Network

Tuesday 17 December 2024, 06:41  #1
Network (Kerberos - Authentication)
deuszera
  • 2 posts

I actually found out the password used to authenticate the user. However, when I submit the flag in the requested format (i.e. RM{userPrincipalName:password}), it doesn’t work. How can this be?

The user name is something like `user.name`. I even tried submitting it as `userName`, prepending an underscore to the flag (RM_{userPrincipalName:password}), or interpreting "userPrincipalName" as the user’s first/last name only: no success in any case.

I feel like I must be doing something really dumb, since I got the "hard part" but can’t finish it.

Tuesday 17 December 2024, 07:31  #2
Network (Kerberos - Authentication)
Menyu644
  • 1 posts

Spent some time on this too, finally found the right flag, try the following entry:

RM{userPrincipalName@domain:password}

The domain must be written in lower case letters. The username does not change in any way, i.e. as you wrote “user.name”.

Tuesday 17 December 2024, 12:10  #3
Network (Kerberos - Authentication)
deuszera
  • 2 posts

worked, thank you very much!

Monday 20 January 2025, 20:56  #4
Network (Kerberos - Authentication)
AER_R00T
  • 1 posts

idk if I found the password or not. I do know the username and @domain, but the password idk. I’ve been trying to solve it for two days but nothing new. I even understood the concept of Kerberos.

Tuesday 18 February 2025, 10:29  #5
Network (Kerberos - Authentication)
Stoic
  • 2 posts

Can anyone give me a hint, please? I was inspecting the AS-REP packet and I tried to crack the hash that is in the packet using hashcat, but I always get an "empty output" message, similar to the John the Ripper tool!

Sunday 22 June 2025, 06:30  #6
Network (Kerberos - Authentication)
Jezqualix
  • 1 posts

Any help/hint would be appreciated. I can see the packets, see the type, username, etc., but no luck in using john/hashcat to retrieve the password. Driving me crazy... :)

TIA

Update: found it. :)