TryHackMe: DeadPixelSec Challenge

·6 mins

Background #

This was another challenge posted in the DeadPixelSec Discord! Once again there were some super dope prizes for folks who solved the challenge.

This time around we are given a TryHackMe room:

It provides a PCAP file and the following prompt:

A man by the name of Tom had his travel plans stolen by someone, help identify the hacker and find Tom’s travel plans!

Preliminary Analysis #

Ok, honesty time: the reason I knew that this challenge revolved around SMB was just from sorting by protocol, scrollin' a lil, and noticing weird traffic.

SMB Investigation #

From the protocol breakdown we can see that a decent amount of SMB packets are being sent. This piqued my interest because it is odd to see alongside what otherwise looks like normal HTTP traffic.

Applying the smb2 filter in Wireshark, we can see that there is a conversation between and . The PCAP captured the entire exchange, including the login, file transfers, browsing, etc. Let’s start examining this interaction from the top.

Authentication Interaction #

With the smb2 filter applied in Wireshark, this interaction takes place between packets 43219 and 49171. The following is a screenshot of the Wireshark view:


In this screenshot, fails to log in to as User: \ and then successfully logs in as User: WORKGROUP\tom_fedder. At this point it seems clear that is acting as the hacker and is the victim. From here on I’ll refer to the IPs accordingly.

Since the capture includes the hacker’s NTLM authentication, we can recover the NetNTLMv2 challenge/response for the user tom_fedder. Note that this is not the NT hash itself: it is a challenge/response that can only be cracked offline, not replayed. The important packets to note here are 49169 and 49171.

Let’s examine packet 49171 in more depth…


There is a lot of information here that is vital to answering the questions. When examining the packet in Wireshark, the first thing that stands out is the “Security Blob” section. This carries the NTLMSSP messages that authenticate the SMB session.

Working from the top down, we can see that the NTLMv2 Response and the NTProofStr are present. This is important, as we can use them to build the crackable hash for tom_fedder.

Next, we can see that the Domain Name, User Name, and Host Name are listed. The domain name is also used in deriving the hash for Tom. The second important note is the Host Name… it’s listed as KALI. This field is the workstation name the client puts into its own NTLMSSP_AUTH message, so it describes the attacker’s machine (and could be spoofed; here it is the best indicator we have). From this it can be assumed that the hacker is using Kali Linux, answering question 5: What is the name of the Linux distribution used by the attacker?

Now let’s look at packet 49169.

The critical part of this packet is the NTLM Server Challenge field, which is the remaining piece of the hash: the server sends it in its NTLMSSP_CHALLENGE message, and the client’s NTProofStr is computed over it…


Finding Tom Fedder’s Password #

For this section, the following article was an immense help:

To crack the password for this authentication we need 5 things…

  • User-name: TOM_FEDDER
  • Domain-name: WORKGROUP
  • NTProofStr: ed93b7d3ed61c510d74d98fb688476e0
  • NTLM Server Challenge: 497bb71c637c055b
  • NTLMv2 Response:

We have all of these from examining just two packets! Now we can piece it all together and try to crack Tom’s password. The format hashcat expects for a NetNTLMv2 hash (mode 5600) is as follows…

Username::Domain Name:NTLM Server Challenge:NTProofStr:NTLMv2 Response with the leading NTProofStr removed

To explain this format quickly: the first 16 bytes of the NTLMv2 Response are the NTProofStr itself (an HMAC-MD5 over the server challenge and the rest of the response), so when concatenating the parts we strip the NTProofStr from the beginning of the NTLMv2 Response and keep only the remaining blob. This results in the following…


We can put this into a file (in my case passhash.txt) and then attempt to crack the password using a tool like john or hashcat. I used hashcat.

To break down the command (the full invocation and its output follow):

  • hashcat: the tool itself
  • -m 5600: the hash type we are trying to crack (NetNTLMv2)
  • passhash.txt: the file containing the NetNTLMv2 hash
  • ~/programming/tools/rockyou.txt: the wordlist to use
  • --force: ignore warnings
[email protected]  ~/tryhackme/dpschallenge  hashcat -m 5600 passhash.txt ~/programming/tools/rockyou.txt --force
hashcat (v5.1.0) starting...

Dictionary cache hit:
* Filename..: /home/birch/programming/tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

300030002e00350000000000:castlepark93 <------ PASSWORD WOOOOOo
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: TOM_FEDDER::WORKGROUP:497bb71c637c055b:ed93b7d3ed61...000000
Time.Started.....: Tue Jun 15 12:12:17 2021 (1 sec)
Time.Estimated...: Tue Jun 15 12:12:18 2021 (0 secs)
Guess.Base.......: File (/home/birch/programming/tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13413.7 kH/s (7.60ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10485760/14344384 (73.10%)
Rejected.........: 0/10485760 (0.00%)
Restore.Point....: 9175040/14344384 (63.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: chautip -> XiaoNianNian
Hardware.Mon.#1..: Temp: 60c Fan: 27% Util: 49% Core:1987MHz Mem:5005MHz Bus:16

Started: Tue Jun 15 12:12:15 2021
Stopped: Tue Jun 15 12:12:19 2021

Hashcat found the password in about a second, and thus we have answered the question What is Tom’s account password?

Extracting SMB file transfers #

If we scroll down in the SMB conversation, we can see that the hacker requests a few different files…

  • data.png
  • Flight Info.pdf
  • Wireshark-win64-3.0.6.exe

The arrows in this photo point to the actual requests made to initiate this transfer.


Wireshark has built-in functionality to export objects, in our case SMB objects. Heading to the top menu and then File -> Export Objects -> SMB, the following dialog should pop up. This allows you to save the files transferred in the PCAP to your machine! (tshark’s --export-objects smb,<dir> option does the same from the command line.)


In this case there were just 2 files…

Examining the SMB files #

Flight Info.pdf #

Looking at the flight info pdf we can answer Questions 2 and 3.

  • Where is Tom flying to? -> Phoenix
  • How much did Tom pay (in USD) in total for the flight? -> 219.30


data.png #

This image answers Question 4. Nothing else to it.

  • What is the flag on Tom’s computer? (format: @@@-@@@@-####)
    • SKY-LEAK-2304


Wireshark-win64-3.0.6.exe #

While this file wasn’t extracted with Wireshark, it still answers the remaining question:

  • Tom had an executable file in his data volume, what is the name of that file?
    • Wireshark-win64-3.0.6.exe

Summary #

Now we have solved all of the questions! In summary

  • We determined the IP address of the hacker by observing which address was authenticating to and pulling files over SMB.
  • We determined the Linux distribution used from the Host Name in packet number 49171.
  • We found Tom Fedder’s password by extracting fields from the SMB authentication packets and running hashcat against it.
  • We exported SMB objects using Wireshark and examined their contents.

Neat box! :)