MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

SAM I AM

by sealldev
🚩 CTFs DownUnderCTF 2024 forensics
Suggested: #hash-cracking
SAM I AM / DownUnderCTF 2024
SAM I AM

Description

The attacker managed to gain Domain Admin on our rebels Domain Controller! Looks like they managed to log on with an account using WMI and dumped some files. Can you reproduce how they got the Administrator's Password with the artifacts provided?
Place the Administrator Account's Password in DUCTF{}, e.g. DUCTF{password123!}

Original Writeup on seall.dev

We are given a sam.bak and a system.bak which are backups of the registry hives, we can use impacket’s secretsdump.py to extract the passwords.

$ python3 /usr/bin/secretsdump.py -sam sam.bak -system system.bak LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xa88f47504785ba029e8fa532c4c9e27b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:476b4dddbbffde29e739b618580adb1e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

We can then use the output of Administrator as a hash for hashcat:

$ hashcat -a 0 -m 1000 admin-hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
476b4dddbbffde29e739b618580adb1e:!checkerboard1

The password is !checkerboard1!

Flag: DUCTF{!checkerboard1}

Related Writeups

Chunked Integrity

This is one of my favorite images! Unfortunately something has gone wrong and I cant see the whole thing, can you help f ...

Just Packets

Here pcap. Find flag.

Keeping on Schedule

One of our computers on the company network had some malware on it. We think we cleared of the main payload however it c ...

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub