Huntress CTF: Week 4 - Miscellaneous: MFAtigue
MFAtigue
For any of these challenges where there’s a download and an online component, I’ll usually start with the files.
OK. So how can we get a password if we have access to the ntds.dit and the SYSTEM registry hive?
The iredteam.com article looks like a good place to start.
There’s a reference to dumping hashes using impacket.
I don’t have the SECURITY hive, but I do have the ntds.dit and the SYSTEM hive.
From here we’ll copy out all the hashes for user accounts. The accounts ending with $ are computer accounts so we won’t bother with those.
With the hashes isolated in a text file, we can run hashcat on the hashes using the rockyou wordlist.
…output continues…
We’ve got a match on the hash ending ..cadab42a.
Referencing that against our account information, we see that the found hash is the password for JILLIAN_DOTSON.
Now for the URL in the challenge. It brings us to a Microsoft sign-in page. We’ll use the account huntressctf\JILLIAN_DOTSON
And the cracked password of katlyn99…
Oh but wait. The account has MFA?!!
Hit the Send Push Notification button.
Then again,
And again…
After a mildly obnoxious number of repeated attempts….
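From the defender's side, the repeated push prompts above are visible in sign-in logs. The following is an added example, not part of the original write-up: it flags accounts that receive a burst of push prompts and notes whether one was then approved. The event schema, event names, `EXAMPLE_USER` and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

J = "huntressctf\\JILLIAN_DOTSON"
# Constructed sample events in a hypothetical (timestamp, account, event) schema;
# real identity-provider logs use different field names.
SAMPLE_EVENTS = [
    ("2023-10-25T09:12:00", "huntressctf\\EXAMPLE_USER", "push_sent"),
    ("2023-10-25T09:12:08", "huntressctf\\EXAMPLE_USER", "push_approved"),
    ("2023-10-25T14:00:05", J, "push_sent"),
    ("2023-10-25T14:00:40", J, "push_denied"),
    ("2023-10-25T14:01:10", J, "push_sent"),
    ("2023-10-25T14:01:50", J, "push_sent"),
    ("2023-10-25T14:02:30", J, "push_denied"),
    ("2023-10-25T14:03:00", J, "push_sent"),
    ("2023-10-25T14:03:45", J, "push_sent"),
    ("2023-10-25T14:04:20", J, "push_sent"),
    ("2023-10-25T14:04:31", J, "push_approved"),
]

def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: {"prompts": n, "approved_after_burst": bool}} for accounts
    that got `threshold` or more push prompts inside a sliding `window`."""
    recent = defaultdict(deque)  # account -> timestamps of prompts still in window
    alerts = {}
    for ts_raw, account, kind in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[account]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()  # drop prompts that aged out of the window
        if kind == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold:
                alert = alerts.setdefault(
                    account, {"prompts": 0, "approved_after_burst": False})
                alert["prompts"] = max(alert["prompts"], len(prompts))
        elif kind == "push_approved" and len(prompts) >= threshold:
            # An approval right after a burst is the high-severity case:
            # the user may have accepted a prompt they did not initiate.
            alerts[account]["approved_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for account, info in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(account, info)
```

Tune `threshold` and `window` to the normal prompt rate in your environment; a single prompt followed by an approval, as for `EXAMPLE_USER`, is not flagged.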
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.