TryHackMe: DeadPixelSec Challenge

Background#

This was another challenge posted in the DeadPixelSec Discord! Once again there were some super dope prizes for folks who solved the challenge.

This time around we are given a TryHackMe room: https://tryhackme.com/room/dpschallenge

It provides a PCAP file and the following prompt:

A man by the name of Tom had his travel plans stolen by someone, help identify the hacker and find Tom’s travel plans!

Preliminary Analysis#

Ok honesty time, the reason I knew that this challenge revolved around SMB was just from sorting by protocol, scrollin' a lil and noticing weird traffic.

SMB Investigation#

From the per-protocol breakdown we can see that a decent number of SMB packets are being sent. This piqued my interest because SMB is odd to see alongside what otherwise looks like normal HTTP traffic.

Applying the smb2 filter in Wireshark, we can see that there is a conversation between 192.168.200.5 and 192.168.200.7. The PCAP captured the entire exchange, including the login, directory browsing and file transfers. Let's examine this interaction from the top.

Authentication Interaction#

With the smb2 filter applied in Wireshark, the authentication exchange spans packets 43219 through 49171. The following is a screenshot of the Wireshark view:

/img/authentication-screenshot.png

In this screenshot 192.168.200.7 first fails to log in to 192.168.200.5 as User: \ (an empty domain and username) and then successfully logs in as User: WORKGROUP\tom_fedder. At this point it seems clear that 192.168.200.7 is the attacker and 192.168.200.5 is the victim. Moving forward I'll refer to the IPs accordingly.

Since we captured the attacker logging in, we can extract the NetNTLMv2 challenge/response for the user tom_fedder and crack it offline (this is not the NT hash itself, but any password guess can be verified against it). The important packets are 49169, the Session Setup response carrying the NTLMSSP CHALLENGE, and 49171, the Session Setup request carrying the NTLMSSP AUTHENTICATE.

Let’s examine the packet 49171 in more depth…

/img/analysis-authentication.png

There is a lot of information here which is vital to answering the questions. The first thing that stands out when examining the packet in Wireshark is the "Security Blob" section: this is the SPNEGO-wrapped NTLMSSP token, i.e. the authentication data for the SMB session setup.

Working from the top down, we can see that the NTLMv2 Response and the NTProofStr are present. This is important, as they are the core of the crackable hash for tom_fedder.

Next, the Domain Name, User Name and Host Name are listed. The domain name is also part of the hash we are assembling. The Host Name is the workstation name the client put into its AUTHENTICATE message, and it is listed as KALI. That field is filled in by the client, so it could be anything, but by default it is the client's own hostname, so it's reasonable to conclude that the attacker is using Kali Linux, answering question 5: What is the name of the Linux distribution used by the attacker?

Now let's look at packet 49169.

The critical part of this packet is the NTLM Server Challenge field: the 8-byte nonce the server issued, which the client mixed into its response and which is therefore the remaining piece of the hash line...

/img/try-hack-me-dps-challenge-images/ntlm-server-challenge.png

Finding Tom Fedder’s Password#

For this section, the following article was an immense help: https://research.801labs.org/cracking-an-ntlmv2-hash/

To crack the password for this authentication we need five values...

  • User name: TOM_FEDDER
  • Domain name: WORKGROUP
  • NTProofStr: ed93b7d3ed61c510d74d98fb688476e0
  • NTLM Server Challenge: 497bb71c637c055b
  • NTLMv2 Response:
ed93b7d3ed61c510d74d98fb688476e001010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d
0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b005400
4f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f64
9bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb
0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e003500000000
00

We have all of these from examining just two packets! Now we can piece it all together and try to crack Tom's password. The format hashcat expects for a NetNTLMv2 hash (mode 5600) is as follows...

Username::DomainName:NTLMServerChallenge:NTProofStr:NTLMv2Response minus NTProofStr

To explain this format quickly: Wireshark's NTLMv2 Response field begins with the 16-byte NTProofStr (the HMAC-MD5 over the server challenge and the rest of the blob), so when concatenating the parts we strip the first 32 hex characters from the NTLMv2 Response and the remainder becomes the final field. This results in the following line (shown unwrapped so it can be pasted into a file as-is)...

TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61c510d74d98fb688476e0:01010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b0054004f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f649bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e00350000000000

We can put this into a file (in my case passhash.txt) and then attempt to crack the password using a tool like john or hashcat. I used hashcat.

To break down the command:

  • hashcat calls the tool
  • -m 5600 selects the hash type (NetNTLMv2)
  • passhash.txt is the file containing the hash line above
  • ~/programming/tools/rockyou.txt is the wordlist to use
  • --force ignores hashcat's warnings (not recommended in general, since it can mask OpenCL driver problems)

$ hashcat -m 5600 passhash.txt ~/programming/tools/rockyou.txt --force
hashcat (v5.1.0) starting...

Dictionary cache hit:
* Filename..: /home/birch/programming/tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61c510d74d98fb688476e0:01010000000000006201533f649bd501e17dd2637b53d5b80000000002001e004400450053004b0054004f0050002d0045004a003800310047004e004a0001001e004400450053004b0054004f0050002d0045004a003800310047004e004a0004001e004400450053004b0054004f0050002d0045004a003800310047004e004a0003001e004400450053004b0054004f0050002d0045004a003800310047004e004a00070008006201533f649bd501060004000200000008003000300000000000000000000000000000005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c20a8ff0a559ebfb0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003200300030002e00350000000000:castlepark93 <------ PASSWORD WOOOOOo

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61...000000
Time.Started.....: Tue Jun 15 12:12:17 2021 (1 sec)
Time.Estimated...: Tue Jun 15 12:12:18 2021 (0 secs)
Guess.Base.......: File (/home/birch/programming/tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13413.7 kH/s (7.60ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10485760/14344384 (73.10%)
Rejected.........: 0/10485760 (0.00%)
Restore.Point....: 9175040/14344384 (63.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: chautip -> XiaoNianNian
Hardware.Mon.#1..: Temp: 60c Fan: 27% Util: 49% Core:1987MHz Mem:5005MHz Bus:16

Started: Tue Jun 15 12:12:15 2021
Stopped: Tue Jun 15 12:12:19 2021

Hashcat found the password in about a second (rockyou.txt is tiny work for a fast hash like NetNTLMv2), which answers the question What is Tom's account password? -> castlepark93
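The hash assembly above and the crack result can both be checked offline without hashcat. The following script is an added example, not part of the original write-up: it takes the five values copied from packets 49169 and 49171, builds the -m 5600 line the same way, decodes the target-info (AV_PAIR) block embedded in the NTLMv2 Response, and recomputes NTProofStr for a candidate password with the NetNTLMv2 construction (HMAC-MD5 keyed by HMAC-MD5(NT hash, upper(user) + domain), over server challenge || blob). The field values are the ones shown above; the function names and the pure-Python MD4 fallback are this example's own.

```python
# Added example (not from the original write-up): rebuild the hashcat line from the
# fields above, decode the target-info block inside the NTLMv2 Response, and verify a
# candidate password offline the same way hashcat -m 5600 does.
import datetime
import hashlib
import hmac
import struct

USER, DOMAIN = "TOM_FEDDER", "WORKGROUP"
SERVER_CHALLENGE = "497bb71c637c055b"            # NTLMSSP CHALLENGE, packet 49169
NTPROOFSTR = "ed93b7d3ed61c510d74d98fb688476e0"  # first 16 bytes of the NTLMv2 Response, packet 49171
BLOB = (                                         # remainder of the NTLMv2 Response (the "temp" structure)
    "01010000000000006201533f649bd501e1"
    "7dd2637b53d5b80000000002001e004400450053004b0054004f0"
    "050002d0045004a003800310047004e004a0001001e0044004500"
    "53004b0054004f0050002d0045004a003800310047004e004a000"
    "4001e004400450053004b0054004f0050002d0045004a00380031"
    "0047004e004a0003001e004400450053004b0054004f0050002d0"
    "045004a003800310047004e004a00070008006201533f649bd501"
    "06000400020000000800300030000000000000000000000000000"
    "0005b7c87cb37c89eb064a9e7faca6bcf8b7f59aca797b867c2c2"
    "0a8ff0a559ebfb0a0010000000000000000000000000000000000"
    "00900240063006900660073002f003100390032002e0031003600"
    "38002e003200300030002e00350000000000"
)


def md4(data: bytes) -> bytes:
    """MD4 for the NT hash; OpenSSL 3 often disables it, so fall back to RFC 1320 in Python."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    rounds = (  # (mixing function, additive constant, per-step shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack_from("<16I", msg, off)
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = rotl((a + fn(b, c, d) + words[w] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntproofstr_for(password: str, user: str, domain: str,
                   server_challenge_hex: str, blob_hex: str) -> str:
    """NetNTLMv2: NTProofStr = HMAC-MD5(HMAC-MD5(MD4(pw), upper(user)+domain), challenge || blob)."""
    nt_hash = md4(password.encode("utf-16le"))
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    data = bytes.fromhex(server_challenge_hex) + bytes.fromhex(blob_hex)
    return hmac.new(key, data, hashlib.md5).hexdigest()


def hashcat_line(user: str, domain: str, server_challenge_hex: str, ntlmv2_response_hex: str) -> str:
    """hashcat -m 5600 line; the NTLMv2 Response field starts with NTProofStr, so split it off."""
    proof, blob = ntlmv2_response_hex[:32], ntlmv2_response_hex[32:]
    if len(server_challenge_hex) != 16 or not blob.startswith("0101"):
        raise ValueError("field lengths look wrong; re-check the copied hex")
    return f"{user}::{domain}:{server_challenge_hex}:{proof}:{blob}"


AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}


def parse_blob(blob_hex: str) -> dict:
    """Decode the NTLMv2 temp structure: timestamp, client nonce, then the AV_PAIR list."""
    raw = bytes.fromhex(blob_hex)
    if raw[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 blob (RespType/HiRespType must be 1)")
    filetime = struct.unpack_from("<Q", raw, 8)[0]  # 100 ns ticks since 1601-01-01 UTC
    epoch = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
    info = {"timestamp_utc": (epoch + datetime.timedelta(microseconds=filetime // 10)).isoformat(),
            "client_challenge": raw[16:24].hex()}
    pos = 28  # AV pairs start after RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4)
    while True:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value, pos = raw[pos:pos + av_len], pos + av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        info[name] = value.decode("utf-16le") if av_id in (1, 2, 3, 4, 5, 9) else value.hex()
    return info


if __name__ == "__main__":
    print(hashcat_line(USER, DOMAIN, SERVER_CHALLENGE, NTPROOFSTR + BLOB))
    print(parse_blob(BLOB))
    print(ntproofstr_for("castlepark93", USER, DOMAIN, SERVER_CHALLENGE, BLOB) == NTPROOFSTR)
```

Running it prints the hashcat line, the decoded AV pairs (the NetBIOS and DNS names DESKTOP-EJ81GNJ come from the server's CHALLENGE, so they describe the victim 192.168.200.5, and cifs/192.168.200.5 is the SPN the client targeted) and True for castlepark93. The recomputation is also a cheap sanity check before burning GPU time on a hash line: if a known-good password does not reproduce NTProofStr, a hex character was dropped somewhere in transcription.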

Extracting SMB file transfers#

If we scroll down in the SMB conversation, we can see that the attacker requests a few different files...

  • data.png
  • Flight Info.pdf
  • Wireshark-win64-3.0.6.exe

The arrows in this screenshot point to the SMB2 Create requests that open each file and initiate the transfer.

/img/file-pcap.png

Wireshark has built-in functionality to export objects, in our case SMB objects. From the top menu, File -> Export Objects -> SMB opens the following dialog, which lets you save the files transferred in the pcap to your machine! (The same can be done non-interactively with tshark -r <pcap> --export-objects smb,<outdir>.)

/img/export-window.png

In this case the dialog lists just two files, data.png and Flight Info.pdf...

Examining the SMB files#

Flight Info.pdf#

Looking at the flight info PDF we can answer questions 2 and 3.

  • Where is Tom flying to? -> Phoenix
  • How much did Tom pay (in USD) in total for the flight? -> 219.30

/img/flight-info-annotated.png

data.png#

This image answers Question 4. Nothing else to it.

  • What is the flag on Tom’s computer? (format: @@@-@@@@-####)
    • SKY-LEAK-2304

/img/honk.png

Wireshark-win64-3.0.6.exe#

While this file was not among the objects the export dialog offered, its name is visible in the SMB requests, and that is enough to answer the remaining question

  • Tom had an executable file in his data volume, what is the name of that file?
    • Wireshark-win64-3.0.6.exe

Summary#

Now we have solved all of the questions! In summary:

  • We identified the attacker's IP address by looking at which host initiated the SMB session (including the failed login with an empty username).
  • We determined the Linux distribution from the Host Name field in packet 49171.
  • We recovered Tom Fedder's password by assembling the NetNTLMv2 challenge/response from the two SMB authentication packets and cracking it with hashcat.
  • We exported the SMB objects with Wireshark and examined their contents.

Great box! Thanks @DPS for running this competition and @c1ph0r for creating the room!