This is a two machine challenge where we have an Active Directory environment:

If you haven’t done FLAG_Y yet, you should walk through that one first. In this case we have a user with pre-authentication disabled, and you’ll need to know the steps involved in obtaining credentials when this is the case.
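The same condition can be checked from the defender's side. The following is an added example, not part of the original walkthrough: it scans an LDIF-style directory export for accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set, and separates enabled accounts from disabled ones. The export text, domain and account names are constructed sample data.

```python
UF_ACCOUNTDISABLE = 0x00000002        # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # Kerberos pre-authentication not required

# Constructed sample export (LDIF-style); every name and value is made up.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,CN=Users,DC=example,DC=local
sAMAccountName: asmith
userAccountControl: 512

dn: CN=Bob Jones,CN=Users,DC=example,DC=local
sAMAccountName: bjones
userAccountControl: 4194816

dn: CN=Old Service,CN=Users,DC=example,DC=local
sAMAccountName: oservice
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield one dict per entry; entries are separated by blank lines."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current entry
            if entry:
                yield entry
            entry = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
    if entry:
        yield entry


def preauth_disabled(text):
    """Return (enabled, disabled) lists of account names with the flag set."""
    enabled, disabled = [], []
    for e in parse_ldif(text):
        try:
            uac = int(e.get("useraccountcontrol", ""), 0)
        except ValueError:
            continue  # entry without a usable userAccountControl value
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = e.get("samaccountname", e.get("dn", "?"))
            (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return enabled, disabled


print(preauth_disabled(SAMPLE_LDIF))
```

Accounts in the first list are the ones to fix first: they are enabled and will answer a Kerberos request without pre-authentication.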

The page at http://172.25.0.244 tells us that all usernames will have the following format:

Let’s start with an nmap and get the domain name.

nmap -sC -sV 172.25.0.245

We know that:

This challenge is more of a realistic enumeration scenario. A first initial and last name isn’t a lot to go on; the user we are looking for could be anything. Let’s create a wordlist that contains first initials followed by thousands of common last names.

Daniel Miessler for the win whenever we need to pull together wordlists like this. Here is a list of common surnames (last names):

<https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/security-question-answers/common-surnames.txt>

On our Kali machine, let’s use curl to fetch this.

curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/security-question-answers/common-surnames.txt -o names.txt

A line count shows that there are 81,000 last names there. That’s a good start!

We need to put an initial in front of each of these last names. For example, if we have the last name ‘smith’ in the common-surnames.txt file, we would want to have a wordlist that looks like this: