Directory

Pasted image 20250723163825.png
Do you have what it takes to crack this case?

Challenge Description

A small music company was recently hit by a threat actor.
The company's Art Directory, Larry, claims to have discovered a random note on his Desktop.

Given that they are just starting, they did not have time to properly set up the appropriate tools for capturing artifacts. Their IT contact only set up Wireshark, which captured the events in question.

You are tasked with finding out how this attack unfolded and what the threat actor executed on the system.

1. What ports did the threat actor initially find open? Format: from lowest to highest, separated by a comma.

We can open the .pcap file in Wireshark.

Pasted image 20250723164318.png

Right away, looking at the network log, we can see that it looks like an nmap scan against the target 10.0.2.74.

Now, to narrow the search down to the ports on the target that were open and responded to the attacker, we look for the replies from 10.0.2.74 that carry both the SYN and ACK flags (the second step of the TCP handshake, which only a listening port sends back).

Search filter:

tcp.flags.syn == 1 and tcp.flags.ack == 1

Here, we can find the open ports of the target system:

Pasted image 20250723164853.png

Alternatively, we can find the open ports with tshark, the command-line counterpart of Wireshark, which can also capture and analyse network traffic.

On the command line we specify the input file with the -r option and -c to limit the number of packets read from the file (here restricted to 4000; this is not the standard way of bounding the search, but I have not looked in detail for the point where the nmap scan ends). -T selects the output format (pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?), in our case fields, and -e names the field we want printed, tcp.srcport (the source port of each TCP packet).

Finally, the display filter that keeps only packets with the SYN and ACK flags set goes in the -Y option.

The full command:

tshark -r traffic-1725627206938.pcap -c 4000 -T fields -e tcp.srcport -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" | sort -n | uniq

Pasted image 20250723170307.png
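As an added example (not part of the writeup), the same SYN/SYN-ACK logic in Python, generalised to also tell closed (RST) and filtered (no reply) ports apart: the input is the tab-separated output of a tshark fields run such as `tshark -r capture.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`. The sample lines are constructed, not taken from the challenge capture; the scanner address 10.0.2.15 is an assumption, only the target 10.0.2.74 comes from the page.

```python
# Classify the ports a SYN scan probed on a target, from tshark fields output.
# Added example; the sample lines below are constructed, not from the challenge pcap.

SYN, RST, ACK = 0x02, 0x04, 0x10  # bit positions inside the TCP flags byte

# Columns: ip.src  ip.dst  tcp.srcport  tcp.dstport  tcp.flags (hex byte as tshark prints it)
CONSTRUCTED_TSHARK_OUTPUT = """\
10.0.2.15\t10.0.2.74\t41233\t88\t0x002
10.0.2.74\t10.0.2.15\t88\t41233\t0x012
10.0.2.15\t10.0.2.74\t41234\t445\t0x002
10.0.2.74\t10.0.2.15\t445\t41234\t0x012
10.0.2.15\t10.0.2.74\t41235\t8080\t0x002
10.0.2.74\t10.0.2.15\t8080\t41235\t0x014
10.0.2.15\t10.0.2.74\t41236\t5985\t0x002
10.0.2.74\t10.0.2.15\t5985\t41236\t0x012
10.0.2.15\t10.0.2.74\t41237\t9999\t0x002
10.0.2.15\t10.0.2.74\t41238\t445\t0x002
10.0.2.74\t10.0.2.15\t445\t41238\t0x012
"""


def classify_ports(tshark_output, target):
    """Return {'open': [...], 'closed': [...], 'filtered': [...]} for the ports probed on target."""
    probed = set()
    state = {}
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, flags = line.split("\t")
        flags = int(flags, 16)
        if dst == target and flags & SYN and not flags & ACK:
            probed.add(int(dport))                 # scanner's probe towards the target
        elif src == target:
            port = int(sport)
            if flags & SYN and flags & ACK:
                state[port] = "open"               # SYN-ACK: something is listening
            elif flags & RST:
                state.setdefault(port, "closed")   # RST(-ACK): nothing listening
    result = {"open": [], "closed": [], "filtered": []}
    for port in sorted(probed):                    # probed but never answered = filtered
        result[state.get(port, "filtered")].append(port)
    return result


def answer_format(ports):
    """Question 1 format: lowest to highest, comma separated, no duplicates."""
    return ",".join(str(p) for p in sorted(set(ports)))


if __name__ == "__main__":
    summary = classify_ports(CONSTRUCTED_TSHARK_OUTPUT, "10.0.2.74")
    print(summary)
    print(answer_format(summary["open"]))
```

One caveat this makes visible: a bare `tcp.flags.syn == 1 and tcp.flags.ack == 1` filter also matches SYN-ACKs the target receives from hosts it connects out to, so restricting the reply direction (here `src == target`, in Wireshark `ip.src == 10.0.2.74`) keeps ephemeral client ports out of the answer.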

2. The threat actor found four valid usernames, but only one username allowed the attacker to achieve a foothold on the server. What was the username? Format: Domain.TLD\username

While looking at the open ports that we found, we could notice that the port for Kerberos was also enabled. Now, this was an experience-based guess (also looking at the answer format) that a username being passed could only come from some authentication-based system like Kerberos. So, I scrolled down through the network traffic log and found a section of the log where we can see the packets of the attempts at guessing the username or password.

Pasted image 20250723172002.png

Following this log, I found packet number 4817, which was the attacker's last attempt to find the username.

Pasted image 20250723172135.png

In this packet, we can find the domain name and the username.

Pasted image 20250723172435.png

Similarly, we can find this username and domain from the command line with the following command:

tshark -r traffic-1725627206938.pcap -Y "kerberos" -T fields -e kerberos.CNameString -e kerberos.crealm

3. The threat actor captured a hash from the user in question 2. What are the last 30 characters of that hash?

From the same packet, select the cipher field of the encrypted part and copy its hex value into a text file.

Pasted image 20250723192907.png

Then remove the whitespace between the bytes; the last 30 characters of the remaining hex string are the answer.

Pasted image 20250723193050.png

4. What is the user's password?

This was a bit tricky, so what I did was, google for some help.

Pasted image 20250723212956.png

And I found this GitHub repository: Krb5RoastParser.

Let's follow this GitHub page:

git clone https://github.com/jalvarezz13/Krb5RoastParser.git

Pasted image 20250723213124.png

Now, according to its manual, we need to supply the pcap file along with the desired output type: as_req, as_rep or tgs_rep.

So, let's pass that in:

python3 krb5_roast_parser.py ../traffic-1725627206938.pcap as_rep

Pasted image 20250723213519.png

and we get the hashes in a form we can crack with hashcat. Now, we paste the hash into a file and pass it to hashcat:

hashcat directory.hash ~/Pranava__Rao/Tools/Fuzzing\ List/rockyou.txt

Pasted image 20250723213829.png

Pasted image 20250723213922.png

We get the password.
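To tie questions 3 and 4 together, here is an added example (my own code, not Krb5RoastParser's) that rebuilds the hashcat AS-REP line (mode 18200, RC4-HMAC / etype 23) from the three pieces visible in the AS-REP packet: the client name, the realm and the enc-part cipher bytes. For etype 23 the first 16 bytes of the cipher are the HMAC checksum and the rest is the encrypted data, which is the split the hashcat format expects. The user, realm and cipher bytes below are constructed placeholders, not values from the challenge capture.

```python
import re

# Added example: build a hashcat $krb5asrep$23$ line from fields copied out of an AS-REP packet.
# All three values are constructed placeholders (a real etype 23 cipher is far longer).
CONSTRUCTED_CNAME = "someuser"
CONSTRUCTED_REALM = "EXAMPLE.LOCAL"
# The cipher as copied from Wireshark; spaces / line breaks between bytes are tolerated.
CONSTRUCTED_CIPHER_HEX = """
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
"""


def normalize_hex(raw):
    """Strip whitespace and ':' separators and lower-case the hex, refusing anything that is not bytes."""
    cleaned = re.sub(r"[\s:]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned) or len(cleaned) % 2:
        raise ValueError("not a clean hex byte string")
    return cleaned


def build_asrep_hash(cname, realm, cipher_hex, etype=23):
    """Return the hashcat mode 18200 line: $krb5asrep$23$user@REALM:<16-byte checksum>$<encrypted data>."""
    if etype != 23:
        raise ValueError("only the etype 23 (RC4-HMAC) layout is handled here")
    cipher = normalize_hex(cipher_hex)
    if len(cipher) <= 32:
        raise ValueError("cipher too short to hold the 16-byte checksum plus data")
    checksum, data = cipher[:32], cipher[32:]   # RC4-HMAC: HMAC first, encrypted timestamp after
    return f"$krb5asrep${etype}${cname}@{realm}:{checksum}${data}"


def last_n_chars(s, n=30):
    """Question 3 asks for the last 30 characters of the hash."""
    return s[-n:]


if __name__ == "__main__":
    h = build_asrep_hash(CONSTRUCTED_CNAME, CONSTRUCTED_REALM, CONSTRUCTED_CIPHER_HEX)
    print(h)
    print(last_n_chars(h))
```

Because the hashcat line ends with the same encrypted-data hex that the raw cipher field ends with, the last 30 characters are identical whichever of the two you copy, which is why the manual whitespace-stripping in question 3 and the Krb5RoastParser output in question 4 agree. Passing `-m 18200` to hashcat explicitly avoids relying on its automatic mode detection.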

5. What were the second and third commands that the threat actor executed on the system? Format: command1,command2

Scrolling down the pcap in Wireshark, we notice that the attacker gained access to a remote PowerShell session on the target via its WinRM service.

Pasted image 20250723220214.png

If we follow the stream, we see that it is encrypted (packet number: 4932).

Pasted image 20250723220357.png

While googling for the solution, I found this GitHub repository, decrypt-winrm, but I got an error that I could not figure out how to fix; however, on the same page they have linked the source of their code, so let's follow that.

Pasted image 20250723220542.png

Pasted image 20250723220604.png

Now, running this tool, we can decrypt the traffic:

python3 winrm_decrypt.py -p '<--Password-->' traffic-1725627206938.pcap

Pasted image 20250723220842.png

Don't try to cat the file, lol.

Pasted image 20250723220935.png

But interestingly, it looks like base64-encoded text.

So, let's just filter out the encoded text using the following command:

grep -oP '(?<=<rsp:Arguments>).*?(?=</rsp:Arguments>)' decrypted_traffic.txt > encoded_arguments.txt

Pasted image 20250723221253.png

Now, decoding it:

while read -r line; do
  # each line holds one base64 blob; decode it and separate the results with a blank line
  echo "$line" | base64 --decode >> arguments.txt
  echo "" >> arguments.txt
done < encoded_arguments.txt

Pasted image 20250723222054.png

Let's make it more readable:

grep -a '<S N="V">' arguments.txt | awk -F'[<>]' '{print $3}'

Pasted image 20250723222236.png

and there you go!!!!

The flag is also there in this output.