Cracking NTLM

Challenge:

DEADFACE member lilith got into our Domain Controller and dumped our hashes and claims she got an account's credentials! Can you figure out what username and password she may have gotten?

Submit the flag as flag{username_password}.

Solution:

The provided challenge files were two Windows registry hives: the SAM (Security Account Manager) hive, which stores the password hashes for local accounts, and the SYSTEM hive, which holds, among other data, the boot key needed to decrypt the NTLM hashes stored in the SAM hive.

NOTE: Changes were made to the SAM structure in the Windows 10 "Anniversary Update" (10.0.14393 or v1607). Tools that haven't been updated to accommodate the changes are unable to extract the NTLM hashes. Instead, you'll typically see the account names but with the hash for an "empty" password, e.g. 31d6cfe0d16ae931b73c59d7e0c089c0, for every account.

We used the secretsdump.py utility that is part of Impacket to extract the NTLM hashes:

$ secretsdump.py  -system system -sam sam LOCAL -outputfile df2022
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x459aedd0315724a80fd06b3201777178
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:beb9dfc9d0b45e617729d8a2cc08b237:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:133e8be11041398e29afe761caa03c09:::
itadmin:1001:aad3b435b51404eeaad3b435b51404ee:3e126da93e034356d4e8cc3e0dd24357:::
vludi:1002:aad3b435b51404eeaad3b435b51404ee:f5f96e15e692ee8221a6a572a0c42302:::
atevlin:1003:aad3b435b51404eeaad3b435b51404ee:d1431666adfed36a06c1b5ab78cb9893:::
adminguy:1004:aad3b435b51404eeaad3b435b51404ee:ec703dd09482fc2697461b1ad737f3f9:::
[*] Cleaning up...

We then kicked off a cracking session with Hashcat, combined with the "RockYou" password list, which made short work of one of the hashes:

$ hashcat -w4 -O -m1000 -a0 df2022.sam /data/wrdlists/rockyou.txt

3e126da93e034356d4e8cc3e0dd24357:adminadmin

Using Hashcat's --show option (which prints previously cracked hashes from the potfile alongside their usernames) shows us that the 'itadmin' account had a weak password and is likely the account that lilith gained access to:

$ hashcat -m 1000 --username --show --outfile-format 2 df2022.sam
Administrator:
Guest:
DefaultAccount:
itadmin:adminadmin

The accepted flag was: flag{itadmin_adminadmin}
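As an added example (not part of the original writeup), the snippet below recomputes the NT hash (MD4 over the UTF-16LE password) to confirm the cracked credential against the dump, and audits a secretsdump listing for blank NT hashes, the symptom noted above when a tool cannot read the post-1607 SAM, and for accounts that still have a real LM hash stored. The function names and the sample dump are constructed here; the MD4 is implemented in pure Python because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import struct
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password, MD4(b"")
M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks."""
    rounds = [  # (mixing function, X[] index order, shift schedule, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (a + f(b, c, d) + X[idx] + k) & M
                a, b, c, d = d, ((t << shifts[i % 4]) | (t >> (32 - shifts[i % 4]))) & M, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()

def audit_dump(dump: str) -> dict:
    """Parse 'user:rid:lmhash:nthash:::' lines; flag blank NT and stored LM hashes."""
    out = {"blank_nt": [], "lm_present": [], "nt": {}}
    for line in dump.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not an account line (e.g. secretsdump's "[*] ..." status output)
        user, _rid, lm, nt = parts[:4]
        out["nt"][user] = nt
        if nt == EMPTY_NT:
            out["blank_nt"].append(user)  # empty password, or tool failed to decrypt SAM
        if lm != EMPTY_LM:
            out["lm_present"].append(user)  # LM hash storage is still enabled for this user
    return out

def confirm_crack(dump: str, user: str, candidate: str) -> bool:
    """Recompute the NT hash of a recovered password and compare it with the dumped one."""
    return audit_dump(dump)["nt"].get(user) == nt_hash(candidate)

# Constructed sample: two account lines copied from the secretsdump output above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
itadmin:1001:aad3b435b51404eeaad3b435b51404ee:3e126da93e034356d4e8cc3e0dd24357:::
"""
```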
