In this challenge, we were provided a pcap file and were expected to investigate the traffic.
On the first TCP stream (20) we see a reverse shell interaction.
After getting a reverse shell as user smith, the attacker executes commands to dump ntds.dit and the SYSTEM hive (stream 21).
In the following streams (23 and 24) we see the two files, base64-encoded with certutil, being transferred with netcat.
We can extract them, decode them, and verify them with the file command.
The attacker then starts a WinRM session as the Administrator user. At this point it is obvious that the attacker dumped the hashes from the files obtained earlier and took over the Administrator account. We can also save this traffic to a separate pcap file so that working on it later is easier.
Let's do the same thing for the attacker's traffic.
It looks like the Administrator's password is empty, so there is a high chance that the attacker used pass-the-hash (PTH).
I used winrm_decrypt.py to decrypt the traffic:
python3 winrm_decrypt.py --hash '8bb1f8635e5708eb95aedf142054fc95' winrm.pcap > stream.txt
We can now grep for the base64-encoded HTB{ in the decrypted traffic.
HTB{n0th1ng_1s_tru3_3v3ryth1ng_1s_d3crypt3d}
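As an added example (not the writeup's own code), the Python below covers the two manual steps above: decoding a certutil-encoded transfer and checking its magic bytes the way the file command does for a registry hive and an ESE database, and generating the three base64 alignments of HTB{ so a decrypted WinRM dump can be grepped without decoding every fragment. The hive blob and the SOAP stream are constructed samples, not data from the challenge pcap.

```python
import base64
import re

# Constructed sample of a `certutil -encode` transfer: PEM-style header/footer
# around base64 text. The payload is a fake hive header, not the real SYSTEM file.
SAMPLE_HIVE_BLOB = b"regf" + b"\x00" * 28
SAMPLE_CERTUTIL_TEXT = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(SAMPLE_HIVE_BLOB).decode() + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)
# Constructed sample of decrypted WinRM output; "SFRCe3h9" is base64 of b"HTB{x}".
SAMPLE_STREAM = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/soap+xml\r\n\r\n"
    "<rsp:Stream>SFRCe3h9</rsp:Stream>\r\n"
)

def decode_certutil(text: str) -> bytes:
    """Drop certutil's header/footer and line breaks, then base64-decode."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def identify(data: bytes) -> str:
    """The same magic-byte checks `file` applies to the two exfiltrated artefacts."""
    if data[:4] == b"regf":
        return "Windows registry hive (SYSTEM)"
    if data[4:8] == b"\xef\xcd\xab\x89":  # ESE signature 0x89ABCDEF, little-endian
        return "Extensible Storage Engine database (ntds.dit)"
    return "unknown"

def base64_needles(needle: bytes) -> list[str]:
    """Base64 text for `needle` at each of the three 3-byte alignments."""
    out = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + needle).decode().rstrip("=")
        enc = enc[offset + 1:] if offset else enc  # chars tainted by the padding bytes
        if (offset + len(needle)) % 3:             # last char shares bits with unknown data
            enc = enc[:-1]
        out.append(enc)
    return out

def find_flag(stream_text: str, needle: bytes = b"HTB{") -> list[str]:
    """Decode every base64-looking token in the stream and return those containing needle."""
    hits = []
    for tok in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", stream_text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4))
        except ValueError:
            continue
        if needle in raw:
            hits.append(raw.decode("latin-1"))
    return hits
```

The strings returned by base64_needles are what to pass to grep on stream.txt; find_flag is the same idea applied to the whole dump in one pass.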