
Wargames.MY CTF 2024 — Forensic: Oh Man (445 pts)

Description

We received a PCAP file from an admin who suspects an attacker exfiltrated sensitive data. Can you analyze the PCAP file and uncover what was stolen?

Zip Password: wgmy

Author: h0j3n

Hint : Investigate the tool used by the attacker

Attachment :

Solution

We were given a zip file with the password. When we extract it we get a pcapng file. We open it with Wireshark and see several SMB3 packets that are encrypted.

This is the first time I have encountered such a challenge, but we can assume that we need to decrypt the SMB packets. For this, I searched for useful articles, such as

From the article, we know that we need to:

  1. Get the NTLM Server Challenge from the NTLM Request (the NTLMSSP CHALLENGE message, messagetype 2): tshark -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype eq 2' -Tfields -e ntlmssp.ntlmserverchallenge > ntlm_request

  2. Get the NTLM Username, Domain, and Response from the NTLM Response (the AUTHENTICATE message, messagetype 3): tshark -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype eq 3' -Tfields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmv2_response > ntlm_response

  3. From the request and response, we can craft a special string to crack the password using John The Ripper. The format for netntlmv2 is username::domain:challenge:response:target_info

  4. Now, we can crack the password using john
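The string in step 3 is easy to get wrong by hand, so here is a small script that builds it from the two tshark output files. This is an added example, not the author's script or part of John the Ripper: it assumes tshark's default tab-separated -T fields output (byte fields either as plain hex or colon-separated hex), and that the i-th CHALLENGE line pairs with the i-th AUTHENTICATE line, which holds for a capture with one NTLM handshake. John's netntlmv2 line is user::domain:challenge:NTProofStr:blob, and the ntlmssp.ntlmv2_response field is exactly NTProofStr (16 bytes) followed by the blob, so the "response:target_info" split from step 3 is a split at 32 hex characters.

```python
"""Turn the two tshark dumps (ntlm_request, ntlm_response) into John netntlmv2 lines.

Added example for this writeup, not the author's code. Assumptions: tab-separated
tshark -T fields output, and CHALLENGE line i belongs to AUTHENTICATE line i.
"""
import os
import re

# Constructed sample file contents in the shape tshark writes them; these are
# NOT values from the challenge capture. Second handshake is an anonymous
# session (no username, no NTLMv2 response), which must be skipped.
SAMPLE_NTLM_REQUEST = "1122334455667788\n8877665544332211\n"
SAMPLE_NTLM_RESPONSE = (
    "alice\tWORKGROUP\t" + "aa" * 16 + "0101000000000000c0ffee\n"
    + "\t\t\n"
)

HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


def _clean_hex(field):
    """Normalise a tshark byte field: strip colons, validate, lowercase."""
    value = field.strip().replace(":", "")
    if not HEX_RE.match(value):
        raise ValueError(f"not a hex field: {field!r}")
    return value.lower()


def build_john_hashes(request_text, response_text):
    """Return john's netntlmv2 lines: user::domain:challenge:NTProofStr:blob.

    ntlmssp.ntlmv2_response = NTProofStr (16 bytes) || blob, so it is split
    at 32 hex characters. Handshakes without a response (anonymous sessions)
    yield nothing to crack and are skipped.
    """
    challenges = [line for line in request_text.splitlines() if line != ""]
    responses = [line for line in response_text.splitlines() if line != ""]
    hashes = []
    for challenge_field, line in zip(challenges, responses):
        user, domain, response = line.split("\t")
        response = _clean_hex(response)
        if response == "":
            continue  # anonymous / null session: no NTLMv2 response present
        challenge = _clean_hex(challenge_field)
        if len(challenge) != 16:  # 8-byte server challenge
            raise ValueError(f"bad server challenge length: {challenge_field!r}")
        if len(response) <= 32:  # need NTProofStr plus a non-empty blob
            raise ValueError(f"NTLMv2 response too short for {user!r}")
        ntproofstr, blob = response[:32], response[32:]
        hashes.append(f"{user}::{domain}:{challenge}:{ntproofstr}:{blob}")
    return hashes


if __name__ == "__main__":
    # With the real files from the tshark steps present, print john's input;
    # otherwise demonstrate on the constructed sample.
    if os.path.exists("ntlm_request") and os.path.exists("ntlm_response"):
        with open("ntlm_request") as req, open("ntlm_response") as resp:
            lines = build_john_hashes(req.read(), resp.read())
    else:
        lines = build_john_hashes(SAMPLE_NTLM_REQUEST, SAMPLE_NTLM_RESPONSE)
    for h in lines:
        print(h)
```

Redirect the output to a file and pass it to john with --format=netntlmv2; the same line also works for hashcat mode 5600.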

We now know that the password to decrypt the SMB packets is "password". We can now set it in Wireshark (Edit -> Preferences -> Protocols -> NTLMSSP, NT Password field).

We can see that the SMB packets are now decrypted.

After they are decrypted, we can export the SMB objects (File -> Export Objects -> SMB).

We know from the opengl32sw.dll file that we need to restore the invalid signature using scripts/restore_signature, and then run python3 -m pypykatz lsa minidump 20241225_1939.log

I was stuck a little here, because I did not know where the script to restore the signature was. But, after a little searching on Google, I found a GitHub repo :

I just realized that one of the files we extracted is called "nano.exe", so we can assume that it is the nanodump executable.

We can download the restore_signature script from the GitHub repo.

After that, we can use it to restore the signature of the log file.
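What the restore step actually does is worth seeing, because it is also how you recognise such a dump during triage: the file is a Windows minidump whose MINIDUMP_HEADER has been damaged so that the bytes no longer start with the documented signature. The following is an added example, not nanodump's own scripts/restore_signature and not pypykatz code; it relies only on the MINIDUMP_HEADER layout from the Windows SDK (minidumpapiset.h): a 4-byte Signature 0x504d444d ('PMDM', stored little-endian so the file begins with "MDMP"), then a 2-byte Version 0xa793, then a 2-byte ImplementationVersion which is left untouched. The sample bytes are constructed, not taken from the challenge file.

```python
"""Detect and repair a minidump whose MINIDUMP_HEADER signature was invalidated.

Added example for this writeup, not nanodump's restore_signature script.
Only the documented Signature and Version fields are rewritten; the rest of
the header (stream count, directory RVA, timestamp, flags) is preserved.
"""
import struct
import sys

MINIDUMP_SIGNATURE = 0x504D444D  # 'PMDM' as a DWORD; appears on disk as b"MDMP"
MINIDUMP_VERSION = 0xA793        # 42899, from minidumpapiset.h
HEADER_LEN = 32                  # sizeof(MINIDUMP_HEADER)

# Constructed sample: a 32-byte header with the signature and version zeroed
# (NumberOfStreams=0, StreamDirectoryRva=32, CheckSum=0, TimeDateStamp=0,
# Flags=0) followed by a few bytes of filler. Not data from the challenge.
INVALID_DUMP = bytes(8) + struct.pack("<IIIIQ", 0, HEADER_LEN, 0, 0, 0) + b"filler"


def has_valid_signature(data):
    """True if the first 6 bytes are the documented minidump signature/version."""
    if len(data) < HEADER_LEN:
        return False
    signature, version = struct.unpack_from("<IH", data, 0)
    return signature == MINIDUMP_SIGNATURE and version == MINIDUMP_VERSION


def restore_signature(data):
    """Return a copy of data with the MINIDUMP_HEADER signature/version restored.

    Raises ValueError if the input is too short to be a minidump at all.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than MINIDUMP_HEADER; not a minidump")
    return struct.pack("<IH", MINIDUMP_SIGNATURE, MINIDUMP_VERSION) + data[6:]


def restore_file(path_in, path_out):
    """Read path_in, write the repaired dump to path_out, return whether it changed."""
    with open(path_in, "rb") as fh:
        data = fh.read()
    if has_valid_signature(data):
        with open(path_out, "wb") as fh:
            fh.write(data)
        return False
    with open(path_out, "wb") as fh:
        fh.write(restore_signature(data))
    return True


if __name__ == "__main__":
    # Usage: python3 restore_example.py <damaged.log> <repaired.dmp>
    if len(sys.argv) == 3:
        changed = restore_file(sys.argv[1], sys.argv[2])
        print("signature restored" if changed else "signature was already valid")
    else:
        fixed = restore_signature(INVALID_DUMP)
        print(INVALID_DUMP[:6].hex(), "->", fixed[:6].hex())  # 000000000000 -> 4d444d5093a7
```

The repaired file can then be handed to pypykatz as in the writeup. For detection purposes the same check inverted is useful: a file whose body parses as minidump streams but whose first bytes are not "MDMP" is a strong sign of a dumper that deliberately hides the signature.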

Finally, we can get the secrets using pypykatz.

Flag

wgmy{fbba48bee397414246f864fe4d2925e4}