THM - Block

Hi,

This is my writeup about the TryHackMe medium room “Block”.

1. What is the username of the first person who accessed our server?

On this stage, I ignored the lsass.DMP file and focusses on the pcap file. To get the answer to this question, I just had to open the pcap file with wireshark:

At this moment all should know, that we are working with a windows machine. Better say, with a tcpdump of a windows machine. So you should be familier with ntlm. If not, read this article about NTLMv2 and/or do the Windows Fundamentaks + Windows Exploitation Basics learning module on TryHackMe.

2. What is the password of the user in question 1?

This question is simple: Bruteforce! But, what do we need to bruteforce? This is the real question here. Because to be able to bruteforce NTLMv2, there are several parts we need to obtain.

1. Username
2. Domain
3. NTLM Server Challenge
4. NTProofStr aka HMAC-MD5
5. NTLMv2 Response

All those informations have to be joined together and only separated by :, except the separation between username and domain, there has to be two colons.

Take a look at the skeleton of our hash:

username::domain:serverChallenge:NTProofStr:NTLMv2Response

Without leading spaces, tabs and without spaces, tabs or newlines at the end!

To obtain every part, the traffic.pcapng is all we need.

2.1 Domain

The username is known form the previous question. And also the domain! As can be seen on the screenshot of the previous question, the domain is the WORKGROUP right before the username.

2.2 NTLM Server Challenge

While the username and domain can be found on frame 11, the server challenge is one frame before/above on frame 10.

Just right click on that line and select copy/value.

2.3 NTProofStr / HMAC-MD5

If you read somewhere about HMAC-MD5 then this is the NTProofStr on wireshark. To obtain this, go back to frame 11 where the username and domain was found and search for it.

2.4 NTLMv2 Response

This one is also tricky, because the response can be copied one line above the NTProofStr line from before, but it has the NTProofStr merged into it. Gladly it is at the beginning of the response string.

Remove it by hand or use shell. As I use fish this command will do the job:

echo (string replace -r '^NTProofStr' '' "NTLMv2Response")

For bash:

echo "${'NTProofStr'#'NTLMv2Response'}"

2.5 Get the password for mrealman

The bruteforce will not take much time, when using rockyou.txt wordlist.

hashcat -m 5600 -a 0 mrealman_hash /usr/share/SecLists/rockyou.txt -d 2

3. What is the flag that the first user got access to?

The flag was clearly in a file saved and the user download it over smb. To get the file content, the smb encrypted frame has to be decrypted:

To decrypt smb3 traffic, two things are needed.

1. Session ID as HEX Stream
2. Session Key

3.1 Session ID

The session id can be obtained from the frame 10:

3.2 Session Key

To get the session key more informations are needed:

1. Username -> Obtained in question 1.
2. Domain -> Obtained in question 2.
3. Password -> Obtained in question 2.
4. NTProofStr -> Obtained in question 2.
5. Encrypted Session Key

The encrypted session key can be found in frame 11:

Thanks to Khris Tolbert for his articel “Decrypting SMB3 Traffic with just a PCAP? Absolutely (maybe.)”, where he explains all the steps in good detail.

The last piece to get the session key from all those informations, is the python script, which Khris have wrote. He wrote it in python2, if you are using python2 then get it from the article. I rewrote it for python3 because I don’t use python2 anymore.

When running the script with all informations provided, it prints out the session key.

3.3 Decrypting SMB2

I added the session id with the session key into wireshark (Preferences/Protocol/SMB2):

After that I lookup all now decrypted smb3 frames. The file which contains the flag, can be found on frame 54:

Or a much simpler way:

The flag lays inside of the clients156.csv file.

4. What is the username of the second person who accessed our server?

As easy as question 1:

5. What is the hash of the user in question 4?

First of: The traffic.pcapng doesn’t contain the hashes. To get hashes, I had to look into the second file. First I decided to use Ghidra, a reverse engineering tool developed by the NSA’s research directorate. But it takes to long and was not so easy to obtain hashes. After a short search, I came up with pypykatz. Perfect fitting into my needs, because to run mimikatz I had to run a windows VM.

6. What is the flag that the second user got access to?

This one takes me hours until I got it. I tried every wordlist on SecLists/Passwords/ + rockyou.txt until I gave up on the idea to bruteforce the password of user eshellstrop.

At that moment, I tried to get the password by using encrypted smb3 blobs and all other informations available at that moment. The tool I tried, was dpapick3. After hours of try and errors, I gave up and took a day break. This break safe me hours of frustration, because I came up with the idea to reread everything until then. I also reread the article mentioned at 3.2 and saw something, which solved my problem quickly:

So the script was not written to support ntlm hash beside plain passwords, and because of that, I missed this little phrase. Now, beside I rewrote the script from python2 to python3, I also extend it a bit to support ntlm hashes, by adding those options and change some lines:

group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-p", "--password", help="Plain password of User")
group.add_argument("-a", "--ntlmhash", help="NTLM Hash of User")

Now I executed the script with all needed informations which can be found in the traffic.pcapng and instead of the password, I ran it with -a ESHELLSTROP_NTLM_HASH.

After I got the session key, I add it to wireshark as in 3.3 for the first user and was able to obtain the clients978.csv file, which contains the second flag.

Good luck! :)

---