There is no way this forensics challenge is high difficulty

Ahmed Najeh

Summary

For a challenge rated high difficulty, I expected getting to the flag to take many steps, but it turned out to be the opposite. The challenge provided a spawned Docker environment and a PCAP file for analysis.

1. Scanning for Open Ports

  • The challenge provided an IP address, so I used Nmap to identify open ports:

        nmap -p- -sV <TARGET_IP>

  • The scan revealed port 59031, which was running SMB (Samba).

2. Analyzing the PCAP File

  • I first used Wireshark to inspect the network traffic but did not find anything useful.
  • I then used NetworkMiner to analyze the PCAP file, which extracted credentials:

        Username: aduser1
        Password Hash: $krb5asrep$23...

3. Cracking the AS-REP Hash

  • The extracted hash was a Kerberos 5 AS-REP, the KDC's reply to an authentication request in Active Directory.
  • An AS-REP for an account with Kerberos pre-authentication disabled can be cracked offline (AS-REP Roasting); the "23" in the hash header is the encryption type, RC4-HMAC, which is fast to crack with a wordlist.
  • I used John the Ripper to crack the hash:

        john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

  • This successfully recovered the plaintext password.
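From the defender's side, the same activity shows up in the domain controller's Security log as event 4768 with pre-authentication type 0. The following is an added example, not code from the original write-up: it runs over constructed 4768 records (field names follow the 4768 event schema, the values are made up) and flags accounts that can be roasted, rating RC4 (etype 0x17, the "23" in the hash) as higher risk than AES.

```python
# Added example (not from the original write-up): detect AS-REP Roasting
# exposure from Windows Security event 4768 records.
# Field names follow the 4768 schema; the sample records are constructed.

# PreAuthType 0 means the KDC answered an AS-REQ that carried no
# PA-ENC-TIMESTAMP, i.e. the account has "Do not require Kerberos
# preauthentication" set, so anyone can obtain its AS-REP.
NO_PREAUTH = "0"
# TicketEncryptionType 0x17 is RC4-HMAC (etype 23, "$krb5asrep$23$"),
# which cracks far faster offline than AES (0x11 / 0x12).
RC4_HMAC = "0x17"

SAMPLE_EVENTS = [  # constructed sample log records
    {"EventID": 4768, "TargetUserName": "aduser1", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.10.10.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "aduser1", "IpAddress": "10.10.14.5",
     "PreAuthType": "-", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def asrep_exposure(events):
    """Return (account, source_ip, severity) for every successful 4768 that
    was issued without pre-authentication. 'high' = RC4 (wordlist-crackable
    in minutes), 'medium' = AES (still roastable, much slower)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # only successful TGT requests matter here
        if ev.get("PreAuthType") != NO_PREAUTH:
            continue  # pre-auth was enforced; not roastable
        sev = "high" if ev.get("TicketEncryptionType") == RC4_HMAC else "medium"
        findings.append((ev["TargetUserName"], ev["IpAddress"], sev))
    return findings


def roasting_sources(findings, threshold=2):
    """Source IPs that pulled no-preauth AS-REPs for >= threshold distinct
    accounts: the pattern of a bulk roasting sweep rather than one client."""
    per_ip = {}
    for acct, ip, _ in findings:
        per_ip.setdefault(ip, set()).add(acct)
    return sorted(ip for ip, accts in per_ip.items() if len(accts) >= threshold)


if __name__ == "__main__":
    hits = asrep_exposure(SAMPLE_EVENTS)
    for acct, ip, sev in hits:
        print(f"[{sev}] {acct}: AS-REP issued without pre-auth to {ip}")
    print("bulk roasting sources:", roasting_sources(hits))
```

The fix on the directory side is to clear the "Do not require Kerberos preauthentication" flag on flagged accounts and to disable RC4 for Kerberos so that any remaining AS-REPs are AES-encrypted.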

4. Accessing SMB and Extracting the Flag

  • Using the cracked credentials, I connected to the SMB server on the non-standard port (smbclient needs a share name after the host; <SHARE> is a placeholder for the share listed on the target):

        smbclient -U "aduser1" -p 59031 //<TARGET_IP>/<SHARE>

  • Entered the cracked password and listed the available files:

        ls

  • Found flag.txt, then downloaded it:

        get flag.txt

  • Finally, displayed the flag:

        cat flag.txt

Flag obtained:

HTB{...}
