I’m doing the Sherlock Latus. I’m trying to resolve it, but I cannot follow all the steps in RDP because the opponent destroyed all the logs. I’m a little stuck; can someone help me?
I’m stuck on questions 5, 7, 8, 9, 10 and 11.
I have the rest of the flags, but I cannot find a way to see more steps in the RDP sessions.
I’m stuck on the same part. I got flag 10 (you need to look for a file related to RDP) and 11 (found it on an image).
In question 5 I managed to dump the account hashes, but I’m not able to crack the account used to log in (I cracked the others correctly), so I’m not sure if the solution follows this path.
For Q11, it is not an image itself; you need to parse it first. I don’t want to be too straightforward, but the files you need to parse are Cache files.
In Q5, did you manage to crack the user account used to access 192.168.70.133? The hash I got is 699**************b72b, and it’s the only hash I couldn’t crack.
I did the same steps for Q5; the hash is exactly this and I cracked it with hashcat, but the password is not. Maybe it is the SAM of the host, not the SAM of the AD, so maybe it is not working for this reason.
Did you add the domain prefix to the user name (*\Administrator) when answering? I’m trying to crack it with hashcat too, but it gives me a single number as the password. I’m using the rockyou dictionary, btw.
I did exactly the same, and it gives me the same single number; even CrackStation gives me the same number. But maybe it is the administrator account of the host, not the domain… I don’t know.
Actually, I reviewed all the RDP logins that will come to your mind (localmanager, sessionmanager and all the other RDP stuff), and also checked the bitmap and parsed it, and also checked mstsc.exe and parsed it, and also all the hive keys: nothing.