From 25702b850427b4bb918e8f41f4c4e469a8d332d2 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sun, 15 Sep 2024 22:18:51 +0300
Subject: [PATCH] Update Tengu.md

---
 Vulnlab/Tengu.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/Vulnlab/Tengu.md b/Vulnlab/Tengu.md
index d59aad8..94eec7e 100644
--- a/Vulnlab/Tengu.md
+++ b/Vulnlab/Tengu.md
@@ -105,6 +105,25 @@ Dev didn't had anything interesting while there was one set of credential from D
 
 <img src="https://i.imgur.com/001siDc.png"/>
 
+Attempting to crack this with rockyou.txt didn't work as the password wasn't present there however crackstation came in handy here
+
+<img src="https://i.imgur.com/fLZciwp.png"/>
+
+<img src="https://i.imgur.com/62buPKb.png"/>
+
+Having the credentials, we can verify if this is a valid domain user
+
+<img src="https://i.imgur.com/e6T9dEw.png"/>
+
+With `bloodhound-python`, the domain can be enumerated
+
+```bash
+proxychains bloodhound-python -d tengu.vl -u t2_m.winters -p 'Tengu123' -c all -ns 10.10.183.37 
+```
+
+<img src="https://i.imgur.com/EwzmEoc.png"/>
+
+
 # References
 
 - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
@@ -113,4 +132,6 @@ Dev didn't had anything interesting while there was one set of credential from D
 ```
 nodered_connector:DreamPuppyOverall25
 t2_m.winters:af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147
+t2_m.winters:Tengu123
+
 ```