Winja CTF | Nullcon Goa 2022

Winja CTF ran from 9th September 10:30 AM IST to 17:00 PM IST, it had a lot of fun challenges and categories but I was only able touch Active Directory and in this category there were only 3 challenges. I wish I could have attempted the rest of the challenges by anyway here’s how I solved them


This challenge is related to Active Directory in which we are given these files, admins.txt , hosts and nmap.txt

admins.txt contains a list of usernames

nmap.txt contains result of nmap of the domain controller

and hosts contains the IP and domain name of the target

Now to start solving this, we have a list of usernames of the domain,we need to verify which users are valid on the domain for that we can use kerbrute

We can try performing AS-REP roasting using GetNPUsers from impacket in which the user shreya doesn’t have pre-authentication set so without providing a valid password for the user we can request for his TGT -usersfile ./admins.txt -request

To crack this we can use hashcat with mode 18200

hashcat -a 0 -m 18200 ./hash.txt /usr/share/wordlists/rockyou.txt --force

This will crack the hash with password $anturce77RioGr@ndePR

Now having the credentials we can login through WinRM which is running on port 5985 using evil-winrm

evil-winrm -i -u 'shreya' -p '$anturce77RioGr@ndePR'

After logging in we can get the flag for this challenge


This challenge is continuation from the first one, we have a valid set of credential, we can try using kerberoasting, if there’s a SPN tied to an account we can request for TGS and later crack it -request

Runing hashcat to crack this hash

Now logging with mirage user

evil-winrm -i -u 'mirage' -p '!@#New_Life87!@#'

DAB-389 b

This challenge is the last part of AD category where we need to find the third flag through the user mirage

From the description the number 389 is referenced as LDAP which is the port number for that service, we need to enumerate LDAP, there’s a tool called ldapdomaindump

ldapdomaindump -u 'mirage' -p '!@#New_Life87!@#' ldap://

This will generate some html files for users, groups and computers in the domain, going through the domain_users.html file we’ll get the first part of the flag

The second part will be found from domain_computers.html

And the third one from domain_groups.html

We can get the flag through grep as well by using regular expression

Which makes the final flag


There were good challenges and a lot of categories including web3, cloud and source code review which I haven’t done before, due to me doing “real world assessments” I wasn’t able to touch the rest of the challenges




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store