TryHackMe: Advent of Cyber 2023 (Day 23) Relay All the Way

Samantha
3 min readDec 29, 2023

“McSkidy is unable to authenticate to her server! It seems that McGreedy has struck again and changed the password! We know it’s him since Log McBlue confirmed in the logs that there were authentication attempts from his laptop. Online brute-force attacks don’t seem to be working, so it’s time to get creative. We know that the server has a network file share, so if we can trick McGreedy, perhaps we can get him to disclose the new password to us. Let’s get to work!”

Q1: What is the name of the AD authentication protocol that makes use of tickets?

Kerberos is the main authentication mechanism which uses tickets. It is widely used in enterprise environments, especially with Microsoft Active Directory.

Q2: What is the name of the AD authentication protocol that makes use of the NTLM hash?

This is NetNTLM.

Q3: What is the name of the tool that can intercept these authentication challenges?

If you read through the included learning materials, you will see that the tool you can use for this is called Responder, but that’s not what we will be using today.

Instead, we are going to be coercing McGreedy to authenticate to us using some light trickery and the ntlm_theft tool.

Q4: What is the password that McGreedy set for the Administrator account?

I set up the operation using the ntlm_theft tool by creating a .lnk file. We will then add that file to the network share and hope that McGreedy will try to authenticate with it.

This is me putting it into the network share:

I then switched to a different terminal and started up responder to watch the trap.

While I’m waiting for that, I see that he apparently left us a clue back on the network share.

Looks like it’s a wordlist to help crack his password later.

I checked back and saw that McGreedy fell for it and we now have his NTLM hash.

In that same “stealthy” directory I created a file with the hash.

John the Ripper was then able to quickly crack the password.

Q5: What is the value of the flag that is placed on the Administrator’s desktop?

I used Remina to connect via RDP (press cancel if the keyring thing pops ups)

I can now explore around.

--

--

Samantha

CTF writeups to facilitate cyber education and help me earn CPEs