Winja CTF | Nullcon Goa 2022

ARZ101
Sep 9, 2022

Winja CTF ran from 9th September 10:30 AM IST to 17:00 PM IST. It had a lot of fun challenges and categories, but I was only able to touch Active Directory, and in this category there were only 3 challenges. I wish I could have attempted the rest of the challenges, but anyway, here's how I solved them.

Blemflarck

This challenge is related to Active Directory. We are given three files: admins.txt, hosts and nmap.txt

admins.txt contains a list of usernames

nmap.txt contains the result of an nmap scan of the domain controller

and hosts contains the IP and domain name of the target

To start, we have a list of usernames for the domain, and we need to verify which of them are valid on the domain. For that we can use kerbrute

We can then try AS-REP roasting using GetNPUsers from impacket. The user shreya doesn't have pre-authentication set, so without providing a valid password we can request a TGT for that user; part of the reply is encrypted with a key derived from the user's password, which is what makes it crackable offline

GetNPUsers.py vindicators.space/ -usersfile ./admins.txt -request

To crack this we can use hashcat with mode 18200

hashcat -a 0 -m 18200 ./hash.txt /usr/share/wordlists/rockyou.txt --force

This cracks the hash, giving the password $anturce77RioGr@ndePR

With the credentials in hand, we can log in through WinRM, which is running on port 5985, using evil-winrm

evil-winrm -i 34.218.188.252 -u 'shreya' -p '$anturce77RioGr@ndePR'

After logging in we can get the flag for this challenge

PhoenixPerson

This challenge is a continuation of the first one. We now have a valid set of credentials, so we can try kerberoasting: if there's an SPN tied to a user account, we can request a TGS for it and later crack it offline

GetUserSPNs.py vindicators.space/shreya -request

Running hashcat to crack this hash

Now logging in as the mirage user

evil-winrm -i 34.218.188.252 -u 'mirage' -p '!@#New_Life87!@#'
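Both footholds above come from account settings that can be audited from the directory side. The following is an added example (not part of the original write-up or of any tool used in it) that flags users with pre-authentication disabled and users carrying an SPN; the record layout, account names and SPNs are constructed sample data.

```python
# Added example: audit directory user records for the two weaknesses used above.
# The record layout (dicts of LDAP attributes) and all sample values are constructed.

UF_ACCOUNTDISABLE = 0x00000002     # userAccountControl bit: account is disabled
UF_DONT_REQ_PREAUTH = 0x00400000   # userAccountControl bit: Kerberos pre-auth not required


def audit_user(attrs):
    """Return a list of findings for one user's LDAP attributes."""
    uac = int(attrs.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        return []  # this example only reports on enabled accounts
    findings = []
    if uac & UF_DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: pre-authentication not required")
    spns = attrs.get("servicePrincipalName") or []
    if isinstance(spns, str):  # a single value may arrive as a bare string
        spns = [spns]
    if spns:
        findings.append("Kerberoastable: SPN set on user account (%s)" % ", ".join(spns))
    return findings


def audit(users):
    """Map sAMAccountName -> findings, omitting accounts with no findings."""
    report = {}
    for attrs in users:
        findings = audit_user(attrs)
        if findings:
            report[attrs["sAMAccountName"]] = findings
    return report


# Constructed sample records (not taken from the CTF environment).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},            # normal account
    {"sAMAccountName": "bob", "userAccountControl": 0x200 | 0x400000},   # pre-auth disabled
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},       # SPN on a user
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | 0x2 | 0x400000,
     "servicePrincipalName": "HTTP/old.example.test"},                   # disabled: skipped
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Accounts flagged this way are candidates for re-enabling pre-authentication or, for service accounts, moving to long random passwords or group managed service accounts.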

DAB-389 b

This challenge is the last part of the AD category, where we need to find the third flag through the user mirage

In the description, the number 389 refers to LDAP, since that is the port number for the service, so we need to enumerate LDAP. There's a tool for this called ldapdomaindump

ldapdomaindump -u 'mirage' -p '!@#New_Life87!@#' ldap://34.218.188.252

This will generate some HTML files for users, groups and computers in the domain. Going through the domain_users.html file, we'll get the first part of the flag

The second part will be found from domain_computers.html

And the third one from domain_groups.html

We can get the flag through grep as well by using a regular expression

Which makes the final flag

flag{3fe05494a09ac38bb5199698b475c48c_LD4P_3num3r4t10n_FTW_:)}

There were good challenges and a lot of categories including web3, cloud and source code review, which I haven't done before. Due to me doing "real world assessments", I wasn't able to touch the rest of the challenges.
