SMB, NTLM, & Google: SecDSM January MiniCTF Solution
SecDSM meets every third Thursday of the month at The Forge.
SecDSM has a mini-CTF challenge for the attendees to complete during their monthly meetups.
MiniCTF Challenge! To win, be the first to tweet the secdsm user's password from the pcap found here https://t.co/LleEBmnUqv
— SecDSM (@SecDSM) January 19, 2018
This month was a forensics challenge. The challenge site is still up so feel free to download the pcap and follow along in Wireshark.
Opening up the pcap and just looking through it, you can see that this is traffic from the user connecting to an SMB share and maybe doing other stuff. Full disclosure, I don't (or didn't, I know more now) know much about the inner workings of SMB or how to even begin to crack an SMB password using a pcap. Enter Google. I'm fairly certain the exact terms I typed in were "NTLM SMBv2 password cracking". Anyway, I found this handy article by shellgam3 with step-by-step instructions detailing exactly what I needed to do. You should read the article for more details on the steps I take here.
First, I'm going to filter down Wireshark to show me only the packets I need by filtering using "ntlmssp"
Let's begin by looking packet #15 and taking note of a few things: NTLM Response, User name, and Domain name.
NTLM Response (Copied as hex stream):
7a334cbeef274be92b992ff826e546fc010100000000000058115b33698dd301085c084956b3bb3400000000020014004d00520048005500470045004400490053004b00010014004d00520048005500470045004400490053004b00040002000000030014006d00720068007500670065006400690073006b000700080058115b33698dd30100000000
User Name:
secdsm
Domain Name:
NULL
Move to packet #14 and get the NTLM Server Challenge (Copied as value)
7d:91:12:f3:f7:e3:a3:d0
Putting this all together to create the NTLM hash, we end up with:
secdsm:::7d9112f3f7e3a3d0:7a334cbeef274be92b992ff826e546fc:010100000000000058115b33698dd301085c084956b3bb3400000000020014004d00520048005500470045004400490053004b00010014004d00520048005500470045004400490053004b00040002000000030014006d00720068007500670065006400690073006b000700080058115b33698dd30100000000
Notice that the spot where the Domain Name should go (between the 2nd and 3rd colons) is blank because Domain Name is NULL.
The next step is to run the hash through hashcat using a wordlist, but I didn't have a wordlist and the wordlist I tried (randomly from the internet) didn't work. That's when "This is a forensics challenge" clicked for me. There must be something else in the pcap to tell me what wordlist to use. So let's clear the 'ntlmssp' filter and take a look. Scrolling down the pcap, we see mention of a file called 00passwordlist.zip being created. In Wireshark, we can easily export files that are seen in the traffic.
File > Export Objects > SMB
Now that we have the password list we need (after unzipping it), we can use it for hashcat. See the final result below.
@SecDSM agl15051989lkmdvsdg
— Antoinette Maria (@_TheyCallMeToni) January 19, 2018
#Winning or Nah.
Very exciting to be the first one to solve the challenge and pick up a nice Palo Alto pull over in the process. However, that excitement was short lived because moments later there was another tweet.
Is there an "Easter egg" in the .pcap? You tell me!
— SecDSM (@SecDSM) January 19, 2018
Some people just want to watch the world burn. Back to work we go.
Looking through the same pcap, we really need to pay attention to what we're seeing in the traffic. What is the user doing? If we filter on the 'smb2' traffic and begin going through the packets, we see 'SMB2_FIND_ID_FULL_DIRECTORY_INFO Pattern: *'. A quick Google search will tell you that this command will list all of the files in a directory and their associated file ids. Looking at the Find Response, we noticed a familiar name -- 00passwordlist.
Let's convert that hex to ascii to get a better idea of what we're seeing.
X!q.
eÓÁÒJ
eÓ!q.
eÓ!q.
eÓÀ.XHÎ;ÓHÎ;Óù.ncÓù.ncÓ..`I'{cÓOýcÓI'{cÓI'{cÓÀ@RecyclehØ45dÓ§¦dÓÆÉç¡dÓÆÉç¡dÓ "À.DS_Storepà
dÓ<T¿<T¿<T¿
Àfbi_files_ZV9ixÿpíldÓ<T¿<T¿<T¿$Àzapruder_film_dXN9xÁübdÓ<T¿<T¿<T¿$Àufo_documents_Ym9ux¦dÓ<T¿<T¿<T¿"
Àcia_missions_Z3tmx¦ÕdÓX@GgÓ¦ÕdÓ¦ÕdÓr $À00passwordlist.zippRcdÓ<T¿<T¿<T¿
Ànsa_toolz_dXRfßo¹dÓ<T¿<T¿<T¿2
Àbitcoin_private_keys_ZmxhN%±\eÓ<T¿<T¿<T¿.
Àdirt_on_zoomequipd_YWxz
This is the point I got to before the first people got it. The rest is their solution
Now we can see the filenames and that they are follow by an underscore and 4 characters:
fbi_files_ZV9i
zapruder_film_dXN9
ufo_documents_Ym9u
cia_missions_Z3tm
nsa_toolz_dXRf
bitcoin_private_keys_Zmxh
dirt_on_zoomequipd_YWxz
If you put the files in alphabetical order and then combine the trailing 4 characters you get a long string.
ZmxhZ3tmYWxzZV9idXRfYm9udXN9
I put this in a file and used the command line to base64 decode the string to find the flag.
$ base64 -D -i base64hash.txt
flag{false_but_bonus}
Tools
Wireshark (https://www.wireshark.org/)
HashCat (https://github.com/hashcat/hashcat)
References
Capturing And Cracking NTLMv2 Hashes On The LAN by shellgam3
