MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

Bad Policies

by sealldev
🚩 CTFs DownUnderCTF 2024 forensics
Bad Policies / DownUnderCTF 2024
Bad Policies

Description

Looks like the attacker managed to access the rebels Domain Controller. Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?

Original Writeup on seall.dev

We are given a folder of artifacts which looks like policies and various other configuration files from a DC.

The one that catches my eye is the Groups.xml. I see a cpassword value and look it up. I find an article from InfoSecWriteups that mentions the utility gpp-decrypt to decrypt the hash.

$ gpp-decrypt "B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2"
DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}

Flag: DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}

Related Writeups

Chunked Integrity

This is one of my favorite images! Unfortunately something has gone wrong and I cant see the whole thing, can you help f ...

Just Packets

Here pcap. Find flag.

Keeping on Schedule

One of our computers on the company network had some malware on it. We think we cleared of the main payload however it c ...

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub