MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

Bad Policies

by sealldev
🚩 CTFs DownUnderCTF 2024 forensics
Bad Policies / DownUnderCTF 2024
Bad Policies

Description

Looks like the attacker managed to access the rebels Domain Controller. Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?

Original Writeup on seall.dev

We are given a folder of artifacts which looks like policies and various other configuration files from a DC.

The one that catches my eye is the Groups.xml. I see a cpassword value and look it up. I find an article from InfoSecWriteups that mentions the utility gpp-decrypt to decrypt the hash.

$ gpp-decrypt "B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2"
DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}

Flag: DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}

Related Writeups

Information

Files can always be changed in a secret way. Can you find the flag? Hint: Look at the details of the file Hint: Make su ...

#easy

Mob psycho

Can you handle APKs?

#medium

Secret of the Polyglot

The Network Operations Center (NOC) of your local institution picked up a suspicious file, they're getting conflicting i ...

#easy

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub