Tangled Heist
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Tangled Heist
- Category: Forensics
- Difficulty: Easy
- Points: 325
- Description: The survivors’ group has meticulously planned the mission ‘Tangled Heist’ for months. In the desolate wasteland, what appears to be an abandoned facility is, in reality, the headquarters of a rebel faction. This faction guards valuable data that could be useful in reaching the vault. Kaila, acting as an undercover agent, successfully infiltrates the facility using a rebel faction member’s account and gains access to a critical asset containing invaluable information. This data holds the key to both understanding the rebel faction’s organization and advancing the survivors’ mission to reach the vault. To get the flag, spawn the docker instance and answer the questions!
Writeup
Question 1
[1/11] Which is the username of the compromised user used to conduct the attack? (for example: username)
> copper
[+] Correct!

As shown above, rebcorp.htb\copper was used to conduct the attack.
Question 2
[2/11] What is the Distinguished Name (DN) of the Domain Controller? Don't put spaces between commas. (for example: CN=...,CN=...,DC=...,DC=...)
> CN=SRV195,OU=Domain Controllers,DC=rebcorp,DC=htb
[+] Correct!
Wireshark filter: ldap.protocolOp

Question 3
[3/11] Which is the Domain managed by the Domain Controller? (for example: corp.domain)
> rebcorp.htb
[+] Correct!
See above.
Question 4
[4/11] How many failed login attempts are recorded on the user account named 'Ranger'? (for example: 6)
> 14
[+] Correct!

Question 5
[5/11] Which LDAP query was executed to find all groups? (for example: (object=value))
> (objectClass=group)
[+] Correct!
$ tshark -r capture.pcap -2 -Y 'ldap and ldap.protocolOp == 3' -T json -J ldap
$ tshark -r capture.pcap -2 -Y 'ldap and ldap.protocolOp == 3' -O ldap
Frame 309: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits) on interface \Device\NPF_{EAA86EC9-DB17-4E28-A68A-13782E3225D2}, id 0
Ethernet II, Src: PCSSystemtec_45:29:04 (08:00:27:45:29:04), Dst: PCSSystemtec_6e:f1:3b (08:00:27:6e:f1:3b)
Internet Protocol Version 4, Src: 10.10.10.43, Dst: 10.10.10.100
Transmission Control Protocol, Src Port: 49941, Dst Port: 389, Seq: 1215, Ack: 344668, Len: 106
Lightweight Directory Access Protocol
LDAPMessage searchRequest(8) "DC=rebcorp,DC=htb" wholeSubtree
messageID: 8
protocolOp: searchRequest (3)
searchRequest
baseObject: DC=rebcorp,DC=htb
scope: wholeSubtree (2)
derefAliases: derefAlways (3)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (objectClass=group)
filter: equalityMatch (3)
equalityMatch
attributeDesc: objectClass
assertionValue: group
attributes: 1 item
AttributeDescription: *
[Response In: 310]
controls: 1 item
Control
controlType: 1.2.840.113556.1.4.319 (LDAP_PAGED_RESULT_OID_STRING)
SearchControlValue
size: 500
cookie: <MISSING>
Question 6
[6/11] How many non-standard groups exist? (for example: 1)
> 5
[+] Correct!
Five non-standard groups: Raiders, Scavengers, Agents, Watchers and Enclave (the searchResEntry objects under CN=Users in the output below).
$ tshark -r capture.pcap -2 -Y 'ldap' -O ldap | grep 'CN='
LDAPMessage searchResEntry(8) "CN=Raiders,CN=Users,DC=rebcorp,DC=htb" [80 results]
objectName: CN=Raiders,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Shadow,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Fox,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Tiger,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Owl,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Radiation,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Raiders,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Enclave,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Group,CN=Schema,CN=Configuration,DC=rebcorp,DC=htb
LDAPMessage searchResEntry(8) "CN=Scavengers,CN=Users,DC=rebcorp,DC=htb" [80 results]
objectName: CN=Scavengers,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Hurricane,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Silver,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Wraith,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Blade,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Viper,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Steel,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Wolf,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Mutant,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Scavenger,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Striker,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Rust,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Siren,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Scavengers,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Group,CN=Schema,CN=Configuration,DC=rebcorp,DC=htb
LDAPMessage searchResEntry(8) "CN=Agents,CN=Users,DC=rebcorp,DC=htb" [80 results]
objectName: CN=Agents,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Hawk,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Agents,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Group,CN=Schema,CN=Configuration,DC=rebcorp,DC=htb
LDAPMessage searchResEntry(8) "CN=Watchers,CN=Users,DC=rebcorp,DC=htb" [80 results]
objectName: CN=Watchers,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Ranger,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Watchers,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Group,CN=Schema,CN=Configuration,DC=rebcorp,DC=htb
LDAPMessage searchResEntry(8) "CN=Enclave,CN=Users,DC=rebcorp,DC=htb" [80 results]
objectName: CN=Enclave,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Gold,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Enclave,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Raiders,CN=Users,DC=rebcorp,DC=htb
AttributeValue: CN=Group,CN=Schema,CN=Configuration,DC=rebcorp,DC=htb
Question 7
[7/11] One of the non-standard users is flagged as 'disabled', which is it? (for example: username)
> radiation
[+] Correct!
In Active Directory, a userAccountControl value of 514 (512 + 2) indicates a disabled account: 512 is NORMAL_ACCOUNT (0x200) and 2 is ACCOUNTDISABLE (0x2). userAccountControl is a bit field in which each bit represents a property of the user account; the ACCOUNTDISABLE bit (0x2) is set when the account is disabled.
$ tshark -r capture.pcap -2 -Y 'ldap' -O ldap | grep -i ' 514' -B100 -A10
PartialAttributeList item memberOf
type: memberOf
vals: 1 item
AttributeValue: CN=Raiders,CN=Users,DC=rebcorp,DC=htb
PartialAttributeList item uSNChanged
type: uSNChanged
vals: 1 item
AttributeValue: 13535
PartialAttributeList item name
type: name
vals: 1 item
AttributeValue: Radiation
PartialAttributeList item objectGUID
type: objectGUID
vals: 1 item
GUID: 725f7427-9a2d-4d3b-af4a-d3e399600010
PartialAttributeList item userAccountControl
type: userAccountControl
vals: 1 item
AttributeValue: 514
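As an added example (not part of the original writeup), a small parser for the tshark -O ldap text above that decodes userAccountControl into flag names; it generalises the "514" check to any flag, including the UF_DONT_REQUIRE_PREAUTH bit (0x400000) that question 11 refers to. The sample entries are constructed from the output shape above, and Hurricane's userAccountControl value is assumed.

```python
# userAccountControl bit flags (AD schema values; a subset relevant to this capture)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # UF_DONT_REQUIRE_PREAUTH, as in question 11
}

def decode_uac(value):
    """Return the names of every known flag set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def parse_tshark_ldap(text):
    """Parse 'tshark -O ldap' text into one {attribute: [values]} dict per entry."""
    entries, attr = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("objectName:"):            # a new searchResEntry begins
            entries.append({"objectName": [line.split(":", 1)[1].strip()]})
        elif line.startswith("type:") and entries:    # attribute name for the values below
            attr = line.split(":", 1)[1].strip()
        elif line.startswith("AttributeValue:") and entries and attr:
            entries[-1].setdefault(attr, []).append(line.split(":", 1)[1].strip())
    return entries

def flagged_accounts(entries):
    """Map each entry's 'name' to its decoded flags; entries without a UAC value are skipped."""
    return {e["name"][0]: decode_uac(int(e["userAccountControl"][0]))
            for e in entries if "userAccountControl" in e and "name" in e}

def accounts_with(entries, flag):
    """Sorted names of accounts whose userAccountControl has the given flag set."""
    return sorted(n for n, f in flagged_accounts(entries).items() if flag in f)

# Constructed sample in the shape of the tshark output above (Hurricane's value is assumed)
SAMPLE = """\
    objectName: CN=Radiation,CN=Users,DC=rebcorp,DC=htb
        type: name
            AttributeValue: Radiation
        type: userAccountControl
            AttributeValue: 514
    objectName: CN=Hurricane,CN=Users,DC=rebcorp,DC=htb
        type: name
            AttributeValue: Hurricane
        type: userAccountControl
            AttributeValue: 4194816
"""
```

Run against the real output (tshark -r capture.pcap -2 -Y 'ldap' -O ldap) to list every disabled account and every account that does not require Kerberos pre-authentication.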
Question 8
[8/11] The attacker targeted one user writing some data inside a specific field. Which is the field name? (for example: field_name)
> wWWHomePage
[+] Correct!

Question 9
[9/11] Which is the new value written in it? (for example: value123)
> http://rebcorp.htb/qPvAdQ.php
[+] Correct!
Question 10
[10/11] The attacker created a new user for persistence. Which is the username and the assigned group? Don't put spaces in the answer (for example: username,group)
> B4ck,Enclave
[+] Correct!


Question 11
[11/11] The attacker obtained a hash for the user 'Hurricane', which has the UF_DONT_REQUIRE_PREAUTH flag set. Which is the corresponding plaintext for that hash? (for example: plaintext_password)
> april18
[+] Correct!
[+] Here is the flag: HTB{1nf0rm4t10n_g4th3r3d_e896c1c775389c1e1cad5aa1198ec929}
Convert to pcap:
tshark -F pcap -r {pcapng file} -w {pcap file}
tshark -F pcap -r ./capture.pcap -w capture-nonng.pcap
NetworkMiner:
networkminer capture-nonng.pcap
10.10.10.43 (Windows) 10.10.10.43 (Windows) 10.10.10.100 (Windows) Kerberos Hurricane $krb5asrep$23$d87559a87bea8bebe93b5c067909dbeb$fa371e535597c50cbd0e92b26d2d58a733e0d92b950621dc37a7523611888da6ce0266518cdd5c08b13e050e5487d678feaa30e2910275a1e70912c011b6e408ce448ccc070946089413e9750b7a9685534742f3e43066154a7d06c343b9fc2560da668b9d1dff2cdf9d9fe6791c09c65e3a3064fa128315f3f76cf185d905bdad08acf48a14bfd2ddd5bb8c63f7785b7195ac28f607e2bad049aee6d257cfc0d2f19094c3a9c484145a1949e5fdfb64618b0a61f9b754b50855ab69ba2f48db614eeafebdacab14b4f50e883ef9e78db8be8240461c861e543606358be0ce24982237baaf0d99cc5580 Unknown 2024-04-28 18:55:27 UTC
Add user/domain:
[email protected]:d87559a87bea8bebe93b5c067909dbeb$fa371e535597c50cbd0e92b26d2d58a733e0d92b950621dc37a7523611888da6ce0266518cdd5c08b13e050e5487d678feaa30e2910275a1e70912c011b6e408ce448ccc070946089413e9750b7a9685534742f3e43066154a7d06c343b9fc2560da668b9d1dff2cdf9d9fe6791c09c65e3a3064fa128315f3f76cf185d905bdad08acf48a14bfd2ddd5bb8c63f7785b7195ac28f607e2bad049aee6d257cfc0d2f19094c3a9c484145a1949e5fdfb64618b0a61f9b754b50855ab69ba2f48db614eeafebdacab14b4f50e883ef9e78db8be8240461c861e543606358be0ce24982237baaf0d99cc5580
Crack (mode 18200 is Kerberos 5 AS-REP etype 23):
hashcat -m 18200 hash.txt {wordlist}
[email protected]:d87559a87bea8bebe93b5c067909dbeb$fa371e535597c50cbd0e92b26d2d58a733e0d92b950621dc37a7523611888da6ce0266518cdd5c08b13e050e5487d678feaa30e2910275a1e70912c011b6e408ce448ccc070946089413e9750b7a9685534742f3e43066154a7d06c343b9fc2560da668b9d1dff2cdf9d9fe6791c09c65e3a3064fa128315f3f76cf185d905bdad08acf48a14bfd2ddd5bb8c63f7785b7195ac28f607e2bad049aee6d257cfc0d2f19094c3a9c484145a1949e5fdfb64618b0a61f9b754b50855ab69ba2f48db614eeafebdacab14b4f50e883ef9e78db8be8240461c861e543606358be0ce24982237baaf0d99cc5580:april18