Post

Notoriously Tricky Login Mess

Posted
By Ramages 2 min read

This is a writeup of the Forensics challenge Notoriously Tricky Login Mess 1 & 2 by swampCTF

Points: 100 & 231

Preface

This challenge was split in 2 parts, but as I will explain, both sections will be solved in close conjunction and therefore I decided to smash the writeups for the 2 into a single one.

Premise

  1. We found out a user account has been compromised on our network. We took a packet capture of the time that we believe the remote login happened. Can you find out what the username of the compromised account is?
  2. Great job finding the username! We want to find out the password of the account now to see how it was so easily breached. Can you help?

Challenge files:

swampchall.pcap

Observations

As stated in the description for challenge 1, we’re looking for the username account that was compromised, and then for 2, its passwords.

Opening wireshark, we’re initially greeted by the following: Initial wireshark

As highlighted in the image, we se a NTLMSSP_AUTH POST request being made to the \Administrator account.

Solution

If we filter out the traffic to only show us ntlmssp traffic, Initial wireshark

we see another account instead of only \Administrator, namely \adamkadaban, which is our 1st flag.

Now however, we’re onto the 2nd challenge, retrieving the password of the account.

To do this, we want to extract the NTLMv2 hash and run it against a password cracker like hashcat.

Extracting the hash can be tedious, but I found a great explanation of how to do it here.

The focus is on extracting these 5 fields:

1
2
3
4
5

User:
Domain:
Challenge:
HMAC-MD5:
NTLMv2Response:

Which in our case, gives us a total of 6 for the user \adamkadaban, one example of them is here:

1
2
3
4
5

User: adamkadaban
Domain: NULL
Challenge: 1fed9e8e0ca470a3
HMAC-MD5: 98ebffae0b77865893846dfadb757cfb
NTLMv2Response: 0101000000000000801c50dbc266da0188d48d08eff230a80000000002001e0045004300320041004d0041005a002d00450033003300530047004c00380001001e0045004300320041004d0041005a002d00450033003300530047004c00380004001e0045004300320041004d0041005a002d00450033003300530047004c00380003001e0045004300320041004d0041005a002d00450033003300530047004c003800070008005783ebd6c266da010000000000000000

With all this data, we can now run this agains a hascat instance. First however, we need to puzzle it together into a format hashcat understands, which in this case would be the following: adamkadaban:::1fed9e8e0ca470a3:98ebffae0b77865893846dfadb757cfb:0101000000000000801c50dbc266da0188d48d08eff230a80000000002001e0045004300320041004d0041005a002d00450033003300530047004c00380001001e0045004300320041004d0041005a002d00450033003300530047004c00380004001e0045004300320041004d0041005a002d00450033003300530047004c00380003001e0045004300320041004d0041005a002d00450033003300530047004c003800070008005783ebd6c266da010000000000000000

If we now run the command hashcat -m 5600 -a0 ntlmv2.txt rockyou.txt where rockyou is the rockyou list found in /usr/share/wordlists/ in a Kali Linux machine and ntlmv2.txt is a file containing the hash, we get the following result:

Cracked password

And with that, we’ve found our second flag.

So now we have the flags:

swampCTF{adamkadaban}

and

swampCTF{emilyyoudontknowmypassword}

Tools and sources used:

swampCTF, Forensics
Forensics CTF swampCTF
This post is licensed under CC BY 4.0 by the author.