MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

SAM I AM

by sealldev
🚩 CTFs DownUnderCTF 2024 forensics
Suggested: #hash-cracking
SAM I AM / DownUnderCTF 2024
SAM I AM

Description

The attacker managed to gain Domain Admin on our rebels Domain Controller! Looks like they managed to log on with an account using WMI and dumped some files. Can you reproduce how they got the Administrator's Password with the artifacts provided?
Place the Administrator Account's Password in DUCTF{}, e.g. DUCTF{password123!}

Original Writeup on seall.dev

We are given a sam.bak and a system.bak which are backups of the registry hives, we can use Impackets secretsdump.py to extract the passwords.

$ python3 /usr/bin/secretsdump.py -sam sam.bak -system system.bak LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xa88f47504785ba029e8fa532c4c9e27b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:476b4dddbbffde29e739b618580adb1e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

We can then use the output of Administrator as a hash for hashcat:

$ hashcat -a 0 -m 1000 admin-hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
476b4dddbbffde29e739b618580adb1e:!checkerboard1

The password is !checkerboard1!

Flag: DUCTF{!checkerboard1}

Related Writeups

Information

Files can always be changed in a secret way. Can you find the flag? Hint: Look at the details of the file Hint: Make su ...

#easy

Mob psycho

Can you handle APKs?

#medium

Secret of the Polyglot

The Network Operations Center (NOC) of your local institution picked up a suspicious file, they're getting conflicting i ...

#easy

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub