This was another challenge posted in the DeadPixelSec Discord! Once again there were some super dope prizes for folks who solved the challenge.
This time around we are given a TryHackMe room: https://tryhackme.com/room/dpschallenge
It provides a PCAP file and the following prompt:
A man by the name of Tom had his travel plans stolen by someone, help identify the hacker and find Tom’s travel plans!
Ok, honesty time: the reason I knew that this challenge revolved around SMB was just from sorting by protocol, scrollin' a lil and noticing weird traffic.
From the protocol breakdown we can see that a decent number of SMB packets are being sent. This piqued my interest because SMB is sort of odd to see alongside what looks like normal HTTP traffic.
Applying the smb2 filter in Wireshark, we can see that there is a conversation between 192.168.200.5 and 192.168.200.7. The PCAP captured the entire exchange, including the login, file transfers, browsing, etc. Let’s start examining this interaction from the top.
With the smb2 filter applied in Wireshark, this interaction takes place between packet numbers 43219 and 49171. The following is a screenshot of the Wireshark view:
In this screenshot 192.168.200.7 fails to log in as User: \ and then successfully logs in as User: WORKGROUP\tom_fedder. At this point it seems clear that 192.168.200.7 is acting as the hacker and 192.168.200.5 is the victim. Moving forward I’ll just refer to the IPs accordingly.
Since we have captured the hacker’s login, we should be able to extract the NTLMv2 hash for the user tom_fedder. The important packets to note here are:
Let’s examine packet 49171 in more depth…
There is a lot of information here that is vital to answering the questions. When examining the packet in Wireshark, the first thing that stands out is the “Security Blob” section, which carries the NTLM authentication data for the SMB session.
Working from the top down, we can see that the NTLMv2 Response and the NTProofStr are present. This is important as we can use them to derive the hash for Tom.
Next, we can see that the Domain Name, User Name, and Host Name are listed. The domain name is also used in deriving the hash for Tom. The second important note is the Host Name: it’s listed as KALI. From this it can be assumed that the hacker is using Kali Linux, answering question 5: What is the name of the Linux distribution used by the attacker?
Now let’s look at the server’s reply during the login exchange. The critical part of this packet is the NTLM Server Challenge field, as this is another part of the NTLM hash…
Finding Tom Fedder’s Password#
For this section, the following article was an immense help: https://research.801labs.org/cracking-an-ntlmv2-hash/
To extract a password for this authentication we need 5 things…
- User Name: tom_fedder (written as TOM_FEDDER in the hash line)
- Domain Name: WORKGROUP
- NTLM Server Challenge: 497bb71c637c055b
- NTProofStr: ed93b7d3ed61c510d74d98fb688476e0
- NTLMv2 Response: ed93b7d3ed61c510d74d98fb688476e001010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b0054004f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f649bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e00350000000000
We have all of these from examining just two packets! Now we can piece it all together and try to crack Tom’s password. The format hashcat expects for an NTLMv2 hash is as follows…
Username::Domain Name:NTLM Server Challenge:NTProofStr:NTLMv2 Response minus NTProofStr
To explain this format quickly: the NTLMv2 Response begins with the 16-byte NTProofStr, so when concatenating the parts we drop the NTProofStr from the beginning of the NTLMv2 Response and keep only the remainder. This results in the following blob…
TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61c510d74d98fb688476e0:01010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b0054004f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f649bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e00350000000000
We can throw this into a file (in my case passhash.txt) and then attempt to crack the password using a tool like john or hashcat. I used hashcat.
To break down the command:
- hashcat: calling the tool
- -m 5600: specify which hash type we are trying to crack (NetNTLMv2)
- passhash.txt: the file containing the NTLM hash
- ~/programming/tools/rockyou.txt: specifying the wordlist to use
birch@<host> ~/tryhackme/dpschallenge hashcat -m 5600 passhash.txt ~/programming/tools/rockyou.txt --force
hashcat (v5.1.0) starting...

Dictionary cache hit:
* Filename..: /home/birch/programming/tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61c510d74d98fb688476e0:01010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b0054004f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f649bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e00350000000000:castlepark93 <------ PASSWORD WOOOOOo

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61...000000
Time.Started.....: Tue Jun 15 12:12:17 2021 (1 sec)
Time.Estimated...: Tue Jun 15 12:12:18 2021 (0 secs)
Guess.Base.......: File (/home/birch/programming/tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13413.7 kH/s (7.60ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10485760/14344384 (73.10%)
Rejected.........: 0/10485760 (0.00%)
Restore.Point....: 9175040/14344384 (63.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: chautip -> XiaoNianNian
Hardware.Mon.#1..: Temp: 60c Fan: 27% Util: 49% Core:1987MHz Mem:5005MHz Bus:16

Started: Tue Jun 15 12:12:15 2021
Stopped: Tue Jun 15 12:12:19 2021
Hashcat was able to find the password very fast, and thus we have answered the question: What is Tom’s account password? -> castlepark93
Extracting SMB file transfers#
If we scroll down in the SMB conversation, we can see that the hacker requests a few different files…
- Flight Info.pdf
The arrows in this screenshot point to the actual requests made to initiate the transfer.
Wireshark has built-in functionality to export objects, in our case SMB objects. Heading to the top menu and then File -> Export Objects -> SMB, the following dialog should pop up. This allows you to save the files transferred in the PCAP to your machine!
In this case there were just 2 files…
Examining the SMB files#
Looking at Flight Info.pdf we can answer Questions 2 and 3.
- Where is Tom flying to? -> Phoenix
- How much did Tom pay (in USD) in total for the flight? -> 219.30
This image answers Question 4. Nothing else to it.
- What is the flag on Tom’s computer? (format: @@@[email protected]@@-####)
While this file wasn’t extracted with Wireshark, it still answers the remaining question:
- Tom had an executable file in his data volume, what is the name of that file?
Now we have solved all of the questions! In summary:
- We determined the IP address of the hacker by examining the behavior of the address interacting with SMB.
- We determined the Linux distribution used from the Host Name in packet number 49171.
- We found Tom Fedder’s password by extracting fields from the SMB authentication packets and running hashcat against it.
- We exported SMB objects using Wireshark and examined their contents.
Great box! Thanks @DPS for running this competition and @c1ph0r for creating the room!