and it is auto started okay so we narrowed down on the service okay now in order to exploit the servers we will have to look at the binary path name okay and the service start name okay the binary path name lists the executable the service is using and this is your target service start name is the user that is running the service this is the user that you will become okay or to which you will escalate the privilege if you are able to um you know exploit or just explore this binary in other in other words replace this binary with your own payload or modify it okay now next thing is to view the permissions on this binary are we able to modify it are we able to do whatever we like we would like on it so we're gonna use this tool and then we're gonna copy the path [Music] let's see here as you can see as always the authority system has full control administrators have full control and users read write execute but everyone here can modify on it okay so everyone on this computer or this domain has modified permissions on the service executable this means we can simply overwrite it with any payload of our preference and only after doing so we will be able to or the service will execute the binary or the payload of our choosing with the privileges of the configured user which is service user one okay so the next step is obvious now is to create a payload we're gonna use msf venom okay sudo msf venom sp windows x64 shell reverse tcp and boost and now we specify the as you can see it will be an executable service service executable sorry o payload v1 [Music] we wait [Music] okay let's go back and while this is running um let's go to the path here so let's see where is the path the path of the file so c system one let's copy that let's first download the error cd i think you will have to go to temp right or download this to the temp or we can download it to the current user so the current user now the confessor profile who am i okay so cd users see the task user one let's see here no thm so under this directory we will download the file so we use wget before executing the command let's make sure the web server is running and then let's pull the payload w get is not recognized as an internal [Music] so let's use powershell guys to download the file let's see this comment so we're looking at download payload [Music] okay let's see now [Music] as you can see now we have the payload v1 downloaded to the desktop the next step now guys we will cd to the path of the executable that we would like to modify take a backup and then change it [Music] so yeah move take a backup of this one in case things went south and then again back up okay now we're going to move the file or our payload which is under this path okay guys so what's gonna happen here we're gonna move the payload we created okay and rename it to w servers and lastly place it under this directory okay so what happened here guys is the original service executable got renamed to uh backup and then the payload we created has been moved to this path which is the exec server executable path and rename to match the original name so now the service will execute our own payload now before doing this since now the service is under a different user we're gonna have to give everyone the ability to access and use this executable okay so we're gonna grant access for everyone full access okay now we go back making sure the listener is running the listener now is running the last thing now guys is to restart the service okay so sc stop windows and then sd start and we should have now we must have received the listener let's see and yes we have the session now it's that we can retrieve the flag [Music] let's see who am i first as you can see we are the service user one which happens to be the user running this service as we saw earlier okay [Music] [Music] and this is your flag [Music] okay get the flag on service user 2. in service user 2 we will exploit unquoted service path which is also a common misconfiguration let's first go over the encoder service path or choose the servers that's in question so in our example here or as always you will have guys to list all of the services narrow down on the specific servers let's assume that you have narrowed down your choosing on a specific server and in this case the separate service name is disk sorter enterprise we will enable the service by using sc or we the service using scqc and then here the name of the service disk sorter enterprise this is the service that is of interest in this example so as you can see the binary path name see my programs disk sorter enterprise bin diskers and the service start name is service user 2. this is the configured user under which the servers is running and this is the executable the service is running so if you look closely on the binary path name you can easily spot the problem the problem here is that we have spaces okay in the name now spaces on its own aren't a problem okay you can use spaces but the problem here is that when we don't have double quotes okay or when we use spaces without double quotes the command line or the command probe will interpret spaces as argument separator okay that's the explanation here so what's going to happen here is guys when the service tries to execute it will look for the executable right let's take a look at the order by which the servers will look for the executable first it's going to go to c my programs disk and it encounters a space since we don't have codes here okay it will interpret the space as an argument separator which means it will say huh we have let's look for an executable name disk okay and it will interpret everything else or after the space as an argument in order to help you okay execute the service and not result in any error that's what's going to happen so first it will look for disk dot exe if this doesn't exist it will then go to disk sorter.exe exist it will then go to disk solder enterprise and look for the closest executable it confined that's the problem now an attacker can exploit this misconfiguration and creates a payload are either called or named disk.exe or disk sorter dot dxe and place it under my programs if they have permissions to do that so we have two conditions to or by which we can actually think if we can exploit this misconfiguration first we would have to check if we have permissions to write or you know store files under my programs directory and we will have to check if we if there are code double quotes here now since we don't have double quotes and we have spaces we can go about creating any payload and name it as disk or disk sorter okay now let's create a payload guys and name it as disk.exe so let's go back to okay so here we have several shells running i'm gonna exit okay use the same msf phenom command and change payload v2 to b1 to v2 now let's check the permissions on my programs let's take a look so don't bother administrators don't bother system and the owner let's take a look at the users we are part of the users group as you can see we have read execute ad and wd which means we can create subdirectories and files so that condition is met we can create files and directories under my programs now our payload is in the pipeline so it has been created let's now spawn a web server okay and now we will download the payload so cd back to an eye again i'm going to download this all right so powershell partial to the rescue now i think we can retrieve the old command the old partial command we have typed a while ago so we need to modify every single detail payload v2 v2 and now we will execute [Music] and now we have payload v2 guys so we will grant everyone now access to this payload to execute write read and so on and so forth first let's move this payload guys to the directory of the service executable which is under see my programs now we will have to choose which one so as i said earlier the flow of the execution will start as see my programs disk.exe and then see my programs disk sorter.exe so as i said earlier guys we will choose the first flow see my programs disk dot exe so we will rename our payload to disk dot dxe and move it to my programs okay [Music] so move no no no no that's not correct one okay see my programs let's see one file moved and now we will give it permissions okay now the last thing is to restart the service so we have the listener we need to make sure the listener is running [Music] okay right see and we received the shell who am i and you are service user too so see the users service user 2 and this is the flag so this is the flag for the task of this user i'm going here let's see here paste so that's correct lastly get the flag on the administrator's desktop now getting the flag on the administrator desktop relies on another aspect of privilege escalation which is insecure permissions okay let's go over this again guys as i said earlier when we exploit service misconfigurations whether it is insecure um permissions on the executable encoded service pass or the one that we will be exploiting now which is insecure safer permissions you will have to enumerate the services list them and choose a service to become of your interest okay now in the current example here or in this example we will go we will be enumerating a specific service for insecure permissions but not service pair but not the executable permissions but the service itself which we call it the discretionary access control list okay now we can enumerate discretionary access control list of any service using access check so you can find access check under let's see cd access check okay now we can use access check to enumerate the discretionary access control list of the service now miss configurations in the discretionary access control list of any servers uh are common okay so the way to enumerate them is we use access check so now access check 64 and then dash qlc and the service name the service name is thm service i'm going to agree okay so what we're looking for we're looking for a string called service all access so we have serviceable access but to whom to all users which means all users can play with the service can reconfigure the service okay now what's going to happen here guys again we're going to build a payload okay and retrieve the payload to the machine and reconfigure the service to use that payload okay going back to the machine now my machine exit okay new tab or i don't want to open a new tab because i want to use the same command so i'm going to stop this and here name it v3 while this is running let's go back and then we will check powershell to download the payload this time would be v3 before executing make sure the payload has been created and the server is running and we have payload v3 now okay now let's give everyone again access to modify on this payload by saying it and then the path to the payload okay so this is for the process one files okay now let's enumerate the surface a bit see where is the path or what is the surface executable that it is using so scpc dhm service [Music] as you can see it is using dhm service executable and it is running under svc user three so normally what's happening here is that if we are able to make the servers execute our own payload we will escalate to service user three but since we have a misconfiguration in the discretionary access control lists where everyone as you can see all the users all the users can have all sorts of access on the service what we can do here guys we can not only change the executable we can also change the user that the service is running under which means if we are able to reconfigure the service to use our own payload period v3 under binary path name and use local system or net authority system as a user we will be able to escalate to the highest privileged user on the system so how to do that we're going to use sc config and the service name so here we are configuring the binary path okay the binary path will be the path to our own payload in this case it is under desktop no need to move your payload here okay so we go to this is the path [Music] payload v3 and lastly to change the user we use the objects i'm going to use local system indicating that we would like to change the service start name to local system the user will be local system and executor will be payout v3 execute success and now we will restart the service [Music] before doing so make sure that your listener is running [Music] the specified service does not exist exactly doesn't exist there was a typo all right let's see and we received a session who am i and you are the highest privileged user and this is the last flag this is the administrator flag guys [Music] okay this is done so now we have as you can see gone over the passwords and again scheduled tasks and services configurations stop the machine now okay take a break and then we will be on to task six and seven where we'll be abusing dangerous privileges and vernal software let's start the machine here and see how many questions we have to answer get the flag on the administrator's desktop okay so we start off with enumerating the privileges of the current account who am i slash proof [Music] so we see we have say take ownership privilege take ownership of files other objects which means the current user can take ownership of any object on the system files directories subdirectories registry keys this means if we are able to find a service or a process running under a highly privileged user such as the net authority system we can take over the executable or the service or process executable replace it with with whatever object we want okay so how can we start this the first thing we now know that we have city ownership privilege let's now let me give you a look now on the executable that we will exploit so basically the executable is running under c windows system 32 which is the utility man executable the utility man is a built-in windows application used to provide ease of access options during the lock screen so if you take a look at the lock screen as you can see this is the utility man executable okay let's now log in back this is the executable that you will execute exploit so the word is mine the password okay let's first locate the path of the executable so it is under c or cd let's see it actually dir find string [Music] [Music] okay i'm not going to search for this one so normally the executable or utility man is found under system 32 okay now in order to use that privilege or advantage let's first use the take on command slash f and we indicate the path of the executable which we want to take ownership so now we have taken ownership of the file as you can see the file or folder here now owned by wizard thm take ownership now the next thing is we give ourselves full permissions over this executable our user is thm take ownership lbf and now we have given ourselves full permissions of our utilityman so what happened here guys we moved the ownership of the file of the binary to our user and then we granted our set permissions so now we are able to do whatever we want on the executable modify it change it copy it move it whatever you like so the objective here is to change the utility man with cmd okay since utility man is running under system spawning or replacing it with cmd we will be able to spawn a shell under the net authority system so the cmd is under system 32 move cmd [Music] access denied access denied now let's go back so white access is denied i don't understand let's see here the permissions so thm take ownership has full access okay but why can't we move um or why can't we replace it let's try copy yes so the copying has been successful okay let's try now now what's going to happen instead of executing the utility man the command prompt will execute so lock the screen and indeed as you can see new shell has been spawned see who you are you are the net authority system retrieve the flag and this is your flag [Music] [Music] oops i think we didn't actually copy the flag yep i think we have typed this ourselves dhm itself [Music] c ah thmc flag privilege all uppercase [Music] and it works guys okay stop the machine terminate and the last task is abusing vulnerable software which is super easy guys super easy what you're going to do here you have a program called drover in sync which is burnable okay now much like any other exploit or another vulnerability you would stumble upon when you conduct pen testing on the web application vulnerabilities you would look for a vulnerable version and then you would look for a matching exploit that's what we're going to do here a program running on the system called rova sync it is vulnerable and they have presented you with the exploit ready all you have to do is to change the command here so not only you will add a user called pawn d you will add it also to the local administrators group okay so after doing so you will be able to spawn a session under the user pawn d okay now we started the instance guys this is the vulnerable program here okay drove in sync and here we are demonstrating one of the methods to escalate your privileges on windows which is exploiting vulnerable programs or out-of-date programs okay now the exploit is ready for your convenience you go to tools and this is the drover instinct exploit you can right click open it in notepad this is the exploit okay now this exploit is ready guys much like any web exploit you would find on the internet right so what we're going to do here guys we're going to change only the cmd okay so the command now is adding is called pawn d okay we're going to change this so net user pawn d and then specify a password say try hack me slash add and execute another command which is adding that user to the administrator group net local group administrator on d slash ad okay the password i think i'm gonna make it a bit complex thm dhm the user will be let's say pawn f okay we save this and then we will open partial editor i'm gonna copy the exploit paste it here save it okay so this is the explode we'll add user called pawn f with the password dhm uppercase the html or case 133 and add the user to the administrators group upon execution now let's save one more time okay let's now check if the user has been added so net user on f indeed now the user has been added and as you can see it's part of the administrator's group the next thing now is we spawn a shell as that user so we're going to minimize this and run as user pawn f move run or spawn command prompt password [Music] okay and now we spawn as the new user let's now pick the flag so who is this user o m i slash preview okay so cd users or c [Music] so the flag isn't here let's go back [Music] the flag i guess will be under pawn c let's see pawn see ah okay so i guess to find the flag guys we will have to abide by the user created in the task it is pawn d so i'm going to minimize close this one get back to the code change this to pawn do the password stays the same save let's use okay log in now as pawn d oops [Music] we're still getting this dhm thm one more time [Music] and able to run i guess the user hasn't been added guys you can see there's only pawn f and pawn c [Music] okay however however let's log in back to log pawn feed i i think it doesn't matter if the name of the user that you have created let's now try to see to administrator most importantly is we are able to see the administrator ah no [Music] local group memberships administrators and users yet we are not able to see the administrators okay let's do this go back and change this to only adding the user to administrators group on f save okay back now let's close this shell i still i'm getting access tonight this task is weird okay let's try another method so instead of using run as if we try to run cmd as administrator and more choices we choose pawn f the password is t h m uppercase t h m lowercase 3 yes okay cdc oh it worked now okay dir cd desktop and this is guys the last flag of this room and finally this is finished i hope you guys liked the video okay if you have any opinion you can comment it in the comment box and i will see you in the next video

Info

Channel: Motasem Hamdan

Views: 22,952

Rating: undefined out of 5

Keywords: windows

Id: k_99-dXtdpc

Channel Id: undefined

Length: 77min 37sec (4657 seconds)

Published: Tue Jul 12 2022