Block: TryHackMe Walkthrough
One of your junior system administrators forgot to deactivate two accounts from a pair of recently fired employees.
We believe these employees used the credentials they were given in order to access some of the many private files from our server, but we need concrete proof.
The junior system administrator only has a small network capture of the incident and a memory dump of the Local Security Authority Subsystem Service process.
Fortunately, for your company, that is all you need.
Click on the Download Task Files button at the top in the task. You will be provided with an evidence.zip file.
Extract the zip file’s contents and recover the information in order to answer the questions.
In this room, we tackle two primary tasks: dumping hashes from the Local Security Authority Subsystem Service (LSASS) and decrypting encrypted packets to extract flags.
To begin, we’re given an LSASS dump file and a captured packet file “traffic.pcap”. Our goal is to decrypt the captured file and uncover the necessary flags.
To solve this, I used Wireshark to analyze the packet content. By applying the filter `smb2.cmd == 0x01`, which targets successful SMB connections, I identified two users. The first user, “mrealman,” is the answer, although we do get another user called “eshellstrop”.
#1. What is the username of the first person who accessed our server?
Answer: mrealman
Next, we needed to extract the password of “mrealman” from the LSASS dump file. Using the Python tool, pypykatz, I extracted the NT hash of the user from the `lsass.DMP` file. After cracking the NT hash with John the Ripper, I found the password to be “Blockbuster1.” So find the NT hash and store it in a new file and feed it to john it is show in image 2 below:
#2. What is the password of the first user?
Answer: Blockbuster1
This step required decrypting the captured packet file. Wireshark initially showed the file as encrypted, so I researched SMB3 decryption techniques. After researching, I used a Python script to decrypt the traffic, which involved providing session IDs, user passwords, and other details found in Wireshark. The code is give below:
import hashlib
import hmac
import argparse
# stolen from impacket. Thank you all for your wonderful contributions to the community
try:
from Cryptodome.Cipher import ARC4
from Cryptodome.Cipher import DES
from Cryptodome.Hash import MD4
except Exception:
print("Warning: You don't have any crypto installed. You need pycryptodomex")
print("See https://pypi.org/project/pycryptodomex/")
def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
cipher = ARC4.new(keyExchangeKey)
cipher_encrypt = cipher.encrypt
sessionKey = cipher_encrypt(exportedSessionKey)
return sessionKey
###
parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u", "--user", required=True, help="User name")
parser.add_argument("-d", "--domain", required=True, help="Domain name")
parser.add_argument("-p", "--password", required=True, help="Password of User")
parser.add_argument("-n", "--ntproofstr", required=True, help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k", "--key", required=True, help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()
# Upper Case User and Domain
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')
# Create 'NTLM' Hash of password
passw = args.password.encode('utf-16le')
hash1 = hashlib.new('md4', passw)
password = hash1.digest()
# Calculate the ResponseNTKey
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()
# Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()
# Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))
if args.verbose:
print("USER WORK: " + user.decode('utf-16le') + domain.decode('utf-16le'))
print("PASS HASH: " + password.hex())
print("RESP NT: " + respNTKey.hex())
print("NT PROOF: " + NTproofStr.hex())
print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())Give the arguments that are shown below and where to find them:
python2 script.py -u mrealman -d WORKGROUP -p Blockbuster1 -n 16e816dead16d4ca7d5d6dee4a015c14 -k fde53b54cb676b9bbf0fb1fbef384698And we get the Random SK:
Next go to wireshark and click on the Edit bar -> preferences -> select smb2 as protocol and enter the session id (copy as hex stream) and the Random SK that we got:
After decrypting, I exported an SMB object file by selecting the row that contains the file as shown in the image below:
After selecting click on File -> Export object as smb and then download the file named `clients156.csv`. Within this file was the flag:
#3. What is the flag that the first user got access to?
Answer: THM{SmB_DeCrypTing_who_Could_Have_Th0ughT}
In the first task we got 2 users already, so the second user is “eshellstrop” who accessed the server after “mrealman.”
#4. What is the username of the second person who accessed our server?
Answer: eshellstrop
Similar to the first user, I used pypykatz to extract the NT hash from the LSASS dump file, in the terminal press “ctrl+shift+f” to find the user. The hash for “eshelltsrop” was:
#5. What is the hash of the second user?
Answer: 3f29138a04aadc19214e9c04028bf381
For this task, I followed the same decryption process as before. Since “eshelltsrop’s” password could not be cracked, I modified the script to use the NT hash instead of the password. After decrypting the connection, I exported another file in CSV format and uncovered the second flag:
The modified script is given below:
import hashlib
import hmac
import argparse
# stolen from impacket. Thank you all for your wonderful contributions to the community
try:
from Cryptodome.Cipher import ARC4
from Cryptodome.Cipher import DES
from Cryptodome.Hash import MD4
except Exception:
print("Warning: You don't have any crypto installed. You need pycryptodomex")
print("See https://pypi.org/project/pycryptodomex/")
def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
cipher = ARC4.new(keyExchangeKey)
cipher_encrypt = cipher.encrypt
sessionKey = cipher_encrypt(exportedSessionKey)
return sessionKey
###
parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u", "--user", required=True, help="User name")
parser.add_argument("-d", "--domain", required=True, help="Domain name")
parser.add_argument("-n", "--ntproofstr", required=True, help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k", "--key", required=True, help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("--ntlmhash", required=True, help="NTLM Hash of the User's password (provide Hex String)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()
# Upper Case User and Domain
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')
# Use the provided NTLM hash directly
password = bytes.fromhex(args.ntlmhash)
# Calculate the ResponseNTKey
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()
# Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()
# Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))
if args.verbose:
print("USER WORK: " + user.decode('utf-16le') + domain.decode('utf-16le'))
print("NTLM HASH: " + password.hex())
print("RESP NT: " + respNTKey.hex())
print("NT PROOF: " + NTproofStr.hex())
print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())└─$ python3 script.py -u eshellstrop -d WORKGROUP -n 0ca6227a4f00b9654a48908c4801a0ac -k c24f5102a22d286336aac2dfa4dc2e04 --ntlmhash 3f29138a04aadc19214e9c04028bf381
add the session id and the Random SK key like before in wireshark to get:
#6. What is the flag that the second user got access to?
Answer: THM{No_PasSw0Rd?_No_Pr0bl3m}
