HackTheBox: Rogue

SecCorp has reached us about a recent cyber security incident. They are confident that a malicious entity has managed to access a shared folder that stores confidential files. Our threat intel informed us about an active dark web forum where disgruntled employees offer to give access to their employer's internal network for a financial reward. In this forum, one of SecCorp's employees offers to provide access to a low-privileged domain-joined user for 10K in cryptocurrency. Your task is to find out how they managed to gain access to the folder and what corporate secrets they stole.

Information

Challenge: Rogue

Category:
Forensics

Difficulty:
Medium

Files: Rogue.zip (23 MB)
capture.pcapng (25 MB)

Environment: Remnux VM

My Recommendations

Download it from hackthebox and verify it with:

sha256sum /path/to/Rogue.zip

SHA256SUM: bb3946b4f025b7ac57d4d458a589cabe50292e37aef42b97d4c4e675874cc4c5

Walkthrough

1. Network Analysis

First, let’s look at the protocol hierarchy:

The most interesting protocols, the ones most likely to have carried exfiltrated data, are FTP and SMB over TCP. Next, we follow the TCP streams individually and note the relevant ones:

This reveals that the attacker had already compromised the machine and executed a command to:

– generate a minidump of the lsass process
– compress it into a zip archive
– send it over FTP

Moreover, the attacker's side of this connection uses port 4444, Metasploit's default listener port, which is consistent with a reverse shell. Dumping lsass this way is a common credential-theft technique. We can also note that the attacker's IP is 77.75.198.52 and the victim's is 192.168.1.14.
Now we need to recover the .zip archive that was sent over FTP.

TCP stream 4 is the FTP control connection, the 'log' of the zip archive being sent over:

TCP stream 5 (the FTP data connection) is the zip archive itself. Set 'Show data as' to Raw and save it in a new folder as a zip archive. The following TCP streams are TLS, which we cannot decrypt at the moment because we do not have the TLS session keys.

As previously noted, FTP and SMB3 were the most likely protocols used to exfiltrate data. FTP was used to send over the lsass dump, so our next steps must focus on decrypting the SMB3 traffic. We can obtain the required credentials/secrets from the lsass minidump.

2. MiniDump Analysis

Pypykatz is my favourite tool for extracting credentials from memory dumps and minidump files. First, we cd into the directory where we saved the zip file, extract it with 7z and point pypykatz at the minidump:

cd minidump
7z x 3858793632.pmd
pypykatz lsa minidump 3858793632.pmd > credentials.txt

3. SMB Traffic Analysis

We dumped the credentials, but we skipped an important step: figuring out which domain and account were compromised. We can check this by filtering for 'smb2.ses_req_flags', which shows the SMB2 Session Setup requests.

Only two session setup requests are returned, both for the same identity:
Account: athomson, Domain: CORP, Host: WS02.

To decrypt the traffic, I used the method explained in this post. We need to calculate the Random Session Key from the following:
– the user's password or NT hash
– the domain
– the username
– the (encrypted) Session Key from the NTLMSSP AUTHENTICATE message
– the NTProofStr from the NTLMv2 response
I also saved the Session ID for future reference. Now we need to save the Session Key and the NTProofStr for both sessions:

(Screenshots: the NTLMSSP Session Key and NTProofStr fields of both session setup requests.)

Even though they have the same session ID, the two sessions have different keys, so we must treat them independently from each other.

				
					echo '0x0000a00000000015|CORP|athomson|d047ccdffaeafb22f222e15e719a34d4|032c9ca4f6908be613b240062936e2d2' > sess1.txt
echo '0x0000a00000000015|CORP|athomson|d09104b2ad7feed3c5e9c30dcb444553|28be9df22813cdfa83d25bf08b63049f' > sess2.txt

				
			

Now that we saved the information from the pcap, we need to calculate the Random Key. 

4. Random Session Key Generation

The only information we are missing is athomson’s password/NTLM hash. We already dumped the secrets with pypykatz, so we can grep for the username:

				
					cat credentials.txt| grep athomson -A 10
				
			

There are two LogonSessions returned, both with the same NT hash, so either one will do:

(Screenshot: the second LogonSession from the pypykatz output, showing the NT hash.)

We can save this hash to create the required decryption keys.

I wrote a small python script to help automate/understand the whole thing. It reads one of the sessN.txt files, takes the NT hash from the NT_HASH constant (paste it in from credentials.txt, or pass it as a second argument) and walks through the NTLMv2 key derivation: NTOWFv2, then the KeyExchangeKey, then RC4 to undo the client's encryption of the random session key:

import hashlib
import hmac
import struct
import sys
from Crypto.Cipher import ARC4  # pycryptodome

# usage: python3 get_key.py sessN.txt [NT_HASH]
# sessN.txt holds: sessionid|domain|user|encrypted session key|ntproofstr (hex)
NT_HASH = "<athomson NT hash from credentials.txt>"  # or pass it as the 2nd argument

info = open(sys.argv[1]).read().strip().split("|")
nt_hash = bytes.fromhex(sys.argv[2] if len(sys.argv) > 2 else NT_HASH)
# Wireshark expects the Session ID byte-swapped (little-endian, as on the wire)
session = struct.pack('<Q', int(info[0], 16)).hex()
domain, user = info[1], info[2]
enc_session_key, ntproofstr = bytes.fromhex(info[3]), bytes.fromhex(info[4])
# NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain))
response_key_nt = hmac.new(nt_hash, (user.upper() + domain).encode('utf-16le'), hashlib.md5).digest()
# KeyExchangeKey (= SessionBaseKey for NTLMv2) = HMAC_MD5(NTOWFv2, NTProofStr)
key_exchange_key = hmac.new(response_key_nt, ntproofstr, hashlib.md5).digest()
# the client sent RC4(KeyExchangeKey, RandomSessionKey); RC4 is its own inverse
random_session_key = ARC4.new(key_exchange_key).decrypt(enc_session_key).hex()
print("The Random Session Key for Session ID", session, "is: ", random_session_key)

Now we can extract the Random Session Keys and use them to decrypt the SMB traffic. Note that the byte order (endianness) of the Session ID had to be swapped for Wireshark to parse it properly: 0x0000a00000000015 becomes 1500000000a00000.

				
					python3 get_key.py sess1.txt
#returns The Random Session Key for Session ID 1500000000a00000 is:  9ae0af5c19ba0de2ddbe70881d4263ac
python3 get_key.py sess2.txt
#returns The Random Session Key for Session ID 1500000000a00000 is: 7920a1abcdaba8db7c6ff88fa5dccb81

				
			

5. Traffic Decryption

Now that we have extracted both keys, and the Session ID in the correct format, we can decrypt the traffic. In Wireshark, select Edit > Preferences > Protocols > SMB2, open the 'Secret session keys for decryption' table and add the Session ID with each key:

And it works! The traffic for the ‘first’ session shows requests for a file named ‘customer_information.pdf’, but access was denied.

In the ‘second’ session, the request was accepted:


Since the traffic is now decrypted, we can use Wireshark's export objects feature (File > Export Objects > SMB) and save the pdf file:

Opening the file shows that it is sensitive customer data. On page 3… the flag is there!

Flag: HTB{n0th1ng_c4n_st4y_un3ncrypt3d_f0r3v3r}

TLDR

– This challenge is a great combination of pcap analysis and credential dumping.
– It is a good way to understand the underlying mechanism of the SMB3 protocol and how to decrypt the traffic.
– Use pypykatz to get the credentials, and a custom script to calculate the decryption key of each SMB3 session.

Discover more from forensicskween