MFAtigue
For any of these challenges where there’s a download and an online component, I’ll usually start with the files.
OK. So how can we get a password if we have access to the ntds.dit and the SYSTEM registry hive?
The iredteam.com article looks like a good place to start.
There’s a reference to dumping hashes using impacket.
I don’t have the SECURITY hive, but I do have the ntds.dit and the SYSTEM hive.
From here we’ll copy out all the hashes for user accounts. The accounts ending with $ are computer accounts so we won’t bother with those.
With the hashes isolated in a text file, we can run hashcat on the hashes using the rockyou wordlist.
…output continues…
We’ve got a match on the hash ending ..cadab42a.
Referencing that against our account information, we see that found hash is the password for JILLIAN_DOTSON.
Now for the url in the challenge. It brings us to a Microsoft sign-in page. We’ll use the account huntressctf\JILLIAN_DOTSON
And the cracked password of katlyn99…
Oh but wait. The account has MFA?!!
Hit the Send Push Notification
Then again,
And again…
After a mildly obnoxious number of repeated attempts….
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 