👨‍💻
CTFs
HomePlaygroundOSCPBuy Me a Flag 🚩
  • 🚩Zeyu's CTF Writeups
  • Home
  • Playground
  • OSCP
  • My Challenges
    • SEETF 2023
    • The InfoSecurity Challenge 2022
    • SEETF 2022
    • Cyber League Major 1
    • STANDCON CTF 2021
      • Space Station
      • Star Cereal
      • Star Cereal 2
      • Mission Control
      • Rocket Science
      • Space University of Interior Design
      • Rocket Ship Academy
      • Space Noise
  • 2023
    • DEF CON CTF 2023 Qualifiers
    • hxp CTF
      • true_web_assembly
    • HackTM CTF Qualifiers
      • Crocodilu
      • secrets
      • Hades
  • 2022
    • niteCTF 2022
      • Undocumented js-api
      • js-api
    • STACK the Flags 2022
      • Secret of Meow Olympurr
      • The Blacksmith
      • GutHib Actions
      • Electrogrid
      • BeautyCare
    • LakeCTF Qualifiers
      • People
      • Clob-Mate
      • So What? Revenge
    • The InfoSecurity Challenge 2022
      • Level 1 - Slay The Dragon
      • Level 2 - Leaky Matrices
      • Level 3 - PATIENT0
      • Level 4B - CloudyNekos
      • Level 5B - PALINDROME's Secret (Author Writeup)
    • BalsnCTF 2022
      • 2linenodejs
      • Health Check
    • BSidesTLV 2022 CTF
      • Smuggler
      • Wild DevTools
      • Tropical API
    • Grey Cat The Flag 2022
    • DEF CON CTF 2022 Qualifiers
    • Securinets CTF Finals 2022
      • StrUggLe
      • XwaSS ftw?
      • Strong
      • Artist
    • NahamCon CTF 2022
      • Flaskmetal Alchemist
      • Hacker TS
      • Two For One
      • Deafcon
      • OTP Vault
      • Click Me
      • Geezip
      • Ostrich
      • No Space Between Us
    • Securinets CTF Quals 2022
      • Document-Converter
      • PlanetSheet
      • NarutoKeeper
    • CTF.SG CTF
      • Asuna Waffles
      • Senpai
      • We know this all too well
      • Don't Touch My Flag
      • Wildest Dreams Part 2
      • Chopsticks
    • YaCTF 2022
      • Shiba
      • Flag Market
      • Pasteless
      • Secretive
      • MetaPDF
      • Crackme
    • DiceCTF 2022
      • knock-knock
      • blazingfast
    • TetCTF 2022
      • 2X-Service
      • Animals
      • Ezflag Level 1
  • 2021
    • hxp CTF 2021
    • HTX Investigator's Challenge 2021
    • Metasploit Community CTF
    • MetaCTF CyberGames
      • Look, if you had one shot
      • Custom Blog
      • Yummy Vegetables
      • Ransomware Patch
      • I Hate Python
      • Interception
    • CyberSecurityRumble CTF
      • Lukas App
      • Finance Calculat0r 2021
      • Personal Encryptor with Nonbreakable Inforation-theoretic Security
      • Enterprice File Sharing
      • Payback
      • Stonks Street Journal
    • The InfoSecurity Challenge (TISC) 2021
      • Level 4 - The Magician's Den
      • Level 3 - Needle in a Greystack
      • Level 2 - Dee Na Saw as a need
      • Level 1 - Scratching the Surface
    • SPbCTF's Student CTF Quals
      • 31 Line PHP
      • BLT
      • CatStep
    • Asian Cyber Security Challenge (ACSC) 2021
      • Cowsay As A Service
      • Favorite Emojis
      • Baby Developer
      • API
      • RSA Stream
      • Filtered
      • NYONG Coin
    • CSAW CTF Qualification Round 2021
      • Save the Tristate
      • securinotes
      • no pass needed
      • Gatekeeping
      • Ninja
    • YauzaCTF 2021
      • Yauzacraft Pt. 2
      • Yauzabomber
      • RISC 8bit CPU
      • ARC6969 Pt. 1
      • ARC6969 Pt. 2
      • Back in 1986 - User
      • Lorem-Ipsum
    • InCTF 2021
      • Notepad 1 - Snakehole's Secret
      • RaaS
      • MD Notes
      • Shell Boi
      • Listen
      • Ermittlung
      • Alpha Pie
    • UIUCTF 2021
      • pwnies_please
      • yana
      • ponydb
      • SUPER
      • Q-Rious Transmissions
      • capture the :flag:
      • back_to_basics
      • buy_buy_buy
    • Google CTF 2021
      • CPP
      • Filestore
    • TyphoonCon CTF 2021
      • Clubmouse
      • Impasse
    • DSTA BrainHack CDDC21
      • File It Away (Pwn)
      • Linux Rules the World! (Linux)
      • Going Active (Reconnaissance)
      • Behind the Mask (Windows)
      • Web Takedown Episode 2 (Web)
      • Break it Down (Crypto)
    • BCACTF 2.0
      • L10N Poll
      • Challenge Checker
      • Discrete Mathematics
      • Advanced Math Analysis
      • Math Analysis
      • American Literature
      • More Than Meets the Eye
      • 􃗁􌲔􇺟􊸉􁫞􄺷􄧻􃄏􊸉
    • Zh3ro CTF V2
      • Chaos
      • Twist and Shout
      • 1n_jection
      • alice_bob_dave
      • Baby SSRF
      • bxxs
      • Sparta
    • Pwn2Win CTF 2021
      • C'mon See My Vulns
      • Illusion
    • NorzhCTF 2021
      • Leet Computer
      • Secure Auth v0
      • Triskel 3: Dead End
      • Triskel 2: Going In
      • Triskel 1: First Contact
      • Discovery
    • DawgCTF 2021
      • Bofit
      • Jellyspotters
      • No Step On Snek
      • Back to the Lab 2
      • MDL Considered Harmful
      • Really Secure Algorithm
      • The Obligatory RSA Challenge
      • Trash Chain
      • What the Flip?!
      • Back to the Lab 1
      • Back to the Lab 3
      • Dr. Hrabowski's Great Adventure
      • Just a Comment
      • Baby's First Modulation
      • Two Truths and a Fib
    • UMDCTF 2021
      • Advantageous Adventures
      • Roy's Randomness
      • Whose Base Is It Anyway
      • Cards Galore
      • Pretty Dumb File
      • Minetest
      • Donnie Docker
      • Subway
      • Jump Not Easy
      • To Be XOR Not To Be
      • Office Secrets
      • L33t M4th
      • Bomb 2 - Mix Up
      • Jay
    • Midnight Sun CTF 2021
      • Corporate MFA
      • Gurkburk
      • Backups
    • picoCTF 2021
      • It Is My Birthday (100)
      • Super Serial (130)
      • Most Cookies (150)
      • Startup Company (180)
      • X marks the spot (250)
      • Web Gauntlet (170 + 300)
      • Easy Peasy (40)
      • Mini RSA (70)
      • Dachshund Attacks (80)
      • No Padding, No Problem (90)
      • Trivial Flag Transfer Protocol (90)
      • Wireshark twoo twooo two twoo... (100)
      • Disk, Disk, Sleuth! (110 + 130)
      • Stonks (20)
    • DSO-NUS CTF 2021
      • Insecure (100)
      • Easy SQL (200)
Powered by GitBook
On this page
  • Hello Guest
  • SMB Shares
  • Old Memories
  • Register
  • Last Note

Was this helpful?

  1. 2021
  2. DSTA BrainHack CDDC21

Behind the Mask (Windows)

Hello Guest

Port scan:

└─# nmap -sC -sV -v -Pn 54.255.213.169
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-06-24 02:10:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: GDC)
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: GDC
|   NetBIOS_Domain_Name: GDC
|   NetBIOS_Computer_Name: GDC-DC-J
|   DNS_Domain_Name: gdc.local
|   DNS_Computer_Name: GDC-DC-J.gdc.local
|   DNS_Tree_Name: gdc.local
|   Product_Version: 10.0.14393
|_  System_Time: 2021-06-24T02:10:15+00:00
| ssl-cert: Subject: commonName=GDC-DC-J.gdc.local
| Issuer: commonName=GDC-DC-J.gdc.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-16T15:44:01
| Not valid after:  2021-12-16T15:44:01
| MD5:   4af0 4092 e460 3e66 22e0 bfd2 201d ab7a
|_SHA-1: 7c57 5c74 5cc7 ea3e a9ee 0d19 159f 4638 6bcf b1ec
|_ssl-date: 2021-06-24T02:10:55+00:00; 0s from scanner time.
Service Info: Host: GDC-DC-J; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results: 
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: GDC-DC-J
|   NetBIOS computer name: GDC-DC-J\x00
|   Domain name: gdc.local
|   Forest name: gdc.local
|   FQDN: GDC-DC-J.gdc.local
|_  System time: 2021-06-24T02:10:18+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-06-24T02:10:19
|_  start_date: 2021-06-22T10:01:52

SMB Shares

└─# smbclient -U '' -L \\\\54.255.213.169
Enter WORKGROUP\'s password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backup          Disk      
        C$              Disk      Default share
        Forensics1      Disk      
        Forensics2      Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available

Connect to Backup share with no username.

CDDC21{0LLHE_Gue$T}

Old Memories

Credentials: alexander.p:v#X1nOLqPZ

Access Forensics1 using these credentials. There is an LSASS dump, which we can use Mimikatz to interpret. This gives us the credentials John:#johnIStheBEST!.

        == MSV ==
                Username: Flag
                Domain: DESKTOP-2QFHHML
                LM: NA
                NT: 596c4994f88d93d0718bdea487092f11
                SHA1: 45b9d6c67c871a7c763e3a062c8e0684415e6834
        == WDIGEST [e0b3a]==
                username Flag
                domainname DESKTOP-2QFHHML
                password CDDC21{lsa$$_DUMP_password}
        == Kerberos ==
                Username: Flag
                Domain: DESKTOP-2QFHHML
                Password: None
        == WDIGEST [e0b3a]==
                username Flag
                domainname DESKTOP-2QFHHML
                password CDDC21{lsa$$_DUMP_password}
        == DPAPI [e0b3a]==
                luid 920378
                key_guid 9c3ff7d7-c6c0-4d8d-8c0d-7dc7428f80a1
                masterkey 6e95c4172045ea74162063f33065449b683b612d2c52b8db502b8ece05311ff16e18b4a1d737e5fc93eb0882576bc17f85f2f70e0344b6db49600e9a461a2a8f
                sha1_masterkey 06cdbed57b14937ac2008d24a56a423f919a1eb7

== LogonSession ==
authentication_id 195058 (2f9f2)
session_id 1
username John
domainname DESKTOP-2QFHHML
logon_server DESKTOP-2QFHHML
logon_time 2021-06-10T06:44:43.890166+00:00
sid S-1-5-21-2198713953-2006436724-2838398043-1001
luid 195058
        == MSV ==
                Username: John
                Domain: DESKTOP-2QFHHML
                LM: NA
                NT: 53bb900f229aa32d546f54523a96de67 
                SHA1: 1075eeefce15aa2008f2e0594babccc09cdf5d4b
        == WDIGEST [2f9f2]==
                username John
                domainname DESKTOP-2QFHHML
                password #johnIStheBEST!
        == Kerberos ==
                Username: John
                Domain: DESKTOP-2QFHHML
                Password: None
        == WDIGEST [2f9f2]==
                username John
                domainname DESKTOP-2QFHHML
                password #johnIStheBEST!
        == DPAPI [2f9f2]==
                luid 195058
                key_guid 44b05868-2d03-4f04-a2ba-fedd6e3b08f5
                masterkey 359eee0b2409c2d331ece3c70d71b8987d27a6ecf3e08848efeea3eda14c05a044f6efd3201a30cbd7e7c64fdcbb500453b22dd8cc322b2e0c3b0ff7b2850877
                sha1_masterkey 68e0bf11f62251c47a0fa84869946e72224930f5

Accessing Forensics2 as John gives us the flag.

CDDC21{lsa$$_DUMP_password}

Register

We are given a registry dump. There is a PuTTy password stored in the registry.

[HKEY_USERS\S-1-5-21-2198713953-2006436724-2838398043-1001\SOFTWARE\SimonTatham\PuTTY\Sessions\flag]

...

"ProxyPassword"="iS_Putty_s3cure?!"

...

The flag is CDDC21{iS_Putty_s3cure?!}

Last Note

Listing all the domain users, we find the flag in the description of henry.s.

└─$ enum4linux -u alexander.p -p "v#X1nOLqPZ" -U 54.255.213.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 24 00:22:40 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 54.255.213.169
RID Range ........ 500-550,1000-1050
Username ......... 'alexander.p'
Password ......... 'v#X1nOLqPZ'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

...

 =============================== 
|    Users on 54.255.213.169    |
 =============================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10ab RID: 0x461 acb: 0x00000010 Account: adrian.c      Name: Collins, Adrian   Desc: Programer at GDC
index: 0x10ae RID: 0x464 acb: 0x00000010 Account: alexander.p   Name: Perry, Alexander  Desc: Help Desk
index: 0x10a9 RID: 0x45f acb: 0x00000010 Account: andy.g        Name: Goode, Andrew     Desc: Algorithms at GDC
index: 0x10a8 RID: 0x45e acb: 0x00000010 Account: ci_admin      Name: Admin, CI Desc: Continuous Integration Admin
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000214 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10a2 RID: 0x458 acb: 0x00000010 Account: henry.s       Name: Stewart, Henry    Desc: CDDC21{We!!_D0NE}
index: 0x10a3 RID: 0x459 acb: 0x00000010 Account: jacob.c       Name: Coleman, Jacob    Desc: Customer Success Manager
index: 0x10b3 RID: 0x468 acb: 0x00000210 Account: john  Name: john      Desc: (null)
index: 0x10ac RID: 0x462 acb: 0x00000010 Account: john.m        Name: Miller, John      Desc: Programer at GDC
index: 0x10aa RID: 0x460 acb: 0x00000010 Account: justin.t      Name: Tuck, Justin      Desc: Programer at GDC
index: 0xff5 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10a5 RID: 0x45b acb: 0x00000010 Account: marcus.w      Name: Wright, Marcus    Desc: Researcher at GDC
index: 0xfbf RID: 0x3f0 acb: 0x00000210 Account: root   Name: root      Desc: (null)
index: 0x10ad RID: 0x463 acb: 0x00000010 Account: ryan.b        Name: Butler, Ryan      Desc: Help Desk Manager
index: 0x10a4 RID: 0x45a acb: 0x00000010 Account: serena.k      Name: Kagan, Serena     Desc: Researcher at GDC
index: 0x10af RID: 0x465 acb: 0x00000010 Account: svc_admin     Name: , SVC     Desc: Service admin account
index: 0x10a6 RID: 0x45c acb: 0x00000010 Account: thomas.p      Name: Parnell, Thomas   Desc: Researcher at GDC
index: 0x10a7 RID: 0x45d acb: 0x00000010 Account: vick.c        Name: Chamberlain, Vick Desc: Researcher at GDC

...

The flag is CDDC21{We!!_D0NE}

PreviousGoing Active (Reconnaissance)NextWeb Takedown Episode 2 (Web)

Last updated 3 years ago

Was this helpful?