Sherlock LATUS Help

Hi!

i’m doing the Sherlock Latus, i’m trying to resolve it but i cannot follow all the steps in RDP, because the opponent destroy all the logs, i’m little stucked, can someone help me?

I’m stucked with questions 5, 7, 8, 9, 10 and 11.

I have the rest flags but i cannot find the way to see more steps in the RDP sessions.

Can someone give me a hint? Thanks!

Hello,

I’m stuck in the same part, I got flag 10 (you need to look for a file related to rdp) and 11 (found it on an image).

In question 5 I managed to dump the account hashes, I’m not being able to crack the account used to login (I cracked the others correctly) so I’m not sure if the solution follows this path.

For questions 7,8 and 9 I have no clue.

For the Q11 i saw images in the Image directory of the emman.t directory. But maybe have steganography? I’m little lost.

In question 5 i stracted the SAM, i saw emman.t connect via RDP to 192.168.70.133 with Administrator user, i cracked the hash ntlm but is not this.

For Q11 is not an image itself you need to parse it first, I dont want to be so straight forward but the files you need to parse are Cache files.

In Q5 did you manage to crack the user account used to access 192.168.70.133? The hash i got is: 699**************b72b and it’s the unique hash i couldn’t crack.

I did the same steps for the Q5, the hash is exactly this and i cracked it with hashcat, but the password is not. Maybe is the SAM of the host, not the SAM of the AD so maybe is not working for this reason.

Did you added the domain prefix to the user name? *\Administrator when answering? I’m trying to crack it with hashcat too, but it gives me a single number as the password, I’m using rockyou dic btw.

I did exactly the same, and give me the same single number, even in crackstation give me the same number, but maybe is the administrator account of the host, not the domain… i don’t know

There is an important 2 artifacts realted to RDP u missed dig more

Iam stucking on q1 actually and on the password question

The question 1 is little tricky, if you need information, send me a DM

I can give you the hint, it’s not necessary a RDP login.

Which question u mean .?

1

Actually i reviewed all the rdp logins that will come on ur mind , localmanager,sessionmanager and all the rdp other stuff , and also check the bitmap and parse it and also check the mstsc.exe and parset it and also all the hives keys nothing

I know its very easy but there is something erorr wimme

The info is in a hive and as I said, it’s not necessary an RDP related event.

I’m also stuck on Task 5.
I cracked the NTLM hash and have the username, but it’s not the answer.
Any hints, anyone?

which ones?

I did the same but i’m still stuck even with the questions of hours in RDP Q7,Q8,Q9 and Q13

You refer to that we are missing 2 RDP related artifacts than can give us the answer to questions Q7,Q8 and Q9? Or to question Q5?