Throwback - [THM]
![Cover Image for Throwback - [THM]](/assets/images/blog/Throwback-thm/Throwback.png)

Introduction
In this post I show the commands, links or files you need to use in order to gather the information required to answer all the questions in the Throwback lab.
Note: The flags change dynamically so do not bother copying and pasting my flags.

Task 7 - Entering the Breach
- 10.200.XXX.138 -> Firewall (pfSense)
- 10.200.XXX.219 -> Windows IIS
- 10.200.XXX.232 -> Linux MAIL
What is the domain name?
THROWBACK.local
What is the HTTP title of the web server running on THROWBACK-PROD?
Throwback Hacks
How many ports are open on THROWBACK-MAIL?
4
What service is running on THROWBACK-FW01?
pfSense
What version of Apache is running on THROWBACK-MAIL?
Apache/2.4.29
Task 8 - Exploring the Caverns
Who is the CEO of Throwback Hacks?
http://10.200.XXX.219/#team -> Summers Winters
Where is the company located?
http://10.200.XXX.219/#contact -> Great Britain
What is the guest username on the mail server?
http://10.200.XXX.232/src/login.php -> tbhguest
What is the guest password on the mail server?
http://10.200.XXX.232/src/login.php -> WelcomeTBH1!
What flag is found within the guest inbox?
TBH{ede543c628d365ab772078b0f6880677}
What flag is found in the guest contacts page?
TBH{4060a70860f0a1648e5a991de1739888}
Task 9 - Web Shells and You!
Source: Link
What username was used to access the configuration portal?
admin
What password was used to access the configuration portal?
pfsense
What menu tab contains a command prompt tab in the PFSense Configuration panel?
Diagnostics/Command Prompt
Task 10 - First Contact
What log file was found that is not a default log?
What user was found within the log?
HumphreyW
What is the hash of the user?
1c13639dba96c7b53d26f7d00956a364 -> securitycenter
What is the root flag on THROWBACK-FW01?
TBH{4060a70860f0a1648e5a991de1739888}
What is the log flag on THROWBACK-FW01?
Task 11 - Wait, just you mean just one this time?
Command:
What is the username parameter in the POST request?
login_username
What is the password parameter in the POST request?
secretkey
What username found with hydra starts with an M?
MurphyF
What is the password found with hydra?
Summer2020
Task 12 - Gone Phishing
What User was compromised via Phishing?
BlaireJ
What Machine was compromised during Phishing?
THROWBACK-WS01
What is the root flag on THROWBACK-WS01?
What is the user flag on THROWBACK-WS01?
Task 13 - Just a Drop Will Do
What User fell victim to LLMNR Poisoning?
PetersJ
What is the 4th octet of the IP Address the LLMNR request came from?
219
What is the hostname of the device?
THROWBACK-PROD
Task 14 - We Will, We Will, Rockyou
What is the cracked password from the pfSense hash?
What is the cracked password from LLMNR poisoning?
Task 18 - SEATBELT CHECK!
What user was found from seatbelt?
admin-petersj
Submit flag for THROWBACK-PROD in Task 4
Executing the following command through an RDP session, we can obtain all the flags on the machine.
What is the flag from the poisoned user on THROWBACK-PROD?
What is the second user flag on THROWBACK-PROD?
What is the root flag on THROWBACK-PROD?
Task 20 - Not the soft and fluffy kind
What domain user was logged in?
BlaireJ
What is the user's hash?
c374ecb7c2ccac1df3a82bce4f80bb5b
What is the administrator's NTLM hash?
a06e58d15a2585235d18598788b8147a
Task 22 - Good Intentions, Courtesy of Microsoft
Task 23 - Wallace and Gromit
We need to disable the Windows Firewall in order to upload SharpHound.ps1, and we can do so because we are a member of the Administrators group.
What service account is kerberoastable?
In BloodHound, use "List all Kerberoastable Accounts".
SQLSERVICE
What domain does the trust connect to?
In BloodHound, use "Map Domain Trusts".
corporate.local
What normal user account is a domain admin?
In BloodHound, use "Find all Domain Admins".
Mercerh
Task 24 - With three heads you'd think they'd at least agree once
Cracking the hash.
What account was compromised by kerberoasting?
SQLService
What password was cracked from the retrieved ticket?
mysql337570
Task 25 - You're Five Minutes Late...
What is the hostname of the device?
THROWBACK-TIME
What is the title of the web page?
Throwback Hacks Timekeep
What user was the password reset for?
murphyf
What is the password reset flag on THROWBACK-TIME?
Task 26 - Word to your Mother
What web server accepts XLSMs as a file upload?
THROWBACK-TIME
What page is the file upload in?
timesheet.php
What is the name of the XLSMs that you can upload?
Timesheet.xlsm
Task 27 - Meterpreter session 1 closed. Reason: World-Domination
Which user's hashes were we able to dump?
Timekeeper
What is the user's hash starting from the third colon?
901682b1433fdf0b04ef42b13e343486
What is the administrator's hash starting from the third colon?
43d73c6a52e8626eabc5eb77148dca0b
What is the user's cracked password?
keeperoftime
Task 28 - We gotta drop the load!
What database are the timekeep login users located?
timekeepusers
What database are the domain users located in?
domain_users
What table was located in the domain users database?
users
What is the first username in the table?
ClemonsD
What is the root flag on THROWBACK-TIME?
Using the Meterpreter session we used for dumping the hashes.
What is the SQL flag on THROWBACK-TIME?
TBH{ac3f61048236fd398da9e2289622157e}
Task 29 - So we're doing this again...
What user was successfully password sprayed?
JeffersD
What was the password for the user?
Throwback2020
Task 30 - SYNCHRONIZE

What user has dcsync rights?
backup
What user can we dump credentials for and is an administrator?
Mercerh
Submit flags for THROWBACK-DC01 in Task 4.
What is the user flag on THROWBACK-DC01?
What is the root flag on THROWBACK-DC01?
What is the account description flag on THROWBACK-DC01?
Task 31 - This forest has trust issues
What domain has a trust relationship with THROWBACK.local?
corporate.local
What is the hostname of the machine that has a forest trust with the domain controller?
CORP-DC01
What is the Administrator account we can use to access the second forest?
mercerh
What is the name of the file in the Administrator's Documents folder?
server_update.txt
Submit flags for CORP-DC01 in Task 4
Run a cmd as root
What is the user flag on CORP-DC01?
What is the root flag on CORP-DC01?
Task 32 - r/badcode would like a word
GitHub repository: Link
What User has a Github Account?
Rikka Foxx
What was the user found in github?
DaviesJ
What password was found in github?
Management2018
What machine can you access with the credentials?
CORP-ADT01
What is the flag on GitHub?
TBH{19fa56ead6f82d8c4abc664e2e56f0b1}
What is the flag on Twitter?
https://twitter.com/tbhSecurity/status/1292594165855981568
TBH{ca57861454b195f6a5c951a634e05f9e}
Task 33 - Identity Theft is not a Joke Jim
What file is on the Administrator's Documents folder?
email_update.txt
Who wrote the email?
Karen Dosier
What is her official title in the company?
Human Relations Consultant
Submit flags for CORP-ADT01 in Task 4
What is the user flag on CORP-ADT01?
What is the root flag on CORP-ADT01?
What is the flag on LinkedIn?
Link -> TBH{2913c22315f3ce3c873a14e4862dd717}
Task 35 - Lost and Found
You need to use FoxyProxy with proxychains in order to access the web.
What is the Users email who has been affected by the Databreach?
What was the Users password?
aqAwM53cW8AgRbfr
What credentials could be found in the Email?
TBSEC_GUEST:WelcomeTBSEC1!
Submit flags for reconnaissance in Task 4
What is the flag in the source code of Breach || GTFO?
TBH{53f3a6cb77f633edd9749926b9a9217b}
What is the flag on the Corporate Mail server?
Using the email address and the password at http://mail.corporate.local/mailbox.php we can get the flag.
TBH{19b6ca4281bbef3ee060aaf1c2eb4021}
Task 36 - Kerberoasting II Electric Boogaloo
What User was vulnerable to Kerberoasting?
TBService
What password could be cracked from the Kerberos Ticket?
securityadmin284650
Submit flags for TBSEC-DC01 in Task 4
What is the user flag on TBSEC-DC01?
What is the root flag on TBSEC-DC01?