What's up everybody, this is Hiddy and today we're looking at the Block room on TryHackMe. It just got released yesterday, so let's take a look at it. So a junior system administrator forgets to deactivate two accounts from former employees, and these employees use the credentials they were given in order to access some of the many private files from our server, but they need some concrete proof. The junior system administrator provided us with a small network capture file and a memory dump of the Local Security Authority Subsystem Service process. So let's just take a look at what LSASS is, right.
So LSASS is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. And let's check what one can do with an LSASS dump file, right. Let's take a look at it.
So adversaries commonly abuse the Local Security Authority Subsystem Service to dump credentials for privilege escalation, data theft and lateral movement. This process is a fruitful target for adversaries because of the sheer amount of sensitive information stored in its memory. So we got something right off the bat.
We got password, username, hash. So we know what we're looking at. So I'll walk you guys through the challenge. Let's take a look at it. I'll connect to the TryHackMe VPN.
You can go ahead and download the files from here. I've already downloaded them. Let's extract, and there we go.
We got a traffic.pcapng file and an lsass.dmp file. Let's just take a look at the dump file first. So it's just a minidump crash report of the LSASS process on Windows. And let's take a look at the pcap file in Wireshark.
So there we go. We see some SMB traffic that's encrypted, so we probably need to decrypt it to get the flags. Let's just go ahead and click on one, expand subtrees, and there we go: it is of user eshellstrop, and we got the domain and whatnot. And if we go above and check these encrypted packets, they're of user mrealman, and I think these are the only two users we found using Wireshark. So, mrealman, there we go, and our second user is eshellstrop. There we go. So now we need the password for the user in question one. Okay, let me close this, and should I make it a little bigger? There we go. So we got the lsass.dmp file, and let's see, we can use ChatGPT for most of this stuff, or we can just search "how to dump creds from LSASS dump file", "dumping LSASS without Mimikatz". So let's see what it got for us. We can even ask ChatGPT how to dump creds from an lsass.dmp file, and there we go. So this is how you use Mimikatz, and there is also pypykatz, and I think this is exactly what we're looking for. Let's take pypykatz, lsa, minidump. Before executing this, let's just take a look at the help. So there we go, we get the lsa option, which will get us the secrets from the memory dump, so we can use that. Let's use help again. So we need to specify a memory dump file, and the positional arguments are minidump, rekall and info.
So I think we need minidump to dump the hashes. minidump, and that's all, I think. Yep. So let's hit enter and let's see what we get.
Oh, there we go. We got password hashes for multiple users. Let me go above. Let me just do four, three, two, three.
Yeah, there you go. There you go, we got mrealman and its NTLM hash. Let's just take the hash and let's crack it using hashcat. I'll just specify the hash to auto-detect the hash mode, so it's NTLM. So we can use -m 1000, and let's just use rockyou.txt. And I think I've already cracked it, so there we go: blockbuster1.
This is the user password for user one. I think we could get it even using CrackStation. So no worries for that. Come on, I'm not a robot. There you go, there we go, we got the password for user one, and we can close this. And oh, we even... we need the profile for Volatility, uh, we can dump using Mimikatz on Windows, and there we go, it can even tell us how to dump using pypykatz. So no worries. So what is the hash of the user in question four? So we need the hash for the eshellstrop user. So let's see, where is it? Let me just ripgrep eshellstrop. It's... I think no. Uh, how do we print lines before that? Hold up. grep help: print number of lines of leading context, and oh, it's capital. Okay, let's do this, and there we go, we got the NTLM hash for the second user, and I think that's what it needed. Yep. And let's just go ahead and store it in eshellstrop.hash. There we go. So now we just need the flags for the mrealman user and the flag eshellstrop accessed. Okay, so I think we need to decrypt the SMB traffic here. So in Wireshark you can actually go ahead and go to Statistics... statistics, uh, how do we even spell it? Statistics, okay. Okay, so there we go, we got SMB traffic and UDP, then we get TCP, and that's all. Just wanted to show you guys. So here, let's go ahead and use our best friend Google: analyze SMB traffic in Wireshark.
Or let's just do "decrypt SMB traffic". And we got a first link for a Medium blog post: Decrypting SMB3 traffic with just a PCAP? Absolutely (maybe). So I'll mention the link in the description. You can go ahead and read it. But we're going to focus on the main part here. So.
Initial observation of the PCAP shows that the players of this wonderful CTF are provided with the capture of setup and execution of an encrypted SMB3 session, and so on. To this quest: where to start? Was it even possible to decrypt SMB3 traffic? Varsha V. Key suggests that it was indeed possible with the session key and the session ID. Okay, so we can find the session ID in the packet information and even the session key, and when you go to the preferences and the SMB2 protocol you can edit it here and specify them here. But it's still encrypted, right? So it looks like the session key in the packet is not able to decrypt SMB3 traffic. So the user mentioned here: essentially, what Wireshark displays in the capture as the session key is not equal to the session key needed to decrypt SMB3 traffic, and that I would need the real session key. Okay, so I think the session key is even encrypted too, so we need to decrypt this session key, required to decrypt this SMB traffic. Okay, so I think they gave us a Python script to do that, and let's go ahead and use this. Let's just copy, there we go, let's just store it in a file, get_session_key.py, and I think it's Python 2. Yep, it's Python 2 because of how the print statements look, uh, where is it, there we go, there are no parentheses. So let's go above. So what do we need? We need the user's password or the NTLM hash, we got both. We need the user's domain, the username and something called the NTProofStr, and we need the key exchange key, also known as the NTLMv2 session base key, so that's the session key we found in the Wireshark capture file, the encrypted session key. Okay, okay, that's fine. Let's use this. We got user mrealman. Let's go back to Wireshark: mrealman, the domain is WORKGROUP. WORKGROUP. We got its password, I think it was blockbuster1, and we need the NTProofStr. So you can actually find the NTProofStr in the NTLMSSP AUTH packet. If you go... if we go below, and wait, let me just filter for NTLMSSP. We go there, let's do this. You got the session ID, session setup, session setup, and where is it, can we find which of these packets has the NTLM security blob? Simple. Oh, there we go, we have it in here: negTokenTarg, NTLM Secure Service Provider, and we have... where is the NTLMSSP challenge? There we go, in the AUTH packet I think we have it. We got the session key and the NTLM response, there we go, we got the NTProofStr. We can just right click and copy the value, and there we go. And we need the session key, we have it here, right click, copy, value, there we go. And let's run the script, and it says unsupported hash type md4. So that's why you don't use Python 2 nowadays. So let's just go ahead and ask ChatGPT to make the script work with Python 3. I think that's it, it will do the work for us: pycryptodome, binascii, and there we go. We have our print statements figured out to work with.
Let's remove this, and vi get_session_key.py, make this file again, copy paste this. There we go. Now just change to python3 and let's run it. There we go.
We got the random session key, and I think this is the right one. We can go ahead and remove the filter. We need to go to Edit, Preferences, Protocols, search for SMB, SMB2, and Secret session keys for decryption, Edit. We can add a session key here, and my bad, we even needed the, uh, let's go back and let's just copy the session ID first. Where is the session ID? There we go, session ID for the mrealman user. And if you go back to the blog post once again and take a look at the screenshot here, you see it's the session key. There we go.
The session ID is this, and it's in hex, but here it's completely reversed. So you need to copy the session ID using "copy as hex stream", so it will copy the right way. So we can go again to Preferences, Protocols, SMB2, so we can decrypt the SMB traffic, copy it here, we need the session key, there you go, session key, press OK, OK. And if you look at the Wireshark capture file again, we see the decrypted SMB3 traffic, right. So, uh, let's follow the TCP stream. We see something, it's still gibberish, right, but if you go to File again and go to Export Objects and SMB, we can export the objects that the users were accessing using SMB. So now we can export it successfully. So it's a CSV file, clients 156. Let's go ahead and save it, there we go, let's close this one out and let's see, client, there we go, we got our first flag: THM SMB decrypting who would have thought. So now we just need the flag for the second user, and let's take a look at Wireshark again. Where is it? So it's decrypted traffic for this user, but if you take a look, uh, go below, it's still encrypted for the eshellstrop user. So we need to decrypt this traffic, and so we need the session key and session ID. There we go, we have the session ID here, and we need the session key for this user, right. So let's go above, where it's authenticating, there we go, NTLMSSP_AUTH, and let's take its NTProofStr. Where is it? NTLM response, NTProofStr, there we go, we got it, value. And go back to the Python... we need to update this key and the NTProofStr. We don't have... oh, so here we have another problem, right: we don't actually have the password for the eshellstrop user. We can try brute-forcing it, but we are not able to crack it using rockyou, right. So what can we do? Let's take a look at the blog post again and go below. Look at here, we can either specify the user's password or even the NTLM hash, but in the script, if you take a look at the script get_session_key, it's actually hash-encoding it into MD4, so we just don't need to do that, and we just directly need our password... just take it from our input and use that. So we don't need these three lines here, let's comment them out, and you can use ChatGPT for it. So let's use password is equal to... we can use binascii.unhexlify, because it's hexlifying it at the end, so we have to do an unhexlify. It will just take the NTLM string, like the hash string, and it will just convert it into raw binary, like raw byte format, right. So we just need the raw password, and just that, we just need to change that line, and we can :wq it here. Or we can just go ahead and copy this and let's also take help from ChatGPT if it can do this for us. So let's remove these, remove the comments, and let's ask ChatGPT to make changes in this script to directly accept the NTLM hash instead of encoding it, and encoding the password in MD4 or using hashlib, instead of using hashlib on the password, whatever. You can just specify it.
It will do the work for you. So accepting the NTLM hash directly removes the part where the password is hashed to get the NTLM hash, and uses the provided NTLM hash in the subsequent calculations. So there we go.
It just unhexlifies the NTLM hash, and here it just changed the keywords we needed, and we can even use this script. So let's go ahead and use this gs.py. There we go, python3, we just need to change the script. And we know the username, eshellstrop, the domain is the same, we don't have the password, we just need to copy the eshellstrop hash, there we go. And we need to change the NTProofStr we found in the capture file, copy value, and we also need to change the session key, there we go, copy value, and let's see. Okay, oh, we need to specify the hash using -h. Let's use ntlm hash, because I think -h is for help. And still, ChatGPT, you're doing me over, bro. Let's just comment this out. Oh no, we don't need to comment this. Let's just change it to -p.
Let's see. There we go. There we go.
We got it. So, random session key, we got the session key for the eshellstrop user using its NTLM hash. You can use ChatGPT or you can just manually edit the three lines and add the unhexlify. So now we can just go ahead and decrypt the traffic for this user. We need the session ID, copy as hex stream, go to Edit, Preferences, Protocols, SMB2, Edit, let's add another session ID, we need the session key, there we go, click OK, OK. And now I think you can see all the traffic is decrypted in the Wireshark capture file, so we can just go ahead and File, Export Objects, and SMB. So we see another file, clients 978. Let's go ahead and save that and let's read it. There we go, we found the second flag we needed to solve the challenge: THM no password no problem. So it was a fun little challenge. You can use ChatGPT to understand things better and figure out some new things, new ways, and make some minor changes in your script and complete the challenge. I hope you guys learned something new, and it was quite fun. Like, Wireshark is always fun, just like decrypting SSL/TLS traffic or even HTTPS traffic and stuff like that. And I'll see you next time.
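As an added example (my own code, not the script from the video or the Medium post), here is the key derivation the whole walkthrough rests on, written to take the NT hash directly as the video ends up doing, so MD4 is never needed. The user name and domain are the ones from the room; the NT hash, NTProofStr and encrypted session key values in the usage call are constructed placeholders, not values from the capture.

```python
"""Recover the SMB3 random session key from NTLMv2 auth material (MS-NLMP).

Added example, not the video's or the Medium post's script. NTOWFv2 =
HMAC-MD5(NThash, UTF16LE(UPPER(user) + domain)); KeyExchangeKey =
HMAC-MD5(NTOWFv2, NTProofStr); RandomSessionKey = RC4(KEK, EncryptedKey).
The NT hash is taken directly, so MD4 (the hashlib error hit above) is never needed.
"""
import hashlib
import hmac
from binascii import hexlify, unhexlify


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_exchange_key(nt_hash: bytes, user: str, domain: str, nt_proof_str: bytes) -> bytes:
    """NTLMv2 key exchange key (the session base key) from the NT hash."""
    if len(nt_hash) != 16 or len(nt_proof_str) != 16:
        raise ValueError("NT hash and NTProofStr must be 16 bytes each")
    # MS-NLMP 3.3.2: the user name is upper-cased, the domain is used as given
    ident = (user.upper() + domain).encode("utf-16le")
    ntowf_v2 = hmac.new(nt_hash, ident, hashlib.md5).digest()
    return hmac.new(ntowf_v2, nt_proof_str, hashlib.md5).digest()


def recover_session_key(nt_hash_hex: str, user: str, domain: str,
                        nt_proof_str_hex: str, enc_session_key_hex: str) -> str:
    """Hex random session key to paste into Wireshark's SMB2 session key table."""
    kek = key_exchange_key(unhexlify(nt_hash_hex), user, domain, unhexlify(nt_proof_str_hex))
    return hexlify(rc4(kek, unhexlify(enc_session_key_hex))).decode()


if __name__ == "__main__":
    # Constructed placeholder values (hash, NTProofStr, encrypted key), not from the room's capture.
    print(recover_session_key("00" * 16, "mrealman", "WORKGROUP", "11" * 16, "22" * 16))
```

Paste the printed hex into Edit, Preferences, Protocols, SMB2, Secret session keys for decryption next to the session ID copied as a hex stream, exactly as done in the video.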