@RealTryHackMe #AdventOfCyber Series: Challenge 24 – Learning From The Grinch #TisTheSeasonForHacking

Another day, another challenge…

In this post, we’re starting a new series, the Advent of Cyber series, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy, an elf trying to save Christmas.

In our twenty-fourth challenge, we’re presented with a scenario where McSkidy wants to perform the same attacks Grinch Enterprises employed on the elves’ network to learn more about the attack. McSkidy will use the same machine that Grinch Enterprises compromised to understand the Grinch better.

The topics explored in this challenge are post-exploitation, hashing, how passwords are stored in the Windows operating system, the Mimikatz tool, and how to crack a password hash using the tool John the Ripper. Hashing is a one-way function that is used to change text into an unrecognizable form. There are many hashing algorithms, such as MD5, SHA1, and SHA256.

Post-exploitation is the stage after the attacker has gained access to the system. In this stage, the attacker wants to maintain persistence on the machine, meaning they do not want to lose their connection, and they also want to escalate their privileges from a standard user to an Administrator/root user.

Hashing is important because it leads into the next topic: how passwords are stored in the Windows operating system. Windows passwords are stored in the Security Accounts Database (SAM). When a user types in a password, the hash of that password is compared to the hash in the SAM database by the Local Security Authority Subsystem Service (LSASS). If they match, the user successfully logs in. If they do not match, the user will receive an error message: “incorrect password.”

Now that we know how passwords are stored and retrieved in Windows, we can dump them using the Mimikatz tool. This tool allows us to dump the hashes from the memory of the LSASS service. Finally, once we have a password hash, we can use the tool John the Ripper to crack it. With John the Ripper, we can specify the hashing algorithm we want to use in the process.

Can McSkidy use the Grinch’s nefarious activities to learn more about his attacks? Find out below!

