TryHackMe Block Room Cybersecurity Challenge

Sep 4, 2024

Lecture Notes: Block Room Challenge (TryHackMe)

Overview

  • Host: Hiddy
  • Focus: the Block room, recently released on TryHackMe.
  • Scenario: A junior system administrator forgot to deactivate accounts of former employees, leading to unauthorized access to private files.

Key Components

LSASS (Local Security Authority Subsystem Service)

  • Responsible for enforcing security policies on Microsoft Windows.
  • Commonly targeted by adversaries for credential dumping because of the credential material (hashes, and sometimes cleartext passwords) held in its memory.

Initial Inputs

  • Files Provided:
    • Network capture file (traffic.pcapng)
    • LSASS process memory dump file (lsas.dump)

Analysis Process

Step 1: Examine the LSASS Dump File

  • The dump file is a minidump (mini crash report) of the LSASS process.
  • Contains sensitive data such as usernames, passwords, and hashes.

Step 2: Analyze PCAP File in Wireshark

  • Identified encrypted SMB traffic.
  • Users found:
    • eshellstrop
    • mrealman

Step 3: Extracting Password Hashes from the LSASS Dump

  • Tools used: Mimikatz, pypykatz.
  • Ran pypykatz against the dump to obtain password hashes for the identified users.
  • Successfully retrieved the NTLM hashes for mrealman and eshellstrop.

Flag Retrieval

User mrealman

  1. Password Cracking:
    • Used hashcat to crack the NTLM hash.
    • Password found: blockbuster1.
  2. Decrypting SMB Traffic:
    • Needed to decrypt the SMB3 traffic in Wireshark, which requires the session ID and the session key for each SMB session.
    • Required scripting to pull the session IDs and NTLMv2 proof strings out of the captured authentication packets and derive the session keys from them.
  3. Exporting Flags:
    • Exported objects from decrypted SMB traffic to find the first flag: "THM SMB decrypting who would have thought".

User eshellstrop

  1. Challenges:
    • No cleartext password was available; only the NTLM hash.
  2. Scripting Adjustments:
    • Modified the scripts to accept the NTLM hash directly instead of requiring the password.
  3. Decrypting Traffic:
    • Successfully decrypted SMB traffic for eshellstrop after gathering necessary session keys and IDs.
  4. Exporting Flags:
    • Exported objects to find the second flag: "THM no password no problem".
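The session-key derivation that the scripting steps for both users refer to, as an added example (not the notes' own scripts): given a user's NT hash plus the NTProofStr and Encrypted Random Session Key from the capture's NTLMSSP_AUTH packet, it computes the NTLMv2 session key that Wireshark's SMB2 preference "Secret session keys for decryption" needs, together with the Session Id in the byte order that table expects. Taking the NT hash rather than the password as input is what makes the eshellstrop case work; the domain name and the values in the demo are constructed placeholders.

```python
import hmac
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). NTLM uses it to wrap the random session key under the KXKEY."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    The NT hash is MD4(UTF-16LE(password)); taking it as input is what lets the
    eshellstrop case work with only the dumped hash (no password needed)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def key_exchange_key(response_key_nt: bytes, nt_proof_str: bytes) -> bytes:
    """For NTLMv2 the KXKEY is the SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr).
    NTProofStr is the first 16 bytes of the NTLMv2 Response in the NTLMSSP_AUTH packet."""
    return hmac.new(response_key_nt, nt_proof_str, hashlib.md5).digest()

def smb_session_key(nt_hash: bytes, user: str, domain: str,
                    nt_proof_str: bytes, encrypted_session_key: bytes) -> bytes:
    """Unwrap the Encrypted Random Session Key (also in the NTLMSSP_AUTH packet).
    The result is the 16-byte session key Wireshark needs for that SMB3 session.
    If NTLMSSP_NEGOTIATE_KEY_EXCH was not negotiated, the KXKEY itself is the session key."""
    kek = key_exchange_key(ntlmv2_hash(nt_hash, user, domain), nt_proof_str)
    return rc4(kek, encrypted_session_key)

def wireshark_session_id(session_id: int) -> str:
    """Wireshark's SMB2 'Secret session keys' table takes the Session Id as the bytes
    appear on the wire (little-endian hex), not the big-endian number it displays."""
    return session_id.to_bytes(8, "little").hex()

if __name__ == "__main__":
    # Constructed placeholder values; in practice copy NTProofStr, the Encrypted Random
    # Session Key and the Session Id from the capture's NTLMSSP_AUTH / Session Setup packets.
    demo_nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = smb_session_key(demo_nt_hash, "eshellstrop", "WORKGROUP", b"\x11" * 16, b"\x22" * 16)
    print("Session Id:", wireshark_session_id(0x0000200000000001), "Session Key:", key.hex())
```

Repeat the derivation once per SMB session in the capture; each Session Id gets its own key, and for mrealman the NT hash is simply MD4 of the cracked password in UTF-16LE.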

Conclusion

  • The challenge provided an engaging way to learn about network analysis and credential extraction.
  • Emphasized the utility of tools like Wireshark, Mimikatz, and scripting for cybersecurity tasks.
  • Encouraged the use of platforms like ChatGPT for assistance in scripting and troubleshooting.