No Place To Hide

Name: No Place To Hide
Hint: We found evidence of a password spray attack against the Domain Controller, and identified a suspicious RDP session. We'll provide you with our RDP logs and other files. Can you see what they were up to?
Base Points: Easy - Retired [0]
Rated Difficulty:
HTB-Bot
Creator: felamos

Download and unzip the file and check the hint:

Hint: We found evidence of a password spray attack against the Domain Controller, and identified a suspicious RDP session. We'll provide you with our RDP logs and other files. Can you see what they were up to?

Files: bcache24.bmc and Cache0000.bin

The bcache24.bmc file is currently empty. Cache0000.bin is a "data" file that is not human-readable. Well, this should be fun. While looking for a way to parse a Cache0000.bin file, we come across a GitHub repo that looks like it will do what we need: https://github.com/ANSSI-FR/bmc-tools. So clone it and run it using:

┌──(kali㉿kali)-[~/Desktop/HTB/NoPlaceToGo/bmc-tools]
└─$ python3 bmc-tools.py -s ../Cache0000.bin -d ../
[+++] Processing a single file: '../Cache0000.bin'.
[===] 1162 tiles successfully extracted in the end.
[===] Successfully exported 1162 files.

1162 files... WOW, this might take a bit. Just at a glance, though, 1126, 1128, 1149 and 1151 seem interesting. If we put them next to each other (see below), the flag appears.

HTB{w47ch_y0ur_c0Nn3C71} is our flag. BMC Tools to the rescue on this one!
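
To show what the tool is pulling out of the "data" file, here is an added example (not part of the original writeup and not code from bmc-tools): a minimal parser for an RDP bitmap cache container like Cache0000.bin. The layout is an assumption: an `RDP8bmp` signature with a 4-byte version, then per tile an 8-byte key, 16-bit width and height, and 32-bit pixels. The sample bytes and all function names are constructed for illustration.

```python
import struct

MAGIC = b"RDP8bmp\x00"            # assumed container signature
TILE_HDR = struct.Struct("<QHH")  # assumed: 64-bit key, width, height


def parse_cache(blob):
    """Return (version, tiles); each tile has key, width, height, pixels."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an RDP8bmp cache container")
    (version,) = struct.unpack_from("<I", blob, len(MAGIC))
    off, tiles = len(MAGIC) + 4, []
    while off + TILE_HDR.size <= len(blob):
        key, w, h = TILE_HDR.unpack_from(blob, off)
        off += TILE_HDR.size
        size = 4 * w * h  # 32 bits per pixel
        if w == 0 or h == 0 or off + size > len(blob):
            break  # truncated or padded tail: keep what parsed cleanly
        tiles.append({"key": key, "width": w, "height": h,
                      "pixels": blob[off:off + size]})
        off += size
    return version, tiles


def summarize(tiles):
    """Count tiles per (width, height) to get a quick feel for the cache."""
    counts = {}
    for t in tiles:
        dim = (t["width"], t["height"])
        counts[dim] = counts.get(dim, 0) + 1
    return counts


def build_sample():
    """Constructed sample: three whole tiles followed by one cut short."""
    blob = MAGIC + struct.pack("<I", 6)  # version value is made up
    for key, w, h in [(0x1111, 64, 64), (0x2222, 64, 64), (0x3333, 64, 10)]:
        blob += TILE_HDR.pack(key, w, h) + bytes(4 * w * h)
    blob += TILE_HDR.pack(0x4444, 64, 64) + bytes(100)  # truncated tile
    return blob


if __name__ == "__main__":
    version, tiles = parse_cache(build_sample())
    print("version", version, "tiles", len(tiles), summarize(tiles))
```

Each recovered tile is a small fragment of what the RDP client drew on screen, which is why the flag only becomes readable once neighbouring tiles are viewed together.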