Reg Query - Remotely check if someone is logged into a Windows system

Let’s say you compromise credentials of user <username> and you want to see if they are logged into a specific machine (<hostname>). Below is how to accomplish this:

I also wrote a quick script to run through a list of hostnames. It can be found on my GitHub.

# From a system on the network (or use runas with the domain user's credentials to spawn a CMD/PowerShell session)

PS C:\> whoami
PS C:\> hostname
PS C:\> reg query \\VM-host2\HKEY_USERS


# strSID is one of the SIDs listed under HKEY_USERS in the output above
PS C:\> $strSID="S-1-5-21-<string>"
PS C:\> $uSid = [ADSI]"LDAP://<SID=$strSID>"
PS C:\> echo $uSid

distinguishedName : {CN=bob,OU=Technical User,OU=Managed,OU=Domain Users,DC=<domain>DC=<domainMore>}
Path              : LDAP://<SID=<SIDSTRING>>

# bob is logged into that machine
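The same two steps (list the loaded profile SIDs under the remote HKEY_USERS hive, then resolve each SID through ADSI) wrapped in a function that walks a list of hostnames. This is an added example, not the script from the post's GitHub; the hostnames in `$hosts` are constructed placeholders, and the query only succeeds where the Remote Registry service is reachable and the calling account may read the remote hive.

```powershell
# Constructed placeholder hostnames; replace with the hosts you are checking.
$hosts = @('VM-host2', 'VM-host3')

function Get-RemoteLoggedOnUsers {
    param([string[]]$ComputerName)
    foreach ($h in $ComputerName) {
        # Same call as in the post: list loaded profile hives on the remote host.
        $out = & reg.exe query "\\$h\HKEY_USERS" 2>&1
        if ($LASTEXITCODE -ne 0) {
            # Remote Registry disabled, host offline, or access denied: report and move on.
            Write-Warning "$h : reg query failed ($out)"
            continue
        }
        # Keep only domain/local account SIDs (S-1-5-21-...). This skips the
        # well-known SIDs (S-1-5-18/19/20) and the *_Classes keys that duplicate
        # every loaded profile, so each logged-on account appears once.
        $sids = $out | Select-String -Pattern 'S-1-5-21-[\d-]+$' |
            ForEach-Object { $_.Matches[0].Value } | Sort-Object -Unique
        foreach ($sid in $sids) {
            try {
                # Same ADSI SID binding as in the post; needs domain connectivity.
                $obj  = [ADSI]"LDAP://<SID=$sid>"
                $name = [string]$obj.sAMAccountName
                $dn   = [string]$obj.distinguishedName
            } catch {
                # Unresolvable SID (local account, deleted object, no domain access).
                $name = $null; $dn = $null
            }
            [pscustomobject]@{ Host = $h; SID = $sid; User = $name; DN = $dn }
        }
    }
}

Get-RemoteLoggedOnUsers -ComputerName $hosts | Format-Table -AutoSize
```

A profile hive loaded under HKEY_USERS means the account has a session (interactive, RDP, or a service running as that user), so an entry with an empty User column is a SID the domain could not resolve rather than proof nobody is logged on.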

My first boot2root - SecKC

Recently I just published my first boot2root VM out on vulnhub.

This was the first boot2root that I created and quite frankly, I had a blast creating it. I learned a lot from creating this VM. To be honest, creating something vulnerable and having it be 'solvable' takes a lot of time, trial and error and testing in order for it to be successful. Now, was this successful? It is yet to be seen, but within 12 hours of publishing the VM, someone on twitter took a screen cap of the root flag. I'd like to think it was successful :)

Now, I'm waiting to publish a walkthrough (at least how I envisioned this walkthrough) until more people have had a chance to attempt it. 

But here is a sneak peek at how I envisioned this boot2root being solved:

I made this VM with a static IP address (

We first run nmap against this IP and discover 3 open ports:

We first go to port 80 and are presented with the following red herring:

This page is nothing more than a SecKC image.

Let's look at port 8888:

Oh wow. Lots of information here. Let's check out the whole page:

Kansas City's Hacker Hive

Kansas City! The city of fountains! Did you know the Chiefs won SUPER BOWL LIV?! Oh, and the Royals won THE WORLD SERIES in 2015?! Oh man, that's a lot of awesome. But did you know that Kansas City has the largest Monthly InfoSec meet-up? That's right! SecKC hosts the largest monthly meet-up EVERY. MONTH.

    root@kali:/rapid7/metasploit-framework:master$ MSFLOGO="data/logos/haKCers.txt" ./msfconsole

                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-			
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-			
                      :dopeAW.No.nano.o                     :is:TЯiKC.sudo-.A:
                      :we're.all.alike'`                     The.PFYroy.No.D7:			
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:			
                      :msf:exploit -j.                       :Ns.BOB.ALICEes7:			
                      :---srwxrwx:-.`                        `MS146.52.No.Per:			
                      :.script..Ac816/                        sENbove3101.404:			
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:			
                      :hvensntSurb025N.                      dNVRGOING2GIVUUP:			
                      :#OUTHOUSE-  -s:                       /corykennedyData:			
                      :$nmap -oS                              SSo.6178306Ence:			
                      :Awsm.da:                            /shMTl#beats3o.No.:			
                      :Ring0:                             `dDestRoyREXKC3ta/M:			
                      :23d:                               sSETEC.ASTRONOMYist:			
                       /-                        /yo-    .ence.N:(){ :|:  };:			

       =[ metasploit v5.0.61-dev-618a7c9771               ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 >

Destroy No Data
Maintain No Persistence
Above Else, Do No Harm

Bob and Alice


Random Name

Represent SecKC with swag!

 Kansas City, USA
Powered by HAKCERs

Lots of great information on SecKC and Kansas City! Let's run dirb to see if we can reach any other pages:

Hmm. Nothing. Let's run CeWL to build a wordlist from this page to see if there's any directories we aren't seeing due to the "common.txt" wordlist we've been using:

Alright, let's try dirb again, this time with our new wordlist:

Sweet! We found a new directory, "/SecKCTheWorld/". Let's check it out.