TryHackMe-Block
Encryption? What encryption?
Find This Room: Block
One of your junior system administrators forgot to deactivate two accounts from a pair of recently fired employees.
We believe these employees used the credentials they were given in order to access some of the many private files from our server, but we need concrete proof.
The junior system administrator only has a small network capture of the incident and a memory dump of the Local Security Authority Subsystem Service process.
Fortunately, for your company, that is all you need.
Task 1 Server Message Block
Q: What is the username of the first person who accessed our server?
Ans:
Q: What is the password of the user in question 1?
This question asks us to find the user's password, so we need to look at the dump file, meaning the LSASS dump (lsass.DMP). This file contains cached credentials and other useful material.
I use pypykatz, a Python tool designed for extracting credentials from Windows systems, particularly from the memory of the Local Security Authority Subsystem Service (LSASS).
Use CrackStation
Decrypting the SMB3 Traffic
Going over everything we need, we already have all of it:
- username -> found in traffic.pcapng
- domain -> found in traffic.pcapng
- NTProofStr -> found in traffic.pcapng
- NT hash or password -> found in lsass.DMP
With these, we can calculate the Key Exchange Key. Finally, we need the Encrypted Session Key, which can also be found in the traffic.pcapng file.
The article also shares a Python script for calculating the Key Exchange Key and decrypting the Encrypted Session Key. But it is written for Python 2, so I have updated it to Python 3 and also added the ability to accept an NTLM hash as an argument instead of the password.
import hashlib
import hmac
import argparse
from Cryptodome.Cipher import ARC4
from Cryptodome.Hash import MD4

def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    # RC4 is symmetric: the same call that encrypts the exported session key
    # also decrypts the Encrypted Session Key captured in the PCAP.
    cipher = ARC4.new(keyExchangeKey)
    sessionKey = cipher.encrypt(exportedSessionKey)
    return sessionKey

parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u", "--user", required=True, help="User name")
parser.add_argument("-d", "--domain", required=True, help="Domain name")
credential = parser.add_mutually_exclusive_group(required=True)
credential.add_argument("-p", "--password", help="Password of User")
credential.add_argument("-H", "--hash", help="NTLM Hash of User")
parser.add_argument("-n", "--ntproofstr", required=True, help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k", "--key", required=True, help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()

# Upper-case user and domain, then encode as UTF-16LE as NTLM does
user = args.user.upper().encode("utf-16le")
domain = args.domain.upper().encode("utf-16le")

if args.password:
    # If a password is supplied, create the NT hash: MD4 over the UTF-16LE password.
    # Cryptodome's MD4 is used because hashlib's md4 is missing on many modern OpenSSL builds.
    passw = args.password.encode("utf-16le")
    hash1 = MD4.new(passw).digest()
else:
    hash1 = bytes.fromhex(args.hash)

# Calculate the ResponseNTKey (NTOWFv2): HMAC-MD5 keyed with the NT hash over user + domain
h = hmac.new(hash1, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()

# Use NTProofStr and ResponseNTKey to calculate the Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()

# Calculate the Random Session Key by decrypting the Encrypted Session Key with the Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))

if args.verbose:
    print("USER WORK: " + user.hex() + domain.hex())
    print("PASS HASH: " + hash1.hex())
    print("RESP NT: " + respNTKey.hex())
    print("NT PROOF: " + NTproofStr.hex())
    print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())
Let’s start by gathering the values we need for decrypting the session for mrealman. What we need can be found inside packet 11.
- Username: mrealman
- Domain: WORKGROUP
- NTProofStr: 16e816dead16d4ca7d5d6dee4a015c14
- Encrypted Session Key: fde53b54cb676b9bbf0fb1fbef384698
And we already have the password for the user from cracking the hash found inside lsass.DMP.
- Password: Blockbuster1
- Session ID: 0x0000100000000041
Now that we have everything we need, we can run the script to get the Random Session Key.
whoami@mint:~/Desktop/THM-Lab/Block$ python3 genrsk.py -u 'mrealman' -d 'WORKGROUP' -p 'Blockbuster1' -n '16e816dead16d4ca7d5d6dee4a015c14' -k 'fde53b54cb676b9bbf0fb1fbef384698' -v
USER WORK: 4d005200450041004c004d0041004e0057004f0052004b00470052004f0055005000
PASS HASH: 1f9175a516211660c7a8143b0f36ab44
RESP NT: 110fd571fec8b2d44728e3d4d6f32f0a
NT PROOF: 16e816dead16d4ca7d5d6dee4a015c14
KeyExKey: 17e09b2c9b92045329a4382898f50159
Random SK: 20a642c086ef74eee26277bf1d0cff8c
We can add it to Wireshark to decrypt the traffic. We need to reverse the bytes of the Session ID due to endianness.
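As an added example (not the writeup's script), the same derivation chain in standard-library Python only, plus the Session ID byte reversal Wireshark expects. It assumes the NT hash is already known from lsass.DMP, so no MD4 is needed, and it checks itself against the values captured above for both users.

```python
import hmac
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the same primitive Cryptodome's ARC4 provides."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ntlmv2_session_key(nt_hash_hex, user, domain, ntproofstr_hex, enc_session_key_hex):
    """Return (KeyExchangeKey, RandomSessionKey) as hex strings.

    NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain)   (both UTF-16LE)
    KXKEY   = HMAC-MD5(NTOWFv2, NTProofStr)
    RSK     = RC4(KXKEY, EncryptedSessionKey)
    MS-NLMP upper-cases only the user; the writeup's script also upper-cases
    the domain, which changes nothing for WORKGROUP.
    """
    nt_hash = bytes.fromhex(nt_hash_hex)
    ident = (user.upper() + domain).encode("utf-16le")
    ntowf_v2 = hmac.new(nt_hash, ident, hashlib.md5).digest()
    kxkey = hmac.new(ntowf_v2, bytes.fromhex(ntproofstr_hex), hashlib.md5).digest()
    rsk = rc4(kxkey, bytes.fromhex(enc_session_key_hex))
    return kxkey.hex(), rsk.hex()


def wireshark_session_id(session_id: int) -> str:
    """Wireshark's SMB2 session-key table wants the Session Id as its little-endian wire bytes."""
    return session_id.to_bytes(8, "little").hex()


if __name__ == "__main__":
    # Inputs taken from the writeup above (packet 11, user mrealman)
    kx, rsk = ntlmv2_session_key("1f9175a516211660c7a8143b0f36ab44", "mrealman", "WORKGROUP",
                                 "16e816dead16d4ca7d5d6dee4a015c14", "fde53b54cb676b9bbf0fb1fbef384698")
    print("KeyExKey:", kx)
    print("Random SK:", rsk)
    print("Session Id for Wireshark:", wireshark_session_id(0x0000100000000041))
```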
After adding the session key, we can see that the SMB3 traffic is now decrypted. We also see the user accessing the clients156.csv file.
We can use Wireshark to export the file like so:
Reading the clients156.csv file, we get the first flag.
$ cat %5cclients156.csv
first_name,last_name,password
Jewell,Caseri,eS8/y*t?8$
Abey,Sigward,yB0{g_>KezO
Natassia,Freeth,tS2<1Fef9tiF
Verina,Wainscoat,kT8/2uEMH
Filia,Sommerling,oE9.2c?Sce
Farris,Busst,THM{[REDACTED]}
Bat,Oakes,gE0%f@'qw}s%
Verina,Jedrachowicz,wK4~4L\O
Caril,Wolfarth,yQ3$Ji0~f7aB>F{
Bordie,Baume,iM1}"x)yP'`2|S
Now, we can do the same for the session of the user eshellstrop. We find the values we need inside packet 82.
- Session Id: 0x0000100000000045
Running the script to calculate the Random Session Key.
whoami@mint:~/Desktop/THM-Lab/Block$ python3 genrsk.py -u 'eshellstrop' -d 'WORKGROUP' -H '3f29138a04aadc19214e9c04028bf381' -n '0ca6227a4f00b9654a48908c4801a0ac' -k 'c24f5102a22d286336aac2dfa4dc2e04' -v
USER WORK: 45005300480045004c004c005300540052004f00500057004f0052004b00470052004f0055005000
PASS HASH: 3f29138a04aadc19214e9c04028bf381
RESP NT: f48087e449d58b400e283a27914209b9
NT PROOF: 0ca6227a4f00b9654a48908c4801a0ac
KeyExKey: 9754d7acae384644b196c05cda5315df
Random SK: facfbdf010d00aa2574c7c41201099e8
Adding it to the list of SMB session keys in Wireshark the same way as before.
Once again, we see that the SMB3 traffic is decrypted, and this time we see the user accessing the clients978.csv file.
whoami@mint:~/Desktop/THM-Lab/Block$ cat %5cclients978.csv
first_name,last_name,password
Fran,McCane,vP5{|r$IYDDu
Fredrika,Delea,qU2!&Bev
Josefa,Keir,hX0)gq54I"%d
Joannes,Greatham,vS1)N,z1X1rc
Courtenay,Keble,lV6|0aiSZL@@`bbM
Tonye,Risebrow,THM{[REDACTED]}
Joleen,Balog,tK9'ZapdU.'igGs
Clementia,Kilsby,uC6!Bx}`Xe
Mason,Woolvett,eL0$NO)FRY1IT
Rozele,Izachik,wA8>11$,'0,b+
,,
Happy Hacking