THM - Block
Hi,
This is my writeup about the TryHackMe medium room “Block”.
1. What is the username of the first person who accessed our server?
At this stage, I ignored the lsass.DMP file and focused on the pcap file. To get the answer to this question, I just had to open the pcap file with Wireshark:
By now it should be clear that we are working with a Windows machine, more specifically with a packet capture of a Windows machine, so you should be familiar with NTLM. If not, read this article on NTLMv2 and/or do the Windows Fundamentals + Windows Exploitation Basics learning modules on TryHackMe.
2. What is the password of the user in question 1?
This question is simple: bruteforce! But what do we need to bruteforce? That is the real question here, because to be able to bruteforce NTLMv2 there are several parts we need to obtain:
- Username
- Domain
- NTLM Server Challenge
- NTProofStr aka HMAC-MD5
- NTLMv2 Response
All these pieces have to be joined together, separated only by a colon (:), except between the username and the domain, where there have to be two colons.
Take a look at the skeleton of our hash:
username::domain:serverChallenge:NTProofStr:NTLMv2Response
Without leading spaces or tabs, and without spaces, tabs or newlines at the end!
To obtain every part, the traffic.pcapng file is all we need.
2.1 Domain
The username is known from the previous question, and so is the domain! As can be seen on the screenshot of the previous question, the domain is WORKGROUP, right before the username.
2.2 NTLM Server Challenge
While the username and domain can be found in frame 11, the server challenge is one frame above, in frame 10.
Just right-click on that line and select Copy/Value.
2.3 NTProofStr / HMAC-MD5
If you read somewhere about HMAC-MD5, this is the NTProofStr in Wireshark. To obtain it, go back to frame 11, where the username and domain were found, and search for it.
2.4 NTLMv2 Response
This one is also tricky, because the response can be copied one line above the NTProofStr line from before, but it has the NTProofStr merged into it. Luckily it is at the beginning of the response string.
Remove it manually or use a shell. As I use fish, this command will do the job:
set response NTLMv2Response; set proof NTProofStr   # substitute the two hex values copied from Wireshark
echo (string replace -r "^$proof" '' $response)
For Bash:
response=NTLMv2Response; proof=NTProofStr   # substitute the two hex values copied from Wireshark
echo "${response#"$proof"}"
2.5 Get the password for mrealman
The bruteforce will not take much time when using the rockyou.txt wordlist.
hashcat -m 5600 -a 0 mrealman_hash /usr/share/SecLists/rockyou.txt -d 2
3. What is the flag that the first user got access to?
The flag was clearly saved in a file, which the user downloaded over SMB. To get the file content, the encrypted SMB frames must be decrypted:
To decrypt SMB3 traffic, two things are needed.
- Session ID as HEX Stream
- Session Key
3.1 Session ID
The session ID can be obtained from frame 10:
3.2 Session Key
To get the session key, more information is needed:
- Username -> Obtained in question 1.
- Domain -> Obtained in question 2.
- Password -> Obtained in question 2.
- NTProofStr -> Obtained in question 2.
- Encrypted Session Key
The encrypted session key can be found in frame 11:
Thanks to Khris Tolbert for his article “Decrypting SMB3 Traffic with just a PCAP? Absolutely (maybe.)”, where he explains all the steps in good detail.
The last piece needed to derive the session key from all this information is the Python script that Khris wrote. He wrote it in Python 2; if you are using Python 2, get it from the article. I rewrote it for Python 3 because I don’t use Python 2 anymore.
When running the script with all the information provided, it prints out the session key.
3.3 Decrypting SMB2
I added the session ID with the session key into Wireshark (Preferences/Protocol/SMB2):
After that, I looked through all the now decrypted SMB3 frames. The file which contains the flag can be found in frame 54:
Or a much simpler way:
The flag lies inside the clients156.csv file.
4. What is the username of the second person who accessed our server?
As easy as question 1:
5. What is the hash of the user in question 4?
First of all: the traffic.pcapng file doesn’t contain the hashes. To get hashes, I had to look into the second file. First I decided to use Ghidra, a reverse engineering tool developed by the NSA’s Research Directorate, but it took too long and it was not so easy to obtain hashes. After a short search, I came up with pypykatz. It fit my needs perfectly, because to run mimikatz I would have had to run a Windows VM.
6. What is the flag that the second user got access to?
This one took me hours until I got it. I tried every wordlist in SecLists/Passwords/ + rockyou.txt until I gave up on the idea of bruteforcing the password of user eshellstrop.
At that moment, I tried to get the password by using the encrypted SMB3 blobs and all other information available at that point. The tool I tried was dpapick3. After hours of trial and error, I gave up and took a day off. This break saved me hours of frustration, because I came up with the idea to reread everything up to that point. I also reread the article mentioned in 3.2 and saw something which solved my problem quickly:
So the script was not written to support NTLM hashes besides plain passwords, and because of that I had missed this little phrase. Now, besides rewriting the script from Python 2 to Python 3, I also extended it a bit to support NTLM hashes by adding these options and changing some lines:
# exactly one of -p/--password or -a/--ntlmhash must be given
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-p", "--password", help="Plain password of User")
group.add_argument("-a", "--ntlmhash", help="NTLM Hash of User")
Now I executed the script with all the needed information, which can be found in the traffic.pcapng file, and instead of the password I used the -a ESHELLSTROP_NTLM_HASH option.
After I got the session key, I added it to Wireshark as in 3.3 for the first user and was able to obtain the clients978.csv file, which contains the second flag.
Good luck! :)