An iCSI CTF (RED16)
Preface:
- If you are not familiar with the Kerberos Pre-Authentication Process, it is recommended you work through the activity here.
- Although you will be able to complete this lab by following the steps, Kerberos authentication is explained in much more detail in the lab linked above.
- The purpose of this lab is to recognize when NTLM is disabled and to use Kerberos tickets from Kali Linux.
Setup:
- The VM needed for this challenge can be downloaded here.
- The unzip/decrypt password is RED16.
- You’ll need Kali Linux as well.
- The final flag for this machine is on the compromised user’s desktop.
First Steps:
- You will not have the login credentials for the machine.
- Before you power it on, go to the machine settings and give the network adapter a custom MAC address.
- This way you will be able to locate it with the arp-scan utility from Kali.
- Don’t use the MAC address I have below. Everyone in the class needs something different.
- Manually randomize the MAC address you give your machine!

Once you have started the CTF machine, launch a root shell in Kali and do the following:
- Use the *arp-scan* utility to scan the entire subnet and report back on the MAC addresses that are present.
- Your Kali Linux machine must be on the same subnet as the CTF machine.
- Use grep to filter for the MAC address that you gave the CTF machine.
- NOTE: I only grep for the OUI of the MAC address. You should grep for the entire MAC address!
- Use all six octets of the MAC address in your grep.
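The MAC filtering step above, as an added example that is not part of the original lab: it runs the same grep over a constructed sample of arp-scan output and shows why matching only the OUI is not enough. The VM's MAC (08:00:27:aa:bb:cc) and the 192.168.56.0/24 subnet are assumed values, not the lab's.

```shell
# Added example (not the lab's own code). The MAC 08:00:27:aa:bb:cc and the
# 192.168.56.x addresses below are assumed values for illustration only.

# Constructed sample of what `arp-scan --localnet` prints; not a real capture.
SAMPLE_ARP_SCAN='Interface: eth0, type: EN10MB, MAC: 00:0c:29:11:22:33, IPv4: 192.168.56.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05   (Unknown: locally administered)
192.168.56.100  08:00:27:4e:5f:60   PCS Systemtechnik GmbH
192.168.56.101  08:00:27:aa:bb:cc   PCS Systemtechnik GmbH
192.168.56.102  08:00:27:12:34:56   PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.048 seconds (125.00 hosts/sec). 3 responded'

# Print the IPv4 address of every host whose MAC matches the given pattern.
# $1 = full MAC or MAC prefix (case-insensitive); stdin = arp-scan output.
ips_for_mac() {
    grep -i -- "$1" | awk '{print $1}'
}

# How many hosts an OUI-only grep matches: several, because every VM from the
# same hypervisor vendor shares the first three octets.
count_oui_matches() {
    printf '%s\n' "$SAMPLE_ARP_SCAN" | ips_for_mac "$1" | wc -l | tr -d ' '
}

# The IP of your CTF VM, found by grepping for all six octets of its MAC.
ctf_vm_ip() {
    printf '%s\n' "$SAMPLE_ARP_SCAN" | ips_for_mac "$1"
}
```

Against a live lab network the same filter is `arp-scan --localnet | ips_for_mac 08:00:27:aa:bb:cc` (as root), with your own randomized MAC in place of the assumed one.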

Start with an Nmap scan:
nmap -sC -sV IP_ADDRESS_OF_TARGET

Here we see:
- This is most likely a Windows server hosting a webpage.