Challenge Description:
We caught a threat actor, called MuddyWater, brute-forcing a login for our Domain Controller. We have a packet capture of the intrusion. Can you figure out which account they logged in to and what the password is?
Flag format is
swampCTF{<username>:<password>}
Solution
First, see which hosts are talking SMB2:

tshark -nr muddywater.pcap -Y "smb2" -T fields -e ip.src -e ip.dst | sort | uniq -c

  13670 192.168.122.1 192.168.122.73
  18223 192.168.122.73 192.168.122.1

Only two hosts. Find the Session Setup response that succeeded (smb2.cmd == 1 is SESSION_SETUP, smb2.nt_status == 0x0 is STATUS_SUCCESS):

tshark -nr muddywater.pcap -Y "((ip.src == 192.168.122.1 || ip.src == 192.168.122.73) && (ip.dst == 192.168.122.1 || ip.dst == 192.168.122.73)) && smb2.cmd == 1 && smb2.nt_status == 0x0"

72074 65.224622 192.168.122.73 → 192.168.122.1 SMB2 139 Session Setup Response

Get the TCP stream index from the full dissection of the request in that exchange:

tshark -nr muddywater.pcap -Y "frame.number == 72069" -V -T json > frame-72069.json

tcp.stream eq 6670

Then list the whole stream:
tshark -nr muddywater.pcap -Y "tcp.stream eq 6670"
72050 65.208522 192.168.122.1 → 192.168.122.73 TCP 74 [TCP Port numbers reused] 50580 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3317613623 TSecr=0 WS=128
72051 65.208595 192.168.122.73 → 192.168.122.1 TCP 66 445 → 50580 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
72052 65.208610 192.168.122.1 → 192.168.122.73 TCP 54 50580 → 445 [ACK] Seq=1 Ack=1 Win=64256 Len=0
72054 65.209197 192.168.122.1 → 192.168.122.73 SMB 127 Negotiate Protocol Request
72057 65.209616 192.168.122.73 → 192.168.122.1 SMB2 506 Negotiate Protocol Response
72058 65.209630 192.168.122.1 → 192.168.122.73 TCP 54 50580 → 445 [ACK] Seq=74 Ack=453 Win=64128 Len=0
72060 65.212034 192.168.122.1 → 192.168.122.73 SMB2 164 Negotiate Protocol Request
72062 65.212807 192.168.122.73 → 192.168.122.1 SMB2 506 Negotiate Protocol Response
72064 65.215194 192.168.122.1 → 192.168.122.73 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
72065 65.215719 192.168.122.73 → 192.168.122.1 SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72069 65.220368 192.168.122.1 → 192.168.122.73 SMB2 546 Session Setup Request, NTLMSSP_AUTH, User: DESKTOP-0TNOE4V\hackbackzip
72074 65.224622 192.168.122.73 → 192.168.122.1 SMB2 139 Session Setup Response
72081 65.227694 192.168.122.1 → 192.168.122.73 SMB2 224 Encrypted SMB3
72084 65.228082 192.168.122.73 → 192.168.122.1 SMB2 190 Encrypted SMB3
72086 65.231298 192.168.122.1 → 192.168.122.73 SMB2 242 Encrypted SMB3
72091 65.238258 192.168.122.73 → 192.168.122.1 SMB2 262 Encrypted SMB3
72094 65.242236 192.168.122.1 → 192.168.122.73 SMB2 294 Encrypted SMB3
72095 65.242890 192.168.122.73 → 192.168.122.1 SMB2 190 Encrypted SMB3
72098 65.245536 192.168.122.1 → 192.168.122.73 SMB2 223 Encrypted SMB3
72100 65.246138 192.168.122.73 → 192.168.122.1 SMB2 258 Encrypted SMB3
72111 65.251933 192.168.122.1 → 192.168.122.73 SMB2 346 Encrypted SMB3
72112 65.252228 192.168.122.73 → 192.168.122.1 SMB2 190 Encrypted SMB3
72114 65.254279 192.168.122.1 → 192.168.122.73 SMB2 223 Encrypted SMB3
72115 65.254594 192.168.122.73 → 192.168.122.1 SMB2 238 Encrypted SMB3
72154 65.302618 192.168.122.1 → 192.168.122.73 TCP 54 50580 → 445 [ACK] Seq=2062 Ack=2341 Win=64128 Len=0
72189 65.333408 192.168.122.1 → 192.168.122.73 TCP 54 50580 → 445 [FIN, ACK] Seq=2062 Ack=2341 Win=64128 Len=0
72190 65.333536 192.168.122.73 → 192.168.122.1 TCP 54 445 → 50580 [ACK] Seq=2341 Ack=2063 Win=2101760 Len=0
72191 65.333991 192.168.122.73 → 192.168.122.1 TCP 54 445 → 50580 [RST, ACK] Seq=2341 Ack=2063 Win=0 Len=0

We are interested in the NTLM authentication flow inside that stream (NEGOTIATE, CHALLENGE, AUTH):
72064 65.215194 192.168.122.1 → 192.168.122.73 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
72065 65.215719 192.168.122.73 → 192.168.122.1 SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72069 65.220368 192.168.122.1 → 192.168.122.73 SMB2 546 Session Setup Request, NTLMSSP_AUTH, User: DESKTOP-0TNOE4V\hackbackzip

Extract the NTLMSSP fields from those three frames:

tshark -nr muddywater.pcap -Y "frame.number == 72064 || frame.number == 72065 || frame.number == 72069" -O smb2,ntlmssp -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmserverchallenge -e ntlmssp.ntlmv2_response.ntproofstr -e ntlmssp.ntlmv2_response
The first output line (frame 72065, the CHALLENGE) carries only the server challenge; the second (frame 72069, the AUTH) carries the username, domain, NTProofStr and the full NTLMv2 response:

d102444d56e078f4
hackbackzip DESKTOP-0TNOE4V eb1b0afc1eef819c1dccd514c9623201 eb1b0afc1eef819c1dccd514c962320101010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000

Build a hashcat-compatible NetNTLMv2 hash from these fields. The format is:
username::domain:server_challenge:NTProofStr:NTLMv2_blob

(the NTProofStr is the first 16 bytes of ntlmssp.ntlmv2_response and the blob is everything after it):

hackbackzip::DESKTOP-0TNOE4V:d102444d56e078f4:eb1b0afc1eef819c1dccd514c9623201:01010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000

Crack the hash using hashcat (mode 5600 is NetNTLMv2):
hashcat -a 0 -m 5600 ntlm.hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt
HACKBACKZIP::DESKTOP-0TNOE4V:d102444d56e078f4:eb1b0afc1eef819c1dccd514c9623201:01010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000:pikeplace
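As an added example (my code, not part of the original write-up), the script below assembles the mode-5600 line from the tshark fields shown above and decodes the NTLMv2 blob's AV_PAIR list, which is what the server actually vouched for in this session: NetBIOS and DNS names, the cifs/ SPN target and the FILETIME timestamp. The layout follows MS-NLMP (2.2.2.1 and 2.2.2.7); the only inputs are the values printed by tshark above.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the write-up's tshark output (server challenge from frame 72065,
# the rest from frame 72069); the response is NTProofStr (16 bytes) + the NTLMv2 blob.
USERNAME = "hackbackzip"
DOMAIN = "DESKTOP-0TNOE4V"
SERVER_CHALLENGE = "d102444d56e078f4"
NTLMV2_RESPONSE = "eb1b0afc1eef819c1dccd514c962320101010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000"

AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",   # MS-NLMP 2.2.2.1
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
          9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}

def filetime_to_utc(raw8):
    """Little-endian Windows FILETIME (100 ns ticks since 1601-01-01) -> aware datetime."""
    ticks = struct.unpack("<Q", raw8)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def hashcat_5600_line(user, domain, server_challenge, ntlmv2_response):
    """user::domain:server_challenge:NTProofStr:blob, the layout hashcat -m 5600 expects."""
    ntproofstr, blob = ntlmv2_response[:32], ntlmv2_response[32:]
    return f"{user}::{domain}:{server_challenge}:{ntproofstr}:{blob}"

def parse_ntlmv2_blob(ntlmv2_response):
    """Decode the blob (MS-NLMP 2.2.2.7): header, timestamp, client nonce and AV_PAIRs."""
    blob = bytes.fromhex(ntlmv2_response)[16:]          # skip the NTProofStr
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("RespType/HiRespType must both be 0x01 for NTLMv2")
    info = {"timestamp": filetime_to_utc(blob[8:16]),
            "client_challenge": blob[16:24].hex(),
            "av_pairs": {}}
    pos = 28                                             # 4-byte Reserved3 precedes the AV list
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                                   # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"Unknown({av_id})")
        if av_id == 7:
            info["av_pairs"][name] = filetime_to_utc(value)
        elif av_id in (6, 8, 10):                        # flags / single-host / channel bindings stay raw
            info["av_pairs"][name] = value.hex()
        else:                                            # names and the target SPN are UTF-16LE
            info["av_pairs"][name] = value.decode("utf-16-le")
    return info
```

Calling parse_ntlmv2_blob(NTLMV2_RESPONSE) shows the session was set up against cifs/DESKTOP-0TNOE4V in late March 2025, and that the AV list carries no MsvAvChannelBindings or MsvAvFlags pair.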